[Bug]: Helm OCI based charts not able to install

[dipankardas011]

📝 Bug Title

Helm OCI based charts unable to install

🔄 Steps to Reproduce

1. Containerzed deployment of ksctl/ka
2. apply the stack which contains oci chart deployment

apiVersion: app.ksctl.com/v1
kind: Stack
metadata:
  labels:
    app.kubernetes.io/name: ka
    app.kubernetes.io/managed-by: kustomize
  name: stack-sample
spec:
  stackName: wasm/spinkube-standard

kubectl apply -f <>.yml

3. the error will be

✅ Expected Behavior

It should not fail to install

❌ Actual Behavior

Before changing the ociChartPull.DirPath which is default to .

2025-01-26T11:42:38Z    ERROR   Reconciler error        {"controller": "stack", "controllerGroup": "app.ksctl.com", "controllerKind": "Stack", "Stack": {"name":"stack-sample"}, "namespace": "", "name": "stack-sample", "reconcileID": "c4eced1a-2e2f-4e2d-9f89-478351ab50b7", "error": "failed to pull chart: link error: cannot rename /tmp/spin-operator-0.4.0.tgz2080868609 to spin-operator-0.4.0.tgz: rename /tmp/spin-operator-0.4.0.tgz2080868609 spin-operator-0.4.0.tgz: permission denied"}

After changing the ociChartPull.DirPath to xyz/

2025-01-26T14:08:57Z    ERROR   Reconciler error        {"controller": "stack", "controllerGroup": "app.ksctl.com", "controllerKind": "Stack", "Stack": {"name":"stack-sample"}, "namespace": "", "name": "stack-sample", "reconcileID": "f7a50309-1aa8-45ce-a587-f33a2163ebb7", "error": "FailedHelmClientErr: failed to locate chart component=helm-client Reason=path \"./spin-operator-0.4.0.tgz\" not found"}

🖥️ Environment

ksctl v2.0.0-rc.2 and ka 0.1.0

📎 Additional Context

After checking the error and adding debuging step the contents of the container image. We found the following

Final Layer Base Image which is gcr.io/distroless/static:nonroot

here is how we came to know about. below is the code to try it yourself

package main

import (
	"fmt"
	"net/http"
	"os"
	"path/filepath"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello, World!")

		fmt.Println(filepath.Join("."))
		fmt.Println(filepath.Join(".", "./cdcdc/cdcdc"))
		if err := os.WriteFile("/work/test.txt", []byte("Hello, World!"), 0644); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		if v, err := os.ReadFile("/work/test.txt"); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		} else {
			fmt.Fprintf(w, "File content: %s\n", v)
		}
		if v, err := os.ReadDir("/work"); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		} else {
			for _, f := range v {
				fmt.Fprintf(w, "File: %s\n", f.Name())
			}
		}
		return
	})

	fmt.Println("Server started at :8080")
	if err := http.ListenAndServe(":8080", nil); err != nil {
		fmt.Println("Failed to start server", err)
		return
	}
}

# Build the manager binary
FROM golang:1.23 AS builder
ARG TARGETOS
ARG TARGETARCH

WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download

# Copy the go source
COPY main.go main.go

# Build
# the GOARCH has not a default value to allow the binary be built according to the host where the command
# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM gcr.io/distroless/static:nonroot
WORKDIR /
COPY --from=builder /workspace/manager .
USER 65532:65532

ENTRYPOINT ["/manager"]

Solution
you can shift the folder location to escape the permission issue, may be some emptyDir in k8s or simple volume in docker

🎯 Affected Components

• 🖥️ CLI
• 🎨 UI
• 📚 Documentation
• 🔧 Core Functionality
• 🔌 Plugins/Extensions

✔️ Confirmations

• 🔍 I have searched existing issues and verified this is a new bug
• 💬 I will respond to questions and updates in this bug report
• 📜 I have read and agree to follow the Contribution Guidelines