Open jonnylangefeld opened 1 week ago
I believe it is a known limitation that Helm OCI support relies on ambient credentials, as set by `helm registry login` or by `docker login`. The upstream PR seeks to allow for ad hoc credentials via flags, and Pulumi would assumedly incorporate that by wiring up the `RepositoryOpts`. At this time, the `RepositoryOpts` is applicable only to HTTP-based chart repositories.
Strictly speaking I don't think we would need to wait for the fix upstream, we could probably plumb the credentials through with what we already have.
Related https://github.com/pulumi/pulumi-kubernetes/issues/2911
Is there any workaround for this issue @blampe @EronWright? I'm stuck with the installation of the AWS Gateway API Controller chart as it is located only in an OCI repository.
What happened?
helmv4
allows to download helm charts from private OCI registries by specifying username and password:However, this results in authentication errors despite correct credentials. Different kinds for the different cloud provider registries:
on AWS using ECR
```bash error: an unhandled error occurred: waiting for RPCs: rpc error: code = Unknown desc = unable to locate the chart: pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials ```on GCP using GCR
```bash error: an unhandled error occurred: waiting for RPCs: rpc error: code = Unknown desc = unable to locate the chart: unexpected status from HEAD request to https://gcr.io/v2/gke-shared-dev/upstream/helm.cilium.io/tetragon/mainfests/1.1.2: 401 Unauthorized ```We did some investigation and the following turns out to be the culprit:
When reproducing the issue with the CLI, this works:

but this doesn't, even though it should:
The Pulumi helm v4 provider does the equivalent to the latter.
This is recognized as an open upstream helm issue: https://github.com/helm/helm/pull/12769
The main issue is the inconsistency: `helm pull` with username and password, without a previous `helm registry login`, works for `https://` helm registries, but not for `oci://`.

**If this is an upstream helm issue, why is this posted on the pulumi-kubernetes repo?**
The main reason I'm posting this here is that the `helmv4` Pulumi provider copy/pastes some private upstream functions. For instance, the `newRegistryClient()` function that the upstream helm bugfix PR is attempting to fix by adding the username and password to the signature is copy/pasted into this repo because it's a private function: https://github.com/pulumi/pulumi-kubernetes/blob/f5f368dad365317f265f484b2d61a9180ee352f6/provider/pkg/helm/tool.go#L341

This means that even if the upstream helm PR is merged, the `helmv4` Pulumi provider would still suffer from this issue. So it has to be fixed here as well. But we might still need to wait for the upstream fix, for the new upstream `NewClient()` function.

The upstream helm PR has been open for 7 months with most recent activity 1 month ago. We could help push it along.
Output of `pulumi about`
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
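The two errors quoted in the issue ("no basic auth credentials" from ECR and the 401 on the HEAD request from GCR) are the same thing seen from two registries: the registry's token-auth challenge going unanswered because no credentials reached the client. The Go program below is an added illustration of that exchange and is not code from this issue, from Helm or from the Pulumi provider. It stands up a constructed in-memory registry with `httptest` and walks the standard OCI/Docker token flow: a HEAD on the manifest, a 401 carrying a `WWW-Authenticate: Bearer` challenge, a token request authenticated with basic auth, and the retry with the bearer token. The credentials, token value, repository name and service name are all made up for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Constructed credentials and token for the in-memory registry (hypothetical values).
const demoUser, demoPass, demoToken = "demo-user", "demo-pass", "constructed-bearer-token"

// newFakeRegistry starts a minimal OCI-style registry: manifest requests need a bearer
// token, and the token endpoint issues one only for valid basic-auth credentials.
func newFakeRegistry() *httptest.Server {
	mux := http.NewServeMux()
	var srv *httptest.Server
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || u != demoUser || p != demoPass {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"token": demoToken})
	})
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+demoToken {
			// The challenge tells the client where to exchange credentials for a token.
			w.Header().Set("WWW-Authenticate", fmt.Sprintf(
				`Bearer realm="%s/token",service="fake-registry",scope="repository:charts/tetragon:pull"`, srv.URL))
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	srv = httptest.NewServer(mux)
	return srv
}

// challengeRe pulls key="value" pairs out of the WWW-Authenticate header.
var challengeRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// headManifest mirrors the HEAD request a chart pull starts with. With empty credentials
// the 401 is surfaced as an error, which is the behaviour described for oci:// in the issue;
// with credentials the challenge is answered and the retry succeeds.
func headManifest(registryURL, repo, tag, user, pass string) (int, error) {
	client := &http.Client{}
	manifestURL := fmt.Sprintf("%s/v2/%s/manifests/%s", registryURL, repo, tag)
	req, _ := http.NewRequest(http.MethodHead, manifestURL, nil)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusUnauthorized {
		return resp.StatusCode, nil
	}
	if user == "" {
		return resp.StatusCode, errors.New("401 Unauthorized: no basic auth credentials")
	}
	params := map[string]string{}
	for _, m := range challengeRe.FindAllStringSubmatch(resp.Header.Get("WWW-Authenticate"), -1) {
		params[m[1]] = m[2]
	}
	// Exchange basic auth for a bearer token at the realm named in the challenge.
	treq, _ := http.NewRequest(http.MethodGet, params["realm"], nil)
	q := treq.URL.Query()
	q.Set("service", params["service"])
	q.Set("scope", params["scope"])
	treq.URL.RawQuery = q.Encode()
	treq.SetBasicAuth(user, pass)
	tresp, err := client.Do(treq)
	if err != nil {
		return 0, err
	}
	defer tresp.Body.Close()
	if tresp.StatusCode != http.StatusOK {
		return tresp.StatusCode, errors.New("token endpoint rejected credentials")
	}
	var tok struct {
		Token string `json:"token"`
	}
	if err := json.NewDecoder(tresp.Body).Decode(&tok); err != nil {
		return 0, err
	}
	// Retry the original request with the token.
	req, _ = http.NewRequest(http.MethodHead, manifestURL, nil)
	req.Header.Set("Authorization", "Bearer "+tok.Token)
	resp2, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp2.Body.Close()
	return resp2.StatusCode, nil
}

func main() {
	srv := newFakeRegistry()
	defer srv.Close()
	for _, c := range [][2]string{{"", ""}, {demoUser, demoPass}} {
		status, err := headManifest(srv.URL, "charts/tetragon", "1.1.2", c[0], c[1])
		fmt.Printf("user=%q status=%d err=%v\n", c[0], status, err)
	}
}
```

Run it with `go run`: the first call, with no credentials, ends at the 401 exactly as an unauthenticated `oci://` pull does, while the second answers the challenge and gets a 200. In the real setup the credentials that answer that challenge are the ambient ones written by `helm registry login` (the workaround mentioned in the comments above), which is why the provider sees the failure until username and password are plumbed into its registry client.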