Helm subchart promotion does not seem to use credentials

[tmsdce]

Checklist

• I've searched the issue queue to verify this is not a duplicate bug report.
• I've included steps to reproduce the bug.
• I've pasted the output of kargo version.
• I've pasted logs, if applicable.

Description

Hi everyone, this project looks very promising !

I'm giving a first shot at the helm subchart promotion mechanism and I'm getting 401 errors during the helm dependency update phase. It is as if promotion does not use the provided credentials whereas Warehouse's subscription does use it correctly. I saw #1281 but I don't know if it is the exact same issue as it should have been fixed in #1450

Steps to Reproduce

Not sure if this can be reproduced accurately but here's my setup

• I have a repo organised as follows

└── stages
    ├── prod
    │   ├── Chart.yaml
    │   └── values.yaml
    ├── test
    │   ├── Chart.yaml
    │   └── values.yaml
    └── uat
        ├── Chart.yaml
        └── values.yaml

• Each Chart.yaml file has the following dependency defined. The app-for-kargo chart is published on our harbor registry. Proper credentials are needed so that the chart can be pulled.

dependencies:
  - name: app-for-kargo
    version: 0.1.0
    repository: oci://my.harbor.registry/helm

• I have defined a Warehouse that subscribes to both the git repo (for when a value file is updated for example) and the chart repository (for when a new release of the chart is published). The subscription part works fine as a freight is generated showing both the latest commit of the repo and the latest version of the helm chart. Credentials are provided as secrets and correctly used by the warehouse controller. The secret for the Harbor OCI registry uses oci://my.harbor.registry/helm/app-for-kargo for the repoURL field

---
apiVersion: kargo.akuity.io/v1alpha1
kind: Warehouse
metadata:
  name: kargo-demo
  namespace: kargo-demo
spec:
  subscriptions:
  - git:
      repoURL: https://my.git.repo/kargo-demo.git
      includePaths:
      - regex:^stages/.*$
  - chart:
      repoURL: oci://my.harbor.registry/helm/app-for-kargo
      semverConstraint: ^0

• I defined a Stage named test like this

---
apiVersion: kargo.akuity.io/v1alpha1
kind: Stage
metadata:
  name: test
  namespace: kargo-demo
spec:
  subscriptions:
    warehouse: kargo-demo
  promotionMechanisms:
    gitRepoUpdates:
    - repoURL: https://my.git.repo/kargo-demo.git
      writeBranch: stage/test
      helm:
        charts:
          - chartPath: stages/test
            name: app-for-kargo
            repository: oci://my.harbor.registry/helm
    argoCDAppUpdates:
    - appName: kargo-demo-test
      appNamespace: argocd

• When trying to promote the freight to the test stage, I get a 401 during the helm dependency update phase (see logs in the dedicated section)

Version

Client Version: v0.5.2
Server Version: v0.5.2

Logs

• Logs from the controller

time="2024-05-03T15:30:04Z" level=info msg="began promotion" freight=0980b25b17eb868cea939eeb5d584f0862a58596 namespace=kargo-demo promotion=test.01hwzh7ams63ze299er1fccnm8.0980b25 stage=test
time="2024-05-03T15:30:05Z" level=error msg="error executing Promotion: error executing Git-based promotion mechanisms: error executing Helm promotion mechanism: error updating dependencies for chart \"stages/test\": :error running `helm dependency update` for chart at \"/tmp/repo-985781906/repo/stages/test\": error executing cmd [/usr/local/bin/helm dependency update /tmp/repo-985781906/repo/stages/test]: Saving 1 charts\nDownloading app-for-kargo from repo oci://my.harbor.registry/helm\nSave error occurred:  could not download oci://my.harbor.registry/helm/app-for-kargo: unexpected status from HEAD request to https://my.harbor.registry/v2/helm/app-for-kargo/manifests/0.1.0: 401 Unauthorized\nError: could not download oci://my.harbor.registry/helm/app-for-kargo: unexpected status from HEAD request to https://my.harbor.registry/v2/helm/app-for-kargo/manifests/0.1.0: 401 Unauthorized\n" freight=0980b25b17eb868cea939eeb5d584f0862a58596 namespace=kargo-demo promotion=test.01hwzh7ams63ze299er1fccnm8.0980b25 stage=test
time="2024-05-03T15:30:05Z" level=info msg="promotion Errored" freight=0980b25b17eb868cea939eeb5d584f0862a58596 namespace=kargo-demo promotion=test.01hwzh7ams63ze299er1fccnm8.0980b25 stage=test

• On the Harbor side, the request indeed seems to be sent without any form of credential passed

2024-05-03T16:25:20Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"authorize header needed to send HEAD to repository: authorize header needed to send HEAD to repository"}]}

[tmsdce]

Thanks for the fix @hiddeco 👍