fix: Deploy Application with Helm chart pointed by digest

[pgodowski]

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Title of the PR
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

Fixes #25078

In my organisation, we install Helm charts packaged into OCI repository, by pointing them via digest, e.g.

helm install example-registry-quay-openshift-operators.apps.quay-gori.cp.example.com/piotr/charts/test-nginx-chart/nginx@sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb

However, prior to the fix, one couldn't create Application with Helm OCI repository, when targetRevision is sha256 digest value, and not the image tag.

The underlying problem is with the Helm CLI commands produced by Argo, when image digest is being used, i.e.: the usage of --version flag, which Helm CLI tries to parse as a semver version, which obviously would fail when sha256 digest value is provided.

The Helm community discussed options what should be the proper helm CLI arguments, when image digests are used:

• Support digest pinning for OCI helm charts #23234
• OCI Specify Digest in Version Parameter helm/helm#10678
• feat: get charts by specifying the SHA256 checksum as the version. helm/helm#10799
• feat: OCI install by digest helm/helm#12690
• What do you want to see in OCI Support? helm/helm#10312 (comment)

With the conclusion, that whenever digest is used, the flag --version must not be used, and image digest must be specified as part of the helm chart name reference.

The fix is implemented in such a way that it detects whether targetRevision is either digest (sha256: prefix) or not and used different variant of Helm CLI flags depending on the actual condition.

Evidence from the ArgoUI that now both Helm charts pointed by semver or by digest work just fine (before the fix, only semver in targetRevision worked fine).

summary of make test:

DONE 6360 tests, 5 skipped in 137.957s

[bunnyshell]

❗ Preview Environment deployment failed on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[codecov]

Codecov Report

❌ Patch coverage is 63.63636% with 8 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (master@0d0cec6). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
util/helm/cmd.go	40.00%	2 Missing and 4 partials ⚠️
reposerver/repository/repository.go	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #25079   +/-   ##
=========================================
  Coverage          ?   62.22%           
=========================================
  Files             ?      352           
  Lines             ?    49229           
  Branches          ?        0           
=========================================
  Hits              ?    30633           
  Misses            ?    15662           
  Partials          ?     2934           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[olivergondza]

Will be easier to read formatted as:

if version != "" {
    if strings.HasPrefix(version, "sha256:") {
        // ...
    } else {
        // ...
    }
}

[pgodowski]

I added versions.IsDigest function to make the code look cleaner.

[olivergondza]

For these general purpose functions, is there any other use for digests except for this helm use-case? If not, I would argue the fix does not belong to util/versions/tags.go.

[pgodowski]

created versions.IsDigest in util/versions/digest.go

[nitishfy]

please write detailed comment on the changes behind it. Why is it okay to use the version flag? You can possibly link the issue as well so any dev who reads this code understand why this was set.

[pgodowski]

added comments and refactored the code introducing versions.IsDigest function call

[nitishfy]

Suggested change

	if version != "" && !strings.HasPrefix(version, "sha256:") {
	// it is ok to use version flag
	args = append(args, "--version", version)
	} else if version != "" && strings.HasPrefix(version, "sha256:") {
	// For sha256 digest, append it to the chart name
	chartName = fmt.Sprintf("%s@%s", chartName, version)
	}
	if version != "" {
	if strings.HasPrefix(version, "sha256:") {
	chartName = fmt.Sprintf("%s@%s", chartName, version)
	} else {
	args = append(args, "--version", version)
	}
	}

Please write comments too.

[pgodowski]

refactored with introduction of IsDigest function.

[nitishfy]

The code looks good to me. Tagging @blakepettersson for reviews!

[blakepettersson]

Something to keep in mind (which I informed you of in #24970) is that this already exists with the OCI support in 3.1. Is there any particular reason you want to duplicate this with the Helm client?

[blakepettersson]

It might make sense to have this with the Helm client as well, but I'd like to hold off to see what Helm 4 is going to do in terms of OCI support.

[pgodowski]

Thank you all for the comments - will respond within the next 2 days.

[pgodowski]

@blakepettersson

Something to keep in mind (which I informed you of in #24970) is that this already exists with the OCI support in 3.1. Is there any particular reason you want to duplicate this with the Helm client?

We would like to make it working with Helm client, due to the already existing investement in Helm based repos and relative low energy required to make Argo working fine with Helm/OCI/digests.

It might make sense to have this with the Helm client as well, but I'd like to hold off to see what Helm 4 is going to do in terms of OCI support.

Based on my study of Helm4 alpha content, it will further evolve OCI repositories support in slightly different aspects, i.e. to be able to discover Helm charts from OCI repositories (which does not exist with Helm3 - there is no helm chart repos/index.yaml support in Helm3/OCI).