Skip to content

3.1.0: helm_release fails to fetch chart with basic credential not found when multiple registry entries are configured #1719

New issue
New issue
Open
Open
3.1.0: helm_release fails to fetch chart with basic credential not found when multiple registry entries are configured#1719
Labels
bug
@tequeter

Description

@tequeter
tequeter
opened on Nov 4, 2025

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: v1.13.4
Provider version: v3.1.0

Affected Resource(s)

  • helm_release

Terraform Configuration Files

terraform {
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = "3.1.0"
    }
  }
}

provider "helm" {
  debug = true
  kubernetes = {
    config_path = "~/.kube/config"
  }

  registries = [
    {
      url      = "oci://registry1.internal"
      username = "user1"
      password = "pass1"
    },
    {
      url      = "oci://registry2.internal"
      username = "user1"
      password = "pass1"
    },
  ]
}

resource "helm_release" "app1" {
  name       = "app1"
  repository = "oci://registry1.internal/helm-charts"
  chart      = "app1"
  namespace  = "app1"
  version    = "1.2.0"
}

To reproduce the issue, you'll need actual password-protected registries listening at registry[12].internal.

Debug Output

https://gist.github.com/tequeter/3ef7294e9ec05b69e7f56dc7b7441636

Steps to Reproduce

  1. terraform init
  2. terraform plan

Expected Behavior

A plan to create helm_release.app1 should have been displayed.

Actual Behavior

│ Error: Error locating chart
│
│   with helm_release.app1,
│   on main.tf line 30, in resource "helm_release" "app1":
│   30: resource "helm_release" "app1" {
│
│ Unable to locate chart oci://registry1.internal/helm-charts/app1: failed to perform "FetchReference" on source: GET
│ "https://registry1.internal/v2/helm-charts/app1/manifests/1.2.0": basic credential not found

Important Factoids

  1. Removing "oci://registry2.internal" from the configuration allows the test to pass. Of course, in real life we have multiple internal registries and need them defined to deploy our apps.
  2. Downgrading to provider version 3.0.2 also works.
  3. I cleared the contents of the password manager acting as a secret service before the test (see Helm's config.json at the bottom of the gist).

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions