kokuwaio / helm-maven-plugin

Simple plugin to package helm charts

Helm insecure flag is not honored when performing a push to insecure repo

steromano87 opened this issue · comments

Is this a request for help?:
YES

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT

Environment (plugin version, maven version, OS, ...):
Plugin version: 6.7.0
Helm repo type: Harbor (with self signed certificate)

What happened:
I configured the Harbor OCI registry login as a separate step and I added the insecure flag. It worked correctly.

However, when I try and upload my chart using the push goal, the login is re-attempted. This login attempt does not honor the insecure flag, so the build fails.

What you expected to happen:

  • if a previous login was already performed, the login part should be skipped
  • the insecure option should be added to the push goal to allow the push to insecure registries. Helm provides the --insecure-skip-tls-verify option to bypass the certificate during push.

How to reproduce it (as minimally and precisely as possible):

  1. Spin up a Harbor registry (or any registry that uses a self-signed certificate)
  2. Build a chart
  3. Try to upload the chart to the insecure registry using the push goal

Anything else we need to know:
Currently we are bypassing this issue by using the exec-maven-plugin and performing the push command outside the plugin, however this approach works only if the Helm executable is in the path.

Thanks for your report.

I'll add the flag to skip login with helm:push. This login was implemented with helm:push before helm:registry-login was created. I've added a warning to migrate to helm:registry-login.

@steromano87 I've created a pull request #303. Can you verify that this is a solution for your issue?

Hi @sschnabe, thanks for the fix!
However I think that this commit solves the problem only partially...

The TLS certificate is checked twice, once during login and once when pushing an OCI artifact. Your fix correctly addresses the login check, however an additional insecure flag should be added to the helm-push goal to set the Helm option to skip the TLS check during push phase.

From my point of view this was added with #304. Can you verify this?

Hi @sschnabe, yes, the mentioned merge request covers this case. Can you please link this issue to that MR, to keep track of the resolution?

By mentioning the PR, it's attached to this issue and the PR.

Both PRs are released as 6.8.0.
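
An added example (not part of the thread or the plugin's code) that triages helm push errors from a Maven log into two classes: a certificate that fails verification, where a skip-verification flag changes the outcome, and an endpoint that answers in plain HTTP, where no TLS handshake takes place. The log lines, host names and category names are constructed for illustration.

```python
import re

# Constructed sample in the shape Maven prints helm's stderr; hosts and digests are placeholders.
SAMPLE_LOG = """\
[INFO] --- helm-maven-plugin:push (default-cli) @ demo ---
[ERROR] Error: failed to do request: Head "https://registry.example.test/v2/demo/blobs/sha256:placeholder": tls: failed to verify certificate: x509: certificate signed by unknown authority
[ERROR] Error: failed to do request: Head "https://registry.example.test:5000/v2/demo/blobs/sha256:placeholder": http: server gave HTTP response to HTTPS client
[ERROR] Error: failed to do request: Head "https://registry.example.test/v2/demo/blobs/sha256:placeholder": dial tcp: connection refused
"""

# (category, pattern, does skipping certificate verification change the outcome?)
RULES = [
    # TLS handshake happened, but the certificate chain was rejected.
    ("certificate_verification_failed", re.compile(r"x509: "), True),
    # The server never spoke TLS, so there is no certificate to skip.
    ("plaintext_endpoint",
     re.compile(r"server gave HTTP response to HTTPS client"), False),
]

# Scheme and authority of the registry URL quoted in the Go HTTP client error.
URL_RE = re.compile(r'(?:Head|Get|Post|Put|Patch) "(https?://[^/"]+)')


def classify(line):
    """Return (category, registry, skip_verify_relevant) for an [ERROR] line, else None."""
    if "[ERROR]" not in line:
        return None
    match = URL_RE.search(line)
    registry = match.group(1) if match else None
    for category, pattern, relevant in RULES:
        if pattern.search(line):
            return category, registry, relevant
    return "other", registry, False


def triage(log):
    """Classify every error line of a build log, preserving order."""
    return [r for r in map(classify, log.splitlines()) if r is not None]


if __name__ == "__main__":
    for category, registry, relevant in triage(SAMPLE_LOG):
        print(f"{registry}: {category} (skip-verify relevant: {relevant})")
```
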

Hi @sschnabe, I'm using version 6.9.0 of the plugin and I still have this issue: adding the insecure flag only fixes the helm:registry-login issue, but not the helm:push one:

[INFO] --- helm-maven-plugin:6.9.0:push (default-cli) @ core ---
[INFO] Use 3.12.2 as helm version
[INFO] Uploading /home/daniele/workspace/dan-shop-core/target/helm/repo/dan-shop-core-service-0.0.1-SNAPSHOT.tgz...
[ERROR] Error: failed to do request: Head "https://minikube.nexus-docker-dan-snapshot-http:30501/v2/dan-shop-core-service/blobs/sha256:168262311e5e887e5a61229248000d146d3691647fd080d39a7d04cebdd910bf": http: server gave HTTP response to HTTPS client

I'm running the following command:

 mvn helm:init helm:dependency-build helm:lint helm:package helm:registry-login helm:push

And here is the plugin configuration:

<insecure>true</insecure>
<skipPushLogin>true</skipPushLogin>
<chartVersion>${project.version}</chartVersion>
<chartDirectory>${project.basedir}/${project.name}</chartDirectory>
<autoDetectLocalHelmBinary>false</autoDetectLocalHelmBinary>
<helmDownloadUrl>https://get.helm.sh/helm-v3.12.2-linux-amd64.tar.gz</helmDownloadUrl>

<uploadRepoStable>
    <name>release-repo</name>
    <url>${docker.repository.release}</url>
    <type>NEXUS</type>
    ...