allenporter/flux-local

Test does not work with OCI repositories

tropnikovvl opened this issue · 4 comments

I'm using this project and the test fails on it.
Flux docs.

flux-local test --path clusters/my-cluster --enable-helm -v
E           flux_local.exceptions.HelmException: Command 'helm template harbor-project-proxy oci://ghcr.io/hiddenmarten/harbor-project-proxy --namespace harbor --skip-crds --skip-tests --version 0.0.1 --values /var/folders/dr/8ck5qq7x1qs12dr6ccwjq2280000gn/T/tmp5ob58gxn/harbor-harbor-project-proxy-values.yaml --registry-config /dev/null --repository-cache /var/folders/dr/8ck5qq7x1qs12dr6ccwjq2280000gn/T/tmpnz52qm_3 --repository-config /var/folders/dr/8ck5qq7x1qs12dr6ccwjq2280000gn/T/tmp5ob58gxn/repository-config.yaml' failed with return code 1
E           Error: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Ahiddenmarten%2Fharbor-project-proxy%3Apull&service=ghcr.io: 403 Forbidden
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: hiddenmarten
  namespace: flux-system
spec:
  type: "oci"
  interval: 3h
  url: oci://ghcr.io/hiddenmarten
  timeout: 3m
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: harbor-project-proxy
  namespace: harbor
spec:
  chart:
    spec:
      chart: harbor-project-proxy
      version: 0.0.1
      sourceRef:
        kind: HelmRepository
        name: hiddenmarten
        namespace: flux-system
  releaseName: harbor-project-proxy

Do you have a helm template command that works for this repository? It gets a 403 Forbidden in the example, so are you expecting this to work without any secrets/permissions?

There seems to be some problem with this repository.
I will contact the owner and describe the situation.

In any case, I was able to reproduce the helm template on another OCI helm chart, but unfortunately, to do this I needed to log into my GitHub account.
I haven't found a workaround yet to avoid this.

echo $GITHUB_TOKEN | docker login ghcr.io -u tropnikovvl --password-stdin

helm template oci://ghcr.io/stefanprodan/charts/podinfo

I don't seem to need any credentials:

$ helm version
version.BuildInfo{Version:"v3.14.4", GitCommit:"81c902a123462fd4052bc5e9aa9c513c4c8fc142", GitTreeState:"clean", GoVersion:"go1.21.9"}
$ helm template oci://ghcr.io/stefanprodan/charts/podinfo  | head
Pulled: ghcr.io/stefanprodan/charts/podinfo:6.6.2
Digest: sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154
---
# Source: podinfo/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-podinfo
  labels:
    helm.sh/chart: podinfo-6.6.2
    app.kubernetes.io/name: release-name-podinfo
    app.kubernetes.io/version: "6.6.2"

I checked everything carefully again and this functionality works.
There are some problems on my side and on the side of the creator of the chart I mentioned.
Thanks for the help! The issue can be closed.
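For triaging this kind of failure in CI, the following added example (not code from this thread or from flux-local) pulls the registry, repository scope and HTTP status out of the helm error quoted in the report, so a refused token request can be told apart from a rendering failure. The function name `triage_helm_oci_error` and the `category` labels are hypothetical; the sample line is the one from the report.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Sample input: the helm error line quoted in the report above.
SAMPLE = (
    "E           Error: failed to authorize: failed to fetch oauth token: "
    "unexpected status from GET request to https://ghcr.io/token?scope="
    "repository%3Ahiddenmarten%2Fharbor-project-proxy%3Apull&service=ghcr.io: "
    "403 Forbidden"
)

TOKEN_ERROR = re.compile(
    r"failed to fetch oauth token: unexpected status from GET request to "
    r"(?P<url>\S+): (?P<status>\d{3}) (?P<reason>.+)$"
)


def triage_helm_oci_error(output: str) -> Optional[dict]:
    """Return the registry, repository and status of the first token failure."""
    for line in output.splitlines():
        match = TOKEN_ERROR.search(line.strip())
        if match is None:
            continue
        url = urlsplit(match["url"])
        query = parse_qs(url.query)  # also undoes the %3A / %2F encoding
        # Scope has the form <type>:<name>:<comma-separated actions>.
        scope = query.get("scope", [""])[0]
        _kind, _, rest = scope.partition(":")
        name, _, actions = rest.rpartition(":")
        status = int(match["status"])
        return {
            "registry": url.hostname,
            "service": query.get("service", [""])[0],
            "repository": name,
            "actions": actions.split(",") if actions else [],
            "status": status,
            # 401/403 here means the token request was refused, before any
            # chart data was fetched; other codes are left unclassified.
            "category": "registry-auth" if status in (401, 403) else "other",
        }
    return None


if __name__ == "__main__":
    print(triage_helm_oci_error(SAMPLE))
```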