How to resolve Helm index.yaml virtual repository URL mismatch?

Nimer Bsoul
2021-08-10 09:29

Artifactory only supports the resolution of Helm charts from virtual Helm chart repositories. To resolve Helm charts from other local or remote Helm chart repositories, you'll need to aggregate them into a virtual Helm chart repository. Thereafter, Artifactory will generate an index.yaml for the packages from all aggregated repositories.

Helm indexing in Artifactory is accomplished by aggregating the Helm packages from all repository types into a configuration file called index.yaml. This file contains the metadata of each package. It is generated for the virtual repository and is not shown in the Artifactory UI; instead, it is saved in the virtual repository cache.

Additionally, Artifactory replaces the URL param with Artifactory's base URL, and if it’s configured, the virtual repository will add the URL that the Helm client reaches Artifactory with.

The above mechanism can cause issues where the URLs in the index.yaml for each package are not what the Helm client can index, and you can encounter the following scenario:

  1. The Helm remote repository is configured with “https://cbc-charts.storage.googleapis.com”. Please note the HTTPS protocol.
  2. Create a virtual repository to aggregate the remote repository above.
  3. Add the Helm virtual repository as a resource for the Helm client:

     helm repo add helm-virtual https://<ARTIFACTORY_URL>/helm-virtual --username ***** --password *****

  4. Update your Helm client with the recent addition:

     helm repo update

  5. Try to fetch a Helm package through the virtual repository:

     helm fetch helm-virtual/<helm-package-name>
     Error: Failed to fetch https://<ARTIFACTORY_URL>/helm-virtual/<helm-package-name-0.0.0.tgz> : 401 Unauthorized

The 401 Unauthorized error above can occur because the index.yaml was returned to the Helm client by the virtual repository. Since the request reached Artifactory over HTTP (which can be due to the Nginx configuration terminating HTTPS and forwarding HTTP) and no Base URL is configured in Artifactory, the returned index.yaml will include the following:

    - apiVersion: v1
      appVersion: 0.0.0
      created: 2017-09-04T20:33:57.58469666Z
      description: CoreOS zetcd Helm chart for Kubernetes
      digest: 5eb700d49146fa6b070c2fdb9ce2f85f1e3071adee2368d5cdcc05cde5b5e4b7
      home: https://github.com/<source>/<name>
      maintainers:
      - name: <NAME>
      name: <NAME>
      sources:
      - https://github.com/<source>/<name>
      urls:
      - https://<ARTIFACTORY_URL>/helm-virtual/<helm-package-name-0.0.0.tgz>
      version: 0.1.0

Because the aggregation mechanism generated the index.yaml above with an HTTP URL instead of the HTTPS URL that the Helm client expects, the error is received.

You can overcome this situation in one of two ways:

  1. Overriding the way your Helm client requests are processed by adding the following custom base URL to Artifactory:

https://<ARTIFACTORY_URL>/

To do this, navigate in your UI to Administration > General > Settings, and enter the URL in the Custom Base URL field.

Next, regenerate the index.yaml from your virtual repository cache by navigating to your UI's tree browser, right-clicking on the virtual Helm repository, and selecting Zap Caches. Thereafter, run helm repo update, and the index.yaml file that is generated will have HTTPS entries instead of HTTP.

  2. Adding the following header to your reverse proxy configuration file:

X-Artifactory-Override-Base-Url

which will override the way the request reaches Artifactory through the proxy.

Thereafter, you'll have to reload your reverse proxy and then clear the cache by navigating to your UI's tree browser, right-clicking on the virtual Helm repository, and selecting Zap Caches as mentioned above. You will then need to run the helm repo update command, and the index.yaml file should be properly generated.
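To confirm that either fix took effect, you can compare the chart URLs in the regenerated index.yaml with the repository URL you passed to helm repo add. The script below is an added example, not JFrog code: the function names are hypothetical, and the hostname artifactory.example.com and the chart entries in the sample are constructed.

```shell
# Added example: flag chart URLs in a Helm index.yaml that do not match the repo URL.

# write_sample_index FILE: constructed index.yaml fragment with one HTTP URL
# (the mismatch described above), one HTTPS URL and one relative URL.
write_sample_index() {
    cat > "$1" <<'EOF'
apiVersion: v1
entries:
  zetcd:
  - name: zetcd
    urls:
    - http://artifactory.example.com/helm-virtual/zetcd-0.1.0.tgz
    version: 0.1.0
  demo:
  - name: demo
    urls:
    - https://artifactory.example.com/helm-virtual/demo-1.0.0.tgz
    - charts/demo-1.0.0.tgz
    version: 1.0.0
EOF
}

# check_index_urls FILE REPO_URL: print each absolute chart URL that does not
# start with REPO_URL. Returns 0 if all match, 1 on any mismatch, 2 on bad input.
check_index_urls() {
    [ -r "$1" ] && [ -n "$2" ] || return 2
    found=$(awk -v base="$2" '
        /^[ \t]*urls:[ \t\r]*$/ { in_urls = 1; next }
        in_urls && /^[ \t]*-[ \t]+/ {
            url = $0
            sub(/^[ \t]*-[ \t]+/, "", url)      # drop the list marker
            gsub(/[ \t\r"]/, "", url)           # drop quotes and stray whitespace
            if (url !~ /:\/\//) next            # relative URL: resolved by the client
            if (index(url, base) == 1) next     # matches the repo URL
            rest = url;  sub(/^[a-z]+:\/\//, "", rest)
            want = base; sub(/^[a-z]+:\/\//, "", want)
            kind = (index(rest, want) == 1) ? "scheme-mismatch" : "base-mismatch"
            print kind, url
            next
        }
        { in_urls = 0 }
    ' "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

tmp=$(mktemp) && write_sample_index "$tmp"
check_index_urls "$tmp" "https://artifactory.example.com/helm-virtual" || echo "mismatch found"
rm -f "$tmp"
```

A scheme-mismatch line means the index still carries the wrong protocol, so the base URL or header change has not reached the cached index.yaml yet.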