OCI support in Okteto Enterprise built in registry

It would be useful if the built-in okteto image registry was OCI enabled. By doing so we could also push helm chart artifacts there, and tightly integrate with the helm chart catalog feature built into Okteto.

I tested helm interactions with the built-in registry yesterday. I'm able to login, but adding the repo or pushing to the repo both fail.

helm registry login -u andrew.popp registry.xxx.xxx.net
Password:
Login Succeeded
helm repo add sandbox https://registry.xxx.xxx.net
Error: looks like "https://registry.xxx.xxx.net" is not a valid chart repository or cannot be reached: failed to fetch https://registry.xxx.xxx.net/index.yaml : 404 Not Found
helm push /Users/xxx/working/cps-api/cps-api-0.0.0.tgz oci://registry.xxx.xxx.net
Error: failed to authorize: failed to fetch oauth token: unexpected status: 401 Unauthorized

Hi @apopp

I have been testing it and it should work, but I think there is something missing in the push command. I'll explain it.

When you push to the Okteto registry, you should specify the okteto namespace where the chart will be pushed. As we explain here: Okteto Registry | Okteto Documentation, in the Okteto registry each namespace has its own space to store images. When you work with the Okteto CLI, you can use the notation okteto.dev/<image> and it is automatically expanded by the CLI to registry.cloud.okteto.net/<okteto-namespace>/<image>

Something similar happens when you try to push the chart artifacts. I'm going to show you how it works using our movies example GitHub - okteto/movies: React + Node multi service application, which contains some helm charts. For this case, I will use the chart within the api folder.

The first thing you need is to log in to the registry with helm, as you did:

helm registry login -u <user> registry.cloud.okteto.net
Password:
Login Succeeded

Then, within the api folder, I execute the following command to package the chart:

helm package chart
Successfully packaged chart and saved it to: /Users/xxxx/xxxxx/okteto-movies/api/movies-api-0.1.0.tgz

Once you have it, you can run the following command to push the artifacts to the registry. If you look at the command, the registry URL contains at the end the okteto-namespace where the artifacts will be pushed. As you see, it is the same as using a docker image, like it is explained in the article I pasted above.

helm push /Users/xxxx/xxxxx/okteto-movies/api/movies-api-0.1.0.tgz oci://registry.cloud.okteto.net/<okteto-namespace>
Pushed: registry.cloud.okteto.net/<okteto-namespace>/movies-api:0.1.0
Digest: sha256:07805....

Now, the artifact is pushed into the registry and you should be able to pull it:

helm pull oci://registry.cloud.okteto.net/<okteto-namespace>/movies-api --version 0.1.0
Pulled: registry.cloud.okteto.net/<okteto-namespace>/movies-api:0.1.0
Digest: sha256:0780569....

NOTE: One thing to bear in mind: this example is using the registry for Cloud. If you are using a Teams or self-hosted instance, you should use the URL oci://<registry-domain>/<okteto-namespace>

I hope this might help you. Let us know if it works!

4 Likes
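The procedure above is: log in, `helm package`, then `helm push` to `oci://<registry>/<okteto-namespace>`, after which the chart lands at `<registry>/<okteto-namespace>/<chart-name>:<chart-version>`. The following is an added example (not part of the original thread or of Okteto's or Helm's own code) that reads the name and version `helm package` stored in the archive's Chart.yaml and computes the push URL and the resulting reference, refusing an empty namespace, which is the mistake that caused the 401 in the first post. It assumes a flat Chart.yaml (no PyYAML dependency) and builds a constructed stand-in archive instead of a real chart.

```python
import io
import tarfile


def chart_metadata(tgz_bytes: bytes) -> dict:
    """Return the key/value pairs of <chart-name>/Chart.yaml inside a packaged chart.
    Only flat `key: value` lines are parsed (assumption: no nested YAML needed here)."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # `helm package` stores files as <chart-name>/Chart.yaml
            if len(parts) == 2 and parts[1] == "Chart.yaml":
                text = tar.extractfile(member).read().decode()
                meta = {}
                for line in text.splitlines():
                    if ":" in line and not line.startswith((" ", "#")):
                        key, _, value = line.partition(":")
                        meta[key.strip()] = value.strip().strip("\"'")
                return meta
    raise ValueError("no Chart.yaml in archive")


def oci_targets(tgz_bytes: bytes, registry: str, namespace: str) -> tuple:
    """Return (push_url, reference): the URL to give `helm push` and the
    reference the chart will be stored under in the Okteto registry."""
    namespace = namespace.strip("/")
    if not namespace:
        # Pushing to the registry root is what fails with 401 in the thread.
        raise ValueError("Okteto registry needs oci://<registry>/<okteto-namespace>")
    meta = chart_metadata(tgz_bytes)
    for key in ("name", "version"):
        if not meta.get(key):
            raise ValueError(f"Chart.yaml is missing '{key}'")
    push_url = f"oci://{registry}/{namespace}"
    reference = f"{registry}/{namespace}/{meta['name']}:{meta['version']}"
    return push_url, reference


def make_sample_chart(name: str = "movies-api", version: str = "0.1.0") -> bytes:
    """Constructed stand-in for `helm package chart` output; not a real chart."""
    chart_yaml = f"apiVersion: v2\nname: {name}\nversion: {version}\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}/Chart.yaml")
        info.size = len(chart_yaml)
        tar.addfile(info, io.BytesIO(chart_yaml))
    return buf.getvalue()


if __name__ == "__main__":
    print(oci_targets(make_sample_chart(), "registry.cloud.okteto.net", "my-namespace"))
```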

Thanks Nacho!
I'll have a look here. Seems like I was just missing the namespace value.

@nacho
I think it would be useful if the docs included something about helm chart support in the built-in registry. What do you think?

Could be as simple as the steps you just described above? The key part for me was understanding the namespacing, which I overlooked :smiley:

Regarding the namespacing, will all users be allowed to pull helm charts from a centralized namespace? Or will users need to be permissioned into a namespace before they can pull the charts from there?

It's important that whatever namespace we do use to store the helm charts is accessible to all okteto users by default.

Hi @apopp

I opened an internal ticket to include the documentation about the helm chart support in the registry.

Regarding your question about the namespaces: in order to pull, the user pulling the chart has to have read access to the repository. In order to allow the scenario you are describing, there is a special namespace you can use. If you use the namespace okteto (in Cloud it is not supported), only an admin can push to that namespace, but any other user has read access to it, so they should be able to pull it. This scenario is not documented, but we already have a ticket to include it; we hope to have it soon.

If you have any issue trying to use the okteto namespace, let us know and we'll help you.

1 Like

@apopp we have been working on samples, but there is a fix we need at the app level for this to work properly. I will let you know when the fix (and sample) is available.