Centralized catalog and sync pipeline for Kubernetes addons. Upstream Helm charts and their container images are mirrored to a private OCI registry so clusters can install addons without reaching the public internet.

addons/**/*.yaml   ──>   GitHub Actions   ──>   sync-chart (Go)   ──>   OCI Registry
                         detects new                                    (Artifact Registry)
                         chartVersions

When an addon file is pushed to main with a new chartVersion, the CI pipeline:

1. Pulls the upstream Helm chart (OCI or HTTP repo)
2. Renders templates and extracts container images from workload specs
3. Mirrors each image to the private registry via crane
4. Patches values.yaml to point at the mirrored images
5. Pushes the modified chart to oci://asia-south1-docker.pkg.dev/.../kluisz-managed-k8s-public-repository

Create a YAML file under the appropriate addons/<category>/ directory:

name: my-addon
description: "What this addon does"
category: NETWORKING          # NETWORKING | SECURITY | MONITORING | STORAGE | OTHER
namespace: my-namespace
chart: my-addon
originalRepo: "oci://ghcr.io/org/charts/my-addon"   # or https:// for HTTP repos
versions:
  - version: "1.0.0"
    chartVersion: "1.0.0"
    minK8sVersion: "1.31"
    maxK8sVersion: "1.35"

Open a PR. The validate-addon-charts workflow will verify that the chart and version are pullable from the upstream repo. Once merged, the sync-addon-charts workflow mirrors everything to the private registry.

For internal charts (no upstream), omit originalRepo -- these are pushed to the registry through other means and the sync pipeline skips them.

See schema/addon.schema.json for the full schema reference.

helm install <addon-name> \
  oci://asia-south1-docker.pkg.dev/<project>/kluisz-managed-k8s-public-repository/<chart> \
  --version <version> \
  --namespace <namespace> \
  --create-namespace

Example:

helm install cilium \
  oci://asia-south1-docker.pkg.dev/<project>/kluisz-managed-k8s-public-repository/cilium \
  --version 1.19.1 \
  --namespace kube-system

addons/
  monitoring/          kube-state-metrics, metrics-server
  networking/          cilium, coredns, traefik, kluisz-multus
  security/            cert-manager
  storage/             kluisz-csi-driver
  other/               kluisz-cluster-autoscaler, kluisz-nodepool-provider

tools/sync-chart/      Go application (5-step sync pipeline)
  main.go              Entry point and orchestration
  helm.go              Chart pull (step 1) and push (step 5)
  images.go            Image extraction (step 2) and mirroring (step 3)
  patch.go             values.yaml patching (step 4)

.github/workflows/
  sync-addon-charts.yml       Syncs new versions on push to main
  validate-addon-charts.yml   Validates chart pullability on PRs

schema/addon.schema.json      JSON schema for addon definition files
config.yaml                   OCI registry URL

Detects addon files with new chartVersion entries, then runs the sync-chart pipeline for each. Uses GCP Workload Identity Federation for registry authentication. Jobs run in parallel with fail-fast: false.

Can also be triggered manually via workflow_dispatch to re-sync all addons.

Same detection logic, but only validates that the upstream chart exists and is pullable -- no GCP auth or image mirroring needed. Catches typos and non-existent versions before they reach main.

cd tools/sync-chart

# Set required env vars
export REGISTRY=asia-south1-docker.pkg.dev/<project>/kluisz-managed-k8s-public-repository
export ADDON_CHART=cilium
export ADDON_REPO=https://helm.cilium.io
export ADDON_VERSION=1.19.1

# Authenticate to Artifact Registry
gcloud auth configure-docker asia-south1-docker.pkg.dev --quiet

go run .

cd tools/sync-chart
go test ./...