How to resolve Helm index.yaml virtual repository URL mismatch?

Nimer Bsoul
2019-06-06 22:48

 

Subject

Artifactory only supports resolution of Helm charts from virtual Helm chart repositories. To resolve Helm charts from other local or remote Helm chart repositories, you need to aggregate them in a virtual Helm chart repository. Artifactory then generates an index.yaml for the packages from all aggregated repositories.

Affected Versions

All versions

Details

Artifactory performs Helm indexing by aggregating the Helm packages from all repository types into a file named index.yaml, which holds the metadata of each package. The file is generated for the virtual repository; it is not shown in the Artifactory UI but is saved in the virtual repository cache.
In addition to the aggregation described above, Artifactory replaces the URL parameter with the base URL of Artifactory, if one is configured, and the virtual repository adds the URL with which the Helm client reaches Artifactory.

This mechanism can cause issues where the URLs in the index.yaml for each package are not ones the Helm client can use, and you can encounter the following scenario:

1 – The Helm remote repository is configured with “https://cbc-charts.storage.googleapis.com” (please note the HTTPS protocol).
2 – Create a virtual repository to aggregate the above remote repository.
3 – Add the Helm virtual repository as a resource for the Helm client:
    helm repo add helm-virtual https://<ARTIFACTORY_URL>/helm-virtual --username ***** --password *****
4 – Update the Helm client with the recent addition:
    helm repo update
5 – Try to fetch a Helm package through the virtual repository:
    helm fetch helm-virtual/<helm-package-name>
    Error: Failed to fetch http://<ARTIFACTORY_URL>/helm-virtual/<helm-package-name-0.0.0.tgz> : 401 Unauthorized

This error can occur because the virtual repository returned the index.yaml to the Helm client after the request reached Artifactory over HTTP (for example, because the Nginx configuration terminates HTTPS and forwards HTTP) and no Base URL is configured in Artifactory. The returned index.yaml then includes the following:
- apiVersion: v1
  appVersion: 0.0.0
  created: 2017-09-04T20:33:57.58469666Z
  description: CoreOS zetcd Helm chart for Kubernetes
  digest: 5eb700d49146fa6b070c2fdb9ce2f85f1e3071adee2368d5cdcc05cde5b5e4b7
  home: https://github.com/<source>/<name>
  maintainers:
  - name: <NAME>
  name: <NAME>
  sources:
  - https://github.com/<source>/<name>
  urls:
  - http://<ARTIFACTORY_URL>/helm-virtual/<helm-package-name-0.0.0.tgz>
  version: 0.1.0

Because of the aggregation mechanism, the index.yaml above contains the URL with HTTP instead of the HTTPS that the Helm client expects, and the error is therefore received.
To overcome the described scenario, there are two possibilities:

1 – Add a custom Base URL to Artifactory with the value “https://<ARTIFACTORY_URL>/”.
This should override the existing way the request from the Helm client is processed in Artifactory.
To configure the custom Base URL in the Artifactory UI, go to the Admin tab → General Configuration and enter the URL in the field “Custom Base URL”.
The next step is to regenerate the index.yaml from the virtual repository cache. In the Artifactory UI, open the tree browser, right-click the virtual Helm repository and click “Zap Caches”.
Run “helm repo update”; the index.yaml file that is generated should have HTTPS entries instead of HTTP.

2 – Change the reverse proxy configuration and add the header “X-Artifactory-Override-Base-Url” to the proxy configuration file, which should override the way the request reaches Artifactory through the proxy.
After configuring the above, reload your reverse proxy and then clear the cache as mentioned above. You can now run the “helm repo update” command, and the index.yaml file should be properly generated.
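
To confirm that either fix took effect, the script below lists every absolute chart URL in an index.yaml that does not start with the repository URL given to “helm repo add”. It is an added example, not part of the original article or of JFrog tooling; the function names, host and chart names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not JFrog code). Host and chart names are constructed.

# mismatched_urls REPO_URL INDEX_FILE
# Prints each absolute URL listed under a "urls:" key that does not start with
# REPO_URL. Relative entries are skipped: Helm resolves them against REPO_URL.
mismatched_urls() {
    case "$1" in */) base=$1 ;; *) base=$1/ ;; esac   # avoid prefix-only matches
    awk -v base="$base" '
        /^[[:space:]]*urls:[[:space:]]*$/ { in_urls = 1; next }
        in_urls && /^[[:space:]]*-[[:space:]]+/ {
            url = $0
            sub(/^[[:space:]]*-[[:space:]]+/, "", url)   # drop the list marker
            sub(/[[:space:]]+$/, "", url)                # drop trailing blanks
            gsub(/^"|"$/, "", url)                       # drop optional quotes
            if (url ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\// && index(url, base) != 1) print url
            next
        }
        { in_urls = 0 }                                  # any other line ends the list
    ' "$2"
}

# Constructed index.yaml: one correct entry, one HTTP entry, one relative entry.
write_sample_index() {
    cat > "$1" <<'EOF'
apiVersion: v1
entries:
  demo-chart:
  - apiVersion: v1
    name: demo-chart
    urls:
    - https://artifactory.example.com/helm-virtual/demo-chart-0.2.0.tgz
    version: 0.2.0
  - apiVersion: v1
    name: demo-chart
    urls:
    - http://artifactory.example.com/helm-virtual/demo-chart-0.1.0.tgz
    version: 0.1.0
  other-chart:
  - apiVersion: v1
    name: other-chart
    urls:
    - charts/other-chart-1.0.0.tgz
    version: 1.0.0
EOF
}

idx=$(mktemp)
write_sample_index "$idx"
mismatched_urls "https://artifactory.example.com/helm-virtual" "$idx"
rm -f "$idx"
```

Run it against the index.yaml the Helm client received from the virtual repository; empty output means every chart URL matches the scheme and host the client was configured with.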