terraform-provider-helm
helm_release does not allow https or oci for azure container registry
Terraform, Provider, Kubernetes and Helm Versions
Terraform version: Terraform v1.2.2 on linux_amd64
Provider version: azurerm = {
source = "hashicorp/azurerm"
version = "=3.19.0"
}
Kubernetes version:
kubernetes = {
source = "hashicorp/kubernetes"
version = "=2.7.1"
}
helm version:
helm = {
source = "hashicorp/helm"
version = "=2.4.1"
}
Affected Resource(s)
- helm_release
- helm_repository
data "azurerm_kubernetes_cluster" "default" {
  name                = "testpocaks"
  resource_group_name = "<azure rg name>"
}
--repository access with https
resource "helm_release" "hello-world" {
  name             = "hello-world"
  chart            = "hello-world"
  namespace        = "hello-world"
  create_namespace = "true"
  repository       = "https://pocacringress.azurecr.io/helm/hello-world"
  version          = "0.1.0"
  wait             = "true"
  force_update     = "true"
}
--repository access with oci
resource "helm_release" "hello-world" {
  name             = "hello-world"
  chart            = "hello-world"
  namespace        = "hello-world"
  create_namespace = "true"
  repository       = "oci://pocacringress.azurecr.io/helm/hello-world"
  version          = "0.1.0"
  wait             = "true"
  force_update     = "true"
}
Terraform Configuration Files
Debug Output
Could not download chart: looks like https://pocacringress.azurecr.io/helm/hello-world is not valid chart repository or cannot reached: failed to fetch https://pocacringress.azurecr.io/helm/hello-world//index.yaml: 404
NOTE: In addition to Terraform debugging, please set HELM_DEBUG=1 to enable debugging info from helm.
Panic Output
Steps to Reproduce
- terraform init
- terraform apply --auto-approve
Expected Behavior
The chart should be fetched by helm_release directly. It should support both the oci and https protocols. We tried both. However, helm pull oci://pocacringress.azurecr.io/helm/hello-world --version 0.1.0 --untar worked well.
Actual Behavior
Error using https: Could not download chart: looks like https://pocacringress.azurecr.io/helm/hello-world is not valid chart repository or cannot reached: failed to fetch https://pocacringress.azurecr.io/helm/hello-world//index.yaml: 404
Error using oci: Could not download chart: looks like oci://pocacringress.azurecr.io/helm/hello-world is not valid chart repository or cannot reached: failed to fetch oci://pocacringress.azurecr.io/helm/hello-world//index.yaml: 404
Important Factoids
References
- GH-1234 https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release
https://github.com/hashicorp/terraform-provider-helm/issues/765
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Hello @vikrantoct7 ! Thank you for opening this issue. It looks like you're including the name of the chart in the repository URL here:
repository = "oci://pocacringress.azurecr.io/helm/hello-world"
Try this instead:
repository = "oci://pocacringress.azurecr.io/helm"
Hi @BBBmau, I have already tried this. This was also not working.
~I've been battling authenticating against Github Container Registry and have a feeling that it might be related to this issue.~ See comment below
> Hello @vikrantoct7 ! Thank you for opening this issue. It looks like you're including the name of the chart in the repository URL here:
> repository = "oci://pocacringress.azurecr.io/helm/hello-world"
> Try this instead:
> repository = "oci://pocacringress.azurecr.io/helm"
Hi @BBBmau, thanks for this. It has worked for me.
I don't believe that this is a bug. In the code that you shared, it appears that you aren't authenticating to acr in the first place.
data "azurerm_container_registry" "acr" {
  name                = var.acr_name
  resource_group_name = var.acr_resource_group_name
}
data "azurerm_container_registry_scope_map" "scope_map" {
  name                    = "_repositories_pull"
  container_registry_name = data.azurerm_container_registry.acr.name
  resource_group_name     = var.acr_resource_group_name
}
resource "azurerm_container_registry_token" "helm_registry_token" {
  name                    = "akspulluser"
  container_registry_name = data.azurerm_container_registry.acr.name
  resource_group_name     = var.acr_resource_group_name
  scope_map_id            = data.azurerm_container_registry_scope_map.scope_map.id
}
resource "azurerm_container_registry_token_password" "helm_registry_token_password" {
  container_registry_token_id = azurerm_container_registry_token.helm_registry_token.id
  password1 {
  }
}
then you should pass
repository_username = azurerm_container_registry_token.helm_registry_token.name
repository_password = azurerm_container_registry_token_password.helm_registry_token_password.password1[0].value
to your helm_release resource.
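
The two fixes from this thread combined in one release, as an added example (not code from the issue or from the provider's documentation). It assumes the `azurerm_container_registry_token` resources from the comment above are declared in the same module; `chart_ref` and `chart_parts` are hypothetical names.

```hcl
# Added example. The full reference is the form that works with `helm pull`;
# helm_release needs it split into repository and chart.
variable "chart_ref" { # hypothetical variable name
  description = "Full OCI reference of the chart, as passed to helm pull."
  type        = string
  default     = "oci://pocacringress.azurecr.io/helm/hello-world"

  validation {
    # Reject references with no path segment or with a trailing slash.
    condition     = can(regex("^oci://[^/]+/.*[^/]$", var.chart_ref))
    error_message = "chart_ref must look like oci://<registry>/<path>/<chart>."
  }
}

locals {
  # Everything before the last "/" is the repository,
  # the final path segment is the chart name.
  chart_parts = regex("^(?P<repository>oci://.+)/(?P<chart>[^/]+)$", var.chart_ref)
}

resource "helm_release" "hello_world" {
  name             = "hello-world"
  namespace        = "hello-world"
  create_namespace = true

  repository = local.chart_parts.repository # oci://pocacringress.azurecr.io/helm
  chart      = local.chart_parts.chart      # hello-world
  version    = "0.1.0"

  # Pull-only credentials: the token is bound to the _repositories_pull scope map.
  repository_username = azurerm_container_registry_token.helm_registry_token.name
  repository_password = azurerm_container_registry_token_password.helm_registry_token_password.password1[0].value

  wait = true
}
```

The generated token password is stored in the Terraform state, so the state backend needs the same access control as the credential itself.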
> I don't believe that this is a bug. In the code that you shared, it appears that you aren't authenticating to acr in the first place.
I second this for ghcr, I wasn't authenticating against it properly. I was authenticated such that I could get the private chart but not the images themselves. Registering a kubernetes_secret allowed me to get the private chart without issues.
resource "kubernetes_secret" "app-registry-secret" {
  metadata {
    name      = "harvestos-registry-secret"
    namespace = "harvest"
  }
  type = "kubernetes.io/dockerconfigjson"
  data = {
    ".dockerconfigjson" = jsonencode({
      auths = {
        "${var.oci_registry}" = {
          "username" = var.gh_username
          "password" = var.gh_password
          "email"    = var.gh_email
          "auth"     = base64encode("${var.gh_username}:${var.gh_password}")
        }
      }
    })
  }
  depends_on = [
    var.eks_cluster,
    kubernetes_namespace.namespace
  ]
}
@0xMH Well, I did not try that solution. I did not even find such a solution in the Terraform examples or anywhere else. Thanks for this solution. New learning for me.