helm v3.6.1 breaks compatibility with azure container registry #9857
I'm sorry, but posting only a single link isn't very helpful and I'm well aware of that change.
EDIT: it only works when I set |
As a temporary workaround, one could do:

```bash
REPO="myrepo"
FILE="${HOME}/.config/helm/repositories.yaml"
FILE_TMP=$(mktemp)
# add repo
az acr helm repo add --name "${REPO}"
# patch repo
yq -y '(.repositories[] | select(.name == $REPO) | .pass_credentials_all) |= true' --arg REPO "${REPO}" < "${FILE}" > "${FILE_TMP}"
# overwrite config with patched one
mv "${FILE_TMP}" "${FILE}"
```
Apologies. Was in the middle of grabbing coffee and on my way to the helm dev call this morning. Was just posting a link to quickly give some background context. The security release discusses a breaking change to the way Helm passes username/password credentials to the server hosting the chart package, listed in the
In Helm, we had to introduce a new However, in the latter case, they use a custom You can also work around this by adding the field to your local Hope this is more helpful. |
An alternative option may be to look at the implementation details of |
Marking as a support issue as this relates to a third-party implementation. We're happy to provide details, but it'll be up to the ACR team to implement. |
Thanks for bringing this up.
If this is causing an issue with ACR it means that another domain is being used (possibly on a redirect). It might be good to put in some more debugging logging to identify what's going on in helm. |
Wait, it wasn't clear to me to use both

```bash
REPO="myrepo"
#CRED=($(az acr credential show -n ${REPO} --query '{username: username, password: passwords[0].value}' -o tsv))
CRED=($(az acr credential show -n "${REPO}" | jq -r '.username, .passwords[0].value'))
HOST=$(az acr show -n "${REPO}" --query 'loginServer' -o tsv)
REPO_URL="https://${HOST}/helm/v1/repo"
helm repo add "${REPO}" "${REPO_URL}" \
  --username "${CRED[0]}" \
  --password "${CRED[1]}" \
  --pass-credentials
```

EDIT: single query for credentials
Now as I understand, the last of these cases should mean that my setup should work, but it does not (I've only replaced a domain name with xxx):
I understand that helm might complain because the "-regular" repo is added without the port but the repo contains the port. But the repo added with the port should work right? It's identical between repo config and repo content. Both repos were added using helm versions before 3.6.1. |
In case of Azure Container Registry the host added to the repo list is the login server, the charts are served from another server. Example:

```
$ helm repo add myrepo https://myrepo.azurecr.io/helm/v1/repo
"myrepo" has been added to your repositories
$ tail ~/.config/helm/repositories.yaml
- caFile: ""
  certFile: ""
  insecure_skip_tls_verify: false
  keyFile: ""
  name: myrepo
  pass_credentials_all: false
  password: ""
  url: https://myrepo.azurecr.io/helm/v1/repo
  username: ""
$ head ~/.cache/helm/repository/myrepo-index.yaml
apiVersion: v1
entries:
  mychart:
  - annotations:
      azurecr.io/manifest-digest: sha256:REDACTED
    apiVersion: v2
    appVersion: 1.16.0
    created: "2021-01-14T14:00:16.4682893Z"
    description: A Helm chart for Kubernetes
    digest: REDACTED
$ helm pull myrepo/mychart
Error: failed to fetch https://myrepo.azurecr.io/helm/v1/repo/_blobs/mychart-1.5.42.tgz : 401 Unauthorized
```

As you can see, the repository has hostname

EDIT: not sure if this information is correct...
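An offline check for the two situations raised in this thread, chart URLs served from a different host than the repo URL and URLs that differ only in how the port is written. This is an added example, not Helm's code and not from any commenter; the function names and the `example.test` URLs are constructed, and it does not reproduce Helm's own comparison logic. It cannot see HTTP redirects, so a `same-origin` result does not rule out a 401 caused by one.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url, fill_default_port=True):
    """Return (scheme, host, port); optionally fill in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port
    if port is None and fill_default_port:
        port = DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def audit_chart_urls(repo_url, chart_urls):
    """Classify every chart URL from an index against the repo URL.

    same-origin        : scheme, host and port are written identically
    port-notation-only : same server, but only one side spells out the port
    cross-origin       : another scheme/host/port; repo credentials would be
                         sent there once pass_credentials_all is true
    """
    base = repo_url if repo_url.endswith("/") else repo_url + "/"
    findings = []
    for entry in chart_urls:
        absolute = urljoin(base, entry)  # index entries may be relative
        if origin(absolute, False) == origin(base, False):
            verdict = "same-origin"
        elif origin(absolute) == origin(base):
            verdict = "port-notation-only"
        else:
            verdict = "cross-origin"
        findings.append((absolute, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample data; example.test hosts are placeholders.
    samples = {
        "https://myrepo.azurecr.io/helm/v1/repo": ["_blobs/mychart-1.5.42.tgz"],
        "https://charts.example.test": [
            "https://charts.example.test:443/app-1.0.0.tgz",
            "https://cdn.example.test/app-1.0.0.tgz",
        ],
    }
    for repo, urls in samples.items():
        for url, verdict in audit_chart_urls(repo, urls):
            print(f"{verdict:20} {url}")
```

Running it against the `urls` entries of a cached index before setting `pass_credentials_all` shows which other hosts would start receiving the repository's username and password.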
I'll add the same details as in @josefschabasser comment for my example:
As far as I can tell, for "internal" both urls are the same https://packages.cloud.xxx.de:443/. |
We’re aware of a few cases where artifactory could be using an internal redirect to another domain, which can cause the 401. Please do let us know if you can find out more about your case though. |
I'm seeing the same issue with Artifactory, where I can't download the chart if the repo wasn't added with
|
It might be helpful to have such a redirect included in --debug output in the future. |
Can you please test #9871 to see if it fixes your issue. |
I'm happy to report that Helm 3.6.2 fixes parts of the issue. |
Can confirm that specifying url with port now works correctly with Artifactory in helm 3.6.2 and |
Closing this issue as the OP's issue has been fixed in Helm 3.6.2. For follow-up discussions please open another ticket so that we can track that ticket separately. Thanks. |
Sorry, I'm late to the party. helm v3.6.2 indeed restores compatibility with Azure Container Registries, no need to use |
Output of `helm version`:

Output of `kubectl version`:

Cloud Provider/Platform (AKS, GKE, Minikube etc.): AKS

Steps to reproduce:

Expected outcome: chart can be installed/upgraded/pulled without issues

Actual outcome: adding repo and updating repo data works, everything else fails

Steps to mitigate: do not upgrade to v3.6.1, use HelmToolinstaller in Azure pipeline to install older version