-
Type:
Bug
-
Status: Done
-
Resolution: Done
-
Affects Version/s: 7.15.4, 7.19.3
-
Fix Version/s: 7.21.0
-
Component/s: None
-
Labels:None
-
Location:External
Issue:
Some Helm charts, such as cilium, use "Artifact Hub Annotations" in their Chart.yaml file. It appears that this type of annotation is problematic for Artifactory, even after the implementation of Helm annotation support (RTFACT-19846).
When such a chart is deployed in an Artifactory local Helm repository, the repository becomes incompetent, making it impossible to perform an "helm repo update" or pull any other charts from the repository.
Findings:
When such a chart populates the repository's index.yaml file, this is the problematic, un-parsable part that's being added to index.yaml:
annotations: artifacthub.io/crds: "- kind: CiliumNetworkPolicy\n version: "v2n name: ciliumnetworkpolicyn" \ displayName: Cilium Network Policy\n description: |\n Cilium Network\ \ Policies provide additional functionality beyond what\n is provided by\ \ standard Kubernetes NetworkPolicy such as the ability\n to allow traffic\ \ based on FQDNs, or to filter at Layer 7.\n- kind: CiliumClusterwideNetworkPolicy\n\ \ version: "v2n name: ciliumclusterwidenetworkpolicyn displayName: Cilium" \ Clusterwide Network Policy\n description: |\n Cilium Clusterwide Network\ \ Policies support configuring network traffic\n policiies across the entire\ \ cluster, including applying node firewalls.\n- kind: CiliumExternalWorkload\n\ \ version: "v2n name: ciliumnetworkpolicyn displayName: Cilium External" \ Workload\n description: |\n Cilium External Workload supports configuring\ \ the ability for external\n non-Kubernetes workloads to join the cluster.\n\ - kind: CiliumLocalRedirectPolicy\n version: "v2n name: ciliumlocalredirectpolicyn" \ displayName: Cilium Local Redirect Policy\n description: |\n Cilium\ \ Local Redirect Policy allows local redirects to be configured\n within\ \ a node to support use cases like Node-Local DNS or KIAM.\n- kind: CiliumNode\n\ \ version: "v2n name: ciliumnoden displayName: Cilium Noden description:" \ |\n Cilium Node represents a node managed by Cilium. It contains a\n\ \ specification to control various node specific configuration aspects\n\ \ and a status section to represent the status of the node.\n- kind: CiliumIdentity\n\ \ version: "v2n name: ciliumidentityn displayName: Cilium Identityn " \ description: |\n Cilium Identity allows introspection into security identities\ \ that\n Cilium allocates which identify sets of labels that are assigned\ \ to\n individual endpoints in the cluster.\n- kind: CiliumEndpoint\n \ \ version: "v2n name: ciliumendpointn displayName: Cilium Endpointn description:" \ |\n Cilium Endpoint represents the status of individual pods or nodes\ \ in\n the cluster which are managed by Cilium, including enforcement status,\n\ \ IP addressing and whether the networking is succesfully operational.\n"
Also causing this exception in the artifactory-server-service.log:
2021-06-03T08:58:26.544Z [jfrt ] [ERROR] [72fe39b48521e57c] [.a.h.r.m.HelmVirtualMerger:256] [art-exec-2916 ] - Couldn't read index file in local repository a-helm-local : while parsing a block mapping in 'reader', line 27, column 7: artifacthub.io/crds: "- kind: Ci ... ^ expected <block end>, but found '<scalar>' in 'reader', line 27, column 70: ... iliumNetworkPolicy\n version: "v2n name: ciliumnetworkpolicyn" ^ at [Source: (org.jfrog.storage.binstore.common.ReaderTrackingInputStream); line: 27, column: 70] (through reference chain: org.jfrog.repomd.helm.model.HelmIndexYamlMetadata["entries"]->java.util.LinkedHashMap["cilium"]->java.util.TreeSet[0]->org.jfrog.repomd.helm.model.HelmChartMetadata["annotations"])
Steps to reproduce:
1. Download a problematic chart:
repo add cilium https://helm.cilium.io/
helm pull cilium/cilium --version 1.9.5
2. Deploy it to an Artifactory virtual Helm repo (which aggregates a local Helm repo):
curl http://rt:8081/artifactory/a-helm/ -T cilium-1.9.5.tgz
3. Configure your Helm client with the Artifactory virtual Helm repo:
helm repo add a-helm http://rt:8081/artifactory/a-helm --username admin --password ***
4. Perform an "helm repo update" (fails)
5. Deploy another, non problematic Chart to the same repo (causes the exception)
6. Recalculate Index for the repo in UI (adds the new chart to the repo's index.yaml)
7. Attempt to pull the new/old Chart from Artifactory (fails):
helm pull a-helm/cilium
helm pull a-helm/<new-chart>
Workaround:
Manually remove the annotation from a Chart.yaml before deploying it to Artifactory
Recovery:
Delete the affected charts from the Artifactory local repo and recalculate index