helm: Cannot push to HTTPS registry with self-signed certificate

I run an Harbor Repository and on the client I use helm 3.8.0. Client is Ubuntu. What is the hack to push the chart to a insecure registry?

If i try to push a helm chart to that registry I always get:

helm push btcsp-umbrella-1.0.0.tgz oci://harbor.osc.local/btcsp-staging
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/developer/.kube/config
Error: failed to do request: Head "https://harbor.osc.local/v2/btcsp-staging/btcsp-umbrella/blobs/sha256:a6cf34fd818a273010c54a86c69fbf42d3630d8bd2c18b227702905dd50e8ed5": x509: certificate signed by unknown authority

I tried with helm registry login with --insecure flag and this report login successful.

The output with helm push and --debug is:

helm push btcsp-umbrella-1.0.0.tgz oci://harbor.osc.local/btcsp-staging --debug
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/developer/.kube/config
WARN[0000] reference for unknown type: application/vnd.cncf.helm.chart.content.v1.tar+gzip 
DEBU[0000] checking and pushing to                       url="https://harbor.osc.local/v2/btcsp-staging/btcsp-umbrella/blobs/sha256:9c490d861642afe351815bca43c9ec2f97a02ccd328ca7ff3332843fb1c6a9d8"
DEBU[0000] do request                                    request.header.accept="application/vnd.cncf.helm.chart.content.v1.tar+gzip, */*" request.header.user-agent=Helm/3.8.0 request.method=HEAD url="https://harbor.osc.local/v2/btcsp-staging/btcsp-umbrella/blobs/sha256:9c490d861642afe351815bca43c9ec2f97a02ccd328ca7ff3332843fb1c6a9d8"
WARN[0000] reference for unknown type: application/vnd.cncf.helm.config.v1+json 
DEBU[0000] checking and pushing to                       url="https://harbor.osc.local/v2/btcsp-staging/btcsp-umbrella/blobs/sha256:a6cf34fd818a273010c54a86c69fbf42d3630d8bd2c18b227702905dd50e8ed5"
DEBU[0000] do request                                    request.header.accept="application/vnd.cncf.helm.config.v1+json, */*" request.header.user-agent=Helm/3.8.0 request.method=HEAD url="https://harbor.osc.local/v2/btcsp-staging/btcsp-umbrella/blobs/sha256:a6cf34fd818a273010c54a86c69fbf42d3630d8bd2c18b227702905dd50e8ed5"
Error: failed to do request: Head "https://harbor.osc.local/v2/btcsp-staging/btcsp-umbrella/blobs/sha256:9c490d861642afe351815bca43c9ec2f97a02ccd328ca7ff3332843fb1c6a9d8": x509: certificate signed by unknown authority
helm.go:84: [debug] Head "https://harbor.osc.local/v2/btcsp-staging/btcsp-umbrella/blobs/sha256:9c490d861642afe351815bca43c9ec2f97a02ccd328ca7ff3332843fb1c6a9d8": x509: certificate signed by unknown authority
failed to do request
github.com/containerd/containerd/remotes/docker.(*request).do
	github.com/containerd/containerd@v1.5.9/remotes/docker/resolver.go:569
github.com/containerd/containerd/remotes/docker.(*request).doWithRetries
	github.com/containerd/containerd@v1.5.9/remotes/docker/resolver.go:576
github.com/containerd/containerd/remotes/docker.dockerPusher.push
	github.com/containerd/containerd@v1.5.9/remotes/docker/pusher.go:118
github.com/containerd/containerd/remotes/docker.dockerPusher.Push
	github.com/containerd/containerd@v1.5.9/remotes/docker/pusher.go:65
oras.land/oras-go/pkg/oras.pusherIngester.Writer
	oras.land/oras-go@v1.1.0/pkg/oras/store.go:212
oras.land/oras-go/pkg/oras.(*hybridStore).Writer
	oras.land/oras-go@v1.1.0/pkg/oras/store.go:106
oras.land/oras-go/pkg/oras.(*hybridStore).Push
	oras.land/oras-go@v1.1.0/pkg/oras/store.go:72
oras.land/oras-go/pkg/oras.transferContent.func2.1
	oras.land/oras-go@v1.1.0/pkg/oras/copy.go:111
oras.land/oras-go/pkg/oras.transferContent.func3
	oras.land/oras-go@v1.1.0/pkg/oras/copy.go:137
github.com/containerd/containerd/images.HandlerFunc.Handle
	github.com/containerd/containerd@v1.5.9/images/handlers.go:55
github.com/containerd/containerd/images.Handlers.func1
	github.com/containerd/containerd@v1.5.9/images/handlers.go:65
github.com/containerd/containerd/images.HandlerFunc.Handle
	github.com/containerd/containerd@v1.5.9/images/handlers.go:55
github.com/containerd/containerd/images.Dispatch.func1
	github.com/containerd/containerd@v1.5.9/images/handlers.go:134
golang.org/x/sync/errgroup.(*Group).Go.func1
	golang.org/x/sync@v0.0.0-20210220032951-036812b2e83c/errgroup/errgroup.go:57
runtime.goexit
	runtime/asm_amd64.s:1581

The commands are:

helm package btcsp/
helm registry login harbor.osc.local --insecure --username johnDoe --password johnDoe
helm push btcsp-umbrella-1.0.0.tgz oci://harbor.osc.local/btcsp-staging

About this issue

Original URL
State: closed
Created 2 years ago
Reactions: 2
Comments: 27 (5 by maintainers)

Most upvoted comments

This bug is not stale.

breed808 on Jul 22, 2022

Maybe 3.8.1 release, this pr wait @antgamdia to merge the pr: https://github.com/helm/helm/pull/10638 .

pytimer on Mar 2, 2022

As a workaround you can try copy certificate of CA to /usr/local/share/ca-certificates/ and call update-ca-certificates

vklidu on Nov 11, 2022

Should be fixed in 3.8.1…unbelievable

ognif on Feb 8, 2022

This may be related to https://github.com/helm/helm/pull/10408 which should be fixed in 3.8.1

@ognif - do you want to try that changeset and see if it fixes your issue?

jdolitsky on Feb 8, 2022