Failed to configure oci:// url

[arnouthoebreckx]

• What problem are you trying to solve?

Nexus version: 3.38.1 Problem: using oci:// based URLs is not allowed by the UI, even though according to Nexus news OCI should be configurable. References:

• https://community.sonatype.com/t/support-of-oci-artifacts-such-as-helm-charts/10251?_ga=2.137254713.865264821.1690360270-521854742.1690360270
• [NEXUS-21087] (Docker) Support OCI registry format

We're trying to use "oci://quay.io" based urls to pull helm-charts and docker images from proxy repositories. However the UI interface indicates that http(s) urls should be used as can be seen in the screenshot.

Does anyone have any experience with this and/or an example that they can show me?

When using https:// instead of oci:// the repository remains empty and proxying does not work.

• Do you have a workaround you are using at present?

Sadly have not found a workaround for this.

[nblair]

Thanks @arnouthoebreckx for opening this issue. We do not currently have official support for oci:// urls through this capability. We'll keep this open to gauge demand and interest from the community.

[arnouthoebreckx]

Hi @nblair,

Is there any way around this? I read in the docs / release notes that there's OCI support, so I assume there's a workaround?

[nblair]

I went and tracked down the Jira issues linked in the release notes you referenced. The title of that Jira ticket is rather vague, but at the time in 2020 "OCI support" meant something different than it likely means today, 3 years later. What was implemented at that time was support for additional media types included in OCI containers. I don't have a workaround for you for oci:// urls at present.

[chri4774]

Helm Charts from Bitnami have switched to OCI urls. We would appreciate it if Nexus would support this format in a future release.

[eshackelford-ias]

We have been asking Sonatype to implement this since April 2023. Still no sign of this feature.

[JuryA]

Howdy everyone!🙋‍♂️

IMHO: To succinctly convey my viewpoint, it appears that the development team may need a deeper understanding of practical requirements. I recognize the complexity of Nexus beyond a mere Container/OCI registry; however, the imperative need for enhanced OCI Helm Chart support is evident. The prompt integration of the oci:// protocol is essential, considering its advanced security features and alignment with contemporary infrastructure needs.

The current strategy of postponing action until there is wider community interest is somewhat discouraging. The oci:// protocol is notably more robust and secure compared to traditional Helm repositories. Embracing oci:// will markedly diminish the risk of security infringements and provide a more dependable distribution framework for our applications.

Traditionally, Helm repositories, particularly private ones, have the drawback of storing login credentials in an unencrypted format, posing a severe security risk. Prioritizing data confidentiality and integrity is crucial. Transitioning to oci:// will enable us to abandon these obsolete methods in favor of encrypted storage and transmission, thereby adhering to the highest standards of security and compliance in the industry.

[augeivv]

More and more Helm Charts are switching to oci urls. Is there already a plan when Nexus will support oci helm charts?

[jastBytes]

We really really need this feature to be supported. More and more Helm repos are switching to OCI.

[tiberium]

Any update? Important feature, more and more important.

[chri4774]

We figured out, that you can use the Nexus docker-proxy functionality as a proxy for the oci helm charts. So for the bitnami helm charts where the oci charts are stored in dockerhub (oci://registry-1.docker.io/bitnamicharts/) we did the following:

• Setup a Nexus docker-proxy to point to dockerhub URL: https://registry-1.docker.io Docker Index: "Use Docker Hub" Use a separate HTTPS Port

• HELM-Login: helm registry login <nexus-host>:<docker-proxy-port> --username <user> --password <password>

• HELM pull, install, etc helm pull oci://<nexus-host>:<docker-proxy-port>/bitnamicharts/postgresql

[JuryA]

Based on Sonatype's current approach to this critical issue, it appears there is little interest in implementing OCI Helm charts. This is unfortunate because, with the growing popularity of Helm OCI and the increasing emphasis on security, combined with Sonatype's lack of active discussion on the matter, it is time to consider migrating to another solution. It is surprising that, although Helm OCI is commonly used with other Docker/OCI registries out of the box, Sonatype still has not adapted and continues to implement a solution that is not fully compatible with the OCI standard. This is indeed regrettable. Nobody wants to stay and wait—security and adherence to standards are crucial.