Fail to fetch OCI private Helm registry #49

Open
Brawdunoir opened this issue Jan 9, 2024 · 1 comment
@Brawdunoir

Hello, I ran into an issue using your plugin when dealing with OCI private helm registries.

Context

I want to add an ArgoCD application that pulls a repo containing a helmfile.yaml.
Within this helmfile.yaml I got some OCI private repositories I need to authenticate first before being able to pull.

I tried a few things that are not working:

  • Add the OCI registry in ArgoCD
  • Connect to the OCI registry within the helmfile-plugin sidecar using helm registry login
  • Put HARBOR_USERNAME and HARBOR_PASSWORD environment variables in the ArgoCD application directly (as per helmfile documentation)

Problem

I got a 401 Unauthorized response when fetching a private helm repository.
It tries to connect as an anonymous user in order to pull the chart (Harbor logs).

Current solution

Making the OCI registry public solves the issue in the meantime; the app can be deployed without any issue.
This is not a long-term solution for me because sometimes we host Docker repositories alongside Helm ones and these cannot be public.

Configuration

# helmfile.yaml (redacted)

repositories:
  - name: harbor
    url: my.harbor.com/repo2/helm
    oci: true

releases:
  - name: "chart2"
    chart: "harbor/chart2"
    version: "1.0.2-9aef758b"

Logs

time="2024-01-09T08:27:46Z" level=error msg="`argo-cd-helmfile.sh generate` failed exit status 1: helm version v3.13.3+gc8b9489\nhelmfile version 0.159.0\nstarting generate\nDecrypting secret /tmp/_cmp_server/23d488cc-ed46-4a4d-a435-634cd856a856/int/secrets.yaml\nPulling my.harbor.com/repo1/helm/chart1:v0.2.5\nPulling my.harbor.com/repo2/helm/chart2:1.0.2-9aef758b\nin ./helmfile.yaml: [release \"chart2\": command \"/usr/local/bin/helm\" exited with non-zero status:\n\nPATH:\n  /usr/local/bin/helm\n\nARGS:\n  0: /usr/local/bin/helm (19 bytes)\n  1: pull (4 bytes)\n  2: oci://my.harbor.com/repo2/helm/chart2 (46 bytes)\n  3: --version (9 bytes)\n  4: 1.0.2-9aef758b (14 bytes)\n  5: --destination (13 bytes)\n  6: /tmp/helmfile4217612109/chart2-int/repo2/chart2/1.0.2-9aef758b (57 bytes)\n  7: --untar (7 bytes)\n\nERROR:\n  exit status 1\n\nEXIT STATUS\n  1\n\nSTDERR:\n  Error: unexpected status from HEAD request to https://my.harbor.com/v2/repo2/helm/repo2/manifests/1.0.2-9aef758b: 401 Unauthorized\n\nCOMBINED OUTPUT:\n  Error: unexpected status from HEAD request to https://my.harbor.com/v2/repo2/helm/repo2/manifests/1.0.2-9aef758b: 401 Unauthorized]" execID=fe3c4

time="2024-01-09T08:27:46Z" level=error msg="finished streaming call with code Unknown" error="error generating manifests: `argo-cd-helmfile.sh generate` failed exit status 1: helm version v3.13.3+gc8b9489\nhelmfile version 0.159.0\nstarting generate\nDecrypting secret /tmp/_cmp_server/23d488cc-ed46-4a4d-a435-634cd856a856/int/secrets.yaml\nPulling my.harbor.com/repo1/helm/chart1:v0.2.5\nPulling my.harbor.com/repo2/helm/chart2:1.0.2-9aef758b\nin ./helmfile.yaml: [release \"chart2\": command \"/usr/local/bin/helm\" exited with non-zero status:\n\nPATH:\n  /usr/local/bin/helm\n\nARGS:\n  0: /usr/local/bin/helm (19 bytes)\n  1: pull (4 bytes)\n  2: oci://my.harbor.com/repo2/helm/chart2 (46 bytes)\n  3: --version (9 bytes)\n  4: 1.0.2-9aef758b (14 bytes)\n  5: --destination (13 bytes)\n  6: /tmp/helmfile4217612109/chart2-int/repo2/chart2/1.0.2-9aef758b (57 bytes)\n  7: --untar (7 bytes)\n\nERROR:\n  exit status 1\n\nEXIT STATUS\n  1\n\nSTDERR:\n  Error: unexpected status from HEAD request to https://my.harbor.com/v2/repo2/helm/repo2/manifests/1.0.2-9aef758b: 401 Unauthorized\n\nCOMBINED OUTPUT:\n  Error: unexpected status from HEAD request to https://my.harbor.com/v2/repo2/helm/repo2/manifests/1.0.2-9aef758b: 401 Unauthorized]" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=plugin.ConfigManagementPluginService grpc.start_time="2024-01-09T08:27:40Z" grpc.time_ms=5794.475 span.kind=server system=grpc

Thanks for your awesome work on this plugin!

PS: If we cannot use private helm repos using this plugin, imo it should be stated in the README.md.

@hopisaurus

hopisaurus commented Feb 2, 2024

@Brawdunoir Try adding the environment variables to your argo-cd repo-server environment. This is how I have accomplished this to auth to a private ECR registry containing OCI Helm charts with helmfile.

# argo-cd helm chart values
repoServer:
  envFrom:
    - secretRef:
        name: argocd-helmfile-oci-auth # Created secret with environment vars of auth.

# example secret
# Values under data: must be base64-encoded; stringData: accepts plain text.
apiVersion: v1
kind: Secret
metadata:
  name: argocd-helmfile-oci-auth
  namespace: argocd
data:
  HARBOR_PASSWORD: <your token for auth>
  HARBOR_USERNAME: <your user for auth>
type: Opaque
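
A pre-flight check for the 401 discussed in this thread, as an added example that is not part of the issue or of the plugin: it lists the `oci: true` repositories in a helmfile and reports which `<NAME>_USERNAME` / `<NAME>_PASSWORD` variables are missing from the environment of the container that runs helmfile. The function names are hypothetical, and the name-to-variable mapping (upper-case, `-` replaced by `_`) is an assumption generalised from the `HARBOR_USERNAME` / `HARBOR_PASSWORD` pair named above.

```shell
#!/bin/sh
# Added example, not part of argo-cd-helmfile: checks whether the OCI
# credentials helmfile would look for are exported in this environment.

# ASSUMPTION: helmfile derives the variable prefix from the repository name by
# upper-casing it and replacing '-' with '_' ("harbor" -> HARBOR_USERNAME).
oci_env_prefix() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/-/_/g'
}

# Names of repositories marked `oci: true`. Line-based scan for the flat
# layout shown in the issue; this is not a general YAML parser.
oci_repo_names() {
    awk '
        /^repositories:/ { in_repos = 1; next }
        /^[^ #-]/        { in_repos = 0 }
        !in_repos        { next }
        /^ *- /          { name = ""; oci = 0 }
        /^[ -]*name:/    { name = $NF }
        /^[ -]*oci: *true/ { oci = 1 }
        name != "" && oci { print name; name = ""; oci = 0 }
    ' "$1" | tr -d "\"'"
}

# Report each missing variable by name only (values are never printed).
# printenv sees exported variables only, which is what a child helm process gets.
check_oci_creds() {
    rc=0
    for repo in $(oci_repo_names "$1"); do
        prefix=$(oci_env_prefix "$repo")
        for suffix in USERNAME PASSWORD; do
            var="${prefix}_${suffix}"
            val=$(printenv "$var" || true)
            if [ -z "$val" ]; then
                echo "MISSING $var (repository '$repo')"
                rc=1
            fi
        done
    done
    return $rc
}

# Demo on a constructed helmfile mirroring the repository entry in the issue.
demo=$(mktemp)
printf 'repositories:\n  - name: harbor\n    url: my.harbor.com/repo2/helm\n    oci: true\n' > "$demo"
check_oci_creds "$demo" || echo "credentials are not visible to this process"
rm -f "$demo"
```

A variable set in a different container of the same pod is reported as missing here, because each container has its own environment.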
