Error when pulling ACR Helm repository (index and chart)

Question

Error when pulling ACR Helm repository (index and chart)

fredgate 26

We use ACR to store Docker images and Helm charts. We use Helm chart with the Helm repository (not the OCI registry).
The URI for the helm repository is : https://contoso.azurecr.io/helm/v1/repo

We have an operator (Flux v2) running inside an kubernetes cluster (AKS) that regularly pulls some charts, and the list of available charts. But sometimes it has error responses from ACR, then some success responses, and later again some error responses and so on without doing anything.

Here is an error from logs from Flux v2 component when pulling a Helm chart :
{"level":"error","ts":"2020-11-10T11:45:33.258Z","logger":"controller","msg":"Reconciler error","reconcilerGroup":"source.toolkit.fluxcd.io","reconcilerKind":"HelmChart","controller":"helmchart","name":"default-cdn","namespace":"cd","error":"failed to fetch https://contoso.azurecr.io/helm/v1/repo/_blobs/cdn-1.0.0.tgz : 500 Internal Server Error","errorVerbose":"failed to fetch https://contoso.azurecr.io/helm/v1/repo/_blobs/cdn-1.0.0.tgz : 500 Internal Server Error\nhelm.sh/helm/v3/pkg/getter.(*HTTPGetter).get

And another error when getting the charts list :
{"level":"error","ts":"2020-11-10T11:46:39.273Z","logger":"controller","msg":"Reconciler error","reconcilerGroup":"source.toolkit.fluxcd.io","reconcilerKind":"HelmRepository","controller":"helmrepository","name":"contoso","namespace":"cd","error":"failed to download repository index: failed to fetch https://contoso.azurecr.io/helm/v1/repo/index.yaml : 500 Internal Server Error"}

What is the cause of this error and how can I get more details about it ?

KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2020-11-13T23:24:55.53+00:00

@fredgate I checked in the backend and it looks like we didn't receive any request on 2020-11-10 and there are no 500 response for this registry 'contoso.azurecr.io' for most recent 5 days. Could you confirm if the 500 response came from ACR? Let me know. Thanks.

Accepted answer

2 additional answers

Your answer

KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2020-11-13T23:24:55.53+00:00

@fredgate I checked in the backend and it looks like we didn't receive any request on 2020-11-10 and there are no 500 response for this registry 'contoso.azurecr.io' for most recent 5 days. Could you confirm if the 500 response came from ACR? Let me know. Thanks.

Answer 1

KarishmaTiwari-MSFT 20,772 Microsoft Employee Moderator

We checked for your ACR and found that all 500 errors are linked with invalid header field value "xxxxxxxxxxxxxxxxxx\n" for key Origin-User
The mitigation is to trim the ending white space of the username before any auth operations.

We saw this issue in instances when user uses scripts to do login and auth related operations. Due to the line ending differences such as \n and \r\n, the character \r was send as input to the username field.

Let me know if you if you have further questions.

Please Accept as answer if it helped, so that it can help others facing the same issue.

fredgate 26 Reputation points

2020-11-19T08:11:37.35+00:00
Thanks for your response.
I looked at the source code of the flux program, and it never sets the Origin-User header. Moreover this header is not part of the HTTP protocol : there is no documentation about it.
The flux program only sets theses headers :

User-Agent to value like Helm/v3.4.0

Authorization to value Basic username-and-password-base64-encoded
Do you have a reverse proxy that set the Origin-User header to backend by extracting the value from Authorization header ?
fredgate 26 Reputation points

2020-11-19T09:07:11.843+00:00

I did some tests with a small go program that downloads the chart list of our ACR in the same way as the program flow.
I managed to get a 500 response from ACR by executng my program with \r\n added at the end of the user name.
Then I executed again my program with the correct username and I got 200 response with the chart list.
Then I executed again my program by adding again \r\n at the end of the user name, and I did not have the 500 error, but the 200 response with the chart list.
I wait few seconds/minutes and I executed again my program by adding again \r\n at the end of the user name, and I got the 500 error agin.
It seems that you have somewhere a cache that is used and error for username does not occur when a response succeeded shortly before.
fredgate 26 Reputation points

2020-11-19T11:05:44.593+00:00

I confirm that there was a new line character in the Authorization header for the username and password. Fixing that resolved the problem.
But it will be better that server send a 401 response in this cas instead of a 500 response.
Thnaks for the help.
KarishmaTiwari-MSFT 20,772 Reputation points Microsoft Employee Moderator

2020-11-20T01:13:05.703+00:00

Thanks for your valuable feedback and sharing the update. I have relayed that feedback to the product team.
Glad to know that your issue is resolved.

Answer 2

Anonymous

@fredgate

Not really sure I understood what you solution was, where did you fix the problem?

I've run into the same issue using Flux v2 and a HelmRepository backed by ACR.

Answer 3

Anonymous

I should add that my problem was related to the base64 encoding of username/password.

I did like this:

echo "username" | base64

What I didn't know is that echo adds a newline at the end, and the encoded strings ends with: Cg==.

What I had to do was this instead

echo -n "username" | base64

Share via

Error when pulling ACR Helm repository (index and chart)

2 additional answers

Your answer