Merged
2 changes: 1 addition & 1 deletion hyperfleet/adrs/0014-konflux-build-and-release.md
Expand Up @@ -21,7 +21,7 @@ Adopt a hybrid model: **Konflux handles image build and release, Prow retains E2
The architecture has three layers:

- **PaC (Pipelines as Code)** — trigger layer. Watches GitHub webhooks and matches git events (push to main, version tags) to `.tekton/` pipeline files in each component repo.
- **Konflux** — orchestration layer. Builds images, generates SBOM, signs provenance (Tekton Chains), runs Enterprise Contract validation, and releases to `quay.io/redhat-services-prod/hyperfleet/`.
- **Konflux** — orchestration layer. Builds images, generates SBOM, signs provenance (Tekton Chains), runs Enterprise Contract validation, and releases to `quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet/`.
- **Prow** — test layer. Runs nightly and RC E2E tests against Konflux-built images from Quay. Retains PR presubmit checks (lint, unit tests).

Key design choices:
Expand Down
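Review bot: the registry path change on this line needs the same treatment everywhere the image path is resolved, not only in the ADR text; the bill-of-artifacts and glossary entries are updated in this PR, but this hunk does not show the ADR's front matter, so check that its `Last Updated` was bumped the way the glossary's was (2026-05-11). It would also help to state whether the old `quay.io/redhat-services-prod/hyperfleet/` path is retired or kept as a mirror, since the Prow E2E tests and partner ArgoCD deployments described on the surrounding lines consume images from Quay by path.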
52 changes: 52 additions & 0 deletions hyperfleet/adrs/0016-helm-oci-distribution.md
@@ -0,0 +1,52 @@
---
Status: Active
Owner: Ciaran Roche
Last Updated: 2026-05-11
---

# 0016 — Helm OCI Distribution via Konflux

## Context

HyperFleet distributes Helm charts to partner teams (GCP, ROSA) via the `helm-git` plugin, which pulls charts directly from Git repositories. This approach requires every consumer to install the plugin, provides no versioning semantics or content-addressable storage, and lacks signing or provenance. ArgoCD does not ship with `helm-git`, requiring custom images.

The Helm ecosystem has converged on OCI registries as the standard distribution mechanism (Bitnami OCI-only migration, Harbor ChartMuseum removal, Helm 4 OCI-first). Konflux provides native Helm chart OCI support through `build-helm-chart-oci-ta` and a dedicated release pipeline.

## Decision

Publish all HyperFleet Helm charts as OCI artifacts to Quay.io via the Konflux release pipeline.

Key design choices:

- **Konflux native tooling** — `build-helm-chart-oci-ta` for chart packaging. Managed release pipeline for external registries pending from Konflux team (reference RELEASE-2363). No custom Tekton tasks or GitHub Actions.
- **Separate Konflux Components** for chart builds — each component repo registers a `-chart` Component alongside its container image Component. Independent build triggers and Snapshots.
- **Chart-specific EC policy** derived from `registry-standard` with container-specific rules excluded (no base image checks, CVE scanning, SBOM, or label requirements). Provenance verification retained.
- **Standard image references** — chart `values.yaml` defaults point to Konflux-built images, overridable via `image.repository` and `image.tag` for local dev and E2E testing.
- **Coupled versioning** — chart version and appVersion always match the git tag. Chart and app live in the same repo, get the same tag, and `build-helm-chart-oci-ta` derives the version automatically.
- **`hyperfleet-infra` umbrella chart dependencies** migrate from `helm-git` to `oci://` references for versioned, content-addressable chart resolution.

See [Helm OCI Distribution Design](../docs/release/helm-oci-distribution-design.md) for the full design document.

## Consequences

**Gains:**

- No plugin dependency for chart consumers — standard Helm CLI and ArgoCD OCI support
- Immutable, content-addressable chart versions with SHA256 digests
- Supply chain security for charts — Tekton Chains provenance and cosign signing
- Single registry and pipeline for all artifacts (images and charts)
- Chart image defaults point to Konflux-built images, overridable for local dev and E2E

**Trade-offs:**

- Additional Konflux configuration to maintain (Components, RPA, EC policy per chart)
- `hyperfleet-infra` umbrella chart migration requires testing with local dev and E2E workflows

## Alternatives Considered

| Alternative | Why Rejected |
|-------------|--------------|
| Continue with helm-git | Plugin dependency, no versioning/signing/provenance, ArgoCD requires custom images. Industry moving away. |
| GitHub Actions for chart publishing | Split pattern (Konflux for images, GHA for charts). No Chains provenance. Konflux has native support. |
| Traditional Helm repository (ChartMuseum / GitHub Pages) | Separate infrastructure. ChartMuseum deprecated. No content-addressable storage or signing. |
| Single Konflux Component for image + chart | Konflux's Snapshot model produces one artifact per Component. A single Component cannot produce both a container image and a Helm chart OCI artifact. All teams (RHOAI, flightctl) use separate Components. |
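Review bot: the Consequences section promises "Tekton Chains provenance and cosign signing" for charts, while the Decision says the managed release pipeline for external registries is still pending (RELEASE-2363); state what is actually signed and published in the interim so the ADR does not claim a guarantee consumers cannot yet verify. Two smaller points in the same spirit: the chart-specific EC policy drops SBOM and CVE checks, which is reasonable for a chart artifact that carries no binaries, but the `values.yaml` image defaults are the remaining supply-chain link from chart to image, so say whether those defaults are digests or mutable tags; and `Status: Active` sits oddly next to a pipeline that does not exist yet, so `Proposed` (as the README table uses for 0013) may fit better until RELEASE-2363 lands.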
1 change: 1 addition & 0 deletions hyperfleet/adrs/README.md
Expand Up @@ -91,3 +91,4 @@ What did we decide? State it plainly.
| [0013](0013-force-delete-scope-db-only.md) | Force Delete Scope: Database-Only | Proposed | 2026-05-01 |
| [0014](0014-konflux-build-and-release.md) | Konflux for Container Image Build and Release | Active | 2026-04-21 |
| [0015](0015-eventual-consistency-for-read-path.md) | Eventual Consistency for the API Read Path | Active | 2026-05-08 |
| [0016](0016-helm-oci-distribution.md) | Helm OCI Distribution via Konflux | Active | 2026-05-11 |
5 changes: 3 additions & 2 deletions hyperfleet/bill-of-artifacts.md
Expand Up @@ -199,11 +199,11 @@ All core services use testcontainers-go for integration testing and golangci-lin
|-------|-------|
| **Release Process** | [hyperfleet-release-process.md](./docs/release/hyperfleet-release-process.md) |
| **Pipeline Design** | [konflux-release-pipeline-design.md](./docs/release/konflux-release-pipeline-design.md) |
| **ADR** | [0013 — Konflux for Container Image Build and Release](./adrs/0013-konflux-build-and-release.md) |
| **ADR** | [0014 — Konflux for Container Image Build and Release](./adrs/0014-konflux-build-and-release.md) |

### 6.1 Konflux (Build and Release)

Container images are built and released via Konflux on the `stone-prd-rh01` cluster. PaC tag-triggered pipelines build images, Tekton Chains signs provenance, and the `rh-push-to-external-registry` pipeline publishes to `quay.io/redhat-services-prod/hyperfleet/`. See [Konflux Release Pipeline Design](./docs/release/konflux-release-pipeline-design.md) for full architecture.
Container images are built and released via Konflux on the `kflux-prd-rh02` cluster. PaC tag-triggered pipelines build images, Tekton Chains signs provenance, and the `rh-push-to-external-registry` pipeline publishes to `quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet/`. Helm charts will be published as OCI artifacts via the `build-helm-chart-oci-ta` task to `quay.io/redhat-services-prod/hyperfleet-tenant/` (pending a managed release pipeline for external registries from the Konflux team). See [Konflux Release Pipeline Design](./docs/release/konflux-release-pipeline-design.md) and [Helm OCI Distribution Design](./docs/release/helm-oci-distribution-design.md) for full architecture.

### 6.2 Prow CI

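Review bot: the chart target path `quay.io/redhat-services-prod/hyperfleet-tenant/` on the updated 6.1 line lacks the `hyperfleet/` segment that the image path on the same line uses; confirm whether charts are meant to sit at the tenant root or under `hyperfleet/`, and use the same path in the glossary's Quay entry so the two documents agree. The future-tense "will be published ... (pending ...)" is acceptable for now, but since the Bill of Artifacts inventories what exists, add a follow-up to revisit it when RELEASE-2363 is delivered.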
Expand All @@ -225,3 +225,4 @@ CI system for PR validation and E2E testing. Presubmit and postsubmit jobs acros
| Date | Version | Change | Author |
|------|---------|--------|--------|
| 2026-03-25 | 1.0 | Initial Bill of Artifacts | Tirth Chetan Thakkar |
| 2026-05-11 | 1.1 | Updated Konflux section: cluster to kflux-prd-rh02, added Helm OCI distribution, fixed ADR reference | Ciaran Roche |
3 changes: 1 addition & 2 deletions hyperfleet/components/adapter/adapter-versioning.md
Expand Up @@ -113,8 +113,7 @@ Adapter Binary v1.2.5 uses Config Schema 1.2

**Helm Chart Versioning:**
- Each adapter config is packaged as a Helm chart
- Helm chart version follows semantic versioning independently
- Chart version != Binary version != Schema version
- Chart version and app version are coupled — both track the same git tag (see [Helm Chart Conventions](../../standards/helm-chart-conventions.md) Section 3)

**Example deployment manifest:**
```yaml
Expand Down
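Review bot: the removed line `Chart version != Binary version != Schema version` carried the schema relation, and the replacement only couples chart version to app version; say explicitly that the Config Schema version remains independent of the git tag (the context line above still reads `Adapter Binary v1.2.5 uses Config Schema 1.2`), otherwise a reader may infer that the schema now follows the tag as well.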
10 changes: 9 additions & 1 deletion hyperfleet/docs/release/README.md
@@ -1,3 +1,9 @@
---
Status: Active
Owner: HyperFleet Team
Last Updated: 2026-05-11
---

# Release Documentation

## Start Here
Expand All @@ -6,8 +12,10 @@
|----------|---------|
| [Konflux Release Pipeline Design](./konflux-release-pipeline-design.md) | How the build and release pipeline works — architecture, flows, and design decisions |
| [HyperFleet Release Process](./hyperfleet-release-process.md) | The release process — cadence, checklists, branching, bug handling, hotfixes |
| [Helm OCI Distribution Design](./helm-oci-distribution-design.md) | How Helm charts are published as OCI artifacts via Konflux |
| [Glossary](./glossary.md) | Definitions of terms used across the release docs |
| [ADR 0013](../../adrs/0013-konflux-build-and-release.md) | Decision record for adopting Konflux |
| [ADR 0014](../../adrs/0014-konflux-build-and-release.md) | Decision record for adopting Konflux |
| [ADR 0016](../../adrs/0016-helm-oci-distribution.md) | Decision record for Helm OCI distribution |

## Prow Test and Release

Expand Down
8 changes: 5 additions & 3 deletions hyperfleet/docs/release/glossary.md
@@ -1,7 +1,7 @@
---
Status: Active
Owner: HyperFleet Team
Last Updated: 2026-04-21
Last Updated: 2026-05-11
---

# Release Glossary
Expand Down Expand Up @@ -59,8 +59,10 @@ Key terms used across the release docs. Written for someone encountering these s

| Term | Definition |
|------|------------|
| **stone-prd-rh01** | Konflux production cluster hosted by Red Hat. Runs the PaC controller, Tekton Chains, and release pipelines for HyperFleet. |
| **Quay** | Red Hat's container registry. HyperFleet images are published to `quay.io/redhat-services-prod/hyperfleet/`. |
| **kflux-prd-rh02** | Konflux production cluster hosted by Red Hat. Runs the PaC controller, Tekton Chains, and release pipelines for HyperFleet. |
| **Quay** | Red Hat's container registry. HyperFleet images are published to `quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet/`. |
| **OCI** (Open Container Initiative) | Standard for container and artifact distribution. Helm charts are published as OCI artifacts to the same registries as container images. |
| **helm-git** | Helm plugin that pulls charts from Git repos. Legacy distribution method being replaced by OCI. Requires plugin installation on every consumer. |
| **Pyxis** | Red Hat's container metadata catalog. Images registered here are automatically scanned for CVEs. |
| **ArgoCD** | GitOps-based deployment tool. Partner teams use ArgoCD to consume HyperFleet images from Quay. |
| **konflux-release-data** | GitLab repo containing RPA, constraint, and tenant configuration for Konflux releases. Source of truth for release pipeline config. |
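Review bot: the `Quay` entry now gives only the image path; with OCI chart distribution introduced in this PR, add the chart path too (the bill-of-artifacts hunk names `quay.io/redhat-services-prod/hyperfleet-tenant/`) so consumers can find both artifact types from the glossary. The `helm-git` entry says the method is "being replaced by OCI" but does not point anywhere; naming ADR 0016 there would give readers the decision record.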