[Helm] OCI push might need verification of chart name #2314

Closed
manusa opened this issue Aug 1, 2023 · 6 comments · Fixed by #2510

@manusa
Member

manusa commented Aug 1, 2023

Description

When performing a push to an OCI repository, we're actually pushing a Helm chart to a container image registry. Container image registries and their API have a limitation when dealing with naming.

Our push approach uses the chart name to identify the target tag in the registry. This is very likely going to lead to problems when pushing Helm charts that have names which won't translate or get encoded into valid URLs. We need to investigate this. If necessary, provide client-side validation too just like we do for container image names.

Relates to:

@rohanKanojia
Member

> If necessary, provide client-side validation too just like we do for container image names.

I think we can rely on ImageName to validate image names.

@rohanKanojia
Member

When trying to push a Helm chart to an OCI registry with an invalid name, I see the following behavior:

ghcr.io, DockerHub return 404: Failure in initiating upload request: Not Found

quay.io returns 401: Failure in initiating upload request: Unauthorized

@manusa
Member Author

manusa commented Jan 2, 2024

> If necessary, provide client-side validation too just like we do for container image names.
>
> I think we can rely on ImageName to validate image names.

This would be OK for OCI repositories because chart names need to conform to the OCI standard.
It would be good to find some official reference so that we make sure that our specifications match those of Helm. It's very likely that the official Helm CLI performs client-side validations; it would be good to have the reference to their code.

@rohanKanojia
Member

You're right. When I'm doing helm push using some invalid chart name, Helm CLI seems to throw this error:

$ helm push Wjkube-helm-push-testing-1.0.0-SNAPSHOT.tar.gz oci://registry-1.docker.io/user --debug
Error: invalid_reference: invalid repository
helm.go:84: [debug] invalid_reference: invalid repository

@rohanKanojia
Member

Checking Helm code, Helm seems to be relying on ORAS's oras-go to validate upload artifact name in pkg/registry/util.go

oras-go seems to be relying on this regexp for name validation in registry/reference.go

repositoryRegexp = regexp.MustCompile(`^[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*(?:/[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*)*$`)

@manusa
Member Author

manusa commented Jan 2, 2024

> oras-go seems to be relying on this regexp for name validation in registry/reference.go

OK, so does that comply with our ImageName validation? Ideally our validation should be at least as strict as the one they're using.
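
A client-side check built on the oras-go pattern quoted in the thread, as an added example that is not code from JKube, Helm or oras-go. `ValidateChartRepository`, `componentRegexp` and the sample names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern quoted in the thread from oras-go's registry/reference.go.
var repositoryRegexp = regexp.MustCompile(`^[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*(?:/[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*)*$`)

// One path component of the pattern above, split out (in this example only)
// so the error can name the segment that fails.
var componentRegexp = regexp.MustCompile(`^[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*$`)

// ValidateChartRepository is a hypothetical helper: it checks the repository
// path an OCI push would target (<namespace>/<chart name>) before any HTTP
// request is sent, so a bad name fails locally instead of as a 404 or 401.
func ValidateChartRepository(namespace, chartName string) error {
	repo := chartName
	if namespace != "" {
		repo = namespace + "/" + chartName
	}
	if repositoryRegexp.MatchString(repo) {
		return nil
	}
	for _, part := range strings.Split(repo, "/") {
		if componentRegexp.MatchString(part) {
			continue
		}
		if part != strings.ToLower(part) {
			return fmt.Errorf("invalid repository %q: component %q contains uppercase characters", repo, part)
		}
		return fmt.Errorf("invalid repository %q: component %q is not a valid OCI path component", repo, part)
	}
	return fmt.Errorf("invalid repository %q", repo)
}

func main() {
	// Constructed sample names; the second mirrors the chart pushed in the thread.
	for _, name := range []string{"jkube-helm-push-testing", "Wjkube-helm-push-testing", "my__chart", "my___chart", "chart-"} {
		fmt.Printf("%-28s %v\n", name, ValidateChartRepository("user", name))
	}
}
```
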

manusa added this to the 1.16.0 milestone Jan 12, 2024