  1. Artifactory Binary Repository
  2. RTFACT-26006

Charts with Artifact Hub Annotations break Artifactory helm repos

    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 7.15.4, 7.19.3
    • Fix Version/s: 7.21.0
    • Component/s: None
    • Labels:
      None
    • Location:
      External

      Description

      Issue:
      Some Helm charts, such as cilium, use "Artifact Hub Annotations" in their Chart.yaml file. It appears that this type of annotation is problematic for Artifactory, even after the implementation of Helm annotation support (RTFACT-19846).

      When such a chart is deployed to an Artifactory local Helm repository, the repository becomes unusable: it is impossible to perform a "helm repo update" or pull any other chart from the repository.

       

      Findings:

      When such a chart populates the repository's index.yaml file, this is the problematic, un-parsable part that's being added to index.yaml:

      annotations:
            artifacthub.io/crds: "- kind: CiliumNetworkPolicy\n  version: "v2n  name: ciliumnetworkpolicyn"
              \  displayName: Cilium Network Policy\n  description: |\n    Cilium Network\
              \ Policies provide additional functionality beyond what\n    is provided by\
              \ standard Kubernetes NetworkPolicy such as the ability\n    to allow traffic\
              \ based on FQDNs, or to filter at Layer 7.\n- kind: CiliumClusterwideNetworkPolicy\n\
              \  version: "v2n  name: ciliumclusterwidenetworkpolicyn  displayName: Cilium"
              \ Clusterwide Network Policy\n  description: |\n    Cilium Clusterwide Network\
              \ Policies support configuring network traffic\n    policiies across the entire\
              \ cluster, including applying node firewalls.\n- kind: CiliumExternalWorkload\n\
              \  version: "v2n  name: ciliumnetworkpolicyn  displayName: Cilium External"
              \ Workload\n  description: |\n    Cilium External Workload supports configuring\
              \ the ability for external\n    non-Kubernetes workloads to join the cluster.\n\
              - kind: CiliumLocalRedirectPolicy\n  version: "v2n  name: ciliumlocalredirectpolicyn"
              \  displayName: Cilium Local Redirect Policy\n  description: |\n    Cilium\
              \ Local Redirect Policy allows local redirects to be configured\n    within\
              \ a node to support use cases like Node-Local DNS or KIAM.\n- kind: CiliumNode\n\
              \  version: "v2n  name: ciliumnoden  displayName: Cilium Noden  description:"
              \ |\n    Cilium Node represents a node managed by Cilium. It contains a\n\
              \    specification to control various node specific configuration aspects\n\
              \    and a status section to represent the status of the node.\n- kind: CiliumIdentity\n\
              \  version: "v2n  name: ciliumidentityn  displayName: Cilium Identityn "
              \ description: |\n    Cilium Identity allows introspection into security identities\
              \ that\n    Cilium allocates which identify sets of labels that are assigned\
              \ to\n    individual endpoints in the cluster.\n- kind: CiliumEndpoint\n \
              \ version: "v2n  name: ciliumendpointn  displayName: Cilium Endpointn  description:"
              \ |\n    Cilium Endpoint represents the status of individual pods or nodes\
              \ in\n    the cluster which are managed by Cilium, including enforcement status,\n\
              \    IP addressing and whether the networking is succesfully operational.\n"

      Also causing this exception in the artifactory-server-service.log:

      2021-06-03T08:58:26.544Z [jfrt ] [ERROR] [72fe39b48521e57c] [.a.h.r.m.HelmVirtualMerger:256] [art-exec-2916       ] - Couldn't read index file in local repository a-helm-local : while parsing a block mapping
       in 'reader', line 27, column 7:
                artifacthub.io/crds: "- kind: Ci ...
                ^
      expected <block end>, but found '<scalar>'
       in 'reader', line 27, column 70:
           ... iliumNetworkPolicy\n  version: "v2n  name: ciliumnetworkpolicyn"
                                               ^ at [Source: (org.jfrog.storage.binstore.common.ReaderTrackingInputStream); line: 27, column: 70] (through reference chain: org.jfrog.repomd.helm.model.HelmIndexYamlMetadata["entries"]->java.util.LinkedHashMap["cilium"]->java.util.TreeSet[0]->org.jfrog.repomd.helm.model.HelmChartMetadata["annotations"])
      

       

      Steps to reproduce:

      1. Download a problematic chart:

      helm repo add cilium https://helm.cilium.io/
      helm pull cilium/cilium --version 1.9.5

      2. Deploy it to an Artifactory virtual Helm repo (which aggregates a local Helm repo):

      curl http://rt:8081/artifactory/a-helm/ -T cilium-1.9.5.tgz
      

      3. Configure your Helm client with the Artifactory virtual Helm repo:

      helm repo add a-helm http://rt:8081/artifactory/a-helm --username admin --password *** 
      

      4. Perform a "helm repo update" (fails)

      5. Deploy another, non-problematic chart to the same repo (causes the exception)

      6. Recalculate Index for the repo in UI (adds the new chart to the repo's index.yaml)

      7. Attempt to pull the new/old Chart from Artifactory (fails):

      helm pull a-helm/cilium
      helm pull a-helm/<new-chart>
      

       

      Workaround:

      Manually remove the annotation from a Chart.yaml before deploying it to Artifactory
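
One way to apply this workaround to a packaged chart, as an added example (not JFrog's or the reporter's code): the Python below removes `artifacthub.io/` keys from the `annotations:` map of the top-level Chart.yaml inside a chart .tgz and repacks the archive. It assumes block-style YAML with unquoted keys and treats every `artifacthub.io/` key as removable, where the issue only shows `artifacthub.io/crds`; the function names and the sample chart are constructed.

```python
import io
import re
import tarfile
PREFIX = "artifacthub.io/"  # assumption: drop every Artifact Hub key, not only crds

# Constructed sample, shaped like the chart annotation quoted in this issue.
SAMPLE = """apiVersion: v2
name: demo
version: 1.0.0
annotations:
  artifacthub.io/crds: |
    - kind: DemoPolicy
      description: |
        Multi-line text.
  category: networking
appVersion: 1.0.0
"""

def strip_artifacthub(chart_yaml):
    """Return (cleaned_text, removed_keys) for the text of a Chart.yaml."""
    out, removed, in_annotations, skip_indent = [], [], False, None
    for line in chart_yaml.splitlines(keepends=True):
        body = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if skip_indent is not None:
            if not body or indent > skip_indent:
                continue  # still inside the dropped key's (block scalar) value
            skip_indent = None
        if body and indent == 0 and not body.startswith("#"):
            in_annotations = re.match(r"annotations:\s*$", body) is not None
        elif in_annotations and body.startswith(PREFIX):
            removed.append(body.split(":", 1)[0])
            skip_indent = indent
            continue
        out.append(line)
    return "".join(out), removed

def repack_chart(tgz_bytes):
    """Return (new_tgz_bytes, removed_keys); only <chart>/Chart.yaml is rewritten."""
    removed, buf = [], io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as src, \
            tarfile.open(fileobj=buf, mode="w:gz") as dst:
        for m in src:
            data = src.extractfile(m).read() if m.isfile() else None
            if data is not None and re.fullmatch(r"[^/]+/Chart\.yaml", m.name):
                text, removed = strip_artifacthub(data.decode("utf-8"))
                data = text.encode("utf-8")
                m.size = len(data)  # header must match the rewritten length
            dst.addfile(m, io.BytesIO(data) if data is not None else None)
    return buf.getvalue(), removed
```

Rewriting Chart.yaml changes the archive digest, so an upstream `.prov` provenance file will no longer verify the repacked chart; record the original digest and the removed keys when mirroring charts this way.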

      Recovery:

      Delete the affected charts from the Artifactory local repo and recalculate index

              People

              Assignee:
              Unassigned
              Reporter:
              joeyn Joey Naor (Inactive)