helm_release does not allow https or oci for azure container registry #964

vikrantoct7 opened this issue Sep 29, 2022 · 7 comments

vikrantoct7 commented Sep 29, 2022

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: Terraform v1.2.2 on linux_amd64

Provider version:
azurerm = {
  source  = "hashicorp/azurerm"
  version = "=3.19.0"
}

Kubernetes version:
kubernetes = {
  source  = "hashicorp/kubernetes"
  version = "=2.7.1"
}

helm version:
helm = {
  source  = "hashicorp/helm"
  version = "=2.4.1"
}

Affected Resource(s)

  • helm_release
  • helm_repository

data "azurerm_kubernetes_cluster" "default" {
  name                = "testpocaks"
  resource_group_name = "<azure rg name>"
}

# repository access with https
resource "helm_release" "hello-world" {
  name             = "hello-world"
  chart            = "hello-world"
  namespace        = "hello-world"
  create_namespace = "true"
  repository       = "https://pocacringress.azurecr.io/helm/hello-world"
  version          = "0.1.0"
  wait             = "true"
  force_update     = "true"
}

# repository access with oci
resource "helm_release" "hello-world" {
  name             = "hello-world"
  chart            = "hello-world"
  namespace        = "hello-world"
  create_namespace = "true"
  repository       = "oci://pocacringress.azurecr.io/helm/hello-world"
  version          = "0.1.0"
  wait             = "true"
  force_update     = "true"
}

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

Debug Output

Could not download chart: looks like https://pocacringress.azurecr.io/helm/hello-world is not valid chart repository or cannot reached: failed to fetch https://pocacringress.azurecr.io/helm/hello-world//index.yaml: 404

NOTE: In addition to Terraform debugging, please set HELM_DEBUG=1 to enable debugging info from helm.

Panic Output

Steps to Reproduce

  1. terraform init
  2. terraform apply --auto-approve

Expected Behavior

The chart should be fetched by helm_release directly. It should support both the oci and https protocols. We tried with both.
However, helm pull oci://pocacringress.azurecr.io/helm/hello-world --version 0.1.0 --untar worked well.

Actual Behavior

error using https
Could not download chart: looks like https://pocacringress.azurecr.io/helm/hello-world is not valid chart repository or cannot reached: failed to fetch https://pocacringress.azurecr.io/helm/hello-world//index.yaml: 404

error using oci
Could not download chart: looks like oci://pocacringress.azurecr.io/helm/hello-world is not valid chart repository or cannot reached: failed to fetch oci://pocacringress.azurecr.io/helm/hello-world//index.yaml: 404

Important Factoids

References

#765

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@github-actions github-actions bot removed the bug label Sep 29, 2022
@BBBmau
Contributor

BBBmau commented Oct 19, 2022

Hello @vikrantoct7 ! Thank you for opening this issue. It looks like you're including the name of the chart in the repository URL here:

repository = "oci://pocacringress.azurecr.io/helm/hello-world"

Try this instead:

repository = "oci://pocacringress.azurecr.io/helm"

@vikrantoct7
Author

Hi @BBBmau, I have already tried this. This was also not working.

@devraj

devraj commented Aug 5, 2023

I've been battling authenticating against Github Container Registry and have a feeling that it might be related to this issue.
See comment below

@ribboncake94

> Hello @vikrantoct7 ! Thank you for opening this issue. It looks like you're including the name of the chart in the repository URL here:
>
> repository = "oci://pocacringress.azurecr.io/helm/hello-world"
>
> Try this instead:
>
> repository = "oci://pocacringress.azurecr.io/helm"

Hi @BBBmau, thanks for this. It has worked for me.

@0xMH

0xMH commented Apr 26, 2024

I don't believe that this is a bug. In the code that you shared, it appears that you aren't authenticating to acr in the first place.

data "azurerm_container_registry" "acr" {
  name                = var.acr_name
  resource_group_name = var.acr_resource_group_name
}

data "azurerm_container_registry_scope_map" "scope_map" {
  name                    = "_repositories_pull"
  container_registry_name = data.azurerm_container_registry.acr.name
  resource_group_name     = var.acr_resource_group_name
}

resource "azurerm_container_registry_token" "helm_registry_token" {
  name                    = "akspulluser"
  container_registry_name = data.azurerm_container_registry.acr.name
  resource_group_name     = var.acr_resource_group_name
  scope_map_id            = data.azurerm_container_registry_scope_map.scope_map.id
}

resource "azurerm_container_registry_token_password" "helm_registry_token_password" {
  container_registry_token_id = azurerm_container_registry_token.helm_registry_token.id
  password1 {}
}

Then you should pass

repository_username = azurerm_container_registry_token.helm_registry_token.name

repository_password = azurerm_container_registry_token_password.helm_registry_token_password.password1[0].value

to your helm_release resource.
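
The two replies above combined into one configuration (registry path without the chart name, plus a pull-only ACR token passed as repository credentials), as an added example that is not code from the thread or from the provider's documentation. The variable names, resource labels and the expiry date are assumptions; the chart name, version and namespace are the ones from the original report.

```hcl
# Added example. Variable names and resource labels are assumed.
variable "acr_name" { type = string }
variable "acr_resource_group_name" { type = string }

data "azurerm_container_registry" "acr" {
  name                = var.acr_name
  resource_group_name = var.acr_resource_group_name
}

# Built-in scope map that grants pull (read) on repositories only,
# so the token used by Terraform cannot push or delete artifacts.
data "azurerm_container_registry_scope_map" "pull" {
  name                    = "_repositories_pull"
  container_registry_name = data.azurerm_container_registry.acr.name
  resource_group_name     = var.acr_resource_group_name
}

resource "azurerm_container_registry_token" "helm" {
  name                    = "akspulluser"
  container_registry_name = data.azurerm_container_registry.acr.name
  resource_group_name     = var.acr_resource_group_name
  scope_map_id            = data.azurerm_container_registry_scope_map.pull.id
}

resource "azurerm_container_registry_token_password" "helm" {
  container_registry_token_id = azurerm_container_registry_token.helm.id
  password1 {
    # Constructed date: give the credential a bounded lifetime.
    expiry = "2030-01-01T00:00:00Z"
  }
}

resource "helm_release" "hello_world" {
  name             = "hello-world"
  namespace        = "hello-world"
  create_namespace = true

  # Registry path only. The chart name belongs in `chart`, not in the URL.
  repository = "oci://${data.azurerm_container_registry.acr.login_server}/helm"
  chart      = "hello-world"
  version    = "0.1.0"

  repository_username = azurerm_container_registry_token.helm.name
  repository_password = azurerm_container_registry_token_password.helm.password1[0].value
}
```

The generated token password is written to Terraform state, so the state backend needs the same access controls as any other secret store.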

@devraj

devraj commented Apr 27, 2024

> I don't believe that this is a bug. In the code that you shared, it appears that you aren't authenticating to acr in the first place.

I second this for ghcr, I wasn't authenticating against it properly. I was authenticated such that I could get the private chart but not the images themselves. Registering a kubernetes_secret allowed me to get the private chart without issues.

resource "kubernetes_secret" "app-registry-secret" {
  metadata {
    name      = "harvestos-registry-secret"
    namespace = "harvest"
  }

  type = "kubernetes.io/dockerconfigjson"

  data = {
    ".dockerconfigjson" = jsonencode({
      auths = {
        "${var.oci_registry}" = {
          "username" = var.gh_username
          "password" = var.gh_password
          "email"    = var.gh_email
          "auth"     = base64encode("${var.gh_username}:${var.gh_password}")
        }
      }
    })
  }

  depends_on = [
    var.eks_cluster,
    kubernetes_namespace.namespace
  ]

}

@vikrantoct7
Author

vikrantoct7 commented Apr 27, 2024

@0xMH Well, I did not try that solution. I did not even get such a solution in the Terraform examples or anywhere else.
Thanks for this solution. New learning for me.
