rules_helm

OCI registry support in helm_import_repository

Open marksmithson opened this issue 11 months ago • 2 comments

helm_import_repository does not support OCI registries.

Both of the following result in exceptions.

```
helm_import_repository(
    name = "redis_helm",
    chart_name = "redis-cluster",
    repository = "oci://registry-1.docker.io/bitnamicharts/redis-cluster",
    sha256 = "9e9aae48b962c640c598630ef575a44ab7bb35015e1792f8544fb34c3b30bc57",
    version = "11.2.1",
)
```

causes: java.io.IOException: Bad URL: oci://registry-1.docker.io/bitnamicharts/redis-cluster/index.yaml

```
helm_import_repository(
    name = "redis_helm",
    chart_name = "redis-cluster",
    repository = "not-requried-when-url-specified",
    sha256 = "9e9aae48b962c640c598630ef575a44ab7bb35015e1792f8544fb34c3b30bc57",
    url = "oci://registry-1.docker.io/bitnamicharts/redis-cluster:11.2.1",
)
```

causes: java.io.IOException: Bad URL: oci://registry-1.docker.io/bitnamicharts/redis-cluster:11.2.1

Is there another way to import charts from OCI registries?

Happy to help with a patch for this if needed - some pointers on where to start would be appreciated.

marksmithson, Jan 06 '25 09:01

I would check https://github.com/bazel-contrib/rules_oci/blob/main/oci/private/pull.bzl for Bazel's implementation of oci.pull as a starting point.

Experimenting with this, it will fail trying to pull a chart uploaded to an OCI registry by helm push since Helm sets a custom media type in the manifest.

Also see https://helm.sh/docs/topics/registries/ for Helm's OCI support.

zachburg, May 13 '25 18:05

@marksmithson I am also running into this. Curious if you ever came up with a solution?

vinnybod, May 15 '25 18:05

@marksmithson, are you still wanting to handle this?

zachburg, Jun 23 '25 18:06

Interesting, I also found that chart repositories, which are served over HTTP, may link to oci:// chart packages, so rules_helm can't download the chart even if it was found in the repository.

Bitnami, the source of the chart deps in https://github.com/abrisco/rules_helm/blob/main/tests/test_deps.bzl, does this in https://charts.bitnami.com/bitnami/index.yaml (caution, rather large YAML document), where a URL to download a chart is like oci://registry-1.docker.io/bitnamicharts/redis:21.2.5.

Following https://cloud.google.com/kubernetes-engine/docs/concepts/about-container-images#about_image_manifests_digests_and_tags and helm show --debug oci://registry-1.docker.io/bitnamicharts/postgresql:16.7.3, I did figure out the two necessary curl commands that will need to be rewritten into a repository rule to download an OCI chart image over HTTP:

```bash
# Step 0: Get a bearer token
TOKEN=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:bitnamicharts/postgresql:pull" | jq -r '.token')

# Step 1: Retrieve image manifest to find the chart file's digest:
# We're assuming OCI images for Helm charts only ever have the chart as the first layer...
DIGEST=$(curl -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/bitnamicharts/postgresql/manifests/16.7.13 | jq -r '.layers[0].digest')

# Check that we got the digest:
echo "$DIGEST"
# Output:
# sha256:f0e0719eff78f5895fcec37341d030232273794f5e2293c79b422ca34d6eaa2e

# Step 2: Download the layer, this is the chart package:
# -L is necessary to follow a redirect
curl -L -v -H "Authorization: Bearer $TOKEN" "https://registry-1.docker.io/v2/bitnamicharts/postgresql/blobs/$DIGEST" --output postgres-16.7.13.tgz
```

zachburg, Jun 24 '25 21:06
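The manifest handling a repository rule built on the steps above would need, as an added example that is not part of the original comment or of rules_helm: it splits an oci:// reference, picks the chart layer by the media type Helm assigns on push instead of assuming `layers[0]`, and checks the downloaded bytes against the manifest's size and digest. The function names are hypothetical and the manifest and blob bytes are constructed sample data; only tagged references are handled.

```python
import hashlib
from urllib.parse import urlsplit

# Media type Helm gives the chart archive layer when it pushes to an OCI registry.
HELM_CHART_LAYER = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"

def parse_oci_ref(url):
    """Split oci://registry/repo/path:tag into (registry, repository, tag)."""
    parts = urlsplit(url)
    repository, sep, tag = parts.path.lstrip("/").rpartition(":")
    if parts.scheme != "oci" or not parts.netloc or "@" in parts.path:
        raise ValueError(f"not a tagged oci:// reference: {url}")
    if not (sep and repository and tag):
        raise ValueError(f"reference must carry a tag: {url}")
    return parts.netloc, repository, tag

def select_chart_layer(manifest):
    """Return the one layer descriptor holding the chart archive, in any position."""
    layers = [d for d in manifest.get("layers", []) if d.get("mediaType") == HELM_CHART_LAYER]
    if len(layers) != 1:
        raise ValueError(f"expected exactly one chart layer, found {len(layers)}")
    return layers[0]

def verify_blob(data, descriptor):
    """Reject a blob whose size or sha256 differs from the manifest descriptor."""
    algo, _, expected = descriptor["digest"].partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm: {algo}")
    if len(data) != descriptor["size"]:
        raise ValueError("blob size does not match manifest")
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise ValueError(f"digest mismatch: got sha256:{actual}")
    return actual

# Constructed sample data: stand-in bytes, not a real chart or registry response.
CHART_BYTES = b"constructed stand-in for a chart .tgz"
PROV_BYTES = b"constructed stand-in for a .prov file"

def _descriptor(media_type, data):
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    return {"mediaType": media_type, "size": len(data), "digest": digest}

# Provenance layer listed first on purpose, so selection cannot rely on order.
SAMPLE_MANIFEST = {"schemaVersion": 2, "layers": [
    _descriptor("application/vnd.cncf.helm.chart.provenance.v1.prov", PROV_BYTES),
    _descriptor(HELM_CHART_LAYER, CHART_BYTES)]}

if __name__ == "__main__":
    print(parse_oci_ref("oci://registry-1.docker.io/bitnamicharts/redis-cluster:11.2.1"))
    print(verify_blob(CHART_BYTES, select_chart_layer(SAMPLE_MANIFEST)))
```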

Partially fixed in https://github.com/abrisco/rules_helm/pull/184

zachburg, Aug 12 '25 00:08