Bug: Unauthorized Authentication Failure when Deploying Helm Chart stored in GCP Artifact Registry via Devtron #6654

Open
@kshitijdhara

📜 Description

When attempting to deploy a custom Helm chart from a GCP Artifact Registry (OCI) using Devtron, the deployment fails with an authentication error. The chart is visible in Devtron's chart store, but deployment returns:

rpc error: code = Unknown desc = helm registry login us-central1-docker.pkg.dev --username ****** --password ** ... failed exit status 1: WARNING: Using --password ****** the CLI is insecure. Use --password-stdin. Error: Get "https://us-central1-docker.pkg.dev/v2/": unauthorized: authentication failed

Authentication is configured in Devtron using a GCP service account JSON key with both Artifact Registry Administrator and Reader roles.

👟 Reproduction steps

  1. Package and push a Helm chart to a GCP Artifact Registry repository (OCI).
  2. In Devtron, configure the OCI registry integration using the service account JSON key.
  3. Confirm the chart appears in Devtron's chart store.
  4. Attempt to deploy the chart via Devtron.
  5. Observe the authentication failure error during deployment.

👍 Expected behavior

Devtron should successfully authenticate with GCP Artifact Registry using the provided service account and deploy the Helm chart without errors.

👎 Actual Behavior

Deployment fails with an authentication error, indicating that Devtron is unable to authenticate with Artifact Registry, despite the service account having the necessary roles. The error specifically mentions unauthorized access during the Helm registry login step.

☸ Kubernetes version

GKE Standard v1.32.3-gke.1785003

Cloud provider

Google Cloud Platform - GKE Standard

🌍 Browser

Safari

🧱 Your Environment

  1. Devtron installed via Helm
  2. OCI registry integration set up in Devtron
  3. Service account JSON key used for authentication
  4. Service account has Artifact Registry Administrator and Reader roles

✅ Proposed Solution

  1. Confirm that the service account has the correct IAM roles at both the project and repository level, as described in the Artifact Registry access control documentation.
  2. Verify that Devtron is using the correct authentication method for Helm and GCP Artifact Registry. According to Google's documentation, using an access token with the username oauth2accesstoken and the token as the password is the recommended approach for Helm registry login.
  3. Ensure that the service account key is referenced via the GOOGLE_APPLICATION_CREDENTIALS environment variable if required by the underlying process.
  4. Consider whether Devtron is passing credentials using --password-stdin instead of --password, as the warning suggests. This might affect the authentication process.
  5. Reference Helm authentication troubleshooting and Stack Overflow discussions for additional context and workaround attempts.

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find any similar issue

🏢 Have you read the Code of Conduct?
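
Added example, not part of the original issue and not Devtron's code: the registry login from proposed-solution steps 2 and 4, with the username chosen to match the kind of secret and the secret passed on stdin instead of `--password`. The function names are hypothetical; `_json_key` and `_json_key_base64` are the usernames Google's Artifact Registry documentation gives for service account keys, and treating any other secret as an access token is an assumption.

```shell
#!/bin/sh
# Added example: not Devtron code. Function names are hypothetical.

# Regex for the marker field of a service account key file.
SA_MARKER='"type"[[:space:]]*:[[:space:]]*"service_account"'

# ar_helm_username SECRET
# Prints the Helm username that matches the kind of secret supplied.
ar_helm_username() (
    secret=$1
    if printf '%s' "$secret" | grep -Eq "$SA_MARKER"; then
        # Raw service account JSON key.
        echo _json_key
    elif printf '%s' "$secret" | tr -d '\n' | base64 -d 2>/dev/null |
        grep -Eq "$SA_MARKER"; then
        # Same key, base64-encoded.
        echo _json_key_base64
    else
        # Assumption: anything else is a short-lived OAuth2 access token.
        echo oauth2accesstoken
    fi
)

# ar_helm_login HOST SECRET
# Sends the secret to helm on stdin so it never appears in argv
# (process listings, shell history, error strings).
ar_helm_login() (
    host=$1
    secret=$2
    user=$(ar_helm_username "$secret")
    printf '%s' "$secret" |
        helm registry login "$host" --username "$user" --password-stdin
)

# Usage (values are placeholders):
#   ar_helm_login us-central1-docker.pkg.dev "$(cat key.json)"
#   ar_helm_login us-central1-docker.pkg.dev "$(gcloud auth print-access-token)"
```

A JSON key sent with the username `oauth2accesstoken`, or an access token sent with `_json_key`, is rejected by the registry even when the service account's IAM roles are correct.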

Labels

bug (Something isn't working), needs-triage (Issue is not approved or ready-to-work on)
