k3s-io/helm-controller

Allow to pull charts from OCI registry

giuscri opened this issue · 6 comments

Would someone write some pointers for how to implement this?

I just tried to install an OCI chart and it works just fine if you put the full URI (oci://...) into the spec.chart field of a HelmChart CR. (No need to specify the spec.repo)

> I just tried to install an OCI chart and it works just fine if you put the full URI (oci://...) into the spec.chart field of a HelmChart CR. (No need to specify the spec.repo)

I think this works only for registries using HTTPS. When using k3d managed registries, these are HTTP, so the install errors out with failed to do request: Head "https://k3d-registry.localhost:5000/v2/mychart/manifests/0.1.0": http: server gave HTTP response to HTTPS client for me

I think this requires helm/helm#6324

I ran into this issue when trying to leverage a private OCI registry. It seems that public OCI registries work by excluding the repo field and fully-qualifying the chart. However, private registries do not, and the authSecret support added here only works when repo is provided, which doesn't work with oci:// registries. When installing locally, I log in using docker login and then helm pull oci:// works fine, as it seems to inherit the credentials. Given that it is fairly common to create a docker registry secret in the cluster so that kubelet can pull the images from the oci:// registry, I found that if you can mount that same registry secret in /home/klipper-helm/docker then it works fine. I would be glad to push a PR if there is interest, but honestly I'm not all that familiar with Go, so it might take a minute.

@smbecker hmm, so there is no facility for hosting a repo index when using an OCI registry as the chart store?

> @smbecker hmm, so there is no facility for hosting a repo index when using an OCI registry as the chart store?

Helm only supports a subset of commands when targeting OCI registries. You can explicitly log in, but it has been my experience that when using OCI-based registries for Helm charts, the containers are likely on the same registry as well. In that case, it is easier to just use the inherited docker authentication to log in for Helm as well.