Unable to push helm charts to internal gitea repo

Open kolaente opened this issue 1 year ago • 12 comments

Description

Pushing a helm repo with helm push <file>.tgz oci://gitea-instance.tld/org fails with the following error:

Error: failed commit on ref "manifest-sha256:b299865291f52fea32b90f2dd1c4c5ec913d3f5b195493640ae6de72593aa1e4": unexpected status from PUT request to https://kolaente.dev/v2/vikunja/vikunja/manifests/0.4.3: 403 Forbidden

(using an api token with the packages scope)

Gitea's logs show the following, which might be related:

gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:7f4a609cb030ce4d4f8a009c63807c0a5c7df94edc29db834d8c8418a01d6c45 for 172.18.0.2:41572, 401 Unauthorized in 0.1ms @ container/container.go:123(container.ReqContainerAccess)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:a7114e2efaafadce076e7a21b8fe6dbd0a29f9c1f4ee4ddbbb8304340e1f542c for 172.18.0.2:49142, 401 Unauthorized in 0.1ms @ container/container.go:123(container.ReqContainerAccess)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/token for 172.18.0.2:49142, 404 Not Found in 0.1ms @ container/container.go:169(container.AuthenticateNotImplemented)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?scope=%2A&scope=repository%3Avikunja%2Fvikunja%3Apull%2Cpush&service=container_registry for 172.18.0.2:49142, 200 OK in 15.8ms @ container/container.go:146(container.Authenticate)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:7f4a609cb030ce4d4f8a009c63807c0a5c7df94edc29db834d8c8418a01d6c45 for 172.18.0.2:41572, 200 OK in 4.7ms @ container/container.go:483(container.HeadBlob)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/blobs/sha256:a7114e2efaafadce076e7a21b8fe6dbd0a29f9c1f4ee4ddbbb8304340e1f542c for 172.18.0.2:49142, 200 OK in 7.5ms @ container/container.go:483(container.HeadBlob)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/vikunja/vikunja/manifests/0.4.3 for 172.18.0.2:49142, 404 Not Found in 3.4ms @ container/container.go:621(container.HeadManifest)
gitea_1     | 2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed PUT /v2/vikunja/vikunja/manifests/0.4.3 for 172.18.0.2:49142, 403 Forbidden in 12.2ms @ container/container.go:536(container.UploadManifest)

The token and helm cli version did not change since the last time this worked (all runs in CI).

Maybe related to https://github.com/go-gitea/gitea/issues/27640

Gitea Version

1.21.5

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Official docker image

Database

MySQL/MariaDB

kolaente avatar Feb 09 '24 18:02 kolaente
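
The router log quoted above mixes authentication and authorization outcomes. As an added example (not from the issue author or the Gitea project), this Python script labels each request so the 403 on the manifest PUT can be read as a permission decision made after a token was issued. The sample lines are constructed in the page's log format with a placeholder repository, digest and client address, and the label names are this example's own.

```python
import re

# Constructed sample modelled on the router log format quoted in the issue;
# repository name, digest and client address are placeholders.
_P = "2024/02/09 18:34:41 ...eb/routing/logger.go:102:func1() [I] router: completed "
SAMPLE_LOG = "\n".join(_P + s for s in [
    "HEAD /v2/org/chart/blobs/sha256:aaaa for 10.0.0.2:4000, 401 Unauthorized in 0.1ms @ container/container.go:123(container.ReqContainerAccess)",
    "POST /v2/token for 10.0.0.2:4000, 404 Not Found in 0.1ms @ container/container.go:169(container.AuthenticateNotImplemented)",
    "GET /v2/token?scope=repository%3Aorg%2Fchart%3Apull%2Cpush for 10.0.0.2:4000, 200 OK in 15.8ms @ container/container.go:146(container.Authenticate)",
    "HEAD /v2/org/chart/blobs/sha256:aaaa for 10.0.0.2:4000, 200 OK in 4.7ms @ container/container.go:483(container.HeadBlob)",
    "PUT /v2/org/chart/manifests/0.4.3 for 10.0.0.2:4000, 403 Forbidden in 12.2ms @ container/container.go:536(container.UploadManifest)",
])

LINE = re.compile(r"router: completed (?P<method>[A-Z]+) (?P<path>\S+) for (?P<client>[^,\s]+), "
                  r"(?P<status>\d{3}) .*?@ \S+?\((?P<handler>[\w.]+)\)")
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}

def parse(log):
    """Return one dict per router line: method, path, client, status, handler."""
    events = []
    for m in LINE.finditer(log):
        e = m.groupdict()
        e["status"] = int(e["status"])
        events.append(e)
    return events

def classify(events):
    """Label each request; assumes the log covers a single push session."""
    token_issued, out = False, []
    for e in events:
        is_token = e["path"].split("?")[0] == "/v2/token"
        if is_token and e["status"] == 200:
            token_issued, label = True, "token-issued"
        elif is_token and e["handler"].endswith("NotImplemented"):
            label = "token-endpoint-variant-not-implemented"
        elif e["status"] == 401:
            label = "auth-challenge"  # request arrived without accepted credentials
        elif e["status"] == 403 and e["method"] in WRITE_METHODS:
            # A token was already issued, so this is a permission decision.
            label = "write-denied-after-auth" if token_issued else "write-denied-no-token"
        else:
            label = "ok" if e["status"] < 400 else "other"
        out.append((e["method"], e["path"].split("?")[0], e["status"], label))
    return out

if __name__ == "__main__":
    for row in classify(parse(SAMPLE_LOG)):
        print(*row)
```

A `write-denied-after-auth` row means the credentials were accepted and the account's package permissions on the target owner are the thing to check.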

Did you do a helm registry login before the push? For me it just looks like a push without login/write access.

KN4CK3R avatar Feb 09 '24 21:02 KN4CK3R

I did, here is the full failing CI run: https://drone.kolaente.de/vikunja/helm-chart/80/1/2

kolaente avatar Feb 09 '24 22:02 kolaente

Tested it with your repo:

# helm registry login -u kn4ck3r gitea
Password:
Login Succeeded
# helm push vikunja-*.tgz oci://gitea-dev.local-lan.li:3000/kn4ck3r
Pushed: gitea-dev.local-lan.li:3000/kn4ck3r/vikunja:0.4.3
Digest: sha256:f0433e2eb50a6f4f2bb44c6146c7a9502e16a2acf7a04b082209b2cb246bff23

Are you using a token? Does the token have the correct permissions?

KN4CK3R avatar Feb 09 '24 23:02 KN4CK3R

Using a token with the packages permissions (read and write). Is that enough?

kolaente avatar Feb 09 '24 23:02 kolaente

Just checked with a token from a different account and that worked. Looks like it's only the bot account which does not work.

kolaente avatar Feb 09 '24 23:02 kolaente

Yes, package write should be enough.

KN4CK3R avatar Feb 09 '24 23:02 KN4CK3R

Is there any way to debug this further?

kolaente avatar Feb 09 '24 23:02 kolaente

Tested it again and package read/write is enough to push to the user or an org where the user is in a team with package write access.

KN4CK3R avatar Feb 10 '24 09:02 KN4CK3R

Same issue here, only with docker instead of helm. I consistently got an error using my ci-docker account; the repository owner account worked immediately. Version 1.21.11

f-denkena avatar May 03 '24 03:05 f-denkena

Could you provide some details about how to reproduce? E.g.: prepare a fresh instance, instance setup (docker compose?), create user / org / team, etc., then the command lines used.

wxiaoguang avatar May 03 '24 03:05 wxiaoguang

The instance is set up using portage, hosted on https://git.denkena-consulting.com. Command line was simply:

docker login git.denkena-consulting.com

The bot user (ci-docker) had package:write permission for the repository docker-base but was not authorized to push.

f-denkena avatar May 03 '24 04:05 f-denkena

Sorry, but I have never heard of "portage" ..... 😭 I have my knowledge limitations, and the configuration & user & permission really matter.

KN4CK3R has tested and replied above; it seems to work well (unable to reproduce without more details).

A reproducible setup with detailed steps is really helpful (and important) to figure out the real problem. There is an issue report sample: https://github.com/go-gitea/gitea/issues/30680#issuecomment-2076299869 . With the reproducible setup, the problem could be clarified quickly.

wxiaoguang avatar May 03 '24 04:05 wxiaoguang