Error: could not download chart: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://xyz.azurecr.io/oauth2/token?scope=repository%3Aabc%3Apull&service=xyz.azurecr.io: 401 Unauthorized

[amruta2729]

Terraform, Provider, Kubernetes and Helm Versions

Terraform version:1.6.4
Provider version:3.50.0
Kubernetes version:1.27

Affected Resource(s)

• helm_release

Debug Output

null_resource.push_images_acr (local-exec): Digest:
null_resource.push_images_acr (local-exec): Pushed: xyz.azurecr.io/demo:10.3.1
null_resource.push_images_acr (local-exec): Digest:
null_resource.push_images_acr: Creation complete after 28m22s [id=]
helm_release.abc: Creating...
data.helm_template.demo: Reading...
?
¦ Error: could not download chart: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://xyz.azurecr.io/oauth2/token?scope=repository%3Aabc%3Apull&service=xyz.azurecr.io: 401 Unauthorized
¦
¦ with helm_release.demo,
¦ on main.tf line 287, in resource "helm_release" "demo":
¦ 287: resource "helm_release" "demo" {
¦
?

NOTE: In addition to Terraform debugging, please set HELM_DEBUG=1 to enable debugging info from helm.

Steps to Reproduce

1. terraform apply

Expected Behavior

Helm charts should get pulled successfully.

Actual Behavior

Helm charts are getting pushed successfully and present in the repository, the user has all the required permissions to pull/push helm charts to ACR, still helm_release giving 401:unauthorized error.

[arybolovlev]

Hi @amruta2729,

Please share your Terraform configuration. It would be helpful to see the provider block and the resource that fails.

Thanks.

[amruta2729]

Hi @arybolovlev ,

Below is the terraform version nd provider block used in our configuration -

`terraform {
required_version = ">= 1.5.0"

required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "> 3.50.0"
}
helm = {
source = "hashicorp/helm"
version = "> 2.12.1"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.23.0"
}
}
}

provider "helm" {
kubernetes {
config_path = "~/.kube/config"
}
}

provider "kubernetes" {
config_path = "~/.kube/config"
}

provider "azurerm" {
features {}
environment = local.cloud_environment
}`

And the resource block which is failing is -

`resource "helm_release" "operators" {
name = "operators"
namespace = "operator-system"
create_namespace = true
repository = "oci://${local.acr_name}.${local.acr_name_suffix}"
chart = "operators"
version = local.version
verify = false
timeout = 300
wait = true

set {
name = "global.platform"
value = "aks"
}

set {
name = "global.operatorNamespace"
value = "operator-system"
}

set {
name = "global.containerRegistry"
value = "${local.acr_name}.${local.acr_name_suffix}"
}

dynamic "set" {
for_each = local.use_existing_storage_acc ? [true] : []
content {
name = "global.storage.aks.storageAccountName"
value = local.storage_account_name
}
}

dynamic "set" {
for_each = local.use_existing_storage_acc ? [true] : []
content {
name = "global.storage.aks.storageAccountRG"
value = local.storage_acc_rg_name
}
}

set {
name = "operator.image.tag"
value = var.operator_tag
}

depends_on = [
null_resource.push_images_acr
]
}`

push_images_acr is a null_resource we have written from which we are executing a shell script for pushing the images and helm charts to ACR.

[amruta2729]

One finding we had is, that we are facing this issue from helm provider version 2.9.0, with version 2.8.0 it is working as expected.
Is there any major change around this area went in 2.9.0? Do let us know if anyone knows anything.