From 0135eb19d4569364fa26c71da0f0c3613f62021c Mon Sep 17 00:00:00 2001
From: Stefan Prodan <stefan.prodan@gmail.com>
Date: Wed, 30 Mar 2022 13:18:27 +0300
Subject: [PATCH] Add proposal for adding Helm OCI support to Flux Source API

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
---
 rfcs/helm-oci/README.md | 110 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 rfcs/helm-oci/README.md

diff --git a/rfcs/helm-oci/README.md b/rfcs/helm-oci/README.md
new file mode 100644
index 00000000..a57d3db1
--- /dev/null
+++ b/rfcs/helm-oci/README.md
@@ -0,0 +1,110 @@
+# RFC-xxxx Flux OCI support for Helm
+
+**Status:** provisional
+
+**Creation date:** 2022-03-30
+
+**Last update:** 2022-03-30
+
+## Summary
+
+Given that Helm v3.8 supports [OCI](https://helm.sh/docs/topics/registries/) for package distribution,
+we should extend the Flux Source API to allow fetching Helm charts from container registries.
+
+## Motivation
+
+Helm OCI support is one of the most requested feature in Flux
+as seen on this [issue](https://github.com/fluxcd/source-controller/issues/124).
+
+### Goals
+
+- Add support for fetching Helm charts stored as OCI artifacts with minimal API changes to Flux.
+- Make it easy for users to switch from HTTP/S Helm repositories to OCI repositories.
+
+### Non-Goals
+
+- Introduce a new API kind for referencing charts stored as OCI artifacts.
+
+## Proposal
+
+Introduce an optional field called `type` to the `HelmRepository` spec.
+
+When not specified, the `spec.type` field defaults to `Default` which preserve the current `HelmRepository` API behaviour.
+
+When the `spec.type` field is set to `OCI`, the `spec.url` field must be prefixed with `oci://` (to follow the Helm conventions).
+For `oci://` URLs, source-controller will use the Helm SDK and the `oras` library to connect to the OCI remote storage.
+For authentication, the controller will use Kubernetes secrets of `kubernetes.io/dockerconfigjson` type.
+
+### User Stories
+
+#### Story 1
+
+> As a developer I want to use Flux `HelmReleases` that refer to Helm charts stored
+> as OCI artifacts in GitHub Container Registry.
+
+First create a secret using a GitHub token that allows access to GHCR:
+
+```sh
+kubectl create secret docker-registry ghcr-charts \
+    --docker-server=ghcr.io \
+    --docker-username=$GITHUB_USER \
+    --docker-password=$GITHUB_TOKEN
+```
+
+Then define a `HelmRepository` of type `OCI` and reference the `dockerconfig` secret:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: ghcr-charts
+  namespace: default
+spec:
+  type: OCI
+  url: oci://ghcr.io/my-org/charts/
+  secretRef:
+    name: ghcr-charts
+```
+
+And finally in Flux `HelmReleases`, refer to the ghcr-charts `HelmRepository`:
+
+```yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 60m
+  chart:
+    spec:
+      chart: my-app
+      version: '1.0.x'
+      sourceRef:
+        kind: HelmRepository
+        name: ghcr-charts
+      interval: 1m # check for new OCI artifacts every minute
+```
+
+### Alternatives
+
+We could use introduce a new API type e.g. `HelmOCIRepository`. That is considered unpractical,
+as there is no benefit for users in having a dedicated kind instead of a `type` filed in the current
+`HelmRepository` API. Adding a `type` filed to the spec follows the Flux Bucket API design, where 
+the same Kind servers different implementations: AWS S3 vs Azure Blob vs Google Storage.
+
+## Design Details
+
+In source-controller we'll add a new predicate for indexing `HelmRepositories` based on the `spec.type` field.
+
+When the `spec.type` field is set to `OCI`, the `HelmRepositoryReconciler`
+will set the `HelmRepository` Ready status to `False` if the URL is not prefixed with `oci://`,
+otherwise the Ready status will be set to `True`.
+
+The current `HelmChartReconciler` will use the `HelmRepositories` with `type: Default`.
+For `type: OCI` we'll introduce a new reconciler `HelmChartOCIReconciler` that uses `oras` to download charts
+and their dependencies.
+
+### Enabling the feature
+
+The feature is enabled by default.
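Review bot: the "Design Details" section only describes URL validation for `type: OCI` (Ready `False` unless the URL starts with `oci://`), while the Proposal states that authentication relies on secrets of type `kubernetes.io/dockerconfigjson`; the RFC should also document how the `HelmRepositoryReconciler` reports a `secretRef` that is missing or points at a secret of another type, and how registry authentication or connection failures surface in the Ready condition, since a silently accepted misconfiguration is what users will otherwise debug. Two smaller points in the same hunk: the sentence "The feature is enabled by default." under "Enabling the feature" gives no opt-out, so either state that no feature gate exists or name the flag; and several typos should be fixed before merge: "most requested feature" should read "most requested features", "which preserve the current" should read "which preserves the current", "We could use introduce" should read "We could introduce", "`type` filed" (twice) should read "`type` field", and "the same Kind servers different implementations" should read "the same Kind serves different implementations".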
-- 
GitLab