Local insecure registry for oci based helm charts?
ramarnat opened this issue · 5 comments
What happened?
I have set up a local registry based on the instructions here - https://kind.sigs.k8s.io/docs/user/local-registry/
When setting the helm chart properties, using oci (the registry was loaded with the oci pkg):
forProvider:
  namespace: cp
  chart:
    name: foo-operator
    repository: oci://registry:5000
    version: "1.7.0"
  insecureSkipTLSVerify: true
I have tried a bunch of different options, but none of them work. If we use a named registry, the provider tries to use https:// and produces this error:
DEBUG events Warning {"object": {"kind":"Release","name":"foo","uid":"84508856-0b77-45a8-abee-2f898f7e0a7c","apiVersion":"helm.crossplane.io/v1beta1","resourceVersion":"8476"}, "reason": "CannotCreateExternalResource", "message": "failed to install release: failed to login to registry: Get \"https://registry:5000/v2/\": http: server gave HTTP response to HTTPS client"}
In kind the configuration for skipping tls is also set:
[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."registry:5000"]
      [plugins."io.containerd.grpc.v1.cri".registry.configs."registry:5000".tls]
        insecure_skip_verify = true
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
      endpoint = ["https://registry.k8s.io", "https://k8s.gcr.io"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5001"]
      endpoint = ["http://registry:5000", "oci://registry:5000"]
How can we reproduce it?
- Create a local registry following https://kind.sigs.k8s.io/docs/user/local-registry/
- Upload an oci helm chart
- Use the oci helm chart from a composition
What environment did it happen in?
Crossplane version:
Chart Name: crossplane
Chart Description: Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume.
Chart Version: 1.9.0
Chart Application Version: 1.9.0
Kube Version: v1.25.0
It appears as though you can perform a login to an insecure registry, but you cannot pull from an insecure registry.
If I do not provide credentials, the error message is as follows:
create failed: failed to install release: failed to login to registry: Get "http://registry:5000/v2/": no basic auth credentials
When credentials are provided, it appears to perform the login without issue, but errors on the pull:
failed to install release: failed to pull chart: failed to do request: Head "https://registry:5000/v2/helm-charts/mychart/manifests/1.0.0": http: server gave HTTP response to HTTPS client
I do not know Go, but it seems as though the InsecureSkipTLSverify bool is not being passed to the Pull client.
Edit:
Looks like this may not even be possible until this is merged?
helm/helm#10408
Looks like this MR adds the missing functionality:
helm/helm#11599
I'm hoping this is either possible or closer to possible now that #202 has been resolved. If someone wants to try this scenario out and take it to the finish line if needed, that could be a welcome contribution 🙇
This probably does solve it, but I am not working with the original product that required having this issue resolved.
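The "server gave HTTP response to HTTPS client" message quoted in this thread is produced by Go's HTTP client, and the added example below (not code from provider-helm or Helm) reproduces it to show that disabling certificate verification does not make a client speak plain HTTP. It assumes a constructed local stand-in for the registry's /v2/ endpoint; the function names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newPlainRegistry starts a constructed stand-in for a plain-HTTP registry
// answering /v2/. It returns host:port and a function that stops the server.
func newPlainRegistry() (string, func()) {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewServer(mux)
	return strings.TrimPrefix(srv.URL, "http://"), srv.Close
}

// probe requests <scheme>://<host>/v2/ with certificate verification
// disabled, the client-side equivalent of a "skip TLS verify" setting.
func probe(scheme, host string) (int, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
	resp, err := client.Get(scheme + "://" + host + "/v2/")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// schemeMismatch reports whether err is the HTTPS-client-to-HTTP-server error.
func schemeMismatch(err error) bool {
	return err != nil && strings.Contains(err.Error(), "server gave HTTP response to HTTPS client")
}

func main() {
	host, stop := newPlainRegistry()
	defer stop()
	_, err := probe("https", host) // skip-verify is set, the TLS handshake still fails
	fmt.Println("https with skip-verify:", err, "| scheme mismatch:", schemeMismatch(err))
	code, err := probe("http", host) // only a plain-HTTP request reaches the server
	fmt.Println("http:", code, err)
}
```

Skipping verification only relaxes certificate checks inside a TLS session, so a registry served without TLS needs the client to use http:// explicitly.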