Getting "failed to fetch Helm repository index" 403 Forbidden with Artifactory Saas as helm repository

[ttarando]

Hi there,

I'm getting below error when trying to create HelmRepository:

$ k get helmrepository
NAME               URL                                                             AGE   READY   STATUS
helm-charts-test   https://artifactory.mydomain.com/artifactory/helm-charts-test   96s   False   failed to fetch Helm repository index: failed to cache index to temporary file: failed to fetch https://artifactory.mydomain.com/artifactory/helm-charts-test/index.yaml : 403 Forbidden 

Manifests

helm repository

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: helm-charts-test
spec:
  interval: 10m
  url: https://artifactory.mydomain.com/artifactory/helm-charts-test
  secretRef:
    name: helm-charts-creds

creds secret

apiVersion: v1
kind: Secret
metadata:
  name: helm-charts-creds
data:
  username: xxxxxxxxxx
  password: xxxxxxxxxxxxxxxx

username and password were created using

echo -n "username" | base64

I also tried both api-key and identity token as password as well as URL with and without api/helm so https://artifactory.mydomain.com/artifactory/helm-charts-test and https://artifactory.mydomain.com/artifactory/api/helm/helm-charts-test getting the same result every time.

Adding helm repo manually with helm add works just fine.

[souleb]

Hello there, thanks for opening an issue.

Can you provide more information? kubectl describe would be nice, and also any relevant log from the source-controller. If you could also provide helm add --debugoutput, it might helps. Thanks.

[ttarando]

Thanks for looking into this @souleb

kubectl describe output:

Name:         helm-charts-test
Namespace:    log-collector
Labels:       
              kustomize.toolkit.fluxcd.io/name=log-collector
              kustomize.toolkit.fluxcd.io/namespace=flux-system
Annotations:  <none>
API Version:  source.toolkit.fluxcd.io/v1beta2
Kind:         HelmRepository
Metadata:
  Creation Timestamp:  2022-12-06T14:29:50Z
  Finalizers:
    finalizers.fluxcd.io
  Generation:  8
  Managed Fields:
    API Version:  source.toolkit.fluxcd.io/v1beta2
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          f:kustomize.toolkit.fluxcd.io/name:
          f:kustomize.toolkit.fluxcd.io/namespace:
      f:spec:
        f:interval:
        f:secretRef:
          f:name:
        f:url:
    Manager:      kustomize-controller
    Operation:    Apply
    Time:         2022-12-07T01:40:17Z
    API Version:  source.toolkit.fluxcd.io/v1beta2
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"finalizers.fluxcd.io":
    Manager:      source-controller
    Operation:    Update
    Time:         2022-12-06T14:29:50Z
    API Version:  source.toolkit.fluxcd.io/v1beta2
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
    Manager:         source-controller
    Operation:       Update
    Subresource:     status
    Time:            2022-12-07T01:46:41Z
  Resource Version:  118252667
  UID:               942196c7-a532-4f16-a145-c12e217c61b7
Spec:
  Interval:  10m
  Secret Ref:
    Name:   helm-charts-creds
  Timeout:  60s
  URL:      https://artifactory.mydomain.com/artifactory/helm-charts-test/
Status:
  Conditions:
    Last Transition Time:  2022-12-07T01:46:41Z
    Message:               no artifact for resource in storage
    Observed Generation:   8
    Reason:                NoArtifact
    Status:                True
    Type:                  Reconciling
    Last Transition Time:  2022-12-07T01:46:41Z
    Message:               failed to fetch Helm repository index: failed to cache index to temporary file: failed to fetch https://artifactory.mydomain.com/artifactory/helm-charts-test/index.yaml : 403 Forbidden
    Observed Generation:   8
    Reason:                Failed
    Status:                False
    Type:                  Ready
    Last Transition Time:  2022-12-07T01:46:41Z
    Message:               failed to fetch Helm repository index: failed to cache index to temporary file: failed to fetch https://artifactory.mydomain.com/artifactory/helm-charts-test/index.yaml : 403 Forbidden
    Observed Generation:   8
    Reason:                Failed
    Status:                True
    Type:                  FetchFailed
  Observed Generation:     -1
Events:
  Type     Reason  Age                     From               Message
  ----     ------  ----                    ----               -------
  Warning  Failed  9m13s (x1118 over 11d)  source-controller  failed to fetch Helm repository index: failed to cache index to temporary file: failed to fetch https://artifactory.mydomain.com/artifactory/helm-charts-test/index.yaml : 403 Forbidden```

[ttarando]

If I delete this repo and add it manually with helm repo add with --debug there is no additional output

➜  ~ helm repo add helm-charts-test https://artifactory.mydomain.com/artifactory/helm-charts-test --username xxxxxxx --password yyyyyyyyyyyyyyyyyyyyyyyyy -n log-collector --debug
"helm-charts-test" has been added to your repositories
➜  ~

[robin-coac]

Any Solutions ? @ttarando

[martinclaus]

The actual URL of the index.yaml is something like https://artifactory.mydomain.com:443/artifactory/api/helm/helm-charts-test/index.yaml, which is different from the URL you have used. You can check this by downloading the index.yaml through the artifactory UI. You need to use the exact same URL in the HelmRepository definition, else authentication will fail since credentials will not be passed on when the request is redirected. Alternatively, you can try to set .spec.passCredentials to true, but I do not recommend it for production, due to security implications.

In the end, this is an issue with artifactory's URL mangling not with flux.