From e4164c2c9ead40404fe5ff6615c72e3c94eee1c1 Mon Sep 17 00:00:00 2001
From: Ivan087
Date: Mon, 17 Nov 2025 17:37:30 +0800
Subject: [PATCH] cover helm charts
---
 README.md | 3 +++
 scripts/helm_publish.sh | 43 +++++++++++++++++++++++++++++++++++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e989a0d..f196276 100644
--- a/README.md
+++ b/README.md
@@ -22,8 +22,11 @@ The charts are pushed to `oci://$HELM_OCI_NAMESPACE` (Helm appends the chart nam
 ```
 HELM_PUSH_EXTRA_ARGS="--insecure-skip-tls-verify --plain-http"
 HELM_LOGIN_EXTRA_ARGS="--insecure --plain-http"
+ALLOW_OVERWRITE=1
 ```
+When `ALLOW_OVERWRITE=1` is set, the pre-push will first try to delete the existing `:` tag from Harbor via API (requires `HELM_USERNAME`/`HELM_PASSWORD`). This is needed because OCI registries do not allow overwriting tags.
+
 ## Chart discovery
 No configuration needed by default. The script auto-discovers chart directories by looking for `Chart.yaml` up to depth 2 (excluding nested `charts/` vendor dir).
diff --git a/scripts/helm_publish.sh b/scripts/helm_publish.sh
index 5d39902..f4757ef 100755
--- a/scripts/helm_publish.sh
+++ b/scripts/helm_publish.sh
@@ -9,7 +9,8 @@ set -euo pipefail
 # HELM_LOGIN_EXTRA_ARGS: extra flags for `helm registry login` (e.g., --insecure --plain-http)
 # CHART_DIRS: space-separated list of chart directories; if empty, auto-discover
 # DRY_RUN=1: only package, do not push
-# HELM_PUSH_EXTRA_ARGS: extra flags for `helm push` (e.g., --insecure-skip-tls-verify)
+# HELM_PUSH_EXTRA_ARGS: extra flags for `helm push` (e.g., --insecure-skip-tls-verify --plain-http)
+# ALLOW_OVERWRITE=1: delete existing chart version in Harbor/OCI before push (OCI tags are immutable)
 ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
 cd "$ROOT_DIR"
@@ -19,8 +20,23 @@ if [[ -z "${HELM_OCI_NAMESPACE:-}" ]]; then
 exit 1
 fi
-# Derive registry host from HELM_OCI_NAMESPACE
+# Derive registry host and project from HELM_OCI_NAMESPACE
 HELM_REGISTRY_HOST="${HELM_OCI_NAMESPACE%%/*}"
+HELM_REGISTRY_PROJECT="${HELM_OCI_NAMESPACE#*/}"
+if [[ -z "$HELM_REGISTRY_PROJECT" || "$HELM_REGISTRY_PROJECT" == "$HELM_OCI_NAMESPACE" ]]; then
+ echo "[helm_publish] Invalid HELM_OCI_NAMESPACE: expected host/project, got '$HELM_OCI_NAMESPACE'" >&2
+ exit 1
+fi
+
+# Infer API scheme/insecure flags for Harbor API calls
+API_SCHEME="https"
+if [[ "${HELM_LOGIN_EXTRA_ARGS:-}${HELM_PUSH_EXTRA_ARGS:-}" == *"--plain-http"* ]]; then
+ API_SCHEME="http"
+fi
+INSECURE_CURL_FLAG=""
+if [[ "${HELM_LOGIN_EXTRA_ARGS:-}${HELM_PUSH_EXTRA_ARGS:-}" == *"--insecure"* || "${HELM_PUSH_EXTRA_ARGS:-}" == *"--insecure-skip-tls-verify"* ]]; then
+ INSECURE_CURL_FLAG="-k"
+fi
 # Auto-discover charts when CHART_DIRS not provided
 if [[ -z "${CHART_DIRS:-}" ]]; then
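Review bot: `API_SCHEME` and `INSECURE_CURL_FLAG` are inferred from flags meant for `helm push` and `helm registry login`, yet the third hunk uses them for a curl call carrying `HELM_USERNAME`/`HELM_PASSWORD` as basic auth, so a registry reached with `--plain-http` or `--insecure` gets those credentials in cleartext or over unverified TLS without any message. I would log the downgrade once, right after the two inferences: `if [[ "$API_SCHEME" == "http" || -n "$INSECURE_CURL_FLAG" ]]; then echo "[helm_publish] Warning: Harbor API calls will send credentials without verified TLS" >&2; fi`. The second `--insecure-skip-tls-verify` test is redundant, because `*"--insecure"*` already matches it. `HELM_REGISTRY_PROJECT` keeps every segment after the first `/`, so a namespace of the form host/project/sub would presumably yield an API path Harbor does not accept; a comment stating that only host/project is supported would help.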
@@ -80,6 +96,29 @@ for chart_dir in ${CHART_DIRS}; do
 continue
 fi
+ # Resolve chart name/version from Chart.yaml
+ chart_name=$(sed -n 's/^name:[[:space:]]*\(.*\)$/\1/p' "$chart_dir/Chart.yaml" | head -n1 | tr -d '"' | xargs || true)
+ chart_version=$(sed -n 's/^version:[[:space:]]*\(.*\)$/\1/p' "$chart_dir/Chart.yaml" | head -n1 | tr -d '"' | xargs || true)
+
+ # Optional pre-delete to allow overwrite of existing tag in Harbor
+ if [[ "${ALLOW_OVERWRITE:-}" == "1" && -n "${chart_name}" && -n "${chart_version}" ]]; then
+ if [[ -n "${HELM_USERNAME:-}" && -n "${HELM_PASSWORD:-}" ]]; then
+ del_url="${API_SCHEME}://${HELM_REGISTRY_HOST}/api/v2.0/projects/${HELM_REGISTRY_PROJECT}/repositories/${chart_name}/artifacts/${chart_version}"
+ echo "[helm_publish] Attempting delete (if exists): $del_url"
+ http_code=$(curl -sS ${INSECURE_CURL_FLAG} -u "${HELM_USERNAME}:${HELM_PASSWORD}" -o /dev/null -w "%{http_code}" -X DELETE "$del_url" || true)
+ case "$http_code" in
+ 200|202|404)
+ echo "[helm_publish] Delete HTTP $http_code (ok)";;
+ "")
+ echo "[helm_publish] Warning: curl returned no status; continuing";;
+ *)
+ echo "[helm_publish] Warning: delete returned HTTP $http_code; continuing to push";;
+ esac
+ else
+ echo "[helm_publish] ALLOW_OVERWRITE=1 but HELM_USERNAME/HELM_PASSWORD not set; skip delete"
+ fi
+ fi
+
 # Push to OCI registry; Helm will use chart name from the package
 echo "[helm_publish] Pushing $pkg_path to oci://$HELM_OCI_NAMESPACE"
 if ! helm push ${HELM_PUSH_EXTRA_ARGS:-} "$pkg_path" "oci://$HELM_OCI_NAMESPACE"; then
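Review bot: `chart_name` and `chart_version` go straight from the `sed` parse of `Chart.yaml` into `del_url`, so a value containing `/`, `?`, `#` or `..` points the authenticated `DELETE` at a different Harbor resource than the chart being pushed; both should be checked against a strict pattern before the URL is built, and the delete skipped otherwise. The curl call also passes `-u "${HELM_USERNAME}:${HELM_PASSWORD}"` on the command line, where the password is readable from the process list; supplying it through `-K -` on stdin keeps it out of argv. Deleting first also leaves the version absent if the later `helm push` fails, which is worth a comment at the `ALLOW_OVERWRITE` check. The enclosing `for chart_dir` loop starts and ends outside the hunk.

```shell
  # … unchanged: chart_name / chart_version extraction from Chart.yaml …
  if [[ "${ALLOW_OVERWRITE:-}" == "1" && -n "${chart_name}" && -n "${chart_version}" ]]; then
    # Only plain name/version tokens may reach the API path of a credentialed DELETE.
    if [[ ! "$chart_name" =~ ^[a-z0-9][a-z0-9._-]*$ || ! "$chart_version" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
      echo "[helm_publish] Skipping pre-delete: unexpected characters in name/version from $chart_dir/Chart.yaml" >&2
    elif [[ -n "${HELM_USERNAME:-}" && -n "${HELM_PASSWORD:-}" ]]; then
      # … unchanged: del_url assignment and "Attempting delete" message …
      # Credentials go through a curl config on stdin so they never appear in argv.
      # NOTE: a password containing '"' or '\' must be escaped for the config syntax first.
      http_code=$(printf 'user = "%s:%s"\n' "$HELM_USERNAME" "$HELM_PASSWORD" \
        | curl -sS ${INSECURE_CURL_FLAG} -K - -o /dev/null -w "%{http_code}" -X DELETE "$del_url" || true)
      # … unchanged: case "$http_code" handling, else branch, closing fi lines …
```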