Pulling a chart from an OCI registry with a self-signed certificate is not possible #1580

@BWagenerGenerali

Description

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: v1.9.8
Provider version: tested with both 3.0.0-pre1 and 2.17.0
Kubernetes version: v1.32

Affected Resource(s)

  • resource_helm_release
  • data_helm_template

Terraform Configuration Files

# we do not need to use any configurations for the helm provider for this example

data "helm_template" "argocd" {
  name         = "argocd"
  namespace    = "argocd"
  chart        = "argo-cd"
  version      = "7.8.0"
  kube_version = data.aws_eks_cluster.cluster.version

  repository          = "oci://<self-hosted registry with self-signed cert>/argoproj/argo-helm"
  repository_username = "<username>"
  repository_password = "<password>"
  repository_ca_file  = local_file.self_signed_certificate.filename
}

resource "local_file" "self_signed_certificate" {
  content  = "<content of self-signed certificate>"
  filename = "${path.root}/.terraform/self-signed-cert"
}

Fails with the error message

Failed to log in to OCI registry
"oci://<self-hosted registry with self-signed cert>/argoproj/argo-helm":
could not login to OCI registry
"<self-hosted registry with self-signed cert>": Get "https://<self-hosted registry with self-signed cert>/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority}

Steps to Reproduce

  1. replace the placeholder <self-hosted registry with self-signed cert> with the URL of a self-hosted registry with a self-signed certificate
  2. replace the placeholder <content of self-signed certificate> with the content of the self-signed certificate
  3. terraform apply

Expected Behavior

  1. the self-signed certificate provided with the repository_ca_file variable is used in all relevant helm actions, including the registry login

Actual Behavior

  1. certificate error occurs during registry login
  2. from examining the code in data_helm_template.go, the self-signed certificate provided with repository_ca_file is not used for the registry login step (function call OCIRegistryLogin)

Important Factoids

This is a lack of feature parity with the Helm CLI, which supports this through the --ca-file option:

helm registry login <self-hosted registry with self-signed cert> --username <username> --ca-file "<path-to-self-signed-cert>"
helm pull oci://<self-hosted registry with self-signed cert>/argoproj/argo-helm/argo-cd --version <version> --ca-file "<path-to-self-signed-cert>"

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
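Added example, not code from the issue or from the provider: a stand-alone Go program that reproduces the "certificate signed by unknown authority" failure against a local TLS server with a self-signed certificate, then repeats the same /v2/ probe with an http.Client that trusts only the PEM file, which is what honoring repository_ca_file at the OCIRegistryLogin step amounts to. The stand-in server, the temporary CA file path and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// registryV2Check issues the GET https://<host>/v2/ probe that a registry login
// performs. With caFile set, only that PEM bundle is trusted (the behaviour the
// issue expects from repository_ca_file); verification is never disabled.
func registryV2Check(baseURL, caFile string) error {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caFile != "" {
		pemBytes, err := os.ReadFile(caFile)
		if err != nil {
			return err
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) {
			return fmt.Errorf("no certificates found in %s", caFile)
		}
		tlsCfg.RootCAs = pool
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return err // e.g. x509: certificate signed by unknown authority
	}
	return resp.Body.Close()
}

// startSelfSignedRegistry stands in for the self-hosted registry (constructed):
// httptest's self-signed certificate is written as PEM to dir, like the local_file in the issue.
func startSelfSignedRegistry(dir string) (*httptest.Server, string, error) {
	// real registries answer /v2/ with 401 until you log in; the TLS handshake is what matters here
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusUnauthorized) }))
	caFile := filepath.Join(dir, "self-signed-cert")
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	if err := os.WriteFile(caFile, pemBytes, 0o600); err != nil {
		srv.Close()
		return nil, "", err
	}
	return srv, caFile, nil
}
```

Calling registryV2Check(srv.URL, "") fails exactly as the provider does today, while registryV2Check(srv.URL, caFile) succeeds without touching InsecureSkipVerify.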
