As a Platform Operator, I want to securely deploy Helm charts to downstream clusters with no direct internet access.
Acceptance Criteria:
- A new mode is introduced in the `HelmOps` resource (e.g., via a flag like `airGap: true`).
- When this air-gap mode is enabled, the upstream Fleet controller will:
  - Pull the specified Helm chart from its repository.
  - Package the chart's contents into a new `Content` custom resource.
  - Distribute the reference to the `Content` resource, instead of the direct Helm chart reference, to the targeted downstream clusters using Fleet's existing bundle mechanism. Set up RBAC for the agent, so it can pull `Content` resources from its cluster namespace.
- The Fleet agent on a downstream, air-gapped cluster will:
  - Recognize and receive the `Content` resource.
  - Use the data within the `Content` resource to perform a local Helm installation or upgrade.
- The downstream cluster does not require direct network access to the original Helm repository. It does, however, have access to the k8s API of the management cluster.
- The solution must account for Helm chart dependencies, ensuring they are packaged within the `Content` resource.
- The process for handling private Helm repositories on the upstream cluster, using `helmSecretName`, remains secure and functional.