How to work with private repositories? #52

Open
raafvargas opened this issue Oct 27, 2020 · 20 comments

@raafvargas

raafvargas commented Oct 27, 2020

The pipeline works fine but when I add the repo and try to use it, I get the following error:

Error: Failed to fetch https://github.com/{{org}}/{{repo}}/releases/download/{{version}}/{{version}}.tgz : 404 Not Found

I believe that is happening because helm can't authenticate.
I already tried to add the repository using my username and personal access token but it's not working.

That's how I added the repo:

helm repo add --username {{username}} --password {{personal_token}} {{org}} https://{{org}}.github.io/{{repo}}

Does anyone know if there is some trick to use it with private repos?

@ivanov-aleksander

I have the same issue.

@paltaa

paltaa commented Nov 26, 2020

Any information on this? Same issue.

@ivanov-aleksander

I spun up chartmuseum and added an additional step to push the chart to chartmuseum.

@raafvargas
Author

> I spun up chartmuseum and added an additional step to push the chart to chartmuseum.

I think that by now it's the only solution... I was trying to avoid setting up some infrastructure for chartmuseum, but I'll probably do the same.

@annabarnes1138

The trick is to host the actual chart tarballs in your gh-pages branch alongside your index.yaml file. When you give Helm your username and password it uses it to authenticate to the repository (the index file). The index file then tells Helm where to get the tarball. If the tarball is hosted in some other location (in this case it's hosted in GitHub Releases) then it would require a second authentication (which Helm does not support). So if you host the files in the same place as your index file and make the links relative paths then there is no need for the second authentication. This would require modifications to helm/chart-releaser. I have been working on this on my own project. If I can get it working reliably I may submit a PR to that repo.
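
The check described in the comment above, as an added example that is not part of the original thread or of chart-releaser: it lists the chart URLs in an index.yaml that resolve to a different origin than the repository index, which are the ones the repository credentials will not cover. The sample index, the `example-org` names, and the scheme/host/port comparison are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed index.yaml for illustration; org, repo and chart names are made up.
SAMPLE_INDEX = """\
apiVersion: v1
entries:
  api:
  - name: api
    version: 1.0.0
    urls:
    - https://github.com/example-org/charts/releases/download/api-1.0.0/api-1.0.0.tgz
  web:
  - name: web
    version: 2.1.0
    urls:
    - web-2.1.0.tgz
"""

def chart_urls(index_text):
    """Collect the items of every `urls:` list.

    Line scan for the block layout shown in SAMPLE_INDEX, not a YAML parser.
    """
    urls, in_urls = [], False
    for line in index_text.splitlines():
        stripped = line.strip()
        if stripped == "urls:":
            in_urls = True
        elif in_urls and stripped.startswith("- "):
            urls.append(stripped[2:].strip().strip("'\""))
        else:
            in_urls = False
    return urls

def origin(url):
    # Assumption: "same place" is approximated as same scheme, host and port.
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def off_origin_charts(repo_url, index_text):
    """Return resolved chart URLs that are not served from the index's origin."""
    base = repo_url.rstrip("/") + "/"
    resolved = [urljoin(base, u) for u in chart_urls(index_text)]
    return [u for u in resolved if origin(u) != origin(base)]

if __name__ == "__main__":
    for url in off_origin_charts("https://example-org.github.io/charts", SAMPLE_INDEX):
        print("needs separate authentication:", url)
```

An empty result means every tarball link is relative or on the same origin as the index, which is the layout the comment recommends.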

@annabarnes1138

I have a PR in the app repo (helm/chart-releaser#123) to resolve this. If I get it merged then a PR to this repo will be needed to support the new option.

@tomaszdudek7

Duh. So, this entire tool works only if you host your charts publicly?

@abin-tiger

+1

@pete911

pete911 commented Jan 14, 2022

Hi, I had the same problem with private repos and private github pages. I created a new project -> https://github.com/pete911/hcr

This can be used as a github action (as described in README) and with private repos/github pages.

@jtyr

jtyr commented Jan 16, 2022

@pete911 How do you solve the problem with different domains if the index is stored in GitHub pages and charts in releases? They both have different domains so private access via helm won't work.

@pete911

pete911 commented Jan 17, 2022

Hi @jtyr, yeah, I just realised that updating index is fixed by just working directly on git branch, pulling is fixed as well by providing --username and --password flags to helm repo add ..., but helm pull ... or helm install ... does NOT work ... I have tried to use as url:

  • https://raw.githubusercontent.com/... cannot find url for releases
  • https://api.github.com/repos/<user>/<repo>/releases/assets/<id> does not download tar.gz but different content
  • ...

So the problem is not the host (helm pull etc. supports username and password), but I cannot find out how to download private github release

... sorry I have misread the issue, because the problem I had was that I couldn't even update index.yaml with original chart releaser

@jtyr

jtyr commented Jan 18, 2022

@pete911 The reason why it doesn't work is because the index is on a completely different domain than the asset (githubusercontent.com != github.com). That's why if you pass the username and password to Helm, it can only get the index but not the asset (Helm is refusing to use the same username and password for two completely different domains).

@pete911

pete911 commented Jan 18, 2022

@jtyr I tried to do only helm pull without adding repo and I had no luck with pulling from github release on private repo, but on public repo it works fine:

  • public repo (I used fluent-bit as example) helm pull --untar https://github.com/fluent/helm-charts/releases/download/fluent-bit-0.19.17/fluent-bit-0.19.17.tgz works fine
  • private repo helm pull --untar --username <user> --password <token> https://api.github.com/repos/<user>/<repo>/releases/assets/<id> does not work, fails with Error: gzip: invalid header error

same when I use curl:

  • curl -i -H 'accept:application/octet-stream' -H 'Authorization: token <token>' https://api.github.com/repos/<user>/<repo>/releases/assets/<id> -o out
  • tar -xvf out produces tar: Error opening archive: Unrecognized archive format error

wget works fine though (in both I need to specify header, otherwise default is json)

  • wget --header='accept:application/octet-stream' --header='Authorization: token <token>' https://api.github.com/repos/<user>/<repo>/releases/assets/<id>

So .. not saying you are not right that the domains have to be the same, but I couldn't make it work with just pull (no index.yaml/repo added) on releases in private github repos.

@Jon-Call

Jon-Call commented Apr 6, 2022

Here's a write-up with a custom action that works for me. It bundles the tar and places it in the gh-pages branch next to index.yaml so you can reference and auth the same way helm references the github raw url for index.yaml

https://im5tu.io/article/2022/01/creating-a-private-helm-repository-using-github-pages-enterprise/

Seems the fundamental problem is in how Github pages doesn't allow you to authenticate with basic auth as helm tries to do when hitting a private page. Instead it returns a login page with some yaml that confuses and errors out helm

error converting YAML to JSON: yaml: line 165: mapping values are not allowed in this context

So until this changes both the index and tars need to be at https://raw.githubusercontent.com/

@tirelibirefe

> @pete911 The reason why it doesn't work is because the index is on a completely different domain than the asset (githubusercontent.com != github.com). That's why if you pass the username and password to Helm, it can only get the index but not the asset (Helm is refusing to use the same username and password for two completely different domains).

Hello,
Do you have any workarounds to figure it out?

Thanks

@tirelibirefe

tirelibirefe commented Jan 3, 2023

> Here's a write-up with a custom action that works for me. It bundles the tar and places it in the gh-pages branch next to index.yaml so you can reference and auth the same way helm references the github raw url for index.yaml
>
> https://im5tu.io/article/2022/01/creating-a-private-helm-repository-using-github-pages-enterprise/
>
> Seems the fundamental problem is in how Github pages doesn't allow you to authenticate with basic auth as helm tries to do when hitting a private page. Instead it returns a login page with some yaml that confuses and errors out helm
>
> error converting YAML to JSON: yaml: line 165: mapping values are not allowed in this context
>
> So until this changes both the index and tars need to be at https://raw.githubusercontent.com/

@Jon-Call
You're the man!
It worked; very good solution!
I really appreciate it.
Thank you

@jizi

jizi commented Sep 24, 2024

> I created a new project -> https://github.com/pete911/hcr

@pete911 this worked for us very well. Thank you! But now it seems it is not available anymore? Have you moved it somewhere?

@pete911

pete911 commented Sep 24, 2024

@jizi should be working now. No idea why the project shows as forked ... I will most likely need to re-create it in the future.

@radupopa369

#52 (comment)

This still is a useful workaround as of today. Thank you @Jon-Call

@andresromerodev

This can now be solved by using the packages_with_index flag:

- name: Run chart-releaser
  uses: helm/chart-releaser-action@v1.6.0
  with:
    packages_with_index: true
  env:
    CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

packages_with_index: When you set this to true, it will upload chart packages directly into publishing branch.
