Add new server endpoint for installing OCI charts without Helm repository

[sowmya-sl]

Add dedicated endpoint and handler for installing Helm charts from OCI
registries. This provides a simplified installation flow for OCI charts
that doesn't require HelmChartRepository lookup.

Changes:

• Add InstallOCIChart function in actions for OCI-only installations
• Add HandleInstallOCIChart handler with OCI URL validation
• Register /api/helm/oci-chart endpoint in server routes
• Add tests for both the methods

HELM-598

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sowmya-sl
Once this PR has been reviewed and has the lgtm label, please assign jhadvig for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[webbnh]

I realize that this is still a draft PR, but I have a few comments.

Also, please ensure that all files end with a newline.

[webbnh]

Since the Zot cleanup comprises only a single line, and since we don't have similar comments elsewhere in this file, I would omit this comment.

[webbnh]

Having a fixed and silent fallback if HELM_VERSION is undefined is an invitation to trouble in the future (unless we keep the fallback version updated, which is its own kind of trouble).

I strongly recommend exiting with a message and error status if HELM_VERSION is undefined rather than supplying a default value.

[sowmya-sl]

I strongly recommend exiting with a message and error status if HELM_VERSION is undefined rather than supplying a default value.

I did not get you? Are you talking about installing helm chart?

[webbnh]

In line 7 of the code cited above, we set the value of the local variable $HELM_VERSON to the value of the existing environment variable with the same name, if the environment variable exists; otherwise, we force the value to be a fixed version, which will become increasingly inappropriate as time passes (unless we remember to come back and update this file in the future).

Instead of using the ${ :- } (default value) syntax, we should test that $HELM_VERSION is set, and, if it is not set, then exit the script with an error status.

[webbnh]

In Bash scripts, [[ is prefered over [.

[webbnh]

Since you don't turn the -e option back off, I believe you can combine these two lines together:

Suggested change

	#!/bin/bash
	set -e
	#!/bin/bash -e

Ditto for the other scripts.

[webbnh]

Are you sure that this URL is correct? I think the filename should begin with zb instead of zot.

Also, in downloadHelm.sh, the value of HELM_VERSION doesn't include the v (instead, it is added when the URL is constructed); we should probably be consistent in the treatment of ZOT_VERSION.

[sowmya-sl]

Its zot. Docs say zb is zot benchmark build.

Changed downloadHelm to include v in the HELM_VERSION

[webbnh]

Changed downloadHelm to include v in the HELM_VERSION

I happened to look at pkg/helm/actions/testdata/downloadChartmuseum.sh, and it omits the v from the variable value and adds it when constructing the URL. It would be best if we were consistent across all our files.

Is there a case where we would want a prefix other than v? If not, I suggest omitting it from the value.

[webbnh]

Why do we push two charts? Is there some difference between them which is significant? Or, are we just trying to ensure that the target registry can hold more than one? Or, is it something else?

[sowmya-sl]

I planned to use the other chart for the test with TLS. I will remove now, I can add when we actually do the tests.

[webbnh]

This script is identical to uploadOciCharts.sh except for the flag on the $HELM command and the port on the registry, right? I recommend combining the scripts and either using a command line argument to select the functionality or just making a single script which runs both sets of tests.

[webbnh]

I recommend against using a numeric value for the signal and instead suggest using a symbolic value (or just omitting it and using the default signal). (I think -15 is probably -SIGTERM, but I'm not sure, since it can vary between "Unixes"; and, I think that SIGTERM is the default.)

[webbnh]

"insecure" isn't really a good name: I don't think that the mere fact that we skip the TLS verification necessarily means that the connection is insecure. (At most, I think it means that we cannot be sure who we are connecting to, but the connection itself is, I think, still secure against third-parties.)

I think skipVerify or something similar would be better.

[sowmya-sl]

@webbnh I am thinking of moving this change to when we introduce GetDefaultOCIRegistry. (#15830). What do you say?

[webbnh]

That seems reasonable.

[webbnh]

It strikes me as odd that all three of these scenarios use the same releaseName value. Prior to your addition, the scenarios each had unique names, which seems appropriate.

The significance of the first scenario is that it uses an HTTP-based chart path, while the new scenarios use OCI-based paths. The difference between the two new paths is that one uses plain HTTP and the other uses TLS without verification. So, there's basis for making the names unique.

However, I have to wonder whether we aren't missing a few cells in the matrix: in terms of variables, we have:

• HTTP vs OCI path schemes
• plain HTTP vs. TLS(?)
• verified TLS vs. unverified TLS, and
• valid vs. invalid paths.

Presumably, for invalid paths, we don't need to test all of the other dimensions. And, presumably, for plain HTTP, we don't need to test TLS verification. But, for a valid path using TLS, presumably we should test both verified and unverified connections with both HTTP and OCI schemes. So, I think that there should be about seven cases:

• (1) invalid path
• valid path
  • plain HTTP
    • (2) HTTP scheme
    • (3) OCI scheme
  • TLS
    • verified
      • (4) HTTP scheme
      • (5) OCI scheme
    • unverified
      • (6) HTTP scheme
      • (7) OCI scheme

But, it's possible that not all of those make sense.

[sowmya-sl]

The test cases make sense. But I am not planning to add TLS test cases till the basic oci support is done end to end. Hope that is fine?

[webbnh]

My recommendation is to add the testing when the CUT (code under test) is added. (Technically, you're supposed to add the tests first, observe that they fail, then update the CUT, and observe that the tests pass...but I'm not sure that I've ever actually done that.... 🙃)

So, if the TLS support isn't going in, then you can omit adding the TLS testing; however, if you're adding latent support for TLS, then you should add the tests which correspond to whatever support you're adding to the CUT.

[webbnh]

Note that, in #15830, an attempt to use pkill is currently failing.