Cannot deploy Application with Helm chart pointed by digest #25078

@pgodowski

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

In my organisation, we install Helm charts packaged into an OCI repository by pointing to them via digest, e.g.

helm install example-registry-quay-openshift-operators.apps.quay-gori.cp.example.com/piotr/charts/test-nginx-chart/nginx@sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb

Unfortunately, this does not work when using a Helm OCI repository, since Argo CD adds the --version flag to helm commands, which is not expected to be provided when the Helm chart is pointed to by digest.

This is a follow-up to #24970, this time with the root cause identified and a PR with the fix to be proposed shortly.

The underlying problem is with the Helm CLI commands produced by Argo when an image digest is used, i.e. the use of the --version flag, whose value the Helm CLI tries to parse as a semver version, which obviously fails when a sha256 digest value is provided.

To Reproduce

  • Create Helm OCI repository:
- connectionState:
    attemptedAt: "2025-10-15T12:26:59Z"
    message: ""
    status: Successful
  enableOCI: true
  name: quay-oci-repo
  repo: example-registry-quay-openshift-operators.apps.quay-gori.cp.example.com/piotr/charts
  type: helm
  • Create Application
project: default
source:
  repoURL: >-
    example-registry-quay-openshift-operators.apps.quay-gori.cp.example.com/piotr/charts
  chart: test-nginx-chart/nginx
  targetRevision: sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb
destination:
  server: https://kubernetes.default.svc/
  namespace: nginx-demo
syncPolicy:
  automated:
    prune: true
    selfHeal: true

which fails with

Unable to save changes: application spec for nginx-oci-app is invalid:
InvalidSpecError: Unable to generate manifests in : 
rpc error: code = Unknown desc = invalid revision:
failed to determine semver constraint: improper constraint: 
sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb

The actual error comes from the Helm CLI:

helm pull oci://example-registry-quay-openshift-operators.apps.quay-gori.cp.example.com/piotr/charts/test-nginx-chart/nginx --version sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb --destination /tmp/8ecd5c56-695d-426b-82c0-5a6201e137b2 --insecure-skip-tls-verify
Error: improper constraint: sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb

In this case, helm pull is constructed with the --version flag, with its value being the sha256 digest, which results in the Helm CLI reporting the above error.

There were a lot of discussions in the Helm community on how exactly to pass the digest to the helm CLI, see

The conclusion of the above is that when a digest is used, the --version flag must not be used, since the digest explicitly 'pins' the version of the Helm chart OCI image.

Specifically, when one tries manually (note: there is no --version flag used), Helm CLI works just fine:

helm pull oci://example-registry-quay-openshift-operators.apps.quay-gori.cp.example.com/piotr/charts/test-nginx-chart/nginx@sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb --destination /tmp/8ecd5c56-695d-426b-82c0-5a6201e137b2 --insecure-skip-tls-verify

The proposed fix shall change the helm CLI commands generated by Argo to use the --version flag only when a digest is NOT used in targetRevision.

Expected behavior

The Helm chart should be successfully installed from the Helm OCI repository when the Helm chart is pointed to by digest.

Version

argocd: v3.1.8+becb020
  BuildDate: 2025-09-30T16:04:21Z
  GitCommit: becb020064fe9be5381bf6e5818ff8587ca8f377
  GitTreeState: clean
  GoVersion: go1.24.6
  Compiler: gc
  Platform: linux/amd64
argocd-server: v3.1.8+becb020
  BuildDate: 2025-09-30T15:33:46Z
  GitCommit: becb020064fe9be5381bf6e5818ff8587ca8f377
  GitTreeState: clean
  GoVersion: go1.24.6
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.7.0 2025-06-28T07:00:07Z
  Helm Version: v3.18.4+gd80839c
  Kubectl Version: v0.33.1
  Jsonnet Version: v0.21.0

Logs

time="2025-10-22T16:45:10Z" level=error msg="`helm pull oci://example-registry-quay-openshift-operators.apps.quay-gori.cp.example.com/piotr/charts/test-nginx-chart/nginx --version sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb --destination /tmp/66a0b110-c10e-40f0-aed0-071631e82e18 --insecure-skip-tls-verify` failed exit status 1: Error: improper constraint: sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb" execID=d8c4a
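
The behaviour the issue asks for, sketched as an added Go example (not code from the issue or from Argo CD): `--version` is emitted only when `targetRevision` is not a digest, and a digest is appended to the OCI reference as `@sha256:...`. `PullArgs` and `IsDigest` are hypothetical names, and rejecting a malformed `sha256:` value before it reaches Helm is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// digestRe matches an OCI sha256 digest: "sha256:" plus 64 lowercase hex characters.
var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// IsDigest reports whether a targetRevision is a sha256 digest rather than a
// semver version or constraint.
func IsDigest(rev string) bool { return digestRe.MatchString(rev) }

// PullArgs is a hypothetical helper (not Argo CD's function) that builds the
// argument list for `helm pull` against an OCI repository.
func PullArgs(repoURL, chart, rev, dest string) ([]string, error) {
	ref := "oci://" + strings.TrimPrefix(repoURL, "oci://") + "/" + chart
	args := []string{"pull"}
	switch {
	case IsDigest(rev):
		// The digest pins the chart; Helm rejects it as a --version value.
		args = append(args, ref+"@"+rev)
	case strings.HasPrefix(rev, "sha256:"):
		// Malformed digest: fail here instead of letting it reach semver parsing.
		return nil, fmt.Errorf("malformed digest %q", rev)
	default:
		// Plain version or semver constraint: keep the --version flag.
		args = append(args, ref, "--version", rev)
	}
	return append(args, "--destination", dest), nil
}

func main() {
	// Values taken from the issue; the destination path is constructed.
	repo := "example-registry-quay-openshift-operators.apps.quay-gori.cp.example.com/piotr/charts"
	digest := "sha256:4b5007efa6ea560d18fb7cb7d4f268e180ef8f8e577861abeb8db38ad39a49eb"
	for _, rev := range []string{digest, "1.2.3", "sha256:abc"} {
		args, err := PullArgs(repo, "test-nginx-chart/nginx", rev, "/tmp/chart")
		fmt.Println(args, err)
	}
}
```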

Labels: bug, triage/pending
