Skip to content

helm upstream bug causes kapp-controller to fail to fetch oci helm chartΒ #1772

New issue
New issue
Open
Open
helm upstream bug causes kapp-controller to fail to fetch oci helm chart#1772
Labels
bugThis issue describes a defect or unexpected behaviorcarvel-triageThis issue has not yet been reviewed for validity
@gorkemozlu

Description

@gorkemozlu
gorkemozlu
opened on Nov 6, 2025

What steps did you take:
Using kapp-controller 0.58.0 on VKS, using App CR to deploy helmChart via oci but due to a upstream bug with helm, it returns error, 0.58.1 still has still issue.
See the App CR to find details and the error output, 'Helm registry login: exit status 1 (stderr: Error: invalid reference: invalid registry "container-registry.example.com/some-repo/tac"'
What happened:
[A small description of the issue]
Using kapp-controller 0.58.0 on VKS, using App CR to deploy helmChart via oci but due to a upstream bug with helm, it returns error, 0.58.1 still has still issue.

What did you expect:
[A description of what was expected]
To be able to deploy helm applications using App CR to deploy helmChart via oci

Anything else you would like to add:
[Additional information that will assist in solving the issue.]

Upstream helm v3.18.0 has this bug:
helm/helm@ea04cea

This issue is introduced with following change:

v0.57.0...v0.58.0#diff-e715c9dc3715dee01cc7ed47ac7f58ddef0d1be24d0a11642d5aade1bdc504e9R58

This issue is fixed with following upstream helm version
helm/helm#30873
https://github.com/helm/helm/releases/tag/v3.18.1

Environment:

VKr 1.34
kapp-controller 0.58.0

apiVersion: kappctrl.k14s.io/v1alpha1
kind: App
metadata:
  finalizers:
  - finalizers.kapp-ctrl.k14s.io/delete
  generation: 4
  labels:
    kapp.k14s.io/app: "1741348996604017086"
    kapp.k14s.io/association: v1.14c3e8d9d8f4ec82330718fafdd3f0b6
  name: fluxcd
  namespace: packages
spec:
  canceled: false
  defaultNamespace: fluxcd-system
  deploy:
  - kapp:
      rawOptions:
      - --wait-timeout=5m
      - --kube-api-qps=20
      - --kube-api-burst=30
      - --dangerous-override-ownership-of-existing-resources=true
  fetch:
  - helmChart:
      name: flux
      repository:
        secretRef:
          name: regcred
        url: oci://container-registry.example.com/some-repo/tac
      version: 2.4.46
  paused: false
  serviceAccountName: flux-tac-sa
  syncPeriod: 10m0s
  template:
  - helmTemplate:
      namespace: fluxcd-system
      valuesFrom:
      - secretRef:
          name: flux-tac-data-values
      - secretRef:
          name: flux-tac-additional-data-values
  - ytt:
      ignoreUnknownComments: true
      valuesFrom:
      - secretRef:
          name: overlay-secret-flux-tac
status:
  conditions:
  - message: 'Fetching resources: Error (see .status.usefulErrorMessage for details)'
    status: "True"
    type: ReconcileFailed
  consecutiveReconcileFailures: 13
  deploy:
    exitCode: 0
    finished: true
    kapp:
      associatedResources:
        groupKinds:
        - group: ""
          kind: Service
        - group: ""
          kind: ServiceAccount
        - group: apiextensions.k8s.io
          kind: CustomResourceDefinition
        - group: apps
          kind: Deployment
        - group: networking.k8s.io
          kind: NetworkPolicy
        - group: policy
          kind: PodDisruptionBudget
        - group: rbac.authorization.k8s.io
          kind: ClusterRole
        - group: rbac.authorization.k8s.io
          kind: ClusterRoleBinding
        - group: rbac.authorization.k8s.io
          kind: Role
        - group: rbac.authorization.k8s.io
          kind: RoleBinding
        label: kapp.k14s.io/app=1759751871320484082
        namespaces:
        - (cluster)
        - fluxcd-system
    startedAt: "2025-11-05T08:16:10Z"
    stdout: |-
      Target cluster 'https://10.197.0.1:443' (nodes: clusterName-node, 6+)
      Changes
      Namespace  Name  Kind  Age  Op  Op st.  Wait to  Rs  Ri
      Op:      0 create, 0 delete, 0 update, 0 noop, 0 exists
      Wait to: 0 reconcile, 0 delete, 0 noop
      Succeeded
    updatedAt: "2025-11-05T08:16:10Z"
  fetch:
    error: 'Fetching resources: Error (see .status.usefulErrorMessage for details)'
    exitCode: 1
    startedAt: "2025-11-05T09:16:03Z"
    stderr: |
      vendir: Error: Syncing directory '0':
        Syncing directory '.' with helm chart contents:
          Helm registry login: exit status 1 (stderr: Error: invalid reference: invalid registry "container-registry.example.com/some-repo/tac"
      )
    updatedAt: "2025-11-05T09:16:03Z"
  friendlyDescription: 'Reconcile failed: Fetching resources: Error (see .status.usefulErrorMessage
    for details)'
  observedGeneration: 4
  template:
    exitCode: 0
    updatedAt: "2025-11-05T08:16:10Z"
  usefulErrorMessage: |
    vendir: Error: Syncing directory '0':
      Syncing directory '.' with helm chart contents:
        Helm registry login: exit status 1 (stderr: Error: invalid reference: invalid registry "container-registry.example.com/some-repo/tac"
    )

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

πŸ‘ "I would like to see this addressed as soon as possible"
πŸ‘Ž "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThis issue describes a defect or unexpected behaviorcarvel-triageThis issue has not yet been reviewed for validity

    Type

    No type

    Projects

    Carvel

    Status

    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions