Helm Chart dependencies from OCI registries are not looked up #23499
-
How are you running Renovate?Mend Renovate hosted app on github.com If you're self-hosting Renovate, tell us what version of Renovate you run.No response If you're self-hosting Renovate, select which platform you are using.None Was this something which used to work for you, and then stopped?I am trying to get this working for the first time Describe the problemWe have Helm charts which contain references to other Helm charts in an OCI registry, for example: apiVersion: v2
name: name-of-chart
dependencies:
- name: configure-alertmanager-operator
repository: oci:https://ghcr.io/<organization>/charts
version: 0.0.1Renovate is configured to authenticate via {
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
],
"hostRules": [
{
"hostType": "docker",
"matchHost": "ghcr.io/<organization>",
"encrypted": {
"username": "...",
"password": "..."
}
},
{
"hostType": "docker",
"matchHost": "https://ghcr.io/<organization>/charts",
"encrypted": {
"username": "...",
"password": "..."
}
}
]When Renovate runs it responds with When Renovate detects this Helm chart and extracts its dependencies, it labels the Helm chart as a docker datasource: {
"currentValue": "0.0.1",
"datasource": "docker",
"depName": "configure-alertmanager-operator",
"packageName": "ghcr.io/<organization>/charts/configure-alertmanager-operator",
"versioning": "docker",
"warnings": [
{
"topic": "ghcr.io/<organization>/charts/configure-alertmanager-operator",
"message": "Failed to look up docker package ghcr.io/<organization>/charts/configure-alertmanager-operator"
}
],
"updates": []
},When it finds chart repositories, it seems to exclude OCI registries and seem to treat OCI charts purely as docker datasources: https://github.com/renovatebot/renovate/blob/main/lib/modules/manager/helmv3/artifacts.ts#L58 Is support for Helm charts dependencies in OCI registries not supported? Since the dependencies are not docker images, I'm not clear on how treating them as docker datasources will work? $ docker login ghcr.io/<organization>
Authenticating with existing credentials...
Login Succeeded
$ docker pull ghcr.io/<organization>/charts/configure-alertmanager-operator:0.0.1
0.0.1: Pulling from <organization>/charts/configure-alertmanager-operator
unsupported media type application/vnd.cncf.helm.config.v1+json
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZEversus $ helm registry login ghcr.io
Username: <organization>-user
Password:
Login Succeeded
$ helm pull oci:https://ghcr.io/<organization>/charts/configure-alertmanager-operator
Pulled: ghcr.io/<organization>/charts/configure-alertmanager-operator:0.0.1
Digest: sha256:...What are we doing wrong? Is the regex manager to be used and the dependencies to be treated as helm datasources? Relevant debug logsNo response Have you created a minimal reproduction repository?I have linked to a minimal reproduction in the description above |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 9 replies
-
|
@rarkins would appreciate some hints how to deal with this 🙇♂️ |
Beta Was this translation helpful? Give feedback.
-
|
So it's unauthorized, however how should the renovate config look like then? |
Beta Was this translation helpful? Give feedback.
-
|
The token works locally but not with Renovate |
Beta Was this translation helpful? Give feedback.
-
|
@viceice can you see anything wrong with the config that would make Renovate unauthorized? My best idea for next step would be to add logging locally and run Renovate locally to understand why authorization fails, because I cannot see what is wrong with the config. |
Beta Was this translation helpful? Give feedback.
-
|
that's probably your best option |
Beta Was this translation helpful? Give feedback.
-
|
Why does it add authentication for github but not for ghcr? INFO: rule.matchHost: ghcr.io
INFO: rule.resolvedHost: ghcr.io
INFO: field: password
INFO: field: token
INFO: rule.matchHost: api.github.com
INFO: rule.resolvedHost: api.github.com
INFO: field: password
INFO: field: token
DEBUG: Adding token authentication for api.github.com to hostRules |
Beta Was this translation helpful? Give feedback.
-
|
Finally got it working, pasting my config here for reference: {
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
],
"labels": [
"dependencies"
],
"prConcurrentLimit": 0,
"hostRules": [
{
"hostType": "docker",
"matchHost": "ghcr.io",
"username": "<user>",
"encrypted": {
"password": "<encrypted for org where github app is running and for org where charts reside>"
}
}
],
"regexManagers": [
{
"fileMatch": [
"tasks\/.*\\.y[a]?ml$"
],
"matchStrings": [
"chart_ref:\\s*oci:\/\/(?<registryUrl>.*)[\/](?<depName>.*)\\s*chart_version:\\s*(?<currentValue>.*)"
],
"datasourceTemplate": "docker"
}
]
}The issue seemed to be that the multiple |
Beta Was this translation helpful? Give feedback.
Finally got it working, pasting my config here for reference:
{ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:base" ], "labels": [ "dependencies" ], "prConcurrentLimit": 0, "hostRules": [ { "hostType": "docker", "matchHost": "ghcr.io", "username": "<user>", "encrypted": { "password": "<encrypted for org where github app is running and for org where charts reside>" } } ], "regexManagers": [ { "fileMatch": [ "tasks\/.*\\.y[a]?ml$" ], "matchStrings": [ "chart_ref:\\s*oci:\/\/(?<registryUrl>.*)[\/](?<depName>.*)\\s*chart_version:\\s*(?<currentVal…