Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error: Could Not Add Chart Repository - Wrong Credentials? #32

Open
Piwero opened this issue May 20, 2024 · 13 comments
Open

Error: Could Not Add Chart Repository - Wrong Credentials? #32

Piwero opened this issue May 20, 2024 · 13 comments

Comments

@Piwero
Copy link

Piwero commented May 20, 2024

Description:
I'm experiencing an issue when trying to use the plugin to upload new versions of my Helm chart to my self-hosted Chartmuseum. When running the action, I get the following error:

Error: Could not add chart repository. Wrong credentials?

Repository: Piwero/sandbox-github-actions

Error Example: GitHub Actions Run

Steps to Reproduce:

  1. Go to the testing repo Piwero/sandbox-github-actions.
  2. Go the GitHub Actions workflow and trigger the "Release Helm Chart" action.

Expected Behavior:
The Helm chart should be successfully uploaded to my self-hosted Chartmuseum.

Actual Behavior:
The upload process fails with the error: Error: Could not add chart repository. Wrong credentials?

Secrets Added:

  • CM_REGISTRY: https://testmuseum.piwero.com
  • REGISTRY_USERNAME: testuser
  • REGISTRY_PASSWORD: ********

Additional Context:

  • The credentials (REGISTRY_USERNAME and REGISTRY_PASSWORD) are correctly set in the GitHub Secrets.
  • The password used for REGISTRY_PASSWORD is the same as the user password for Chartmuseum.
  • The same credentials work when used directly with Chartmuseum outside of GitHub Actions.

Feel free to play around with the GitHub Action. You can go to the sandbox repo and under actions, go to the "Release Helm Chart" action and run the workflow.

Please let me know if you need any further information to diagnose this issue. I can DM the password if needed for testing purposes.

Thank you
@nflaig
Copy link
Owner

nflaig commented May 20, 2024

I don't believe those credentials are passed as basic authentication but rather to log into the registry itself.

@Piwero
Copy link
Author

Piwero commented May 21, 2024

I don't believe those credentials are passed as basic authentication but rather to log into the registry itself.

Sorry, I don't understand what you mean here. I have passed those credentials which are used for adding the repo itself, for what I can see in the error it uses to add the repo like helm repo add --username testuser --password-stdin semantic-release-helm https://testmuseum.piwero.com. How are they supposed to work? or what should I pass instead as secrets in GH?

@nflaig
Copy link
Owner

nflaig commented May 21, 2024

you can see the error here https://github.com/Piwero/sandbox-github-actions/actions/runs/9160876947/job/25184511775#step:5:75, and trying to open https://testmuseum.piwero.com/index.yaml it requires basic authentication.

self-hosted Chartmuseum

what software are you using?

@Piwero
Copy link
Author

Piwero commented May 21, 2024

@nflaig just self hosted in a server, using traefik as ingress route. It works fine when running directly helm repo add test-museum https://testmuseum.piwero.com -username testuser --password XXX Basic authentication is passed with the secrets on GH with

CM_REGISTRY: https://testmuseum.piwero.com
REGISTRY_USERNAME: testuser
REGISTRY_PASSWORD: ********

isn't it?

I can see trying to use those parameters here https://github.com/Piwero/sandbox-github-actions/actions/runs/9160876947/job/25184511775#step:5:68

@nflaig
Copy link
Owner

nflaig commented May 22, 2024

using traefik as ingress route

Remove basic auth from traefik, or include basic authentication credentials in the URL

https://<username>:<password>@testmuseum.piwero.com

This is not an issue of this package but rather how you set up your server

@Piwero
Copy link
Author

Piwero commented May 22, 2024

@nflaig My basic authentication isn't with Traefik but with chartmuseum. Does this plugin don't take into consideration basic auth from Chartmuseum? https://chartmuseum.com/docs/#basic-auth

@nflaig
Copy link
Owner

nflaig commented May 22, 2024

@nflaig My basic authentication isn't with Traefik but with chartmuseum. Does this plugin don't take into consideration basic auth from Chartmuseum? https://chartmuseum.com/docs/#basic-auth

The username and password is used during helm add

semantic-release-helm/lib/verifyConditions.js

Lines 108 to 115 in b1647ba

if (username && password) {
await execa(
'helm',
['repo', 'add', '--username', username, '--password-stdin', 'semantic-release-helm', repositoryUrl],
{
input: password,
}
);

--basic-auth-user and --basic-auth-pass is not set anywhere as it's not a common use case to add basic auth on top of the already existing authentication.

You can try pass these in cmPushArgs, see https://github.com/nflaig/semantic-release-helm?tab=readme-ov-file#plugin-config

@nflaig
Copy link
Owner

nflaig commented May 22, 2024

You can try pass these in cmPushArgs, see https://github.com/nflaig/semantic-release-helm?tab=readme-ov-file#plugin-config

this is likely not gonna work as would have to pass basic auth flags to all commands

@Piwero
Copy link
Author

Piwero commented May 24, 2024

--basic-auth-user and --basic-auth-pass is not set anywhere as it's not a common use case to add basic auth on top of the already existing authentication.

What are the credentials in the README of the repo used for? https://github.com/nflaig/semantic-release-helm?tab=readme-ov-file#environment-variables
Aren't

export REGISTRY_HOST=<HOST>
export REGISTRY_USERNAME=<USERNAME>
export REGISTRY_PASSWORD=<PASSWORD>

used for these helm auth? or how they are used for?

@nflaig
Copy link
Owner

nflaig commented May 24, 2024

used for these helm auth? or how they are used for?

I just told you how the credentials are used with even a reference to the code, see #32 (comment)

@nflaig
Copy link
Owner

nflaig commented May 24, 2024

You might be able to pass basic auth credentials like this https://<username>:<password>@testmuseum.piwero.com, have you tried that?

@Piwero
Copy link
Author

Piwero commented May 24, 2024

@nflaig Yes, I have tried and still getting same error
https://github.com/Piwero/sandbox-github-actions/actions/runs/9223677838/job/25377406118

 command: 'helm repo add semantic-release-helm ***',
  escapedCommand: 'helm repo add semantic-release-helm "***"',
  exitCode: 1,
  signal: undefined,
  signalDescription: undefined,
  stdout: '',
  stderr: 'Error: looks like "***" is not a valid chart repository or cannot be reached: failed to fetch ***index.yaml : 403 Forbidden',
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false,
  pluginName: 'semantic-release-helm3'
}
Error: AggregateError: 
    Error: Could not add chart repository. Wrong credentials?

Bear on mind that *** it's github injecting the secret with https://<username>:<password>@test-museum.piwero.com
I have also tested visiting https://<username>:<password>@test-museum.piwero.com and works fine. I think it's more of an issue with the plugin. For what I understand, when it's a chartmuseum, index.yaml isn't returned when visiting main page.
has the plugging being tested with chartmuseum?

@nflaig
Copy link
Owner

nflaig commented May 27, 2024

has the plugging being tested with chartmuseum?

yes, actually that it the only use case I had myself, I was using Harbor. Just remove basic auth and it will work..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nflaig @Piwero