helm: Helm 3: 'helm chart push/pull' can't fetch oauth token

Output of helm version: version.BuildInfo{Version:"v3.0.0-alpha.2", GitCommit:"97e7461e41455e58d89b4d7d192fed5352001d44", GitTreeState:"clean", GoVersion:"go1.12.7"}

I set up a Docker registry (container, image is registry:2) and an auth server (another container, image is cesanta/docker_auth:latest).

And I enabled token auth on the registry. The auth configuration of the registry container is as follows:

auth:
  token:
    realm: https://helm.auth.zte.com:5001/auth
    service: "token"
    issuer: "Auth Service"
    rootcertbundle: /certs/server.pem
http:
  addr: :5000
  host: https://helm.registry.zte.com:5000
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
  headers:
    X-Content-Type-Options: [nosniff]

The config of the auth server is as follows:

server:  # Server settings.
  # Address to listen on.
  addr: ":5001"
  # TLS certificate and key.
  certificate: "/ssl/server.pem"
  key: "/ssl/server.key"

token:  # Settings for the tokens.
  issuer: "Auth Service"  # Must match issuer in the Registry config.
  expiration: 900


# Static user map.
users:
  # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
  "helm":
    password: "$2y$05$JX9D.kynlW5HsbWx7FeUOuBY7XdKAB/bq27yLAFmFCsrcDzgzHdpi"

acl:
  # Admin has full access to everything.
  - match: {account: "helm"}
    actions: ["*"]

“helm registry login https://helm.registry.zte.com:5000” returned “Login succeed”. But when I ran helm chart push, the response from helm was:

helm chart --debug push helm.registry.zte.com:5000/mysql:1.2.0
The push refers to repository [helm.registry.zte.com:5000/mysql]
Name: mysql
Version: 1.2.0
Meta: sha256:ce6406ac24828c894298fbf6f2b45552e15033de13e11a79968c6e73a959d7c1
Content: sha256:ab5943bba9a103dabb3c579ec116c5cd90e9cd06693583f5dc31c03653fe3564
WARN[0000] encountered unknown type application/vnd.cncf.helm.chart.content.layer.v1+tar; children may not be fetched 
DEBU[0000] push                                          digest="sha256:ab5943bba9a103dabb3c579ec116c5cd90e9cd06693583f5dc31c03653fe3564" mediatype=application/vnd.cncf.helm.chart.content.layer.v1+tar size=4086
WARN[0000] reference for unknown type: application/vnd.cncf.helm.chart.content.layer.v1+tar  digest="sha256:ab5943bba9a103dabb3c579ec116c5cd90e9cd06693583f5dc31c03653fe3564" mediatype=application/vnd.cncf.helm.chart.content.layer.v1+tar size=4086
DEBU[0000] do request                                    digest="sha256:ab5943bba9a103dabb3c579ec116c5cd90e9cd06693583f5dc31c03653fe3564" mediatype=application/vnd.cncf.helm.chart.content.layer.v1+tar request.headers="map[Accept:[application/vnd.cncf.helm.chart.content.layer.v1+tar, *]]" request.method=HEAD size=4086 url="https://helm.registry.zte.com:5000/v2/mysql/blobs/sha256:ab5943bba9a103dabb3c579ec116c5cd90e9cd06693583f5dc31c03653fe3564"
WARN[0000] encountered unknown type application/vnd.cncf.helm.config.v1+json; children may not be fetched 
DEBU[0000] push                                          digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" mediatype=application/vnd.cncf.helm.config.v1+json size=2
WARN[0000] reference for unknown type: application/vnd.cncf.helm.config.v1+json  digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" mediatype=application/vnd.cncf.helm.config.v1+json size=2
DEBU[0000] do request                                    digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" mediatype=application/vnd.cncf.helm.config.v1+json request.headers="map[Accept:[application/vnd.cncf.helm.config.v1+json, *]]" request.method=HEAD size=2 url="https://helm.registry.zte.com:5000/v2/mysql/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
WARN[0000] encountered unknown type application/vnd.cncf.helm.chart.meta.layer.v1+json; children may not be fetched 
DEBU[0000] push                                          digest="sha256:ce6406ac24828c894298fbf6f2b45552e15033de13e11a79968c6e73a959d7c1" mediatype=application/vnd.cncf.helm.chart.meta.layer.v1+json size=492
WARN[0000] reference for unknown type: application/vnd.cncf.helm.chart.meta.layer.v1+json  digest="sha256:ce6406ac24828c894298fbf6f2b45552e15033de13e11a79968c6e73a959d7c1" mediatype=application/vnd.cncf.helm.chart.meta.layer.v1+json size=492
DEBU[0000] do request                                    digest="sha256:ce6406ac24828c894298fbf6f2b45552e15033de13e11a79968c6e73a959d7c1" mediatype=application/vnd.cncf.helm.chart.meta.layer.v1+json request.headers="map[Accept:[application/vnd.cncf.helm.chart.meta.layer.v1+json, *]]" request.method=HEAD size=492 url="https://helm.registry.zte.com:5000/v2/mysql/blobs/sha256:ce6406ac24828c894298fbf6f2b45552e15033de13e11a79968c6e73a959d7c1"
DEBU[0000] fetch response received                       digest="sha256:ce6406ac24828c894298fbf6f2b45552e15033de13e11a79968c6e73a959d7c1" mediatype=application/vnd.cncf.helm.chart.meta.layer.v1+json response.headers="map[Content-Length:[148] Content-Type:[application/json; charset=utf-8] Date:[Tue, 13 Aug 2019 02:07:40 GMT] Docker-Distribution-Api-Version:[registry/2.0] Www-Authenticate:[Bearer realm=\"https://helm.auth.zte.com:5001/auth\",service=\"token\",scope=\"repository:mysql:pull\"] X-Content-Type-Options:[nosniff]]" size=492 status="401 Unauthorized" url="https://helm.registry.zte.com:5000/v2/mysql/blobs/sha256:ce6406ac24828c894298fbf6f2b45552e15033de13e11a79968c6e73a959d7c1"
DEBU[0000] Unauthorized                                  digest="sha256:ce6406ac24828c894298fbf6f2b45552e15033de13e11a79968c6e73a959d7c1" header="Bearer realm=\"https://helm.auth.zte.com:5001/auth\",service=\"token\",scope=\"repository:mysql:pull\"" mediatype=application/vnd.cncf.helm.chart.meta.layer.v1+json size=492
DEBU[0000] fetch response received                       digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" mediatype=application/vnd.cncf.helm.config.v1+json response.headers="map[Content-Length:[148] Content-Type:[application/json; charset=utf-8] Date:[Tue, 13 Aug 2019 02:07:40 GMT] Docker-Distribution-Api-Version:[registry/2.0] Www-Authenticate:[Bearer realm=\"https://helm.auth.zte.com:5001/auth\",service=\"token\",scope=\"repository:mysql:pull\"] X-Content-Type-Options:[nosniff]]" size=2 status="401 Unauthorized" url="https://helm.registry.zte.com:5000/v2/mysql/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
DEBU[0000] Unauthorized                                  digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" header="Bearer realm=\"https://helm.auth.zte.com:5001/auth\",service=\"token\",scope=\"repository:mysql:pull\"" mediatype=application/vnd.cncf.helm.config.v1+json size=2
DEBU[0000] token request failed                          body="Bad request: invalid scope: \"repository:mysql:pull repository:mysql:pull,push\"\n" digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" mediatype=application/vnd.cncf.helm.config.v1+json size=2 status="400 Bad Request"
Error: failed to fetch oauth token: unexpected status: 400 Bad Request
helm.go:76: [debug] unexpected status: 400 Bad Request
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerAuthorizer).fetchTokenWithOAuth
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go:215
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerAuthorizer).setTokenAuth
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go:149
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerAuthorizer).AddResponses
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go:83
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerBase).retryRequest
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/resolver.go:393
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerBase).doRequestWithRetries
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/resolver.go:373
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.dockerPusher.Push
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/pusher.go:86
helm.sh/helm/vendor/github.com/containerd/containerd/remotes.push
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/handlers.go:135
helm.sh/helm/vendor/github.com/containerd/containerd/remotes.PushHandler.func1
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/handlers.go:127
helm.sh/helm/vendor/github.com/containerd/containerd/images.HandlerFunc.Handle
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/images/handlers.go:53
helm.sh/helm/vendor/github.com/containerd/containerd/images.Handlers.func1
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/images/handlers.go:63
helm.sh/helm/vendor/github.com/containerd/containerd/images.HandlerFunc.Handle
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/images/handlers.go:53
helm.sh/helm/vendor/github.com/containerd/containerd/images.Dispatch.func1
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/images/handlers.go:123
helm.sh/helm/vendor/golang.org/x/sync/errgroup.(*Group).Go.func1
	/go/src/helm.sh/helm/vendor/golang.org/x/sync/errgroup/errgroup.go:57
runtime.goexit
	/usr/local/go/src/runtime/asm_386.s:1321
failed to fetch oauth token
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerAuthorizer).setTokenAuth
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go:151
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerAuthorizer).AddResponses
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go:83
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerBase).retryRequest
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/resolver.go:393
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.(*dockerBase).doRequestWithRetries
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/resolver.go:373
helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker.dockerPusher.Push
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/docker/pusher.go:86
helm.sh/helm/vendor/github.com/containerd/containerd/remotes.push
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/handlers.go:135
helm.sh/helm/vendor/github.com/containerd/containerd/remotes.PushHandler.func1
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/remotes/handlers.go:127
helm.sh/helm/vendor/github.com/containerd/containerd/images.HandlerFunc.Handle
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/images/handlers.go:53
helm.sh/helm/vendor/github.com/containerd/containerd/images.Handlers.func1
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/images/handlers.go:63
helm.sh/helm/vendor/github.com/containerd/containerd/images.HandlerFunc.Handle
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/images/handlers.go:53
helm.sh/helm/vendor/github.com/containerd/containerd/images.Dispatch.func1
	/go/src/helm.sh/helm/vendor/github.com/containerd/containerd/images/handlers.go:123
helm.sh/helm/vendor/golang.org/x/sync/errgroup.(*Group).Go.func1
	/go/src/helm.sh/helm/vendor/golang.org/x/sync/errgroup/errgroup.go:57
runtime.goexit
	/usr/local/go/src/runtime/asm_386.s:1321

I suspected the auth server might be working incorrectly, so I used a script to test it.

#!/bin/bash -ex
# This is the operation we want to perform on the registry
registryURL=https://helm.registry.zte.com:5000/v2/_catalog

# Save the response headers of our first request to the registry to get the Www-Authenticate header
# (mktemp replaces the deprecated tempfile utility)
respHeader=$(mktemp)
curl -k --dump-header "$respHeader" "$registryURL"

# Extract the realm, the service, and the scope from the Www-Authenticate header
# (header names are case-insensitive, hence grep -i)
wwwAuth=$(grep -i "Www-Authenticate" "$respHeader")
realm=$(echo "$wwwAuth" | grep -o '\(realm\)="[^"]*"' | cut -d '"' -f 2)
service=$(echo "$wwwAuth" | grep -o '\(service\)="[^"]*"' | cut -d '"' -f 2)
scope=$(echo "$wwwAuth" | grep -o '\(scope\)="[^"]*"' | cut -d '"' -f 2)

# Build the URL to query the auth server
authURL="$realm?service=$service&scope=$scope"

# Query the auth server to get a token
token=$(curl -ks -H "Authorization: Basic $(echo -n "helm:helm" | base64)" "$authURL")
# Get the bare token from the JSON string: {"token": "...."}
token=$(echo "$token" | jq -r .token)

# Query the registry again, but this time with a bearer token
curl -vk -H "Authorization: Bearer $token" "$registryURL"

From the result, a token can be fetched from the auth server.

+ curl -k --dump-header /tmp/fileOVd0Rb https://helm.registry.zte.com:5000/v2/_catalog
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}

++ curl -ks -H 'Authorization: Basic aGVsbTpoZWxt' 'https://helm.auth.zte.com:5001/auth?service=token&scope=registry:catalog:*'
+ token='{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkVUWEw6TTNUUjpSNlJBOjQySk86T1c3TTpLRTRaOjRWVVg6SjVKRDpWRUFBOkpPVFQ6RkdVVjo2QVZDIn0.eyJpc3MiOiJBdXRoIFNlcnZpY2UiLCJzdWIiOiJoZWxtIiwiYXVkIjoidG9rZW4iLCJleHAiOjE1NjU2NjM2NzIsIm5iZiI6MTU2NTY2Mjc2MiwiaWF0IjoxNTY1NjYyNzcyLCJqdGkiOiI4NjEyMTk1OTA2NzkzMTQzODI0IiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.NqId_NBqyCQBl9FB8E3UajU38quilY0a6CkARP5shhk45cmfHN9bFio2YG-ddJabp6mWKcrH-1smiEIGcYcIXrwuoTu3j9i-_Fcj7XTrrq06EkXMXc7D84O9H81PcdxZKOEQKxyu3OhJchS-FnsJiknH4QdvywU8mszfQC8RHb05pBULU-bgS2hGe8roU7voMkK8XywWg8I2qTzQZt6I5X3OSgroyjUdZtqF4Clfs6k6YMdqyrjx6rXo1EWRa2JTkO3n7fBu-3FrtQBG4U_v--jcG1WwAcXbHoOVXmE1E00y7_v2nLRvD78_DIDH6ZWSjyWSOXdENPWNwvj_R1qAcg"}'

+ curl -vk -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkVUWEw6TTNUUjpSNlJBOjQySk86T1c3TTpLRTRaOjRWVVg6SjVKRDpWRUFBOkpPVFQ6RkdVVjo2QVZDIn0.eyJpc3MiOiJBdXRoIFNlcnZpY2UiLCJzdWIiOiJoZWxtIiwiYXVkIjoidG9rZW4iLCJleHAiOjE1NjU2NjM2NzIsIm5iZiI6MTU2NTY2Mjc2MiwiaWF0IjoxNTY1NjYyNzcyLCJqdGkiOiI4NjEyMTk1OTA2NzkzMTQzODI0IiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.NqId_NBqyCQBl9FB8E3UajU38quilY0a6CkARP5shhk45cmfHN9bFio2YG-ddJabp6mWKcrH-1smiEIGcYcIXrwuoTu3j9i-_Fcj7XTrrq06EkXMXc7D84O9H81PcdxZKOEQKxyu3OhJchS-FnsJiknH4QdvywU8mszfQC8RHb05pBULU-bgS2hGe8roU7voMkK8XywWg8I2qTzQZt6I5X3OSgroyjUdZtqF4Clfs6k6YMdqyrjx6rXo1EWRa2JTkO3n7fBu-3FrtQBG4U_v--jcG1WwAcXbHoOVXmE1E00y7_v2nLRvD78_DIDH6ZWSjyWSOXdENPWNwvj_R1qAcg' https://helm.registry.zte.com:5000/v2/_catalog
*   Trying 127.0.0.1...
* Connected to helm.registry.zte.com (127.0.0.1) port 5000 (#0)
* found 149 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification SKIPPED
* 	 server certificate status verification SKIPPED
* 	 common name: helm.registry.zte.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=CN,ST=SH,L=SH,O=ZTE,OU=ZTE,CN=helm.registry.zte.com
* 	 start date: Wed, 07 Aug 2019 08:43:47 GMT
* 	 expire date: Thu, 06 Aug 2020 08:43:47 GMT
* 	 issuer: C=CN,ST=SH,L=SH,O=ZTE,OU=ZTE,CN=helm.registry.zte.com
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET /v2/_catalog HTTP/1.1
> Host: helm.registry.zte.com:5000
> User-Agent: curl/7.47.0
> Accept: */*
> Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkVUWEw6TTNUUjpSNlJBOjQySk86T1c3TTpLRTRaOjRWVVg6SjVKRDpWRUFBOkpPVFQ6RkdVVjo2QVZDIn0.eyJpc3MiOiJBdXRoIFNlcnZpY2UiLCJzdWIiOiJoZWxtIiwiYXVkIjoidG9rZW4iLCJleHAiOjE1NjU2NjM2NzIsIm5iZiI6MTU2NTY2Mjc2MiwiaWF0IjoxNTY1NjYyNzcyLCJqdGkiOiI4NjEyMTk1OTA2NzkzMTQzODI0IiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.NqId_NBqyCQBl9FB8E3UajU38quilY0a6CkARP5shhk45cmfHN9bFio2YG-ddJabp6mWKcrH-1smiEIGcYcIXrwuoTu3j9i-_Fcj7XTrrq06EkXMXc7D84O9H81PcdxZKOEQKxyu3OhJchS-FnsJiknH4QdvywU8mszfQC8RHb05pBULU-bgS2hGe8roU7voMkK8XywWg8I2qTzQZt6I5X3OSgroyjUdZtqF4Clfs6k6YMdqyrjx6rXo1EWRa2JTkO3n7fBu-3FrtQBG4U_v--jcG1WwAcXbHoOVXmE1E00y7_v2nLRvD78_DIDH6ZWSjyWSOXdENPWNwvj_R1qAcg
> 
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
< Date: Tue, 13 Aug 2019 02:19:32 GMT
< Content-Length: 20
< 
{"repositories":[]}
* Connection #0 to host helm.registry.zte.com left intact

Is there something important I am missing for helm? Any suggestions about it?

Thanks in advance!

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 7
  • Comments: 51 (13 by maintainers)

Most upvoted comments

I solved this problem like this. azurermtest-ACR - azurerm ServiceConnection for Docker Registry

- task: AzureCLI@2
  env:
      HELM_EXPERIMENTAL_OCI: 1
  inputs:
    azureSubscription: 'azurermtest-ACR'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      ACCESS_TOKEN=$(az acr login --name testcontainerregistry.azurecr.io --expose-token --output tsv --query accessToken)
      echo $ACCESS_TOKEN | helm registry login testcontainerregistry.azurecr.io -u 00000000-0000-0000-0000-000000000000 --password-stdin
      helm chart save $(Build.Repository.Name)/charts/app/ testcontainerregistry.azurecr.io/charts/app:latest
      helm chart push testcontainerregistry.azurecr.io/charts/app:latest

It does solve the problem!! Thanks!!

Ah, looking at this issue more closely I don’t believe a PR was pushed or merged to address this issue. The comment from @itzikban appears to be an anomaly. Re-opening.

@waveywaves did you happen to submit a fix for this yet?

@itzikban how are you setting up your insecure registry in this case? Is it a registry:2 image on Docker? @bacongobbler I am still working on it. This is particularly tricky 😕 I resumed work on this only yesterday.

I only started working on this this weekend. Will update it ASAP.

@waveywaves just a gentle check with you if you were able to make progress with this?

Hi, I am running into the same issue with Azure ACR, exactly the one described here under the “Open Issue” section: https://gaunacode.com/publishing-helm-3-charts-to-azure-container-registry-using-azure-devops-part-2. So nothing to do with insecure registries…
The version of helm is the latest: 3.2.1/x64/linux-amd64
Error: failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized
Any idea? Thanks

I have started work on a PR to add the Auth support for helm chart push/pull. Will update soon.

OK, I read the specs and oras is working correctly. It is not very useful to repeat the name of the repository, but it’s correct, as you can see in the specs:

distribution-spec

I opened an issue #268 for cesanta/docker_auth and see if I can fix it.
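The point of the comment above, that one scope parameter may carry several space-separated resource scopes and may name the same repository twice, shown as an added Go example; it is not code from helm, oras, containerd or cesanta/docker_auth. `parseStrict` is a hypothetical single-scope parser included only to reproduce the "invalid scope" rejection, and the scope string is the one from the debug log in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// ResourceScope is one "type:name:actions" entry of a token request.
type ResourceScope struct {
	Type, Name string
	Actions    []string
}

// parseStrict (hypothetical) expects exactly one resource scope per parameter.
func parseStrict(param string) (ResourceScope, error) {
	p := strings.Split(param, ":")
	if len(p) != 3 {
		return ResourceScope{}, fmt.Errorf("invalid scope: %q", param)
	}
	return ResourceScope{p[0], p[1], strings.Split(p[2], ",")}, nil
}

// parseOne cuts at the first and last colon, so "host:port/" names stay intact.
func parseOne(s string) (ResourceScope, error) {
	first, last := strings.Index(s, ":"), strings.LastIndex(s, ":")
	if first <= 0 || last <= first+1 || strings.Contains(","+s[last+1:]+",", ",,") {
		return ResourceScope{}, fmt.Errorf("invalid scope: %q", s)
	}
	return ResourceScope{s[:first], s[first+1 : last], strings.Split(s[last+1:], ",")}, nil
}

// ParseScopes accepts zero or more space-separated resource scopes and merges
// entries naming the same resource, keeping each action once in first-seen order.
func ParseScopes(param string) ([]ResourceScope, error) {
	var out []ResourceScope
	index, seen := map[string]int{}, map[string]bool{}
	for _, item := range strings.Fields(param) {
		rs, err := parseOne(item)
		if err != nil {
			return nil, err
		}
		key := rs.Type + ":" + rs.Name
		i, ok := index[key]
		if !ok {
			i, index[key] = len(out), len(out)
			out = append(out, ResourceScope{Type: rs.Type, Name: rs.Name})
		}
		for _, a := range rs.Actions {
			if !seen[key+":"+a] {
				seen[key+":"+a] = true
				out[i].Actions = append(out[i].Actions, a)
			}
		}
	}
	return out, nil
}

func main() {
	// Scope value from the "token request failed" line in the issue's debug log.
	param := "repository:mysql:pull repository:mysql:pull,push"
	_, strictErr := parseStrict(param)
	scopes, err := ParseScopes(param)
	fmt.Println(strictErr, scopes, err)
}
```

An empty scope parameter yields an empty list without error, which corresponds to a token request that only authenticates.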

Passing the access token or credentials should not be necessary. I don’t want to mess with credentials in my Azure DevOps pipelines. Service connections are there to help with that. az acr login should also register the repository with Helm, as it seems to do on Windows and Mac but not on Linux.

So great to see people finding workarounds here, but eventually this issue should be properly fixed. Especially since the old (Helm 2) az acr helm commands, which don’t need credentials, still work but are marked as deprecated.

Before it gets fixed, what I ended up with is to use an ACR access key and then use:
echo $ACCESS_KEY_PASSWORD | helm registry login youracrname.azurecr.io -u youracrname --password-stdin
Not a solution, but maybe someone finds it helpful.

Has anyone managed to fix this? I'm having the same issue using Harbor as my registry - logged in fine, using admin, but I can't push any charts to a repo - it always throws a 403 error.