Wildcard support in OCI Helm repositories does not work #12392

Closed
3 tasks done
Danielkem opened this issue Feb 10, 2023 · 34 comments · Fixed by #12554

@Danielkem

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

I try to create an application from an OCI Helm repository with wildcard (*) as version instead of explicitly specifying the version of the chart which fails with the following error:

Unable to create application: application spec for x is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = unable to get tags: failed to get tags: unable to decode json: invalid character '<' looking for beginning of value

As seen here:
[Screenshot 2]

When I instead pin the version it does work as expected:
[Screenshot 3]

To Reproduce

The repository is Harbor:
[Screenshot 1]

Expected behavior

It should work as described in #10641

Screenshots

Version

argocd-server: v2.6.1+3f143c9
  BuildDate: 2023-02-08T18:51:05Z
  GitCommit: 3f143c9307f99a61bf7049a2b1c7194699a7c21b
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v4.5.7 2022-08-02T16:35:54Z
  Helm Version: v3.10.3+g835b733
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.19.1

Logs

Paste any relevant application logs here.
@Danielkem Danielkem added the bug Something isn't working label Feb 10, 2023
@alexef
Member

alexef commented Feb 10, 2023

@Danielkem thank you for reporting this. Is Harbor a cloud registry or something you run on premise? I will try to reproduce the problem, I just need to know how to set this up.

I know OCI Helm wildcard works at least for AWS ECR and Azure Container Registry.

@Danielkem
Author

Hey @alexef,
We use https://artifacthub.io/packages/helm/bitnami/harbor/15.2.2 to deploy our Harbor instance on AKS. Should be quite easy to set up and reproduce with that helm chart. If there is anything else I can do to help with debugging this, please tell me.

@ankitabhopatkar13

ankitabhopatkar13 commented Feb 10, 2023

We are facing a somewhat similar issue with the GitLab OCI registry for helm charts.

When we try to use "*" in targetRevision to pick the latest helm chart from the OCI registry, we receive the following error -

Unable to save changes: application spec for <app_name> is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = unable to get tags: failed to get tags: failed tags part: invalid response: 401 Unauthorized {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"reposito...

Looking at the code a bit it fails probably here and if we are not wrong, it is implemented considering AWS ECR API specification.

Note that if we use a fixed version in targetRevision it does not fail because it skips the GetTags call.

@blakepettersson
Member

> Looking at the code a bit it fails probably here and if we are not wrong, it is implemented considering AWS ECR API specification.

Nope that's implemented considering the OCI spec.

@blakepettersson
Member

@ankitabhopatkar13 does that work when you use the helm CLI? Gitlab has a huge disclaimer about its Helm support not being ready for production use...

@ankitabhopatkar13

@blakepettersson can you please elaborate on what exactly you mean by using the helm CLI?

We can do a helm show on the private Gitlab Registry after logging in to the registry. The commands that we ran are as follows -

helm registry login -u ...
helm show all oci://registry.gitlab.com/<path>

We can't do a helm search on the repo as helm does not support it for OCI registries.

@blakepettersson
Member

@ankitabhopatkar13 something like

helm install --dry-run oci://registry.gitlab.com/<path> --generate-name --version "0.2.*" | grep helm.sh/chart | head -n1

or

helm pull oci://registry.gitlab.com/<path> --version "0.2.*"

@ankitabhopatkar13

Yes, we could do -

helm pull oci://registry.gitlab.com/<path> --version "2.1.*"

and even

helm pull oci://registry.gitlab.com/<path> --version "*"

@comtihon

Same issue, when upgrading from 2.5.5 to 2.6.1

@ankitabhopatkar13

@blakepettersson Just to add more context:

The only way we (cc: @jorianvo) could list all the tags at https://registry.gitlab.com/v2/<path>/tags/list is by first getting a bearer token from GitLab and then passing that token as a header Authorization: Bearer.

As per this, Www-Authenticate in the response header tells us how to authenticate to list all the tags. The header value we get is:

Www-Authenticate: Bearer realm="https://gitlab.com/jwt/auth",service="container_registry",scope="repository:<path>:pull"

Then we generate a bearer token by running the following:

curl --user 'dummy:<personal-access-token>'  'https://gitlab.com/jwt/auth?client_id=docker&offline_token=true&service=container_registry&scope=repository:<path>:pull'

Then we use the token to list all the tags by running the following:

curl --header "Authorization: Bearer <token_from_above>" "https://registry.gitlab.com/v2/<path>/tags/list"

@OpsMaya

OpsMaya commented Feb 14, 2023

Maybe related issue, GHCR and ArgoCD 2.6.1,
got a 404 error while specifying a wildcard

Unable to create application: application spec for test is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = unable to get tags: failed to get tags: failed tags part: invalid response: 404 Not Found {"error":"Not Found"}

But when specifying the correct version it's working.

@blakepettersson
Member

@ankitabhopatkar13 that was indeed very helpful, thanks a lot!

From what I can see in the code the GetTags logic relies on HTTP Basic authentication, without performing the Docker registry flow. This is definitely something that needs to be addressed. I don't use Gitlab nor GHCR so I can't be much help here sadly...

@bennesp

bennesp commented Feb 20, 2023

Maybe related issue, GHCR and ArgoCD 2.6.1.

I get a 404 when trying to use this snippet:

chart: metacontroller-helm
repoURL: ghcr.io/metacontroller
targetRevision: v4.7.*

and a rpc error: code = Unknown desc = unable to get tags: failed to get tags: failed tags part: invalid response: 401 Unauthorized {"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]} trying to use this:

chart: metacontroller/metacontroller-helm
repoURL: ghcr.io
targetRevision: v4.7.*

Instead, pinning the targetRevision: v4.7.8 works fine

@alexef
Member

alexef commented Feb 20, 2023

@ankitabhopatkar13

> Then we use the token to list all the tags by running the following

do I understand correctly that for helm template or helm pull, you use --user dummy:<personal-access-token>, but for listing tags you need to exchange that credential pair for a JWT token?

@alexef
Member

alexef commented Feb 20, 2023

@detvdl / @blakepettersson after checking a bit https://github.com/oras-project/oras-go/blob/31c574b137ccfb3e8627e47f138c4a44b9efa8e5/registry/remote/auth/client.go#L156 and also remembering #11708, I don't see an easy way out of this mess.

We need to replace my GetTags implementation with the oras-go one. That should handle various registries with various policies (and hopefully continue to support AWS ECR and Azure CR without issues).

@alexef alexef self-assigned this Feb 20, 2023
@ankitabhopatkar13

@alexef

> do I understand correctly that for helm template or helm pull, you use --user dummy:<personal-access-token>, but for listing tags you need to exchange that credential pair for a JWT token?

Yes, that is correct!

@alexef
Member

alexef commented Feb 21, 2023

#12554 should fix it

@EladDolev

Also getting the same with Google Artifact Registry

ComparisonError
rpc error: code = Unknown desc = unable to get tags: failed to get tags: unable to decode json: invalid character '<' looking for beginning of value

@ben741

ben741 commented Apr 26, 2023

> Maybe related issue, GHCR and ArgoCD 2.6.1, got a 404 error while specifying a wildcard
>
> Unable to create application: application spec for test is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = unable to get tags: failed to get tags: failed tags part: invalid response: 404 Not Found {"error":"Not Found"}
>
> But when specifying the correct version it's working.

I'm seeing the same error message as @OpsMaya reported above, but with Azure CR and ArgoCD 2.6.7.

To clarify, is it likely to be the same root cause as the other reports here (with the mention of json in the error message), or is it a separate issue?

@alexef
Member

alexef commented May 11, 2023

@Danielkem / @bennesp / @EladDolev / @ben741 appreciate if you can confirm the fix for Azure/GCR (now in master)

@ben741

ben741 commented May 12, 2023

Thanks @alexef, I'm all set up to test this on Azure, but it looks like the latest tag (v2.8.0+d4714f3) is still just before your commit with the fix, so I'm just waiting on that to see if the issue goes away.

@ben741

ben741 commented May 12, 2023

I tested with the new image (v2.8.0+6a3a81c.dirty) and Azure CR. Pulling a specific tag like 1.2.3 works fine, but using a wildcard like * or 1.2.* fails with a 401 status:

rpc error: code = Unknown desc = unable to get tags:
failed to get tags: 
GET "https://<examplecr>.azurecr.io/v2/abc/charts/def/tags/list": 
GET "https://<examplecr>.azurecr.io/oauth2/token?scope=repository%3Aabc%2Fcharts%2Fdef%3Ametadata_read%2Cpull&service=examplecr.azurecr.io": response status code 401: 
unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.

@ben741

ben741 commented May 16, 2023

After using oras-go directly, I figured out my issue: I've been using a repoURL like mycr.azurecr.io/foo and chart path charts/bar, but on this line oras-go expects a registry (i.e. hostname, mycr.azurecr.io in my example - not the full repo URL). If I change the repoURL to mycr.azurecr.io and the chart path to foo/charts/bar, the tags are fetched successfully and wildcard support seems to work.

@alexef / @crenshaw-dev should I open a new issue for this?

@wardenlym

wardenlym commented Jun 5, 2023

> > Maybe related issue, GHCR and ArgoCD 2.6.1, got a 404 error while specifying a wildcard
> >
> > Unable to create application: application spec for test is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = unable to get tags: failed to get tags: failed tags part: invalid response: 404 Not Found {"error":"Not Found"}
> >
> > But when specifying the correct version it's working.
>
> I'm seeing the same error message as @OpsMaya reported above, but with Azure CR and ArgoCD 2.6.7.
>
> To clarify, is it likely to be the same root cause as the other reports here (with the mention of json in the error message), or is it a separate issue?

I met this same problem when working with Azure CR:

argocd version
argocd: v2.7.3+unknown
  BuildDate: 2023-05-25T00:59:55Z
  GitCommit:
  GitTreeState:
  GitTag: 2.7.3
  GoVersion: go1.20.4
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.7.2+cbee7e6.dirty

Is there any update on this issue?

@alexef
Member

alexef commented Jun 5, 2023

> After using oras-go directly, I figured out my issue: I've been using a repoURL like mycr.azurecr.io/foo and chart path charts/bar, but on this line oras-go expects a registry (i.e. hostname, mycr.azurecr.io in my example - not the full repo URL). If I change the repoURL to mycr.azurecr.io and the chart path to foo/charts/bar, the tags are fetched successfully and wildcard support seems to work.

@ben741 yes, this is a known long standing issue. If there's no other issue opened, please create one.

@wardenlym just to clarify, even with latest master, you still get a 404? What registry/repoURL combination do you use?

@wardenlym

wardenlym commented Jun 6, 2023

> @wardenlym just to clarify, even with latest master, you still get a 404? What registry/repoURL combination do you use?

The combination I used before was:

  sources:
    - chart: chart-name
      repoURL: myreg.azurecr.io/helm-chart/charts

After seeing your suggestion, I updated to latest master and changed form to:

  sources:
    - chart: helm-chart/charts/chart-name
      repoURL: myreg.azurecr.io

and now it works fine.
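
The two findings in this thread, as an added Go example (not part of the discussion, and not Argo CD or oras-go code): `TokenURL` derives the token request from the `Www-Authenticate` challenge instead of sending Basic auth straight to `tags/list`, and `TagsListURL` shows that both `repoURL`/`chart` splittings name the same repository once the registry host is separated out. The function names, the HTTPS-only realm check and the `group/chart` path are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var challengeParam = regexp.MustCompile(`(realm|service|scope)="([^"]*)"`)

// TokenURL turns a Www-Authenticate Bearer challenge into the token request URL.
// The client's credentials are sent to the realm, so a non-HTTPS realm is refused.
func TokenURL(challenge string) (string, error) {
	if !strings.HasPrefix(strings.ToLower(challenge), "bearer ") {
		return "", fmt.Errorf("not a Bearer challenge: %q", challenge)
	}
	realm, q := "", url.Values{}
	for _, m := range challengeParam.FindAllStringSubmatch(challenge, -1) {
		if m[1] == "realm" {
			realm = m[2]
		} else {
			q.Set(m[1], m[2])
		}
	}
	if !strings.HasPrefix(realm, "https://") {
		return "", fmt.Errorf("refusing token realm %q", realm)
	}
	return realm + "?" + q.Encode(), nil
}

// TagsListURL splits repoURL plus chart into registry host and repository path,
// so both spellings reported in the thread resolve to the same tags/list URL.
func TagsListURL(repoURL, chart string) string {
	ref := strings.TrimPrefix(repoURL, "oci://") + "/" + chart
	host, repo, _ := strings.Cut(ref, "/")
	return "https://" + host + "/v2/" + strings.Trim(repo, "/") + "/tags/list"
}

func main() {
	// Constructed sample: the GitLab challenge from the thread with a placeholder path.
	c := `Bearer realm="https://gitlab.com/jwt/auth",service="container_registry",scope="repository:group/chart:pull"`
	fmt.Println(TokenURL(c))
	fmt.Println(TagsListURL("myreg.azurecr.io/helm-chart/charts", "chart-name"))
	fmt.Println(TagsListURL("myreg.azurecr.io", "helm-chart/charts/chart-name"))
}
```

The token URL is then requested with the registry credentials, and the returned token is sent as `Authorization: Bearer` on the `tags/list` request, as in the curl commands posted earlier in the thread.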

@mchudinov

mchudinov commented Jun 14, 2023

I use ArgoCD version 2.7.4 and there is still this issue with private GitHub container registry. Neither manipulation with chart name - repoUrl name helps. It is still the same error

rpc error: code = Unknown desc = unable to get tags: failed to get tags: failed tags part: invalid response: 401 Unauthorized {"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]} 

My application configuration

kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
  name: example-helm
  namespace: argocd
spec:
  project: example
  source:
    chart: myorganization/example-helm
    repoURL: ghcr.io
    targetRevision: 0.2.*

Is the fix released? What version of ArgoCD has the fix?

@crenshaw-dev crenshaw-dev reopened this Jun 14, 2023
@blakepettersson
Member

@mchudinov, it's not yet released - it's due for 2.8. Try the latest master and see if the problem persists.

@crenshaw-dev
Member

Ah, forgot that. Closing again. 😆

@jlec

jlec commented Aug 14, 2023

Does work for me in 2.8 :/

@alexef
Member

alexef commented Aug 14, 2023

@jlec what is your set up? which Helm repository are you using, how is it configured? You might be running into different issues than the root cause of this ticket.

@stefangluszek

It still doesn't work with the latest released version of ArgoCD (2.8.2) and Google Artifact Registry. It seems the credentials are not passed correctly when requesting the tag list and the API server returns a 403.

@jlec

jlec commented Aug 30, 2023

> @jlec what is your set up? which Helm repository are you using, how is it configured? You might be running into different issues than the root cause of this ticket.

I am using ghcr.io. For example

➜  helm show all oci://ghcr.io/jlec/uptime-kuma
Pulled: ghcr.io/jlec/uptime-kuma:0.1.22
Digest: sha256:a8f900f5567a28dc60d8546145dbbc4e33ef4b02d2a8d9323b9ba7e32a8340a8
apiVersion: v2
appVersion: 1.22.1
description: A Helm chart for Uptime Kuma
name: uptime-kuma
type: application
version: 0.1.22

Asking ArgoCD to install 0.1.* results in

Unable to save changes: application spec for kuma is invalid: InvalidSpecError: Unable to generate manifests in ./: rpc error: code = Unknown desc = unable to get tags: failed to get tags: GET "https://ghcr.io/v2/jlec/uptime-kuma/tags/list": GET "https://ghcr.io/token?scope=repository%3Ajlec%2Fuptime-kuma%3Apull&service=ghcr.io": response status code 401: unauthorized: authentication required

@gris-gris

#16394 (comment)
