Always use latest repository credentials #846 bug persists

[madhavdas]

Terraform, Provider, Kubernetes and Helm Versions

Terraform version:
 terraform -v
Terraform v1.9.5
on linux_amd64
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v5.61.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.5
+ provider registry.terraform.io/hashicorp/helm v2.15.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.32.0
+ provider registry.terraform.io/hashicorp/null v3.2.3
+ provider registry.terraform.io/hashicorp/time v0.12.1
+ provider registry.terraform.io/hashicorp/tls v4.0.6

Provider version: 
Kubernetes version: 1.30

Affected Resource(s)

• helm_release

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.
/*resource "helm_release" "karpenter" {                                                                                               
  namespace           = "kube-system"                                                                                                 
  name                = "karpenter"                                                                                                   
  repository          = "https://charts.karpenter.sh"                                                                                 
  //buggy fails login, most frustrating "oci://public.ecr.aws/karpenter"                                                    
  //repository_username = data.aws_ecrpublic_authorization_token.token.user_name                                                      
  //repository_password = data.aws_ecrpublic_authorization_token.token.password                                                       
  chart               = "karpenter"                                                                                                   
  version             = var.karpenterchartversion       //1.0.0                                                                              
  wait                = false                                                                                                         
                                                                                                                                      
                                                                                                                                      
  values = [                                                                                                                          
    <<-EOT                                                                                                                            
    serviceAccount:                                                                                                                   
      name: ${module.karpenter.service_account}                                                                                       
    settings:                                                                                                                         
      clusterName: ${module.eks.cluster_name}                                                                                         
      clusterEndpoint: ${module.eks.cluster_endpoint}                                                                                 
      interruptionQueue: ${module.karpenter.queue_name}                                                                               
    EOT                                                                                                                               
  ]                                                                                                                                   
                        

Debug Output

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.
╷
│ Error: could not login to OCI registry "public.ecr.aws": login attempt to https://public.ecr.aws/v2/ failed with status: 403 Forbidden
│
│ with helm_release.karpenter,
│ on eks.tf line 136, in resource "helm_release" "karpenter":
│ 136: resource "helm_release" "karpenter" {
│

NOTE: In addition to Terraform debugging, please set HELM_DEBUG=1 to enable debugging info from helm.
Can't run debug now, have removed the code from terraform and plan on using the helm --install for karpenter on bash prompt.

Panic Output

Steps to Reproduce

1. terraform plan and apply both produce the error. impossible to proceed, tries all tricks available on the net
   In the end, removed the resource from state file and then commented out from the .tf file.

Expected Behavior

See the same as bug #846

Actual Behavior

Login to oci://public.ecr.aws should refresh when a token has expired. Neither deleting ~/.config/helm nor removing the entire .terraform folder helps. Helm login from CLI(bash) works but as a terraform resource 'helm_release' always fails to login to oci://public.ecr.aws

Important Factoids

References

• 🌱 Bump k8s.io/client-go from 0.27.1 to 0.28.1 #1234

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[emalihin]

same with this version of the provider:

├── provider[registry.terraform.io/hashicorp/helm] 2.10.1

[alexsomesan]

I'm unable to reproduce this issue. The configuration quoted above applies correctly without credentials in my case.

Terraform will perform the following actions:

  # helm_release.karpenter will be created
  + resource "helm_release" "karpenter" {
      + atomic                     = false
      + chart                      = "karpenter"
      + cleanup_on_fail            = false
      + create_namespace           = true
      + dependency_update          = false
      + disable_crd_hooks          = false
      + disable_openapi_validation = false
      + disable_webhooks           = false
      + force_update               = false
      + id                         = (known after apply)
      + lint                       = false
      + manifest                   = (known after apply)
      + max_history                = 0
      + metadata                   = (known after apply)
      + name                       = "karpenter"
      + namespace                  = "karpenter"
      + pass_credentials           = false
      + recreate_pods              = false
      + render_subchart_notes      = true
      + replace                    = false
      + repository                 = "oci://public.ecr.aws/karpenter"
      + reset_values               = false
      + reuse_values               = false
      + skip_crds                  = false
      + status                     = "deployed"
      + timeout                    = 300
      + verify                     = false
      + version                    = "0.37.5"
      + wait                       = false
      + wait_for_jobs              = false
    }

Plan: 1 to add, 0 to change, 0 to destroy.
helm_release.karpenter: Creating...
helm_release.karpenter: Creation complete after 1s [id=karpenter]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Can you please elaborate on why your case requires authentication to oci://public.ecr.aws?