helm: Helm repo add fails with some repositories

helm repo add fails with certain repositories when using Helm v3.3.2. The issue does not occur with v3.3.1 or earlier versions.

Example:

helm repo add jetstack https://charts.jetstack.io 
Error: looks like "https://charts.jetstack.io" is not a valid chart repository or cannot be reached: error unmarshaling JSON: while decoding JSON: json: unknown field "serverInfo"

The issue does not occur with every repository. For example, https://kubernetes-charts.storage.googleapis.com/ can still be added:

helm repo add stable https://kubernetes-charts.storage.googleapis.com/
"stable" has been added to your repositories

Output of helm version:

version.BuildInfo{Version:"v3.3.2", GitCommit:"e5077257b6ca106d1f65652b4ca994736d221ab1", GitTreeState:"clean", GoVersion:"go1.14.9"}

Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-15T16:58:53Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-20T00:20:54Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

Cloud Provider/Platform (AKS, GKE, Minikube etc.):

The issue was observed on both KIND and OpenStack clusters.

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 18
Comments: 32 (12 by maintainers)

Most upvoted comments

Hi @SteveLasker - it appears this is also a problem in Helm 3, based on user reports.

bridgetkromhout on Sep 18, 2020

Quick update: for those using chartmuseum. charts.jetstack.io, codefresh, etc. Helm v3.3.3 and Helm v2.16.12 is now available with a fix. Please upgrade to receive the fix.

https://github.com/helm/helm/releases/tag/v3.3.3 https://github.com/helm/helm/releases/tag/v2.16.12

We’ve tested v3.3.3/v2.16.12 against a number of chart repositories, and they all seem to be working now. The only one that does not work currently is ACR.

I’ve re-titled the issue to reflect the current state of things.

bacongobbler on Sep 18, 2020

Hey @mate-szalai. This is unfortunately one of the side effects of one of the security fixes.

In order to address one of the security issues, Helm now has to validate that the index.yaml file does not contain any extra fields, which chartmuseum does appear to add.

We’re looking into this right now.

bacongobbler on Sep 17, 2020

It’s a little unfortunate that this security fix didn’t go through an embargo period to understand the impact and fix before it got rolled out.

Last Friday I kicked off a conversation on creating an embargo period setup for security releases.

@SteveLasker if you want a project to have an embargo setup for security releases the appropriate way to discuss it is to request it. Complaining that it doesn’t exist or that you are not on the list is an approach that usually doesn’t win favor with open source project maintainers.

I would also suggest that the next time y’all are going to extend something with Helm it may be useful to ask about patterns in doing so upstream. We could provide some guidance and hopefully avoid issues like this in the future.

The most immediate solution is to not upgrade Helm until we identify when we can get this rolled out.

This is a somewhat scary option. ACR extended the index.yaml file rather than use the built-in annotations field at the same level as the extension. So, to avoid breaking the experience for your users due to a custom extension that no longer works (when there were other ways to approach this) you are suggesting people don’t install a security update.

In the future, we are happy to help with Helm extension points (either in explaining them or discussing adding them). We would like to see ACR not end up in a broken situation where you’re telling people not to apply a Helm security release.

mattfarina on Sep 21, 2020

Engineering has confirmed Azure Public/Commercial is complete.

Azure China and Azure Gov clouds will rollout over the next two days.
ACR Helm Repo Security Advisory has been updated

SteveLasker on Sep 28, 2020

This also fails now for Azure Container Registry helmcharts with: error unmarshaling JSON: while decoding JSON: json: unknown field “acrMetadata”

antonsmelyanskiy on Sep 18, 2020

Helm 2.16.11 is affected, too.

jkroepke on Sep 18, 2020

Per the recent CNCF-sponsored security audit, the Helm maintainers needed to apply a security fix that enabled strict handling of YAML data in the Helm client.

It’s a little unfortunate that this security fix didn’t go through an embargo period to understand the impact and fix before it got rolled out. But, we are looking into it now as we do have a lot of usage. That said, to roll out a change to all Azure regions will take some time.

The helm repo behavior impacted here was an experiment that led to the OCI Artifacts work.

As noted in our ACR Roadmap, we do suggest users move to Helm 3 Registry support as it provides more scalability & reliability as all OCI compliant registries support this approach.

SteveLasker on Sep 18, 2020

@jkroepke Good call. I will push a backport PR for Helm 2 shortly.

hickeyma on Sep 18, 2020

@SteveLasker, I changed the title back and closing this now.

If the Helm maintainers wish to make changes to the issue, please feel free to do so.

mate-szalai on Oct 2, 2020

Woops, thanks DK. Fixed now. I’ll confirm the rollout is complete for Azure Commercial cloud regions shortly.

SteveLasker on Sep 28, 2020

A quick update for those tracking.

ACR Helm Repo Security Advisory

Date	Status
September 24, 2020	Active - in-deployment
September 22, 2020	Active - testing solution
September 18, 2020	Identified

Full details at: ACR Helm Repo Security Advisory

SteveLasker on Sep 28, 2020

Hey folks, An official update, with some learnings applied:

The ACR engineering team is validating a fix that has been deployed for canary testing on September 22, 2020
Assuming testing goes as expected, following Azure safe deployment practices, regional deployments will start September 23, 2020
Deployments to Azure Commercial should complete by the start of business, Monday, September 28, 2020 - please check here for final confirmation and status updates.
Azure government clouds and Azure China should complete by September 30, 2020

Learnings:

We have provided full insight into the issue and learnings we’re applying to an ACR Advisories page
We also encourage the Helm community to weigh in on your views on how security notifications should be handled by Helm and other CNCF projects.

SteveLasker on Sep 23, 2020

@jkroepke #8764 pushed for Helm v2 fix.

hickeyma on Sep 18, 2020