Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Azure Container Registries now supports Helm repos #99

Closed
patrickmslatteryvt opened this issue Oct 3, 2018 · 7 comments
Closed

Azure Container Registries now supports Helm repos #99

patrickmslatteryvt opened this issue Oct 3, 2018 · 7 comments

Comments

@patrickmslatteryvt
Copy link

Azure Container Registries (ACR) now supports Helm repos:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-helm-repos

However the ACR Helm repos are private and therefore do not work with the current version of Helmsman, example below:

helmsman -dry-run -f ./src/helmsman.infra.toml
 _          _ 
| |        | | 
| |__   ___| |_ __ ___  ___ _ __ ___   __ _ _ __
| '_ \ / _ \ | '_ ` _ \/ __| '_ ` _ \ / _` | '_ \ 
| | | |  __/ | | | | | \__ \ | | | | | (_| | | | | 
|_| |_|\___|_|_| |_| |_|___/_| |_| |_|\__,_|_| |_| version: v1.6.1
A Helm-Charts-as-Code tool.

2018/10/03 23:00:37 INFO: Parsed TOML [[ ./src/helmsman.infra.toml ]] successfully and found [ 11 ] apps.
2018/10/03 23:00:37 INFO: namespace validation -- Tiller is NOT desired to be deployed in namespace [ weave-scope ].
2018/10/03 23:00:37 INFO: namespace validation -- Tiller is NOT desired to be deployed in namespace [ tls ].
2018/10/03 23:00:37 INFO: namespace validation -- Tiller is NOT desired to be deployed in namespace [ infra ].
2018/10/03 23:00:38 WARN: I could not create namespace [weave-scope ]. It already exists. I am skipping this.
2018/10/03 23:00:38 WARN: I could not create namespace [tls ]. It already exists. I am skipping this.
2018/10/03 23:00:39 WARN: I could not create namespace [infra ]. It already exists. I am skipping this.
2018/10/03 23:00:39 INFO: deploying Tiller in namespace [ kube-system ].
2018/10/03 23:00:40 INFO: posting notifications to slack ... 
2018/10/03 23:00:40 ERROR: while adding repo [###containers]: Error: Looks like "https://###containers.azurecr.io/helm/v1/repo" is not a valid chart repository or cannot be reached: Failed to fetch https://###containers.azurecr.io/helm/v1/repo/index.yaml : 401 Unauthorized

curl --silent https://###containers.azurecr.io/helm/v1/repo/index.yaml | jq .
{
  "errors": [
    {
      "code": "UNAUTHORIZED",
      "message": "authentication required",
      "detail": [
        {
          "Type": "artifact-repository",
          "Name": "repo",
          "Action": "pull"
        }
      ]
    }
  ]
}

Are there any plans to support this repo type?

@luisdavim
Copy link
Collaborator

There is support for private repos but I think it's specific to S3 and GCS:
https://github.com/Praqma/helmsman/blob/master/docs/how_to/use_private_helm_charts.md

@sami-alajrami
Copy link
Contributor

@patrickmslatteryvt we have been using helm plugins to support private repos in S3 and GCS .. after a quick check, I could not find any existing helm plugins to handle azure private charts. We will support this once such a plugin exists.

@sami-alajrami sami-alajrami added the wontdo The requested feature is no longer of interest or no longer applicable. label Jan 7, 2020
@mmisztal1980
Copy link

July 2020: Any updates on this? is it possible to use Helmsman with ACR yet?

@bergerx
Copy link
Contributor

bergerx commented Oct 28, 2020

I think this issue should be addressed as a generic HELM_EXPERIMENTAL_OCI support.
This process is actually vaguely defined in https://helm.sh/docs/topics/registries/ and can be used for any OCI compliant container registries and not really specific to ACR.

Here is what is expected to install a helm chart hosted on ACR:

export HELM_EXPERIMENTAL_OCI=1
echo $spPassword | helm registry login mycontainerregistry.azurecr.io --username <service-principal-id> --password-stdin
helm chart pull mycontainerregistry.azurecr.io/helm/hello-world:v1
helm chart export mycontainerregistry.azurecr.io/helm/hello-world:v1 --destination ./install
cd install
helm install myhelmtest ./hello-world

Here is a very similar document for using ECR as a helm repo: https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html

The the underlying issue here is the way HELM_EXPERIMENTAL_OCI support works. It doesn't work as a regular helm repo but expects users to helm chart pull + helm chart export + helm install rather than conventional helm repo add + helm install sequence. I'm not sure if this can be handled by a helm plugin (maybe it can, i just don't know). Also there seem to be lots of discussions around this on the helm project (helm/community#136 [this is the main issue to finalize Helm's OCI integration], helm/helm#8094, helm/helm#6982, helm/helm#6983, helm/helm#6593, helm/helm#7613, helm/helm#8332, helm/helm#8387, helm/helm#6990, helm/helm#8843), so it seems like the future of this is not certain yet as its already hidden behind an experimental feature flag.

Also here is a similar discussion from sister projects: roboll/helmfile#1403 (has some insights on the topic from same perspective with helmsman), pulumi/pulumi-kubernetes#1314, hashicorp/terraform-provider-helm#396, argoproj/argo-cd#3349, argoproj/argo-cd#4018, fluxcd/source-controller#124

ArgoCD seems to be just implemented it like this:

  # Add a private Helm OCI-based repository named 'stable' via HTTPS
  argocd repo add helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test

Even though we'd really like to use ACR as our helm repo (so that we don't need to maintain an internal helm repo), I think best path here seems to wait for helm/community#136 to reach a conclusion and be followed by the implementation to avoid further migrations or ending up with soon-to-obsolete implementation on helmsman.

@antoinedeschenes
Copy link
Contributor

These repos use basic auth? You can specify https://user:pass@myregistry.com/charts or setup the repo in helm first with --user and --password and omit them from the helmRepos section

@luisdavim
Copy link
Collaborator

luisdavim commented May 18, 2021

I've opened #612 (for: #581) and I'm looking for someone that could test it since I currently don't have access to a setup where I can test it myself...
Also, since #610 Helmsman supports passing a URL for a chart so that could also be an alternative...

@luisdavim luisdavim removed the wontdo The requested feature is no longer of interest or no longer applicable. label May 18, 2021
@luisdavim
Copy link
Collaborator

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants