fix: pull external-secrets chart from OCI

.gitea/workflows/deploy.yml

@@ -237,14 +237,37 @@ jobs:
           }
 
           eso_diagnostics() {
-            kubectl -n flux-system get kustomizations,helmrepositories,helmcharts,helmreleases || true
+            kubectl -n flux-system get kustomizations,ocirepositories,helmrepositories,helmcharts,helmreleases || true
             kubectl -n flux-system describe kustomization addon-external-secrets || true
-            kubectl -n flux-system describe helmrepository external-secrets || true
-            kubectl -n flux-system describe helmchart.source.toolkit.fluxcd.io flux-system-external-secrets || true
+            kubectl -n flux-system describe ocirepository external-secrets || true
             kubectl -n flux-system describe helmrelease external-secrets || true
             kubectl -n external-secrets get pods -o wide || true
           }
 
+          wait_for_flux_oci_helm_release() {
+            local oci_name="$1"
+            local release_name="$2"
+            local target_namespace="$3"
+            local oci_timeout="$4"
+            local release_timeout="$5"
+            local reconcile_at
+
+            wait_for_resource flux-system "ocirepository.source.toolkit.fluxcd.io/${oci_name}" 600
+            reconcile_at="$(date +%s)"
+            kubectl -n flux-system annotate "ocirepository/${oci_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
+            kubectl -n flux-system annotate "helmrelease/${release_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
+
+            if ! kubectl -n flux-system wait --for=condition=Ready "ocirepository/${oci_name}" --timeout="${oci_timeout}"; then
+              eso_diagnostics
+              exit 1
+            fi
+
+            if ! kubectl -n flux-system wait --for=condition=Ready "helmrelease/${release_name}" --timeout="${release_timeout}"; then
+              eso_diagnostics
+              exit 1
+            fi
+          }
+
           flux_helm_diagnostics() {
             local repo_name="$1"
             local chart_name="$2"
@@ -318,7 +341,7 @@ jobs:
           # Wait directly on the ESO Helm objects; Kustomization readiness hides useful failure details.
           wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-external-secrets 600
           kubectl -n flux-system annotate kustomization/addon-external-secrets reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
-          wait_for_flux_helm_release external-secrets flux-system-external-secrets external-secrets external-secrets 900s 1800s 1800s
+          wait_for_flux_oci_helm_release external-secrets external-secrets external-secrets 1800s 1800s
           wait_for_resource "" crd/clustersecretstores.external-secrets.io 900
           wait_for_resource "" crd/externalsecrets.external-secrets.io 900
           kubectl wait --for=condition=established --timeout=600s crd/clustersecretstores.external-secrets.io

infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml

@@ -6,12 +6,8 @@ metadata:
 spec:
   interval: 10m
   targetNamespace: external-secrets
-  chart:
-    spec:
-      chart: external-secrets
-      version: 2.1.0
-      sourceRef:
-        kind: HelmRepository
+  chartRef:
+    kind: OCIRepository
     name: external-secrets
     namespace: flux-system
   install:

infrastructure/addons/external-secrets/helmrepository-external-secrets.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: external-secrets
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://charts.external-secrets.io

infrastructure/addons/external-secrets/kustomization.yaml

@@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - helmrepository-external-secrets.yaml
+  - ocirepository-external-secrets.yaml
   - helmrelease-external-secrets.yaml

infrastructure/addons/external-secrets/ocirepository-external-secrets.yaml

@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: external-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: oci://ghcr.io/external-secrets/charts/external-secrets
+  ref:
+    tag: 2.1.0
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy