feat(883): helm transfer

[matthiasbruns]

What this PR does / why we need it

This pull-request adds the "download classic helm chart" to the transformer api.

This PR adds a bigger refactoring to the existing inputand oci-image-creation` - the concepts stayed the same, just technical changes.

`
introduce helm access type from ocmv1
It also adds the missing Helm access type to the new ocm.

type Helm struct {
	// +ocm:jsonschema-gen:enum=Helm/v1,helm/v1
	// +ocm:jsonschema-gen:enum:deprecated=Helm,helm
	Type runtime.Type `json:"type"`

	// HelmRepository is the URL of the helm repository to load the chart from.
	HelmRepository string `json:"helmRepository"`

	// HelmChart if the name of the helm chart and its version separated by a colon.
	HelmChart string `json:"helmChart"`

	// Version can either be specified as part of the chart name or separately.
	Version string `json:"version,omitempty"`
}

It is important to note what I dropped deprecated fields from the spec. CA and Keyring related fields should be loaded from the credentials as already done in the helm input.

reuse blob download from helm input
Additionally, this PR refactors the download helm blob from input to generalize the logic and make it reusable for helm access as well.

Reuse chart to OCI from help input
I also generalized the chart->OCI logic from input and made it reusable. It is now used in both input and the convert transformer.

Refactor CopyChartToOCILayout
I had to refactor CopyChartToOCILayout to be able to get the ociImageSpecV1.Descriptor. The problem was that the whole impl was async. Channels lead to blocking goroutines since io.Pipe was not done writing at the point where I needed the descriptor. I had to create

type Result struct {
	*direct.Blob
	desc chan descriptorOrError
}

type descriptorOrError struct {
	Descriptor ociImageSpecV1.Descriptor
	Err        error
}

to delay the access to said data.

GetHelmChart transformer implementation

The get transformer does the following:

• validate input spec against new v1alpha1.GetHelmChart
• generate output paths for the spec output
• get credentials by requesting ResourceConsumerIdentityProvider.GetResourceCredentialConsumerIdentity which is implemented in the HelmAccess
• delegate download to generalized helm download from the input package (now downloads)
  • in theory, we could use this transformer also for oci helm download, since the downloader supports the feature
  • but we will use the native GetOCIArtifact from transformers (probably)
• resulting blobs (chart and optionally a prov) will be copied into *v1alpha1.File
• the output contains
  • the original Resource
  • the chart file pointer with v1alpha1.File
  • (optionally) the prov file pointer with *v1alpha1.File

ConvertHelmChartToOCI transformer implementation

The convertion transformer does the following:

• expect chart, prov and resources as input
• reuse the oci creation logic from input
• calculate the correct ImageReference for the OCIImage access
• push the artifact as localblob as an output back the the graph

testing

• The pr spawns a repotest.NewTempServer() mock http server pointing to the shared helm testdata/mychart-0.1.0.tgz dir
• In the test we create Resources with several variations of the Helm access
• Each test verifies that the files are correctly downloaded and equal the original file
• provenance file download added
  • Open Question: should we also verify during transform? Currently, we only download the .prov file
• helm to oci tests and validated the created oci image and the prov files

Which issue(s) this PR fixes

Contributes: open-component-model/ocm-project#883

Testing

How to test the changes

See #1846 for testing

make sure helm input did not break

#!/bin/zsh

alias OCM='go run ../../main.go'

# Test helm input with local path
CHART_PATH="../../../bindings/go/helm/testdata/mychart"

# stat the chart path to ensure it exists
if [ ! -d "$CHART_PATH" ]; then
  echo "Error: Chart path $CHART_PATH does not exist"
  exit 1
fi

cat <<EOF > constructor-input-local.yaml
components:
- name: ocm.software/helm-input-local
  version: 0.1.0
  provider:
    name: ocm.software
  resources:
  - name: mychart
    version: 0.1.0
    type: helmChart
    input:
      type: helm/v1
      path: $CHART_PATH
EOF

# create dir relative to current directory to avoid issues with absolute paths in the constructor
INPUT_CTF_LOCAL="input-ctf-local-$(date +%s)"
mkdir $INPUT_CTF_LOCAL
echo "Using temporary directory for helm input (local): $INPUT_CTF_LOCAL"

OCM add cv --repository ctf::$INPUT_CTF_LOCAL --constructor constructor-input-local.yaml

echo "--- Local helm input test passed ---"

# Test helm input with remote repository (uses same podinfo chart)
cat <<EOF > constructor-input-remote.yaml
components:
- name: ocm.software/helm-input-remote
  version: 6.9.1
  provider:
    name: ocm.software
  resources:
  - name: podinfo
    version: 6.9.1
    type: helmChart
    input:
      type: helm/v1
      helmRepository: https://stefanprodan.github.io/podinfo/podinfo-6.9.1.tgz
EOF

INPUT_CTF_REMOTE="input-ctf-remote-$(date +%s)"
mkdir $INPUT_CTF_REMOTE
echo "Using temporary directory for helm input (remote): $INPUT_CTF_REMOTE"

OCM add cv --repository ctf::$INPUT_CTF_REMOTE --constructor constructor-input-remote.yaml

echo "--- Remote helm input test passed ---"

Verification

• I have tested the changes locally by running ocm

Summary by CodeRabbit

• New Features

  • Added Helm access spec, credential-aware identity resolution, and options for TLS/credentials.
  • Remote Helm chart retrieval (HTTP/OCI) with provenance support and configurable buffering/output path handling.
  • Conversion of Helm charts into OCI image layouts and transformers to fetch charts and produce OCI artifacts.

• Tests

  • Extensive unit and integration tests covering access parsing, identity/error cases, downloads, provenance, OCI conversion, and transformers.

[fabianburth]

You already asked in the war room today about the helm repository - back then, I said let's not implement it, if we don't need it.
I think, I just did not really understand it yet. I thought this was just an implementation detail.
Now, after looking over this again, I think - to be conceptually correct - we would need a ResourceRepository implementation for helm. To be more precise a ReadOnlyResourceRepository. In the plugin contracts, we do have this distinction already (see here). In the library interfaces and the plugin manager, we do not have such a fine granular differentiation (see here).
I think, we will likely go with a workaround now. If we implement the helm as a resource repository, we just return an error if someone wants to use the upload for now.

But I think, you should still bring a larger conceptual discussion to the team to decide how we want to deal with this in the future.

[matthiasbruns]

You already asked in the war room today about the helm repository - back then, I said let's not implement it, if we don't need it. I think, I just did not really understand it yet. I thought this was just an implementation detail. Now, after looking over this again, I think - to be conceptually correct - we would need a ResourceRepository implementation for helm. To be more precise a ReadOnlyResourceRepository. In the plugin contracts, we do have this distinction already (see here). In the library interfaces and the plugin manager, we do not have such a fine granular differentiation (see here). I think, we will likely go with a workaround now. If we implement the helm as a resource repository, we just return an error if someone wants to use the upload for now.

But I think, you should still bring a larger conceptual discussion to the team to decide how we want to deal with this in the future.

Sure, I am still discovering - I also think it might make sense to introduce the repository (either in this PR or in a patch pr afterwards) and will discuss this in the next WR (tomorrow).

[matthiasbruns]

repotest.NewTempServer(t, repotest.WithChartSourceGlob("../testdata/provenance/mychart-*")) is not working with otel 1.40

go mod tidy
go: finding module for package go.opentelemetry.io/otel/sdk/internal/internaltest
go: ocm.software/open-component-model/bindings/go/helm/download imports
        helm.sh/helm/v4/pkg/registry tested by
        helm.sh/helm/v4/pkg/registry.test imports
        github.com/distribution/distribution/v3/registry imports
        github.com/distribution/distribution/v3/tracing imports
        go.opentelemetry.io/contrib/exporters/autoexport imports
        go.opentelemetry.io/otel/sdk/log tested by
        go.opentelemetry.io/otel/sdk/log.test imports
        go.opentelemetry.io/otel/sdk/internal/internaltest: module go.opentelemetry.io/otel/sdk@latest found (v1.40.0), but does not contain package go.opentelemetry.io/otel/sdk/internal/internaltest

[matthiasbruns]

@fabianburth I prepared a ticket for the resource repository
open-component-model/ocm-project#911

I quickly talked to jakob about this and came to the conclusion that we should tackle this as a follow up in favor of unblocking the helm transfer.
We can talk about this in the refinement today :)

[matthiasbruns]

helm-to-oci transformation will be added today

[matthiasbruns]

waiting for #1862 to be merged to support nullable fields

[Skarlso]

Some initial comments before testing commences. :)

[piotrjanik]

I have tested implementation locally. LGTM

[Skarlso]

Just a few couple of observations here and there.

My main concern is the duplication which is weird. But otherwise, looks okay.

moved everything that shouldnt be public into internal