amazon-web-services docker-registry amazon-ecr

How to push the helm provenance file to ECR


We have a requirement to use signed Helm charts, and I am trying to push the Helm chart and provenance file to ECR, but it seems I always get an error.

    helm --debug push mychart-0.1.0.tgz.prov oci://<account_id>.dkr.ecr.<region>.amazonaws.com/mychart
    Error: file 'mychart-0.1.0.tgz.prov' does not appear to be a gzipped archive; got 'text/plain; charset=utf-8'
    helm.go:84: [debug] file 'mychart-0.1.0.tgz.prov' does not appear to be a gzipped archive; got 'text/plain; charset=utf-8'

I am able to push the Helm chart just fine, but not the provenance file. How do I push the provenance file to AWS ECR? I haven't seen any documentation on this anywhere.


Solution

  • You don't need to push the .prov file (and actually can't, that's the error you're seeing).

    If the .prov file is present next to your chart when you push it, it will be pushed as an additional layer in the manifest.

    Here's an example.

    $ ls
    provenance  provenance-0.1.0.tgz  provenance-0.1.0.tgz.prov
    
    $ helm push provenance-0.1.0.tgz oci://123456.dkr.ecr.us-west-2.amazonaws.com/helm-charts
    Pushed: 123456.dkr.ecr.us-west-2.amazonaws.com/helm-charts/provenance:0.1.0
    Digest: sha256:df420b2600a0818cfe5e8b228e281f10c58cd00a26ff9af62ec331b98c1bc3ed
    

    Check the manifest, see the prov file as an additional layer.

    $ TOKEN=$(aws ecr get-authorization-token --region us-west-2 --output text --query 'authorizationData[].authorizationToken')
    
    $ curl -s -H "Authorization: Basic $TOKEN" https://123456.dkr.ecr.us-west-2.amazonaws.com/v2/helm-charts/provenance/manifests/0.1.0 | jq
    {
      "schemaVersion": 2,
      "config": {
        "mediaType": "application/vnd.cncf.helm.config.v1+json",
        "digest": "sha256:50d3f916d42dc08af94cff9adbbcc90493149580b27a097dc30cbe0dbf0564cc",
        "size": 144
      },
      "layers": [
        {
          "mediaType": "application/vnd.cncf.helm.chart.provenance.v1.prov",
          "digest": "sha256:1dccc47a5f06a5c7c524c82edd53e4cfaa2abf7332ec95daf4c444cb92904426",
          "size": 911
        },
        {
          "mediaType": "application/vnd.cncf.helm.chart.content.v1.tar+gzip",
          "digest": "sha256:f956dd9ca2b0d4978cf45c8d8b10d591216df46ced41504a3dcb5621b1266a6c",
          "size": 3758
        }
      ]
    }
    

    Hope that helps!
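The manifest check from the answer above can be automated as a release gate. The following is an added example, not part of the original answer or of Helm itself: the names `check_signed_chart`, `ManifestError` and `sample_manifest` are hypothetical, the sample digests are constructed placeholders, and the media types are the ones shown in the manifest above. Run as a script, it reads the manifest JSON from stdin (for instance the output of the `curl` command above).

```python
import json
import sys

# Media types exactly as shown in the manifest in the answer above.
HELM_CONFIG = "application/vnd.cncf.helm.config.v1+json"
HELM_CHART = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
HELM_PROV = "application/vnd.cncf.helm.chart.provenance.v1.prov"


class ManifestError(ValueError):
    """The manifest is not a Helm chart pushed together with its .prov file."""


def check_signed_chart(manifest_json):
    """Return {'chart': digest, 'provenance': digest} or raise ManifestError."""
    try:
        manifest = json.loads(manifest_json)
    except json.JSONDecodeError as exc:
        raise ManifestError(f"response is not JSON: {exc}") from exc
    if not isinstance(manifest, dict):
        raise ManifestError("manifest is not a JSON object")
    if (manifest.get("config") or {}).get("mediaType") != HELM_CONFIG:
        raise ManifestError("config mediaType is not a Helm chart config")
    digests = {HELM_CHART: [], HELM_PROV: []}
    for layer in manifest.get("layers") or []:
        if layer.get("mediaType") in digests:
            digests[layer["mediaType"]].append(layer.get("digest"))
    if len(digests[HELM_CHART]) != 1:
        raise ManifestError(f"expected 1 chart layer, got {len(digests[HELM_CHART])}")
    if len(digests[HELM_PROV]) != 1:
        # Typical cause: the .prov file was not next to the .tgz at push time.
        raise ManifestError(f"expected 1 provenance layer, got {len(digests[HELM_PROV])}")
    return {"chart": digests[HELM_CHART][0], "provenance": digests[HELM_PROV][0]}


def sample_manifest(with_prov=True):
    """Constructed sample mirroring the manifest above; digests are placeholders."""
    layers = [{"mediaType": HELM_CHART, "digest": "sha256:" + "bb" * 32, "size": 3758}]
    if with_prov:
        layers.insert(0, {"mediaType": HELM_PROV, "digest": "sha256:" + "aa" * 32, "size": 911})
    config = {"mediaType": HELM_CONFIG, "digest": "sha256:" + "cc" * 32, "size": 144}
    return json.dumps({"schemaVersion": 2, "config": config, "layers": layers})


if __name__ == "__main__":
    try:
        print(check_signed_chart(sys.stdin.read()))
    except ManifestError as err:
        sys.exit(f"FAIL: {err}")
```

A passing check only shows that a provenance layer was uploaded alongside the chart; it does not validate the signature inside it.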