fix(helm): skip login if no credentials are provided #208
Conversation
thde
force-pushed
the
thde/pull-chart-login
branch
from
e4b3229
to
b2b3ae1
Compare
There was a problem hiding this comment.
Thank you very much for taking a stab at this @thde! Looks like there's more demand on #132, so it would be great to get this to the finish line and enable this scenario for folks. Thanks for doing your part! 💪
Do you have more explicit testing details you would be able to provide? e.g. the exact manifest you tested with and the exact behavior you saw? Not strictly required I'd say, but always really helpful for reviewers to a) get more confidence and b) test the PR changes themselves more quickly.
Thanks again!! 🙇♂️
thde
force-pushed
the
thde/pull-chart-login
branch
from
b2b3ae1
to
86c7da3
Compare
I use the following configuration that worked with the "old" https repo, but not with the oci one: Works ATM: Does not work ATM: |
Signed-off-by: thde <[email protected]>
thde
force-pushed
the
thde/pull-chart-login
branch
from
86c7da3
to
1f970c8
Compare
|
@thde thank you for that testing info and for integrating the feedback so far 🙇♂️ - i'm taking it for a test spin myself right now with simple yaml manifests to exercise the behavior. I'm a bit confused by your examples though, e.g. I can't find the |
|
Actually, I tried to get a repro scenario that demonstrates the failing behavior for an OCI chart based on your snippets above @thde, but my scenario surprisingly worked OK. I wonder if it's because of the in-cluster config I'm using? 🤔 Here's a full gist of the test scenario and manifests I tried to install the More details about your full repro scenario will be appreciated, so we can understand why mine works with no changes and yours requires the code changes in this PR to work correctly 🤓 |
Sorry that was my fault. I didn't realize that those were internal types.
@jbw976 thank you or the test scenario! That helped me to get closer to the underlying issue. I was able to successfully deploy your example. But mine was still failing... It seems that the error only occurs, if the The dependency tree: The error seems to originate from docker-credential-helpers/client/client.go#40. Helm uses the NewClientWithDockerFallback function from So if I run my code without having Docker available, it works successfully even without my proposed changes in this PR. How should we go from here? For me it would still make sense to not execute |
good question! with the repro suggestion in #132 (comment), i was able to reproduce the original behavior by trying to install Then I built your changes in this PR that skips login and tried that scenario again - unfortunately, it seems to just delay the error to a later step during chart pull/download ( This error message looks like what other folks were hitting in helm/helm#12424 - so I wonder if this could be solved by updating the dependencies in this repo? |
👍🏼 That's probably the best thing to try. Especially if an error occurs later on anyways. |
|
I tried updating the dependencies in It makes sense now that just updating the dependencies wouldn't work, because I was able to get the So this issue doesn't look related to just the helm version, it must be in the way we're configuring or invoking the helm pull functionality from inside the provider. From the
And here's where we're initializinfg some of those same objects: Notably, we're using an empty Have you gotten a chance to look at this more deeply? Any leads on what configuration we should be passing to the helm pull/registry clients, or how we should be invoking them, so that this scenario works like it does in the |
|
This issue also prevents me from installing https://github.com/grafana/grafana-operator/pkgs/container/helm-charts%2Fgrafana-operator/199945144?tag=v5.8.1, same error: I've managed to install grafana-operator from different source, but in company where I work at we're moving to OCI artifacts internally and this issue stops internal adoption 😢 |
|
I have been debugging this for the last couple of hours, did run helm cli and provider-helm side by side and debugged them line by line deep in the go http library calls. And you won't believe in the conclusion 🤯 We have an extra 
This PR indeed fixes the issue 🎉 Thanks @thde, and thanks for all the breadcrumbs @jbw976 🙌 The manifest for the dragonfly release (the one used to test With this PR both of the below manifests works fine: apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
name: dragonfly-oci-example
spec:
forProvider:
namespace: default
wait: true
chart:
name: dragonfly
repository: oci://ghcr.io/dragonflydb/dragonfly/helm # Previously there was a "/dragonfly" at the end here
version: v1.15.1
providerConfigRef:
name: helm-provider
---
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
name: redis-oci-example
spec:
forProvider:
namespace: default
wait: true
chart:
name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 18.13.0
providerConfigRef:
name: helm-provider |
|
I agree that this is a terrible UX and I am open for ideas to improve this. But this is not different than somebody making the cli call as below: Instead of |
|
Successfully created backport PR #221 for |
|
This fix released with v0.18.1. |
|
Amazing @turkenh, thank you so much for taking the investigation the final mile and figuring this out! you're always able to get to the bottom of things man, really grateful you took some time to look at this for us! 🙇♂️ 💪 🤩 Thanks again @thde for opening this PR and making the code change here, sorry for the distractions along the way hehe 😇 |
|
Thank you very much @turkenh , great job! |
Description of your changes
Skips login in helm if no credentials are provided:
Fixes #132
I have:
make reviewableto ensure this PR is ready for review. -No rule to make target 'reviewable'How has this code been tested
Use an OCI registry (like
oci://registry-1.docker.io/bitnamicharts) and try to pull a chart (likeredis). It will fail without there changes as described above.