Description
Is your feature request related to a problem? Please describe.
Helm extension controller is unable to pull helm charts from an OCI registry that uses a self-signed CA certificate.
I create my helm extension as follows:
```yaml
extensions:
  helm:
    charts:
      - chartname: oci://registry.mke4dev.mirantis.net/mke/mirrored-chart-tigera-operator
        name: tigera-operator
        namespace: tigera-operator
        order: 4
        timeout: 10m0s
```
Here, oci://registry.mke4dev.mirantis.net is my private registry that uses TLS certificates issued by a private self-signed CA. The helm extension controller fails to pull this chart with an error:
May 23 14:22:23 node0 k0s[454]: time="2025-05-23 14:22:23" level=error msg="Reconciler error" Chart="{k0s-addon-chart-tigera-operator kube-system}" component=extensions_controller controller=chart controllerGroup=helm.k0sproject.io controllerKind=Chart error="can't update or install chart: can't reconcile installation for \"k0s-addon-chart-tigera-operator\": can't locate chart `oci://registry.mke4dev.mirantis.net/mke/mirrored-chart-tigera-operator-v3.29.3`: failed to do request: Head \"https://registry.mke4dev.mirantis.net/v2/mke/mirrored-chart-tigera-operator/manifests/v3.29.3\": tls: failed to verify certificate: x509: certificate signed by unknown authority" name=k0s-addon-chart-tigera-operator namespace=kube-system reconcileID="\"435a14d2-1632-4faf-b519-18fee6103c03\""
Describe the solution you would like
I would like to be able to provide the CA certificate my registry uses as part of the helm chart spec.
Describe alternatives you've considered
I tried adding a helm repository, because repositories already allow setting a CA cert:
```yaml
repositories:
  - caFile: /etc/containerd/certs.d/registry.mke4dev.mirantis.net/ca.crt
    name: mke-repository
    url: oci://registry.mke4dev.mirantis.net
```
However, these repositories are treated as classic helm repositories that expect an index.yaml file to be present. OCI registries are not classic helm repositories and therefore cannot be added this way. The helm extension controller throws an error:
May 22 22:10:43 node0 k0s[457]: time="2025-05-22 22:10:43" level=error msg="Failed to reconcile cluster configuration" component=clusterConfig-reconciler error="can't init repository \"oci://registry.mke4dev.mirantis.net\": can't add repository: \"repo\" is not a valid chart repository or cannot be reached: registry.mke4dev.mirantis.net/index.yaml@: not found"
Additional context
Helm implemented custom transport support for all actions that use OCI registries here - helm/helm#11711
With this change, helm commands like install and upgrade have a --ca-file flag that sets the CA file for an OCI registry.
In k0s, when helm actions are initialized, e.g. install (https://github.com/k0sproject/k0s/blob/main/pkg/helm/helm.go#L223), the install.CAFile option isn't used and cannot be set, making it impossible to use an OCI registry with a non-publicly-trusted CA.