Update cheatsheet for Helm OCI #2020

Merged
merged 1 commit into from
Jul 17, 2024
78 changes: 13 additions & 65 deletions content/en/flux/cheatsheets/oci-artifacts.md
Expand Up @@ -90,41 +90,38 @@ spec:

### Helm OCI

For Helm users, Flux comes with [support](/flux/guides/helmreleases/#helm-oci-repository) for
For Helm users, Flux comes with [support](/flux/guides/helmreleases/#oci-repository) for
defining Helm releases with charts stored in container registries.

Example:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: podinfo
namespace: flux-system
namespace: default
spec:
interval: 10m
type: oci
url: oci://ghcr.io/stefanprodan/charts
url: oci://ghcr.io/stefanprodan/charts/podinfo
ref:
semver: ">6.0.0"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: podinfo
namespace: flux-system
namespace: default
spec:
interval: 10m
targetNamespace: default
chart:
spec:
chart: podinfo
sourceRef:
kind: HelmRepository
name: podinfo
releaseName: podinfo
chartRef:
kind: OCIRepository
name: podinfo
```

The two artifact types can be used together, for example you could bundle a `Namespace`,
a `HelmRepository` and a `HelmRelease` into a Flux OCI artifact where the `HelmRepository`
points to a container registry where the chart is.
an `OCIRepository` and a `HelmRelease` into a Flux OCI artifact.

## Workflow examples

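Review bot: the new `OCIRepository` example uses `apiVersion: source.toolkit.fluxcd.io/v1beta2` while the `HelmRepository` it replaces (and the one in the removed verification section below) used `source.toolkit.fluxcd.io/v1`; please confirm `v1beta2` is the intended version for this cheatsheet rather than a leftover, since readers copy these blocks verbatim. Two behavioural changes in the example are also worth a sentence in the text: both objects move from `flux-system` to `default` and `targetNamespace: default` is dropped, so the release now installs into the `HelmRelease`'s own namespace (users who keep their `HelmRelease` in `flux-system` will need to restore `targetNamespace`), and the chart is now selected by `url: oci://ghcr.io/stefanprodan/charts/podinfo` plus `ref.semver: ">6.0.0"` instead of by `chart:`/`version:`, which is where version pinning for the chart now lives. Finally, the guide link anchor changed from `#helm-oci-repository` to `#oci-repository`; check that the target heading in `/flux/guides/helmreleases/` matches.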
Expand Down Expand Up @@ -541,55 +538,6 @@ Status:

Verification failures are also visible when running `flux get sources oci` and in Kubernetes events.

## Verify Helm charts

Flux comes with support for verifying Helm charts stored as OCI artifacts signed
with [Sigstore Cosign](https://github.com/sigstore/cosign) or [Notaryproject notation](https://https://github.com/notaryproject/notation).

The verification works the same as for `OCIRepository`, the main difference is that for Helm,
the verification must be enabled with `HelmRelease.spec.chart.spec.verify`.

Assuming you've pushed and signed a Helm chart with:

```shell
helm push <app-name>-<app-version>.tgz oci://<registry-host>/<org>/charts
cosign sign --key cosign.key <registry-host>/<org>/charts/<app-name>:<app-version>
```

You can configure Flux to verify the chart signature before installing and upgrading a Helm release:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: helm-charts
spec:
interval: 1h
url: oci://<registry-host>/<org>/charts
type: oci
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: <app-name>
spec:
interval: 1h
chart:
spec:
chart: <app-name>
version: <app-version>
sourceRef:
kind: HelmRepository
name: helm-charts
verify:
provider: cosign
secretRef:
name: cosign-pub
```

For more details on how Helm chart verification works,
please see the [HelmChart documentation](/flux/components/source/helmcharts/#verification).

## Monitoring

Configure alerting for when new artifacts are pulled and reconciled:
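Review bot: this hunk deletes the whole "Verify Helm charts" section, including the `verify:` block with `provider: cosign` and `secretRef: cosign-pub`, without leaving any pointer to how chart signature verification is done with the new `chartRef`/`OCIRepository` flow. The removed text itself said "The verification works the same as for `OCIRepository`", so rather than dropping the topic, keep a short note under "### Helm OCI" stating that when a `HelmRelease` references an `OCIRepository`, signature verification is configured on the `OCIRepository` (as shown earlier in this cheatsheet, with failures visible via `flux get sources oci` and in Kubernetes events), and keep the link to the chart verification docs. Otherwise a reader upgrading from the `HelmRepository` example will find `HelmRelease.spec.chart.spec.verify` gone from the page and may conclude verification is no longer available. Minor: the deleted section had a malformed URL `https://https://github.com/notaryproject/notation`; if any part of it is restored, fix that link.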