Bug: Unable to use private OCI Registry with sub helm charts #6736
Description
📜 Description
We are not able to use private OCI registry with sub helm chart in argo application, We are getting below error while syncing although using helm it is working fine after below step(helm registry login staging-harbor.xyz.info first)
ComparisonError: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): failed to build helm dependencies: failed to build dependencies: failed to get command args to log: helm dependency build failed exit status 1: Error: could not download oci://staging-harbor.xyz.info/xyz/karpenter: pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials (retried 1 times).
👟 Reproduction steps
Create an Argo application as below
kind: Application
metadata:
name: ajay-karpenter-demo
namespace: devtroncd
spec:
destination:
namespace: devtron-demo
server: https://kubernetes.default.svc
project: default
source:
helm:
valueFiles:
- values.yaml
path: ajay-karpenter-devtron-demo
repoURL: https://github.com/xyz/stage-ajay-karpenter.git
targetRevision: master
syncPolicy:
retry:
backoff:
duration: 5s
factor: 2
maxDuration: 5s
limit: 1
status:
conditions:
- lastTransitionTime: 2025-06-18T06:28:01Z
message: "Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = failed to build helm dependencies: failed to build dependencies: failed to get command args to log: `helm dependency build` failed exit status 1: Error: could not download oci://staging-harbor.xyz.info/xyz/karpenter: pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials"
type: ComparisonError
controllerNamespace: devtroncd
health:
status: Healthy
- Registry Secret for OCI registry
apiVersion: v1
data:
enableOCI: "true"
name: xyz
password: xyz
type: helm
url: staging-harbor.xyz.info
username: admin
kind: Secret
metadata
labels:
argocd.argoproj.io/secret-type: repository
name: xyz
namespace: devtroncd
type: Opaque
-
Credentials for this GitOps organisation (https://github.com/xyz) , we are passing through credentials template in argocd cm under(repository.credentials).
-
Try to sync application and you will see the error .
Error Screenshot
My Chart.yaml on gitops repo
apiVersion: v1
dependencies:
- name: sample
repository: sample-url
version: 0.0.0
name: ajay-karpenter
version: 1.0.1
requirements.yaml
dependencies:
- name: karpenter
repository: oci://staging-harbor.xyz.info/badal773
version: 1.5.0
Values.yaml
{"karpenter":{"additionalAnnotations":{},"additionalClusterRoleRules":[],"additionalLabels":{},"affinity":{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"karpenter.sh/nodepool","operator":"DoesNotExist"}]}]}},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"topologyKey":"kubernetes.io/hostname"}]}},"controller":{"containerName":"controller","env":[],"envFrom":[],"extraVolumeMounts":[],"healthProbe":{"port":8081},"image":{"digest":"sha256:339aef3f5ecdf6f94d1c7cc9d0e1d359c281b4f9b842877bdbf2acd3fa360521","repository":"public.ecr.aws/karpenter/controller","tag":"1.5.0"},"metrics":{"port":8080},"resources":{},"securityContext":{"appArmorProfile":{},"seLinuxOptions":{},"seccompProfile":{}},"sidecarContainer":[],"sidecarVolumeMounts":[]},"dnsConfig":{},"dnsPolicy":"ClusterFirst","extraVolumes":[],"fullnameOverride":"","hostNetwork":false,"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initContainers":{},"logErrorOutputPaths":["stderr"],"logLevel":"info","logOutputPaths":["stdout"],"nameOverride":"","nodeSelector":{"kubernetes.io/os":"linux"},"podAnnotations":{},"podDisruptionBudget":{"maxUnavailable":1,"name":"karpenter"},"podLabels":{},"podSecurityContext":{"fsGroup":65532,"runAsNonRoot":false,"seccompProfile":{"type":"RuntimeDefault"}},"priorityClassName":"system-cluster-critical","replicas":2,"revisionHistoryLimit":10,"schedulerName":"default-scheduler","service":{"annotations":{}},"serviceAccount":{"annotations":{},"create":true,"name":""},"serviceMonitor":{"additionalLabels":{},"enabled":false,"endpointConfig":{},"metricRelabelings":[],"relabelings":[]},"settings":{"batchIdleDuration":"1s","batchMaxDuration":"10s","clusterCABundle":"","clusterEndpoint":"","clusterName":"ajay","eksControlPlane":false,"featureGates":{"nodeRepair":false,"reservedCapacity":false,"spotToSpotConsolidation":false},"interruptionQueue":"","isolatedVPC":false,"preferencePolicy":"Respect","reservedENIs":"0","vmMemoryOverheadPercent":0.075},"strategy":{"rollingUpdate":{"maxUnavailable":1}},"terminationGracePeriodSeconds":null,"tolerations":[{"key":"CriticalAddonsOnly","operator":"Exists"}],"topologySpreadConstraints":[{"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"DoNotSchedule"}]}}
a.
Version
v2.13.2
Logs
Repo server logs
level=error msg="finished unary call with code Unknown" error="failed to build helm dependencies: failed to build dependencies: failed to get command args to log: helm dependency build failed exit status 1: Error: could not download oci://staging-harbor.xyz.info/badal773/karpenter: pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2025-06-18T06:58:11Z" grpc.time_ms=843.795 span.kind=server system=grpc
👍 Expected behavior
It should also work in the case of Argocd , in helm templating.
👎 Actual Behavior
It through error while helm templating in argocd
☸ Kubernetes version
1.32
Cloud provider
🌍 Browser
Chrome
🧱 Your Environment
No response
✅ Proposed Solution
No response
👀 Have you spent some time to check if this issue has been raised before?
- I checked and didn't find any similar issue
🏢 Have you read the Code of Conduct?
- I have read the Code of Conduct