Add helm chart as blob to extension

It appears that there is currently no way for the extension to
retrieve the image pull secret to download the helm chart from an
oci repository.

Author: marwinski

pkg/apis/config/types.go

@@ -95,9 +95,11 @@ type AdditionalSeedManagedResource struct {
 	Helm HelmConfig
 }
 
-// HelmConfig specifies a Helm chart to pull from an OCI repository and render with values.
+// HelmConfig specifies a Helm chart source and render values.
+// Exactly one of OCIRepository or Chart must be set.
 type HelmConfig struct {
-	OCIRepository gardencorev1.OCIRepository
+	OCIRepository *gardencorev1.OCIRepository
+	Chart         *string
 	Values        *runtime.RawExtension
 }
 

pkg/apis/config/v1alpha1/types.go

@@ -110,10 +110,16 @@ type AdditionalSeedManagedResource struct {
 	Helm HelmConfig `json:"helm"`
 }
 
-// HelmConfig specifies a Helm chart to pull from an OCI repository and render with values.
+// HelmConfig specifies a Helm chart source and render values.
+// Exactly one of OCIRepository or Chart must be set.
 type HelmConfig struct {
 	// OCIRepository defines where to pull the chart from.
-	OCIRepository gardencorev1.OCIRepository `json:"ociRepository"`
+	// +optional
+	OCIRepository *gardencorev1.OCIRepository `json:"ociRepository,omitempty"`
+
+	// Chart is a base64-encoded, gzipped tar archive of the Helm chart.
+	// +optional
+	Chart *string `json:"chart,omitempty"`
 
 	// Values are the Helm values to use when rendering the chart.
 	// +optional

pkg/apis/config/v1alpha1/zz_generated.conversion.go

@@ -119,8 +119,14 @@ func validateAdditionalConfig(additional *config.AdditionalConfig, fldPath *fiel
 			names[res.Name] = true
 		}
 
-		if res.Helm.OCIRepository.Ref == nil || *res.Helm.OCIRepository.Ref == "" {
-			allErrs = append(allErrs, field.Required(idxPath.Child("helm").Child("ociRepository").Child("ref"), "OCI repository ref must not be empty"))
+		helmPath := idxPath.Child("helm")
+		hasOCI := res.Helm.OCIRepository != nil && res.Helm.OCIRepository.Ref != nil && *res.Helm.OCIRepository.Ref != ""
+		hasChart := res.Helm.Chart != nil && *res.Helm.Chart != ""
+
+		if hasOCI && hasChart {
+			allErrs = append(allErrs, field.Forbidden(helmPath, "only one of ociRepository or chart may be set"))
+		} else if !hasOCI && !hasChart {
+			allErrs = append(allErrs, field.Required(helmPath, "one of ociRepository.ref or chart must be set"))
 		}
 	}
 

pkg/apis/config/v1alpha1/zz_generated.deepcopy.go

@@ -196,7 +196,7 @@ var _ = Describe("ValidateConfiguration", func() {
 							{
 								Name: "my-nginx",
 								Helm: config.HelmConfig{
-									OCIRepository: gardencorev1.OCIRepository{
+									OCIRepository: &gardencorev1.OCIRepository{
 										Ref: ptr.To("registry-1.docker.io/bitnamicharts/nginx:25.0.5"),
 									},
 								},
@@ -212,7 +212,14 @@ var _ = Describe("ValidateConfiguration", func() {
 			Expect(ValidateConfiguration(conf)).To(BeEmpty())
 		})
 
-		It("should pass for valid seed managed resources", func() {
+		It("should pass for valid seed managed resources with OCI ref", func() {
+			Expect(ValidateConfiguration(conf)).To(BeEmpty())
+		})
+
+		It("should pass for valid seed managed resources with inline chart", func() {
+			conf.Falco.Additional.SeedManagedResources[0].Helm = config.HelmConfig{
+				Chart: ptr.To("H4sIAAAAAAAAA+3BAQ0AAADCoPdPbQ8HFAAAAAAAAAAAAAAAAAB+BjG/"),
+			}
 			Expect(ValidateConfiguration(conf)).To(BeEmpty())
 		})
 
@@ -249,29 +256,49 @@ var _ = Describe("ValidateConfiguration", func() {
 			))
 		})
 
-		It("should reject nil OCI repository ref", func() {
+		It("should reject when neither OCI ref nor chart is set", func() {
+			conf.Falco.Additional.SeedManagedResources[0].Helm = config.HelmConfig{}
+			Expect(ValidateConfiguration(conf)).To(ConsistOf(
+				PointTo(MatchFields(IgnoreExtras, Fields{
+					"Type":  Equal(field.ErrorTypeRequired),
+					"Field": Equal("falco.additional.seedManagedResources[0].helm"),
+				})),
+			))
+		})
+
+		It("should reject when both OCI ref and chart are set", func() {
+			conf.Falco.Additional.SeedManagedResources[0].Helm.Chart = ptr.To("H4sIAAAAAAAAA+3BAQ0AAADCoPdPbQ8HFAAAAAAAAAAAAAAAAAB+BjG/")
+			Expect(ValidateConfiguration(conf)).To(ConsistOf(
+				PointTo(MatchFields(IgnoreExtras, Fields{
+					"Type":  Equal(field.ErrorTypeForbidden),
+					"Field": Equal("falco.additional.seedManagedResources[0].helm"),
+				})),
+			))
+		})
+
+		It("should reject nil OCI repository ref when no chart set", func() {
 			conf.Falco.Additional.SeedManagedResources[0].Helm.OCIRepository.Ref = nil
 			Expect(ValidateConfiguration(conf)).To(ConsistOf(
 				PointTo(MatchFields(IgnoreExtras, Fields{
 					"Type":  Equal(field.ErrorTypeRequired),
-					"Field": Equal("falco.additional.seedManagedResources[0].helm.ociRepository.ref"),
+					"Field": Equal("falco.additional.seedManagedResources[0].helm"),
 				})),
 			))
 		})
 
-		It("should reject empty OCI repository ref", func() {
+		It("should reject empty OCI repository ref when no chart set", func() {
 			conf.Falco.Additional.SeedManagedResources[0].Helm.OCIRepository.Ref = ptr.To("")
 			Expect(ValidateConfiguration(conf)).To(ConsistOf(
 				PointTo(MatchFields(IgnoreExtras, Fields{
 					"Type":  Equal(field.ErrorTypeRequired),
-					"Field": Equal("falco.additional.seedManagedResources[0].helm.ociRepository.ref"),
+					"Field": Equal("falco.additional.seedManagedResources[0].helm"),
 				})),
 			))
 		})
 
 		It("should report multiple errors at once", func() {
 			conf.Falco.Additional.SeedManagedResources[0].Name = ""
-			conf.Falco.Additional.SeedManagedResources[0].Helm.OCIRepository.Ref = nil
+			conf.Falco.Additional.SeedManagedResources[0].Helm = config.HelmConfig{}
 			Expect(ValidateConfiguration(conf)).To(HaveLen(2))
 		})
 	})

pkg/apis/config/validation/validation.go

@@ -6,6 +6,7 @@ package additional
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -83,7 +84,7 @@ func (r *Reconciler) Deploy(ctx context.Context) error {
 		return nil
 	}
 
-	if r.renderer == nil || r.helmRegistry == nil {
+	if r.renderer == nil {
 		return fmt.Errorf("chart renderer not initialized — restConfig was nil at construction time")
 	}
 
@@ -104,9 +105,26 @@ func (r *Reconciler) Deploy(ctx context.Context) error {
 }
 
 func (r *Reconciler) deployResource(ctx context.Context, res config.AdditionalSeedManagedResource, mrName string, labels map[string]string) error {
-	archive, err := r.helmRegistry.Pull(ctx, &res.Helm.OCIRepository)
-	if err != nil {
-		return fmt.Errorf("failed to pull chart: %w", err)
+	var archive []byte
+	var err error
+
+	switch {
+	case res.Helm.Chart != nil && *res.Helm.Chart != "":
+		archive, err = base64.StdEncoding.DecodeString(*res.Helm.Chart)
+		if err != nil {
+			return fmt.Errorf("failed to decode inline chart: %w", err)
+		}
+	case res.Helm.OCIRepository != nil:
+		if r.helmRegistry == nil {
+			return fmt.Errorf("helm registry not initialized — restConfig was nil at construction time")
+		}
+		pullCtx := context.WithValue(ctx, oci.ContextKeySecretNamespace, r.namespace)
+		archive, err = r.helmRegistry.Pull(pullCtx, res.Helm.OCIRepository)
+		if err != nil {
+			return fmt.Errorf("failed to pull chart: %w", err)
+		}
+	default:
+		return fmt.Errorf("neither chart nor ociRepository set for resource %s", res.Name)
 	}
 
 	var values map[string]interface{}