Originating Issue for Epic: Support Helm charts in OCI Container Registry
Problem to solve
Helm 3 is the eagerly awaited next release of Helm, the Kubernetes package manager and deploy tool. With the launch of Helm 3, which is now in beta, pushing and pulling charts can now be done via OCI Registry. This means that users can now utilize the GitLab Container Registry for hosting Helm charts.
The prospect of storing a project's container images and the associated Helm chart in the same place with the same credentials is thrilling. No third party repos are necessary, and the problem of the single-namespaced HTTP Helm repos goes away (i.e. a chart called "service" can only exist once). When pushed to the OCI registry, the Helm chart simply shares the same namespace as the GitLab project, just like the container images. Project, containers, and Helm chart also have the same lifecycle and can be managed together.
- The good news: It already works, and it's still alpha stage
- The bad news: the UI does not display the content
  - The bad part is that the registry UI displays: "No tags in Container Registry for this container image." and "Something went wrong while fetching the registry list."
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
Proposal
Update Docker Distribution Registry to add support for additional OCI media types, specifically Helm charts.
Further details
Media types
- I suspect the problem is similar to MR https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31127
- I think the media-type that Helm chose is application/vnd.cncf.helm.config.v1+json.
Why is this blocked
- This change requires changes to Docker Distribution Registry, and it seems these changes are not being moved into releases by Docker. So, we will need to utilize our fork of Docker Registry and make the changes in our fork.
- gitlab-org/charts/gitlab#1614 (closed) is intended to define a plan for utilizing our fork of DDR.
Permissions and Security
- Follow the same permissions model as the Container Registry:
  - Reporters and above can view and download charts
  - Developers and above can view, download, publish and delete charts
Documentation
- Container Registry Docs: Add Helm 3 examples
What does success look like, and how can we measure that?
- Success means users can push and pull Helm charts to the GitLab Container Registry and see the relevant metadata in the UI.
Links / references
Demo
Requires this alpha build: https://get.helm.sh/helm-v3.0.0-alpha.2-linux-amd64.tar.gz
# helm registry login --password "$(secret-tool lookup username_value tobias.wolf@example.com)" -u tobias.wolf@example.com gitlab.example.com:5005
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login succeeded
# helm create foo
Creating foo
# helm chart save foo gitlab.example.com:5005/tobias.wolf/build-test/helm/foo:0.0.1
Name: foo
Version: 0.1.0
Meta: sha256:42603b382336019d658ec8c0c71c57be421dc49a471ce6c6b776d7834e54cbec
Content: sha256:bfc11b014315e14f4191ff0cd53a7f9158db9013722c33919f566ae9d69b8ef1
0.0.1: saved
# helm chart push gitlab.example.com:5005/tobias.wolf/build-test/helm/foo:0.0.1
The push refers to repository [gitlab.example.com:5005/tobias.wolf/build-test/helm/foo]
Name: foo
Version: 0.1.0
Meta: sha256:42603b382336019d658ec8c0c71c57be421dc49a471ce6c6b776d7834e54cbec
Content: sha256:bfc11b014315e14f4191ff0cd53a7f9158db9013722c33919f566ae9d69b8ef1
0.0.1: pushed to remote (2 layers, 2.3 KiB total)
# rm -rf foo
# helm chart remove gitlab.example.com:5005/tobias.wolf/build-test/helm/foo:0.0.1
0.0.1: removed
# helm chart list
REF NAME VERSION DIGEST SIZE CREATED
# helm chart pull gitlab.example.com:5005/tobias.wolf/build-test/helm/foo:0.0.1
0.0.1: Pulling from gitlab.example.com:5005/tobias.wolf/build-test/helm/foo
Name: foo
Version: 0.1.0
Meta: sha256:42603b382336019d658ec8c0c71c57be421dc49a471ce6c6b776d7834e54cbec
Content: sha256:bfc11b014315e14f4191ff0cd53a7f9158db9013722c33919f566ae9d69b8ef1
Status: Chart is up to date for gitlab.example.com:5005/tobias.wolf/build-test/helm/foo:0.0.1
# helm chart list
REF NAME VERSION DIGEST SIZE CREATED
gitlab.example.com:5005/tobias.wolf/build-test/helm/foo:0.0.1 foo 0.1.0 bfc11b0 2.2 KiB 37 minutes
# helm chart export gitlab.example.com:5005/tobias.wolf/build-test/helm/foo:0.0.1
Name: foo
Version: 0.1.0
Meta: sha256:42603b382336019d658ec8c0c71c57be421dc49a471ce6c6b776d7834e54cbec
Content: sha256:bfc11b014315e14f4191ff0cd53a7f9158db9013722c33919f566ae9d69b8ef1
Exported to foo/
# find foo
foo
foo/.helmignore
foo/charts
foo/templates
foo/templates/service.yaml
foo/templates/ingress.yaml
foo/templates/deployment.yaml
foo/templates/_helpers.tpl
foo/templates/NOTES.txt
foo/values.yaml
foo/Chart.yaml
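
The media-type handling described under "Proposal" and "Media types" can be sketched as follows: classify a manifest by its config media type against an allow-list and check the config blob against its descriptor digest, so an unknown artifact type is reported explicitly instead of being treated as an image. This is an added Go example, not code from GitLab, Docker Distribution or Helm; the names `kinds`, `inspect` and `digestOf` and the sample config blob are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Allow-list: the Helm type is the one named in the issue; the others are the standard image config types.
var kinds = map[string]string{
	"application/vnd.docker.container.image.v1+json": "container image",
	"application/vnd.oci.image.config.v1+json":       "container image",
	"application/vnd.cncf.helm.config.v1+json":       "helm chart",
}

type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}
type manifest struct{ Config descriptor `json:"config"` }

func digestOf(b []byte) string { // registry-style content address of a blob
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// inspect (hypothetical helper) classifies a manifest and verifies its config blob; unknown types fail closed.
func inspect(raw, configBlob []byte) (string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", fmt.Errorf("invalid manifest: %w", err)
	}
	kind, ok := kinds[m.Config.MediaType]
	if !ok {
		return "", fmt.Errorf("unsupported config media type %q", m.Config.MediaType)
	}
	if m.Config.Digest != digestOf(configBlob) || m.Config.Size != int64(len(configBlob)) {
		return "", fmt.Errorf("config blob does not match descriptor %s", m.Config.Digest)
	}
	return kind, nil
}

func main() {
	cfg := []byte(`{"name":"foo","version":"0.1.0"}`) // constructed sample config blob
	raw, _ := json.Marshal(manifest{descriptor{"application/vnd.cncf.helm.config.v1+json", digestOf(cfg), int64(len(cfg))}})
	fmt.Println(inspect(raw, cfg))
}
```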