Adopt Helm best practice for altering build affix in versions when pushing to OCI

[erickpeirson]

Output of helm version: 3.7.0

According to https://helm.sh/docs/chart_best_practices/conventions/#version-numbers, chart versions should follow SemVer 2. OCI labels choke on +.

When SemVer versions are stored in Kubernetes labels, we conventionally alter the + character to an _ character, as labels do not allow the + sign as a value.

It would be great to see that convention adopted when publishing Helm charts to an OCI registry.

Currently, when I include a build affix in the version, I can package the chart but not push it.

apiVersion: v2
name: foo
description: The Foo Chart

type: application
version: 0.1.0+3d53eea
appVersion: "1.0.0"

[foo] helm package .
Successfully packaged chart and saved it to: /some/path/to/foo/foo-0.1.0+3d53eea.tgz
[foo] helm push foo-0.1.0+3d53eea.tgz oci://12345.dkr.ecr.us-west-1.amazonaws.com/some-namespace
Error: unexpected status: 400 Bad Request

But if I use an _ instead of an +:

helm package .
Error: validation: chart.metadata.version "0.1.0_3d53eea" is invalid

Ideally, I would use the + separator for the build affix (per SemVer 2), and Helm would apply the documented convention and push an image label with _ substituted for +.

[naphta]

having the exact same issue myself, only with a github packages destination. Without the build metadata it works just fine, changing the + to a _ results in a 404, and passing in the version with a _ to helm package results in the invalid error you have too.

[SimonAlling]

Same issue here, although Harbor responds with an HTTP 401 instead of the more reasonable 400.

$ helm push foo-0.1.0+3d53eea.tgz oci://harbor.example.com/some-project
Error: unexpected status: 401 Unauthorized

[scottrigby]

As we work to move Helm OCI out of experimental, this should be fixed. Moving to milestone
We'll also need to update the docs to reflect this once fixed.

[isutton]

Would be the case that meta.Metadata.Version contents should be escaped to be used in the resulting ref?

helm/internal/experimental/pusher/ocipusher.go

Lines 78 to 81 in 4884ca0

	ref := fmt.Sprintf("%s:%s",
	path.Join(strings.TrimPrefix(href, fmt.Sprintf("%s://", registry.OCIScheme)), meta.Metadata.Name),
	meta.Metadata.Version)

This behavior corroborates with the reported 404 and 401 status codes, as artifacts names might get decoded wrongly on the repositories side.