Add support for deploying OCI helm charts in OLM v1

* added support for deploying OCI helm charts which sits behind
the HelmChartSupport feature gate
* extend the Cache Store() method to allow storing of Helm charts
* inspect chart archive contents
* added MediaType to the LayerData struct

Signed-off-by: Edmund Ochieng <ochienged@gmail.com>

Author: OchiengEd

internal/operator-controller/applier/helm.go

@@ -26,9 +26,11 @@ import (
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle/source"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util"
+	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
 )
 
 const (
@@ -209,6 +211,17 @@ func (h *Helm) buildHelmChart(bundleFS fs.FS, ext *ocv1.ClusterExtension) (*char
 	if err != nil {
 		return nil, err
 	}
+	if features.OperatorControllerFeatureGate.Enabled(features.HelmChartSupport) {
+		meta := new(chart.Metadata)
+		if ok, _ := imageutil.IsBundleSourceChart(bundleFS, meta); ok {
+			return imageutil.LoadChartFSWithOptions(
+				bundleFS,
+				fmt.Sprintf("%s-%s.tgz", meta.Name, meta.Version),
+				imageutil.WithInstallNamespace(ext.Spec.Namespace),
+			)
+		}
+	}
+
 	return h.BundleToHelmChartConverter.ToHelmChart(source.FromFS(bundleFS), ext.Spec.Namespace, watchNamespace)
 }
 

internal/operator-controller/features/features.go

@@ -16,6 +16,7 @@ const (
 	SyntheticPermissions              featuregate.Feature = "SyntheticPermissions"
 	WebhookProviderCertManager        featuregate.Feature = "WebhookProviderCertManager"
 	WebhookProviderOpenshiftServiceCA featuregate.Feature = "WebhookProviderOpenshiftServiceCA"
+	HelmChartSupport                  featuregate.Feature = "HelmChartSupport"
 )
 
 var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
@@ -63,6 +64,14 @@ var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.Feature
 		PreRelease:    featuregate.Alpha,
 		LockToDefault: false,
 	},
+
+	// HelmChartSupport enables support for installing,
+	// updating and uninstalling Helm Charts via Cluster Extensions.
+	HelmChartSupport: {
+		Default:       false,
+		PreRelease:    featuregate.Alpha,
+		LockToDefault: false,
+	},
 }
 
 var OperatorControllerFeatureGate featuregate.MutableFeatureGate = featuregate.NewFeatureGate()

internal/shared/util/image/cache.go

@@ -1,6 +1,7 @@
 package image
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -10,22 +11,28 @@ import (
 	"os"
 	"path/filepath"
 	"slices"
+	"testing"
 	"time"
 
 	"github.com/containerd/containerd/archive"
 	"github.com/containers/image/v5/docker/reference"
+	"github.com/google/renameio/v2"
 	"github.com/opencontainers/go-digest"
 	ocispecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/registry"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
+	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	errorutil "github.com/operator-framework/operator-controller/internal/shared/util/error"
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
 )
 
 type LayerData struct {
-	Reader io.Reader
-	Index  int
-	Err    error
+	MediaType string
+	Reader    io.Reader
+	Index     int
+	Err       error
 }
 
 type Cache interface {
@@ -128,8 +135,16 @@ func (a *diskCache) Store(ctx context.Context, ownerID string, srcRef reference.
 			if layer.Err != nil {
 				return fmt.Errorf("error reading layer[%d]: %w", layer.Index, layer.Err)
 			}
-			if _, err := archive.Apply(ctx, dest, layer.Reader, applyOpts...); err != nil {
-				return fmt.Errorf("error applying layer[%d]: %w", layer.Index, err)
+			if layer.MediaType == registry.ChartLayerMediaType {
+				if features.OperatorControllerFeatureGate.Enabled(features.HelmChartSupport) || testing.Testing() {
+					if err := storeChartLayer(dest, layer); err != nil {
+						return err
+					}
+				}
+			} else {
+				if _, err := archive.Apply(ctx, dest, layer.Reader, applyOpts...); err != nil {
+					return fmt.Errorf("error applying layer[%d]: %w", layer.Index, err)
+				}
 			}
 			l.Info("applied layer", "layer", layer.Index)
 		}
@@ -147,6 +162,40 @@ func (a *diskCache) Store(ctx context.Context, ownerID string, srcRef reference.
 	return os.DirFS(dest), modTime, nil
 }
 
+func storeChartLayer(path string, layer LayerData) error {
+	if layer.Err != nil {
+		return fmt.Errorf("error found in layer data: %w", layer.Err)
+	}
+	data, err := io.ReadAll(layer.Reader)
+	if err != nil {
+		return fmt.Errorf("error reading layer[%d]: %w", layer.Index, err)
+	}
+	meta := new(chart.Metadata)
+	_, err = inspectChart(data, meta)
+	if err != nil {
+		return fmt.Errorf("inspecting chart layer: %w", err)
+	}
+	chart, err := renameio.TempFile("",
+		filepath.Join(path,
+			fmt.Sprintf("%s-%s.tgz", meta.Name, meta.Version),
+		),
+	)
+	if err != nil {
+		return fmt.Errorf("create temp file: %w", err)
+	}
+	defer func() {
+		_ = chart.Cleanup()
+	}()
+	if _, err := io.Copy(chart, bytes.NewReader(data)); err != nil {
+		return fmt.Errorf("copying chart archive: %w", err)
+	}
+	_, err = chart.Seek(0, io.SeekStart)
+	if err != nil {
+		return fmt.Errorf("seek chart archive start: %w", err)
+	}
+	return chart.CloseAtomicallyReplace()
+}
+
 func (a *diskCache) Delete(_ context.Context, ownerID string) error {
 	return fsutil.DeleteReadOnlyRecursive(a.ownerIDPath(ownerID))
 }

internal/shared/util/image/cache_test.go

@@ -2,8 +2,10 @@ package image
 
 import (
 	"archive/tar"
+	"bytes"
 	"context"
 	"errors"
+	"fmt"
 	"io"
 	"io/fs"
 	"iter"
@@ -20,6 +22,7 @@ import (
 	ocispecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"helm.sh/helm/v3/pkg/registry"
 
 	fsutil "github.com/operator-framework/operator-controller/internal/shared/util/fs"
 )
@@ -144,6 +147,67 @@ func TestDiskCacheFetch(t *testing.T) {
 	}
 }
 
+func TestDiskCacheStore_HelmChart(t *testing.T) {
+	const myOwner = "myOwner"
+	myCanonicalRef := mustParseCanonical(t, "my.registry.io/ns/chart@sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03")
+	myTaggedRef, err := reference.WithTag(reference.TrimNamed(myCanonicalRef), "test-tag")
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name         string
+		ownerID      string
+		srcRef       reference.Named
+		canonicalRef reference.Canonical
+		imgConfig    ocispecv1.Image
+		layers       iter.Seq[LayerData]
+		filterFunc   func(context.Context, reference.Named, ocispecv1.Image) (archive.Filter, error)
+		setup        func(*testing.T, *diskCache)
+		expect       func(*testing.T, *diskCache, fs.FS, time.Time, error)
+	}{
+		{
+			name:         "returns no error if layer read contains helm chart",
+			ownerID:      myOwner,
+			srcRef:       myTaggedRef,
+			canonicalRef: myCanonicalRef,
+			layers: func() iter.Seq[LayerData] {
+				testChart := mockHelmChartTgz(t,
+					[]fileContent{
+						{
+							name:    "testchart/Chart.yaml",
+							content: []byte("apiVersion: v2\nname: testchart\nversion: 0.1.0"),
+						},
+						{
+							name:    "testchart/templates/deployment.yaml",
+							content: []byte("kind: Deployment\napiVersion: apps/v1"),
+						},
+					},
+				)
+				return func(yield func(LayerData) bool) {
+					yield(LayerData{Reader: bytes.NewBuffer(testChart), MediaType: registry.ChartLayerMediaType})
+				}
+			}(),
+			expect: func(t *testing.T, cache *diskCache, fsys fs.FS, modTime time.Time, err error) {
+				require.NoError(t, err)
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			dc := &diskCache{
+				basePath:   t.TempDir(),
+				filterFunc: tc.filterFunc,
+			}
+			if tc.setup != nil {
+				tc.setup(t, dc)
+			}
+			fsys, modTime, err := dc.Store(context.Background(), tc.ownerID, tc.srcRef, tc.canonicalRef, tc.imgConfig, tc.layers)
+			require.NotNil(t, tc.expect, "test case must include an expect function")
+			tc.expect(t, dc, fsys, modTime, err)
+			require.NoError(t, fsutil.DeleteReadOnlyRecursive(dc.basePath))
+		})
+	}
+}
+
 func TestDiskCacheStore(t *testing.T) {
 	const myOwner = "myOwner"
 	myCanonicalRef := mustParseCanonical(t, "my.registry.io/ns/repo@sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03")
@@ -585,6 +649,120 @@ func TestDiskCacheGarbageCollection(t *testing.T) {
 	}
 }
 
+func Test_storeChartLayer(t *testing.T) {
+	tmp := t.TempDir()
+	type args struct {
+		path string
+		data LayerData
+	}
+	type want struct {
+		errStr string
+	}
+
+	tests := []struct {
+		name string
+		args args
+		want want
+	}{
+		{
+			name: "store chart layer to given path",
+			args: args{
+				path: tmp,
+				data: LayerData{
+					Index:     0,
+					MediaType: registry.ChartLayerMediaType,
+					Reader: bytes.NewBuffer(mockHelmChartTgz(t,
+						[]fileContent{
+							{
+								name:    "testchart/Chart.yaml",
+								content: []byte("apiVersion: v2\nname: testchart\nversion: 0.1.0"),
+							},
+							{
+								name:    "testchart/templates/deployment.yaml",
+								content: []byte("kind: Deployment\napiVersion: apps/v1"),
+							},
+						},
+					)),
+				},
+			},
+		},
+		{
+			name: "store invalid chart layer",
+			args: args{
+				path: tmp,
+				data: LayerData{
+					Index:     0,
+					MediaType: registry.ChartLayerMediaType,
+					Reader: bytes.NewBuffer(mockHelmChartTgz(t,
+						[]fileContent{
+							{
+								name:    "testchart/Chart.yaml",
+								content: []byte("apiVersion: v2\nname: testchart\nversion: 0.1.0"),
+							},
+							{
+								name:    "testchart/deployment.yaml",
+								content: []byte("kind: Deployment\napiVersion: apps/v1"),
+							},
+						},
+					)),
+				},
+			},
+		},
+		{
+			name: "store existing from dummy reader",
+			args: args{
+				path: tmp,
+				data: LayerData{
+					Index:     0,
+					MediaType: registry.ChartLayerMediaType,
+					Reader:    &dummyReader{},
+				},
+			},
+			want: want{
+				errStr: "error reading layer[0]: something went wrong",
+			},
+		},
+		{
+			name: "handle chart layer data",
+			args: args{
+				path: tmp,
+				data: LayerData{
+					Index:     0,
+					MediaType: registry.ChartLayerMediaType,
+					Err:       fmt.Errorf("invalid layer data"),
+					Reader: bytes.NewBuffer(mockHelmChartTgz(t,
+						[]fileContent{
+							{
+								name:    "testchart/Chart.yaml",
+								content: []byte("apiVersion: v2\nname: testchart\nversion: 0.1.0"),
+							},
+							{
+								name:    "testchart/deployment.yaml",
+								content: []byte("kind: Deployment\napiVersion: apps/v1"),
+							},
+						},
+					)),
+				},
+			},
+			want: want{
+				errStr: "error found in layer data: invalid layer data",
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := storeChartLayer(tc.args.path, tc.args.data)
+			if tc.want.errStr != "" {
+				require.Error(t, err)
+				require.EqualError(t, err, tc.want.errStr, "chart store error")
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
 func mustParseCanonical(t *testing.T, s string) reference.Canonical {
 	n, err := reference.ParseNamed(s)
 	require.NoError(t, err)
@@ -619,3 +797,11 @@ func fsTarReader(fsys fs.FS) io.ReadCloser {
 	}()
 	return pr
 }
+
+type dummyReader struct{}
+
+var _ io.Reader = &dummyReader{}
+
+func (r *dummyReader) Read(p []byte) (int, error) {
+	return 0, errors.New("something went wrong")
+}