source-controller icon indicating copy to clipboard operation
source-controller copied to clipboard
verified publisher icon fluxcd

OCIRepository does not support AWS ECR Pull through cache for Helm Charts

Open Zurvarian opened this issue 1 month ago • 3 comments

We've experienced an issue while migrating from using HelmRepository to OCIRepository to fetch our Helm Charts stored in ECR.

We are using a Pull Through cache to fetch the images from a different region than the one our services deploy and we saw that after migrating to use OCIRepository our helm charts are not getting pulled if they are not first created in the cached repository using helm pull.

We don't use OCIRepository for Docker images, so I cannot say if the same happens, but I suspect it does.

We are using Flux v2.7.5

Thanks.

Zurvarian avatar Dec 11 '25 12:12 Zurvarian

Flux source-controller is optimised to not blindly pull artifacts from upstream. Depending on how the spec.ref is configured it will first list tags (if semver is used), then it will do an HTTP HEAD request to fetch the OCI digest. If the upstream digest differs from what's stored in the source-controller artifact storage, only then it will perform a pull, but even then, it will never pull the whole artifact but only the Helm chart layer.

stefanprodan avatar Dec 11 '25 12:12 stefanprodan

Is there any option to override that behavior? Like force pull when using semver? The problem is that needing to pull in advance is annoying, because that means we cannot use automatic image updates as the images won't be pulled.

EDIT: I understand that the behavior described is the optimal one, and that's done to save time and resources, even for safety reasons. But I'm asking for a configurable option to override the default assuming the consequences.

Zurvarian avatar Dec 11 '25 13:12 Zurvarian

I'm using pull-through caches for container images, which Flux does not pull - I will eventually hit this issue too. The pull-through cache is a really limited feature on AWS, but where it's available it is really useful.

Beginning to adopt OCI in my own workflows, and we're slow to upgrade (still on Flux 2.6) so I haven't hit this yet. It would be really useful if there was a way to trigger pulls, but we use charts and assets from OCI repositories other than those on the AWS "pull-through blessed" list, so we are already on the hook to write a script that mirrors images manually into our ECR. (It sucks!)

kingdonb avatar Dec 11 '25 14:12 kingdonb