Push to OCI insecure registry #10408
Conversation
helm-bot
added
the
size/M
pytimer
force-pushed
the
push-registry
branch
from
8e315df
to
3e0a755
Compare
pytimer
force-pushed
the
push-registry
branch
from
3e0a755
to
f7ebbe7
Compare
|
Need to update this pr code, because oci feature move out experimental. related pr: #10546 |
pytimer
force-pushed
the
push-registry
branch
from
f7ebbe7
to
3660bf8
Compare
|
Update push/pull chart to oci insecure registry from the latest code, because oci feature move out experimental. |
| @@ -54,5 +54,9 @@ func newPushCmd(cfg *action.Configuration, out io.Writer) *cobra.Command { | |||
| }, | |||
| } | |||
|
|
|||
| f := cmd.Flags() | |||
| f.BoolVar(&client.InsecureSkipTLSverify, "insecure-skip-tls-verify", false, "skip tls certificate checks for the chart upload") | |||
There was a problem hiding this comment.
Should this just be --insecure ?
Nvm, looks like this is same flag we use for helm repo commands
There was a problem hiding this comment.
I see the helm pull use insecure-skip-tls-verify, so i add this flag in helm push, should i change it?
| if p.InsecureSkipTLSverify || p.PlainHTTP { | ||
| if err := p.cfg.RegistryClient.WithResolver(p.InsecureSkipTLSverify, p.PlainHTTP); err != nil { | ||
| return out.String(), err | ||
| } | ||
| } |
There was a problem hiding this comment.
@pytimer - can we also make sure this is used in helm install / helm upgrade?
See #10659 (comment)
There was a problem hiding this comment.
I missing it, i will try it tomorrow.
There was a problem hiding this comment.
I see the helm install/upgrade code, now --insecure-skip-tls-verify not used in install/upgrade command when scheme is oci://.
I can do it in helm install/upgrade to support insecure OCI registry, but i'm not sure that in this pr or open another pr to do it.
There was a problem hiding this comment.
if you have the bandwidth to add to install/upgrade, please do!
|
it worked with self-signed ssl! Push> helm push traefik-10.14.1.tgz oci://[gitlab]:5005/arukiidou/grype --insecure-skip-tls-verify
Pushed: [gitlab]:5005/arukiidou/grype/traefik:10.14.1
Digest: sha256:2b9166854adf09d2aa0d24dd166431539e369caa94bb57750bd87f195917a248
> helm push traefik-10.14.1.tgz oci://[gitlab]:5005/arukiidou/grype
Error: failed to do request: Head "https://[gitlab]:5005/v2/arukiidou/grype/traefik/blobs/sha256:32fd640f11acced4fdb4d13866394e2a94a0085de340b59b807f9a95cbfb1f9b": x509: certificate signed by unknown authority
pull> helm pull oci://[gitlab]:5005/arukiidou/grype/traefik --insecure-skip-tls-verify
Pulled: [gitlab]:5005/arukiidou/grype/traefik:10.14.1
Digest: sha256:2b9166854adf09d2aa0d24dd166431539e369caa94bb57750bd87f195917a248
> helm pull oci://[gitlab]:5005/arukiidou/grype/traefik
Error: Get "https://[gitlab]:5005/v2/arukiidou/grype/traefik/tags/list": x509: certificate signed by unknown authority |
|
Waiting for this fix to implement OCI based image and helm repository using Harbor. |
|
I will commit |
|
Now this pr supports @jdolitsky please review the code if you have time, thanks. |
|
@pytimer - can you please fix the DCO error? |
|
I believe this is in conflict with #10638 ... @antgamdia - once @pytimer fixes DCO, would you be able to push on top of this PR/fork? I think @pytimer - let us know if this sounds OK to you |
I will fix it today. |
OK. If need me to do anything, please tell me, thanks. |
Signed-off-by: pytimer <lixin20101023@gmail.com>
Signed-off-by: pytimer <lixin20101023@gmail.com>
pytimer
force-pushed
the
push-registry
branch
from
a500a9b
to
2f861d4
Compare
Sure! Will do during next week |
|
3.10.3 version, helm push not find -insecure-skip-tls-verify |
|
@dreamerkr this PR was not merged yet so it did not make it into the 3.10 release |
now,How to solve this problem? the best solution use https? but I only want try it |
|
@dreamerkr currently, yes only an HTTPS expository is supported. As mentioned, there are ongoing efforts to bring the plain HTTP based integrations |
|
Can we get a release with this PR merged please? |
|
Could we get this feature merged? It has been here for a long time. We need this feature. Thanks. |
|
Tested v3.11.3 |
still not work in v3.11.3 login |
Ah, yep you're correct. I confused this with a server using a self-signed certificate |
root@ubuntu:/home/cyxinda/workspace/test# helm version
version.BuildInfo{Version:"v3.12.0", GitCommit:"c9f554d75773799f72ceef38c51210f1842a1dea", GitTreeState:"clean", GoVersion:"go1.20.3"}
root@ubuntu:/home/cyxinda/workspace# helm push test-0.1.0.tgz oci://harbor.192.168.5.6.nip.io/my --ca-file /etc/containerd/certs.d/harbor.192.168.5.6.nip.io/ca.crt --cert-file /etc/containerd/certs.d/harbor.192.168.5.6.nip.io/harbor.192.168.5.6.nip.io.cert --key-file /etc/containerd/certs.d/harbor.192.168.5.6.nip.io/harbor.192.168.5.6.nip.io.key
Pushed: harbor.192.168.5.6.nip.io/my/test:0.1.0
Digest: sha256:15244ea1d01d8d7f4617252687c8c143ef543d61c9e13657ef30139258b8944d
root@ubuntu:/home/cyxinda/workspace/test# helm pull oci://harbor.192.168.5.6.nip.io/my/test --version 0.1.0 --ca-file /etc/containerd/certs.d/harbor.192.168.5.6.nip.io/ca.crt --cert-file /etc/containerd/certs.d/harbor.192.168.5.6.nip.io/harbor.192.168.5.6.nip.io.cert --key-file /etc/containerd/certs.d/harbor.192.168.5.6.nip.io/harbor.192.168.5.6.nip.io.key
Pulled: harbor.192.168.5.6.nip.io/my/test:0.1.0
Digest: sha256:15244ea1d01d8d7f4617252687c8c143ef543d61c9e13657ef30139258b8944d
root@ubuntu:/home/cyxinda/workspace/test# ls
test-0.1.0.tgz
|
joejulian
added
needs-rebase
|
@pytimer Can you please rebase? |
|
When will this be merged? We actually need this badly. |
|
@BesartSulejmani Capabilities should now be available We should be good to close this PR as I believe that everything has been covered? @mattfarina @joejulian @gjenkins8 |
I agree. Closing |
What this PR does / why we need it:
This PR implement push chart to OCI registry, or pull chart from OCI registry.
Fixes: #6324
Usage:
Special notes for your reviewer:
If applicable: