Add support for deploying OCI helm charts in OLM v1

OchiengEd · OchiengEd · commit 3b36dfbcd19b · 2025-05-15T11:57:59.000-05:00
* added support for deploying OCI helm charts which sits behind
the HelmChartSupport feature gate
* extended the Cache interface to allow storing of Helm charts

Signed-off-by: Edmund Ochieng &lt;ochienged@gmail.com&gt;
diff --git a/internal/operator-controller/applier/helm.go b/internal/operator-controller/applier/helm.go
@@ -7,11 +7,14 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"path/filepath"
+	"regexp"
 	"slices"
 	"strings"
 
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/chartutil"
 	"helm.sh/helm/v3/pkg/postrender"
 	"helm.sh/helm/v3/pkg/release"
@@ -26,6 +29,7 @@ import (
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle/source"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util"
@@ -209,7 +213,120 @@ func (h *Helm) buildHelmChart(bundleFS fs.FS, ext *ocv1.ClusterExtension) (*char
 	if err != nil {
 		return nil, err
 	}
-	return h.BundleToHelmChartConverter.ToHelmChart(source.FromFS(bundleFS), ext.Spec.Namespace, watchNamespace)
+	var result *chart.Chart
+	contentType := bundleContentType(bundleFS)
+	switch contentType {
+	case HelmContent:
+		if !features.OperatorControllerFeatureGate.Enabled(features.HelmChartSupport) {
+			return nil, fmt.Errorf("helm chart support is not enabled")
+		}
+		result, err = loadChartWithEnrichments(bundleFS, WithInstallNamespace(ext.Spec.Namespace))
+		if err != nil {
+			return nil, fmt.Errorf("loading Helm chart; %w", err)
+		}
+	case BundleContent:
+		result, err = h.BundleToHelmChartConverter.ToHelmChart(source.FromFS(bundleFS), ext.Spec.Namespace, watchNamespace)
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, fmt.Errorf("unknown content found")
+	}
+
+	return result, nil
+
+}
+
+const (
+	HelmContent    string = "helm"
+	BundleContent  string = "bundle"
+	UnknownContent string = "unknown"
+)
+
+func bundleContentType(bundleFS fs.FS) string {
+	var contentType string
+	_ = fs.WalkDir(bundleFS, ".", func(path string, f fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if !f.IsDir() {
+			// Check if Helm chart
+			if filepath.Dir(path) == "charts" &&
+				filepath.Ext(f.Name()) == ".tgz" {
+				contentType = HelmContent
+				return fs.SkipAll
+			}
+
+			// Check if registry/v1 bundle
+			if filepath.Dir(path) == "metadata" &&
+				f.Name() == "annotations.yaml" {
+				contentType = BundleContent
+				return fs.SkipAll
+			}
+		}
+
+		return nil
+	})
+
+	if contentType != "" {
+		return contentType
+	}
+
+	return UnknownContent
+}
+
+type ChartOption func(*chart.Chart)
+
+func WithInstallNamespace(namespace string) ChartOption {
+	re := regexp.MustCompile(`{{\W+\.Release\.Namespace\W+}}`)
+
+	return func(chrt *chart.Chart) {
+		for i, template := range chrt.Templates {
+			chrt.Templates[i].Data = re.ReplaceAll(template.Data, []byte(namespace))
+		}
+	}
+}
+
+func loadChartWithEnrichments(bundleFS fs.FS, options ...ChartOption) (*chart.Chart, error) {
+	chrt, err := loadPulledHelmChart(bundleFS)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, f := range options {
+		f(chrt)
+	}
+
+	return chrt, nil
+}
+
+func loadPulledHelmChart(bundleFS fs.FS) (*chart.Chart, error) {
+	var filename string
+
+	if err := fs.WalkDir(bundleFS, ".", func(path string, f fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if strings.HasSuffix(f.Name(), ".tgz") && !f.IsDir() {
+			filename = path
+			return fs.SkipAll
+		}
+
+		return nil
+	}); err != nil && !errors.Is(err, fs.SkipAll) {
+		return nil, err
+	}
+
+	if filename == "" {
+		return nil, fmt.Errorf("no helm chart found")
+	}
+
+	tarball, err := fs.ReadFile(bundleFS, filename)
+	if err != nil {
+		return nil, fmt.Errorf("reading helm chart; %+v\n", err)
+	}
+	return loader.LoadArchive(bytes.NewBuffer(tarball))
 }
 
 func (h *Helm) renderClientOnlyRelease(ctx context.Context, ext *ocv1.ClusterExtension, chrt *chart.Chart, values chartutil.Values, post postrender.PostRenderer) (*release.Release, error) {
diff --git a/internal/operator-controller/features/features.go b/internal/operator-controller/features/features.go
@@ -16,6 +16,7 @@ const (
 	SyntheticPermissions              featuregate.Feature = "SyntheticPermissions"
 	WebhookProviderCertManager        featuregate.Feature = "WebhookProviderCertManager"
 	WebhookProviderOpenshiftServiceCA featuregate.Feature = "WebhookProviderOpenshiftServiceCA"
+	HelmChartSupport                  featuregate.Feature = "HelmChartSupport"
 )
 
 var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
@@ -63,6 +64,14 @@ var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.Feature
 		PreRelease:    featuregate.Alpha,
 		LockToDefault: false,
 	},
+
+	// HelmChartSupport enables support for installing,
+	// updating and uninstalling Helm Charts via Cluster Extensions.
+	HelmChartSupport: {
+		Default:       false,
+		PreRelease:    featuregate.Alpha,
+		LockToDefault: false,
+	},
 }
 
 var OperatorControllerFeatureGate featuregate.MutableFeatureGate = featuregate.NewFeatureGate()
diff --git a/internal/shared/util/image/cache.go b/internal/shared/util/image/cache.go
@@ -29,6 +29,7 @@ type LayerData struct {
 }
 
 type Cache interface {
+	ExtendCache
 	Fetch(context.Context, string, reference.Canonical) (fs.FS, time.Time, error)
 	Store(context.Context, string, reference.Named, reference.Canonical, ocispecv1.Image, iter.Seq[LayerData]) (fs.FS, time.Time, error)
 	Delete(context.Context, string) error
diff --git a/internal/shared/util/image/helm.go b/internal/shared/util/image/helm.go
@@ -0,0 +1,92 @@
+package image
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path"
+	"path/filepath"
+	"time"
+
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	specsv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+func hasChart(imgCloser types.ImageCloser) bool {
+	config := imgCloser.ConfigInfo()
+	return config.MediaType == registry.ConfigMediaType
+}
+
+type ExtendCache interface {
+	StoreChart(string, string, reference.Canonical, io.Reader) (fs.FS, time.Time, error)
+}
+
+func (a *diskCache) StoreChart(ownerID, filename string, canonicalRef reference.Canonical, src io.Reader) (fs.FS, time.Time, error) {
+	dest := a.chartsPath(ownerID, canonicalRef)
+
+	if err := fsutil.EnsureEmptyDirectory(dest, 0700); err != nil {
+		return nil, time.Time{}, fmt.Errorf("error ensuring empty charts directory: %w", err)
+	}
+
+	// Destination file
+	chart, err := os.Create(filepath.Join(dest, filename))
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("creating chart file; %w", err)
+	}
+	defer chart.Close()
+
+	_, err = io.Copy(chart, src)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("copying chart to %s; %w", filename, err)
+	}
+
+	modTime, err := fsutil.GetDirectoryModTime(dest)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("error getting mod time of unpack directory: %w", err)
+	}
+	return os.DirFS(filepath.Dir(dest)), modTime, nil
+}
+
+func (a *diskCache) chartsPath(ownerID string, canonicalRef reference.Canonical) string {
+	return filepath.Join(a.unpackPath(ownerID, canonicalRef.Digest()), "charts")
+}
+
+func pullChart(ctx context.Context, ownerID string, img types.ImageSource, canonicalRef reference.Canonical, cache Cache, layoutDir string) (fs.FS, time.Time, error) {
+	raw, _, err := img.GetManifest(ctx, nil)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("get OCI helm chart manifest; %w", err)
+	}
+
+	chartManifest := specsv1.Manifest{}
+	if err := json.Unmarshal(raw, &chartManifest); err != nil {
+		return nil, time.Time{}, fmt.Errorf("unmarshaling chart manifest; %w", err)
+	}
+
+	var chartDataLayerDigest digest.Digest
+	if len(chartManifest.Layers) == 1 &&
+		(chartManifest.Layers[0].MediaType == registry.ChartLayerMediaType) {
+		chartDataLayerDigest = chartManifest.Layers[0].Digest
+	}
+
+	filename := fmt.Sprintf("%s-%s.tgz",
+		chartManifest.Annotations["org.opencontainers.image.title"],
+		chartManifest.Annotations["org.opencontainers.image.version"],
+	)
+
+	// Source file
+	tarballFile := path.Join(layoutDir, "blobs", "sha256", chartDataLayerDigest.Encoded())
+	tarball, err := os.Open(tarballFile)
+	if err != nil {
+		return nil, time.Time{}, fmt.Errorf("opening chart data; %w", err)
+	}
+	defer tarball.Close()
+
+	return cache.StoreChart(ownerID, filename, canonicalRef, tarball)
+}
diff --git a/internal/shared/util/image/mocks.go b/internal/shared/util/image/mocks.go
@@ -2,6 +2,7 @@ package image
 
 import (
 	"context"
+	"io"
 	"io/fs"
 	"iter"
 	"time"
@@ -44,6 +45,10 @@ type MockCache struct {
 	GarbageCollectError error
 }
 
+func (m MockCache) StoreChart(_ string, _ string, _ reference.Canonical, _ io.Reader) (fs.FS, time.Time, error) {
+	return m.StoreFS, m.StoreModTime, m.StoreError
+}
+
 func (m MockCache) Fetch(_ context.Context, _ string, _ reference.Canonical) (fs.FS, time.Time, error) {
 	return m.FetchFS, m.FetchModTime, m.FetchError
 }
diff --git a/internal/shared/util/image/pull.go b/internal/shared/util/image/pull.go
@@ -164,7 +164,7 @@ func (p *ContainersImagePuller) pull(ctx context.Context, ownerID string, docker
 	// Mount the image we just pulled
 	//
 	//////////////////////////////////////////////////////
-	fsys, modTime, err = p.applyImage(ctx, ownerID, dockerRef, canonicalRef, layoutImgRef, cache, srcCtx)
+	fsys, modTime, err = p.applyImage(ctx, ownerID, dockerRef, canonicalRef, layoutImgRef, cache, srcCtx, layoutDir)
 	if err != nil {
 		return nil, nil, time.Time{}, fmt.Errorf("error applying image: %w", err)
 	}
@@ -206,7 +206,7 @@ func resolveCanonicalRef(ctx context.Context, imgRef types.ImageReference, srcCt
 	return canonicalRef, nil
 }
 
-func (p *ContainersImagePuller) applyImage(ctx context.Context, ownerID string, srcRef reference.Named, canonicalRef reference.Canonical, srcImgRef types.ImageReference, cache Cache, sourceContext *types.SystemContext) (fs.FS, time.Time, error) {
+func (p *ContainersImagePuller) applyImage(ctx context.Context, ownerID string, srcRef reference.Named, canonicalRef reference.Canonical, srcImgRef types.ImageReference, cache Cache, sourceContext *types.SystemContext, layoutDir string) (fs.FS, time.Time, error) {
 	imgSrc, err := srcImgRef.NewImageSource(ctx, sourceContext)
 	if err != nil {
 		return nil, time.Time{}, fmt.Errorf("error creating image source: %w", err)
@@ -224,6 +224,11 @@ func (p *ContainersImagePuller) applyImage(ctx context.Context, ownerID string,
 		}
 	}()
 
+	if hasChart(img) {
+		return pullChart(ctx, ownerID, imgSrc, canonicalRef, cache, layoutDir)
+	}
+
+	// Helm charts would error when getting OCI config
 	ociImg, err := img.OCIConfig(ctx)
 	if err != nil {
 		return nil, time.Time{}, err

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ type LayerData struct {`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`type Cache interface {`
	`32`	`+ ExtendCache`
`32`	`33`	`Fetch(context.Context, string, reference.Canonical) (fs.FS, time.Time, error)`
`33`	`34`	`Store(context.Context, string, reference.Named, reference.Canonical, ocispecv1.Image, iter.Seq[LayerData]) (fs.FS, time.Time, error)`
`34`	`35`	`Delete(context.Context, string) error`