Unable to push helm charts to internal gitea repo #29118

Open
kolaente opened this issue Feb 9, 2024 · 12 comments

@kolaente
Member

kolaente commented Feb 9, 2024

Description

Pushing a helm repo with helm push <file>.tgz oci://gitea-instance.tld/org fails with the following error:

Error: failed commit on ref "manifest-sha256:b299865291f52fea32b90f2dd1c4c5ec913d3f5b195493640ae6de72593aa1e4": unexpected status from PUT request to https://kolaente.dev/v2/vikunja/vikunja/manifests/0.4.3: 403 Forbidden

(using an api token with the packages scope)

Gitea's logs show the following, which might be related:

gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:7f4a609cb030ce4d4f8a009c63807c0a5c7df94edc29db834d8c8418a01d6c45 for 172.18.0.2:41572, 401 Unauthorized in 0.1ms @ container/container.go:123(container.ReqContainerAccess)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:a7114e2efaafadce076e7a21b8fe6dbd0a29f9c1f4ee4ddbbb8304340e1f542c for 172.18.0.2:49142, 401 Unauthorized in 0.1ms @ container/container.go:123(container.ReqContainerAccess)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/token for 172.18.0.2:49142, 404 Not Found in 0.1ms @ container/container.go:169(container.AuthenticateNotImplemented)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?scope=%2A&scope=repository%3Avikunja%2Fvikunja%3Apull%2Cpush&service=container_registry for 172.18.0.2:49142, 200 OK in 15.8ms @ container/container.go:146(container.Authenticate)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:7f4a609cb030ce4d4f8a009c63807c0a5c7df94edc29db834d8c8418a01d6c45 for 172.18.0.2:41572, 200 OK in 4.7ms @ container/container.go:483(container.HeadBlob)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:a7114e2efaafadce076e7a21b8fe6dbd0a29f9c1f4ee4ddbbb8304340e1f542c for 172.18.0.2:49142, 200 OK in 7.5ms @ container/container.go:483(container.HeadBlob)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/manifests/0.4.3 for 172.18.0.2:49142, 404 Not Found in 3.4ms @ container/container.go:621(container.HeadManifest)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed PUT /v2/vikunja/vikunja/manifests/0.4.3 for 172.18.0.2:49142, 403 Forbidden in 12.2ms @ container/container.go:536(container.UploadManifest)

The token and helm cli version did not change since the last time this worked (all runs in CI).

Maybe related to #27640

Gitea Version

1.21.5

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Official docker image

Database

MySQL/MariaDB
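An added example, not part of the original report or Gitea's code: a small parser for the router log lines quoted above that separates an authentication failure (no token issued, or a 401 after the token) from an authorization failure (a 403 after the token was issued). The function names are hypothetical, and reading 401/403 this way follows general HTTP status semantics rather than anything confirmed in this thread.

```python
import re

# Constructed sample: the router lines from the report above, with the
# container/timestamp prefix dropped and blob digests abbreviated.
SAMPLE_LOG = """\
router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:7f4a for 172.18.0.2:41572, 401 Unauthorized in 0.1ms @ container/container.go:123(container.ReqContainerAccess)
router: completed POST /v2/token for 172.18.0.2:49142, 404 Not Found in 0.1ms @ container/container.go:169(container.AuthenticateNotImplemented)
router: completed GET /v2/token?scope=%2A&service=container_registry for 172.18.0.2:49142, 200 OK in 15.8ms @ container/container.go:146(container.Authenticate)
router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:7f4a for 172.18.0.2:41572, 200 OK in 4.7ms @ container/container.go:483(container.HeadBlob)
router: completed HEAD /v2/vikunja/vikunja/manifests/0.4.3 for 172.18.0.2:49142, 404 Not Found in 3.4ms @ container/container.go:621(container.HeadManifest)
router: completed PUT /v2/vikunja/vikunja/manifests/0.4.3 for 172.18.0.2:49142, 403 Forbidden in 12.2ms @ container/container.go:536(container.UploadManifest)
"""

LINE = re.compile(
    r"router: completed (\S+) (\S+) for [^,]+, (\d{3})[^@]*@ \S+\(container\.(\w+)\)"
)


def parse(log):
    """Return (method, path, status, handler) for each router line."""
    return [(m[1], m[2], int(m[3]), m[4]) for m in LINE.finditer(log)]


def diagnose(events):
    """Classify a failed push by what happened after the token was issued."""
    issued = next(
        (i for i, (meth, path, status, _) in enumerate(events)
         if meth == "GET" and path.startswith("/v2/token") and status == 200),
        None,
    )
    if issued is None:
        return ("no-token", None)  # the token exchange never succeeded
    for event in events[issued + 1:]:
        if event[2] == 401:
            return ("authentication", event)  # issued token was not accepted
        if event[2] == 403:
            return ("authorization", event)  # identity accepted, action refused
    return ("ok", None)


if __name__ == "__main__":
    print(diagnose(parse(SAMPLE_LOG)))
```

On the sample, the token request returns 200 and the blob checks succeed, so the only refusal is the manifest upload, which points at the account's write permission on the package owner rather than at the login.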

@KN4CK3R
Member

KN4CK3R commented Feb 9, 2024

Did you do a helm registry login before the push? For me it just looks like a push without login/write access.

@kolaente
Member Author

kolaente commented Feb 9, 2024

I did, here is the full failing CI run: https://drone.kolaente.de/vikunja/helm-chart/80/1/2

@KN4CK3R
Member

KN4CK3R commented Feb 9, 2024

Tested it with your repo:

# helm registry login -u kn4ck3r gitea
Password:
Login Succeeded
# helm push vikunja-*.tgz oci://gitea-dev.local-lan.li:3000/kn4ck3r
Pushed: gitea-dev.local-lan.li:3000/kn4ck3r/vikunja:0.4.3
Digest: sha256:f0433e2eb50a6f4f2bb44c6146c7a9502e16a2acf7a04b082209b2cb246bff23

Are you using a token? Has the token the correct permissions?

@kolaente
Member Author

kolaente commented Feb 9, 2024

Using a token with the packages permissions (read and write). Is that enough?

@kolaente
Member Author

kolaente commented Feb 9, 2024

Just checked with a token from a different account and that worked. Looks like it's only the bot account which does not work.

@KN4CK3R
Member

KN4CK3R commented Feb 9, 2024

Yes, package write should be enough.

@kolaente
Member Author

kolaente commented Feb 9, 2024

Is there any way to debug this further?

@KN4CK3R
Member

KN4CK3R commented Feb 10, 2024

Tested it again and package read/write is enough to push to the user or an org where the user is in a team with package write access.

@f-denkena

Same issue here, only with docker instead of helm. I consistently got an error using my ci-docker account, the repository owner account worked immediately. Version 1.21.11

@wxiaoguang
Contributor

Could you provide some details about how to reproduce? E.g.: prepare a fresh instance, instance setup (docker compose?), create user / org / team, etc., then the command lines used.

@f-denkena

The instance is set up using portage, hosted on https://git.denkena-consulting.com. Command line was simply:
docker login git.denkena-consulting.com
The bot user (ci-docker) had package:write permission for the repository docker-base but was not authorized to push.

@wxiaoguang
Contributor

wxiaoguang commented May 3, 2024

Sorry but I have never heard of "portage" ..... 😭 I have my knowledge limitation, and the configuration & user & permission really matter.

KN4CK3R has tested and replied above, it seems to work well (unable to reproduce without more details)

A reproducible setup with detailed steps is really helpful (and important) to figure out the real problem. There is an issue report sample: #30680 (comment) , with the reproducible setup, the problem could be clarified quickly.
