Prepare for OCI publishing of helm charts to docker hub

.github/workflows/publish-helm-oci.yaml

@@ -0,0 +1,198 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Publish Helm Charts to OCI Registry
+
+on:
+  workflow_dispatch:
+    inputs:
+      solr-operator-chart-url:
+        description: 'URL to solr-operator Helm chart tarball (e.g., https://dist.apache.org/repos/dist/release/solr/solr-operator/v0.10.0/helm-charts/solr-operator-0.10.0.tgz)'
+        required: true
+        type: string
+      solr-chart-url:
+        description: 'URL to solr Helm chart tarball (e.g., https://dist.apache.org/repos/dist/release/solr/solr-operator/v0.10.0/helm-charts/solr-0.10.0.tgz)'
+        required: true
+        type: string
+      dry-run:
+        description: 'Dry run - download and verify charts but do not push to OCI registry'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  publish-oci:
+    name: Publish Helm Charts to OCI Registry
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 'latest'
+
+      - name: Login to Docker Hub
+        if: ${{ !inputs.dry-run }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Validate Input URLs
+        run: |
+          # Validate URLs are from expected Apache dist domain
+          if [[ ! "${{ inputs.solr-operator-chart-url }}" =~ ^https://dist\.apache\.org/repos/dist/(release|dev)/solr/ ]]; then
+            echo "Error: solr-operator-chart-url must be from dist.apache.org"
+            exit 1
+          fi
+          if [[ ! "${{ inputs.solr-chart-url }}" =~ ^https://dist\.apache\.org/repos/dist/(release|dev)/solr/ ]]; then
+            echo "Error: solr-chart-url must be from dist.apache.org"
+            exit 1
+          fi
+          echo "✓ URLs validated"
+
+      - name: Download Helm Charts
+        run: |
+          set -e
+          echo "Downloading solr-operator chart from: ${{ inputs.solr-operator-chart-url }}"
+          curl --fail --show-error --location --retry 3 --retry-delay 5 \
+            -o solr-operator.tgz "${{ inputs.solr-operator-chart-url }}"
+
+          echo "Downloading solr chart from: ${{ inputs.solr-chart-url }}"
+          curl --fail --show-error --location --retry 3 --retry-delay 5 \
+            -o solr.tgz "${{ inputs.solr-chart-url }}"
+
+          echo "Charts downloaded successfully:"
+          ls -lh *.tgz
+
+          # Verify they are valid tar files
+          echo "Verifying chart integrity..."
+          tar -tzf solr-operator.tgz > /dev/null
+          tar -tzf solr.tgz > /dev/null
+          echo "✓ Charts are valid tarballs"
+
+      - name: Download and Verify Checksums
+        run: |
+          set -e
+          echo "Downloading checksums..."
+
+          # Download SHA512 checksums
+          curl --fail --show-error --location --retry 3 --retry-delay 5 \
+            -o solr-operator.tgz.sha512 "${{ inputs.solr-operator-chart-url }}.sha512"
+
+          curl --fail --show-error --location --retry 3 --retry-delay 5 \
+            -o solr.tgz.sha512 "${{ inputs.solr-chart-url }}.sha512"
+
+          echo "Checksums downloaded:"
+          ls -lh *.sha512
+
+          # Verify SHA512 checksums
+          echo "Verifying solr-operator chart checksum..."
+          sha512sum -c solr-operator.tgz.sha512
+          echo "✓ solr-operator chart checksum verified"
+
+          echo "Verifying solr chart checksum..."
+          sha512sum -c solr.tgz.sha512
+          echo "✓ solr chart checksum verified"
+
+          echo ""
+          echo "✅ All checksums verified successfully"
+
+      - name: Extract Chart Versions
+        id: versions
+        run: |
+          # Extract version from solr-operator chart
+          OPERATOR_VERSION=$(tar -xzOf solr-operator.tgz solr-operator/Chart.yaml | grep '^version:' | awk '{print $2}')
+          echo "operator-version=${OPERATOR_VERSION}" >> $GITHUB_OUTPUT
+          echo "Solr Operator Chart Version: ${OPERATOR_VERSION}"
+
+          # Extract version from solr chart
+          SOLR_VERSION=$(tar -xzOf solr.tgz solr/Chart.yaml | grep '^version:' | awk '{print $2}')
+          echo "solr-version=${SOLR_VERSION}" >> $GITHUB_OUTPUT
+          echo "Solr Chart Version: ${SOLR_VERSION}"
+
+      - name: Push solr-operator chart to OCI registry
+        if: ${{ !inputs.dry-run }}
+        run: |
+          echo "Pushing solr-operator chart (version ${{ steps.versions.outputs.operator-version }}) to oci://docker.io/apache/solr-operator-chart"
+          helm push solr-operator.tgz oci://docker.io/apache/solr-operator-chart
+          echo "✓ solr-operator chart pushed successfully"
+
+      - name: Push solr chart to OCI registry
+        if: ${{ !inputs.dry-run }}
+        run: |
+          echo "Pushing solr chart (version ${{ steps.versions.outputs.solr-version }}) to oci://docker.io/apache/solr-chart"
+          helm push solr.tgz oci://docker.io/apache/solr-chart
+          echo "✓ solr chart pushed successfully"
+
+      - name: Dry Run Summary
+        if: ${{ inputs.dry-run }}
+        run: |
+          echo "## 🧪 Dry Run Mode - No Charts Published" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Validation Results" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ URLs validated from dist.apache.org" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Charts downloaded successfully" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Chart integrity verified (valid tarballs)" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ SHA512 checksums verified" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Chart versions extracted" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Chart Information" >> $GITHUB_STEP_SUMMARY
+          echo "- **Solr Operator Version**: \`${{ steps.versions.outputs.operator-version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Solr Chart Version**: \`${{ steps.versions.outputs.solr-version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Next Steps" >> $GITHUB_STEP_SUMMARY
+          echo "Run this workflow again with **dry-run = false** to publish the charts to OCI registries." >> $GITHUB_STEP_SUMMARY
+
+      - name: Verify Published Charts
+        if: ${{ !inputs.dry-run }}
+        run: |
+          echo "Verifying charts are accessible from OCI registry..."
+
+          # Verify solr-operator chart
+          echo "Pulling solr-operator chart version ${{ steps.versions.outputs.operator-version }}..."
+          helm pull oci://docker.io/apache/solr-operator-chart --version ${{ steps.versions.outputs.operator-version }}
+          echo "✓ solr-operator chart verified"
+
+          # Verify solr chart
+          echo "Pulling solr chart version ${{ steps.versions.outputs.solr-version }}..."
+          helm pull oci://docker.io/apache/solr-chart --version ${{ steps.versions.outputs.solr-version }}
+          echo "✓ solr chart verified"
+
+      - name: Summary
+        if: ${{ success() && !inputs.dry-run }}
+        run: |
+          echo "## ✅ Successfully Published Helm Charts" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "The following charts have been published to OCI registries:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Solr Operator Chart" >> $GITHUB_STEP_SUMMARY
+          echo "- **Registry**: \`oci://docker.io/apache/solr-operator-chart\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Version**: \`${{ steps.versions.outputs.operator-version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Install**: \`helm install solr-operator oci://docker.io/apache/solr-operator-chart --version ${{ steps.versions.outputs.operator-version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Solr Chart" >> $GITHUB_STEP_SUMMARY
+          echo "- **Registry**: \`oci://docker.io/apache/solr-chart\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Version**: \`${{ steps.versions.outputs.solr-version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Install**: \`helm install solr oci://docker.io/apache/solr-chart --version ${{ steps.versions.outputs.solr-version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Verification" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Charts downloaded and checksums verified" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Charts pushed to OCI registries" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Charts verified as accessible from OCI registry" >> $GITHUB_STEP_SUMMARY

README.md

@@ -54,8 +54,12 @@ Join us on the [#solr-operator](https://kubernetes.slack.com/messages/solr-opera
 Please visit the following pages for documentation on using and developing the Solr Operator:
 
 - [Local Tutorial](https://apache.github.io/solr-operator/docs/local_tutorial)
-- [Helm Instructions via Artifact Hub](https://artifacthub.io/packages/helm/apache-solr/solr-operator)
-  - The released helm charts and their instructions should be used for all safe and stable deployments.
+- **Helm Chart Installation**
+  - The Helm charts are available via OCI registry (recommended):
+    - **Solr Operator**: `helm install solr-operator oci://docker.io/apache/solr-operator-chart --version <VERSION>`
+    - **Solr Cloud**: `helm install solr oci://docker.io/apache/solr-chart --version <VERSION>`
+  - Or via traditional HTTPS repository: [Helm Instructions via Artifact Hub](https://artifacthub.io/packages/helm/apache-solr/solr-operator)
+  - The released helm charts should be used for all safe and stable deployments.
     The charts found in `helm/` are not guaranteed to be compatible with the last stable release, and should only be used for development purposes.
 - [Running the Solr Operator](https://apache.github.io/solr-operator/docs/running-the-operator)
 - [Known Issues](https://apache.github.io/solr-operator/docs/known-issues)

hack/release/wizard/releaseWizard.yaml

@@ -1108,6 +1108,53 @@ groups:
           cmd: ./hack/release/upload/upload_helm.sh -g "{{ gpg_key | default("<gpg_key_id>", True) }}" -a "{{ gpg.apache_id | default("<apache_id>", True) }}" -c "{{ official_helm_charts_url }}" -r "{{ dist_release_url }}"
           logfile: upload_helm.log
           tee: true
+  - !Todo
+    id: publish_helm_charts_oci
+    title: Publish Helm charts to OCI registry (Docker Hub)
+    depends: publish_helm_charts
+    vars:
+      dist_release_url: https://dist.apache.org/repos/dist/release/solr/solr-operator/{{ release_version }}
+      solr_operator_chart_url: '{{ dist_release_url }}/helm-charts/solr-operator-{{ release_version[1:] }}.tgz'
+      solr_chart_url: '{{ dist_release_url }}/helm-charts/solr-{{ release_version[1:] }}.tgz'
+      workflow_url: https://github.com/apache/solr-operator/actions/workflows/publish-helm-oci.yaml
+    description: |
+      Publish the Helm charts to OCI registries on Docker Hub using the GitHub Actions workflow.
+
+      This task publishes the voted Helm charts to OCI registries, making them available via:
+        - oci://docker.io/apache/solr-operator-chart
+        - oci://docker.io/apache/solr-chart
+
+      Steps to publish:
+      1. Navigate to the GitHub Actions workflow:
+         {{ workflow_url }}
+
+      2. Click the "Run workflow" button on the right side
+
+      3. Fill in the workflow inputs:
+         - solr-operator-chart-url: {{ solr_operator_chart_url }}
+         - solr-chart-url: {{ solr_chart_url }}
+         - dry-run: false (set to true for validation without publishing)
+
+      4. Optional: Run with dry-run=true first to verify:
+         - URLs are valid and accessible
+         - Charts download successfully
+         - SHA512 checksums match
+         - Chart versions are correct
+
+      5. Click "Run workflow" to start the job
+
+      6. Monitor the workflow execution for any errors
+
+      7. Verify successful completion by checking that both charts are accessible:
+         helm pull oci://docker.io/apache/solr-operator-chart --version {{ release_version[1:] }}
+         helm pull oci://docker.io/apache/solr-chart --version {{ release_version[1:] }}
+
+      Note: The workflow uses repository secrets DOCKERHUB_USER and DOCKERHUB_TOKEN for authentication.
+      The workflow automatically verifies SHA512 checksums before publishing.
+    links:
+      - '{{ workflow_url }}'
+      - '{{ solr_operator_chart_url }}'
+      - '{{ solr_chart_url }}'
   - !Todo
     id: publish_crds
     title: Publish the staged CRDs
@@ -1167,11 +1214,14 @@ groups:
     depends:
       - publish_docker_image
       - publish_helm_charts
+      - publish_helm_charts_oci
     description: |
       Check to make sure that ArtifactHub has successfully loaded the {{ release_version }} version of the Solr Operator and Solr Helm Charts.
       Mark this as complete when you have confirmed all aspects of the chart in artifactHub.
 
       The ChangeLog is very finicky, so make sure that it renders correctly.
+
+      Also verify that the OCI registry information is correctly displayed on ArtifactHub.
     links:
       - https://artifacthub.io/packages/helm/apache-solr/solr-operator
       - https://artifacthub.io/packages/helm/apache-solr/solr

helm/solr-operator/README.md

@@ -31,19 +31,34 @@ If you do not wish to use the Zookeeper Operator, set:
 - `zookeeper-operator.use: false`
 
 
-### Adding the Solr Operator Helm Chart Repository
-You should only need to add the solr operator helm chart repository once, by running the following command:
+### Installing the Chart
+
+The Solr Operator Helm chart can be installed using either the OCI registry (recommended) or the traditional HTTPS repository.
+
+#### Installation via OCI Registry (Recommended)
+
+The Helm chart is available directly from Docker Hub as an OCI artifact, which provides a more reliable distribution mechanism and doesn't require adding a repository.
 
 ```bash
-helm repo add apache-solr https://solr.apache.org/charts
+# Install CRDs first
+kubectl create -f https://solr.apache.org/operator/downloads/crds/v0.10.0-prerelease/all-with-dependencies.yaml
+
+# Install the Solr Operator from OCI registry
+helm install solr-operator oci://docker.io/apache/solr-operator-chart --version 0.10.0-prerelease
 ```
 
-### Installing the Chart
+#### Installation via HTTPS Repository (Traditional)
 
-To install the Solr Operator for the first time in your cluster, you can use the latest version or a specific version, run with the following commands:
+If you prefer the traditional method, you can add the Helm repository and install from there.
 
 ```bash
+# Add the repository (only needed once)
+helm repo add apache-solr https://solr.apache.org/charts
+
+# Install CRDs first
 kubectl create -f https://solr.apache.org/operator/downloads/crds/v0.10.0-prerelease/all-with-dependencies.yaml
+
+# Install the Solr Operator from HTTPS repository
 helm install solr-operator apache-solr/solr-operator --version 0.10.0-prerelease
 ```
 
@@ -57,7 +72,13 @@ _Note that the Helm chart version does not contain a `v` prefix, which the downl
 If you are upgrading your Solr Operator deployment, you should always use a specific version of the chart and pre-install the Solr CRDS:
 
 ```bash
+# Upgrade CRDs first
 kubectl replace -f https://solr.apache.org/operator/downloads/crds/v0.10.0-prerelease/all-with-dependencies.yaml
+
+# Upgrade via OCI registry (recommended)
+helm upgrade solr-operator oci://docker.io/apache/solr-operator-chart --version 0.10.0-prerelease
+
+# Or upgrade via HTTPS repository (traditional)
 helm upgrade solr-operator apache-solr/solr-operator --version 0.10.0-prerelease
 ```
 
@@ -67,18 +88,20 @@ If you want to specify the namespace for the installation, use the `--namespace`
 All resources will be deployed to the given namespace.
 
 ```bash
-helm install solr-operator apache-solr/solr-operator --namespace solr
+helm install solr-operator oci://docker.io/apache/solr-operator-chart --version 0.10.0-prerelease --namespace solr
 ```
 
 If you want to only watch that namespace, or others, then you will have to provide the `watchNamespaces` option.
 
 ```bash
 # Watch the namespace where the operator is deployed to (just pass the boolean true)
-helm install solr-operator apache-solr/solr-operator --namespace solr --set watchNamespaces=true
+helm install solr-operator oci://docker.io/apache/solr-operator-chart --version 0.10.0-prerelease --namespace solr --set watchNamespaces=true
+
 # Watch a single namespace different than the one being deployed to
-helm install solr-operator apache-solr/solr-operator --namespace solr --set watchNamespaces=other
-# Watch multiple namespaces (commmas must be escaped in the set string)
-helm install solr-operator apache-solr/solr-operator --namespace solr --set watchNamespaces="team1\,team2\,team3"
+helm install solr-operator oci://docker.io/apache/solr-operator-chart --version 0.10.0-prerelease --namespace solr --set watchNamespaces=other
+
+# Watch multiple namespaces (commas must be escaped in the set string)
+helm install solr-operator oci://docker.io/apache/solr-operator-chart --version 0.10.0-prerelease --namespace solr --set watchNamespaces="team1\,team2\,team3"
 ```
 
 Note: Passing `false` or `""` to the `watchNamespaces` variable will both result in the operator watchting all namespaces in the Kube cluster.
@@ -91,7 +114,11 @@ If you have solr operator installations in multiple namespaces that are managed
 This can be done with the `--skip-crds` helm option.
 
 ```bash
-helm install solr-operator apache-solr/solr-operator --skip-crds --namespace solr
+# Via OCI registry
+helm install solr-operator oci://docker.io/apache/solr-operator-chart --version 0.10.0-prerelease --skip-crds --namespace solr
+
+# Or via HTTPS repository
+helm install solr-operator apache-solr/solr-operator --version 0.10.0-prerelease --skip-crds --namespace solr
 ```
 
 **Helm will not upgrade CRDs once they have been installed.