@kevinfrommelt kevinfrommelt commented Jul 31, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

No

Description

Repository login currently fails during updates when using temporary credentials because the credentials are being pulled from the state rather than from the current plan.

│ Error: OCI Registry Login Failed
│ 
│   with helm_release.karpenter,
│   on main.tf line 325, in resource "helm_release" "karpenter":
│  325: resource "helm_release" "karpenter" {
│ 
│ Failed to log in to OCI registry "oci://public.ecr.aws/karpenter": could
│ not login to OCI registry "public.ecr.aws": login attempt to
│ https://public.ecr.aws/v2/ failed with status: 403 Forbidden

This PR changes Update() to use the credentials from the plan model instead of the state model.

Acceptance tests

  • Have you added an acceptance test for the functionality being added?

Release Note

Release note for CHANGELOG:

Fixed repository authentication when updating a helm_release and using temporary credentials

References

Fixes #1660

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

@kevinfrommelt kevinfrommelt requested a review from a team as a code owner July 31, 2025 14:42

hashicorp-cla-app bot commented Jul 31, 2025

CLA assistant check
All committers have signed the CLA.

Comment on lines -739 to +740
var state HelmReleaseModel
diags := req.Plan.Get(ctx, &state)
var plan HelmReleaseModel
diags := req.Plan.Get(ctx, &plan)
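Review bot: at the renamed declaration, the old name `state` was bound to `req.Plan.Get`, so any later use in this function that was not renamed will either fail to compile or, if another `state` variable is in scope, read a different model; confirm every later reference was updated to `plan`. Also check that `diags` is appended to the response diagnostics and tested for errors before `plan` is read, since that handling is not visible in these lines.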
Author

I renamed this variable to plan for clarity, since it is using the plan model.

Just wondering, is this going to change the credentials to be used from the plan and remove them from the state? I assume this is the issue many people are having now where credentials are being saved in state and ephemeral tokens are timing out causing failures?

Author

@kevinfrommelt kevinfrommelt Aug 14, 2025

The issue is actually at the bottom of the diff in the Update() function. It's getting the login credentials from the previously applied state, rather than using the currently fetched credentials.

https://github.com/hashicorp/terraform-provider-helm/pull/1687/files#diff-c548ca21c915d6a4918945eb9741a292966d795ca0a4e9e6dfa4f8c8106f5691L1069-R1069

Ah I see it now, thank you for the clarification. Appreciate you submitting this!

@kevinfrommelt kevinfrommelt changed the title Fix repository authentication when updating a helm_release Fix repository authentication when updating a helm_release with temporary credentials Jul 31, 2025
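
The state-versus-plan credential bug described in the PR description and in the review thread above, reduced to a stand-alone Go sketch (an added example, not code from the provider or from this PR). `ReleaseModel`, `fakeRegistry`, `updateBuggy`, `updateFixed`, the repository URL and the tokens are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ReleaseModel is a hypothetical stand-in for the provider's release model.
type ReleaseModel struct {
	Repository         string
	RepositoryPassword string // short-lived registry token
}

var ErrForbidden = errors.New("login failed with status: 403 Forbidden")

// fakeRegistry (constructed) accepts a token only before its expiry time.
type fakeRegistry struct{ expiry map[string]time.Time }
func (r fakeRegistry) Login(token string, now time.Time) error {
	if exp, ok := r.expiry[token]; !ok || !now.Before(exp) {
		return ErrForbidden
	}
	return nil
}

// updateBuggy logs in with the token the previous apply saved in state.
func updateBuggy(r fakeRegistry, state, plan ReleaseModel, now time.Time) error {
	return r.Login(state.RepositoryPassword, now)
}

// updateFixed logs in with the token resolved for the current plan.
func updateFixed(r fakeRegistry, state, plan ReleaseModel, now time.Time) error {
	return r.Login(plan.RepositoryPassword, now)
}

// scenario: state holds an expired token, the plan holds a freshly issued one.
func scenario() (fakeRegistry, ReleaseModel, ReleaseModel, time.Time) {
	now := time.Date(2025, 7, 31, 14, 0, 0, 0, time.UTC)
	repo := "oci://registry.example/charts" // placeholder repository
	reg := fakeRegistry{expiry: map[string]time.Time{
		"tok-old": now.Add(-time.Hour), "tok-new": now.Add(time.Hour)}}
	return reg, ReleaseModel{repo, "tok-old"}, ReleaseModel{repo, "tok-new"}, now
}

func main() {
	reg, state, plan, now := scenario()
	fmt.Println("state credentials:", updateBuggy(reg, state, plan, now))
	fmt.Println("plan credentials: ", updateFixed(reg, state, plan, now))
}
```

The stale token lives on in state after every apply, so the failure only appears once the token has expired, which is why the error shows up on updates rather than on the first create.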

sylr commented Aug 4, 2025

I've built and tested this locally successfully. It resolved the problem I've been having with public.ecr.aws.

@jrhouston could you please review this and have it part of a patch release soon? Thank you.


sylr commented Oct 2, 2025

Ping @jrhouston @jaylonmcshan19-x


akorp commented Oct 7, 2025

Can this pls be prioritized 🙏. This has been an issue for a few months now and is affecting many people #1660. Everyone does manual delete/import as a workaround for helm modules on expired secrets.

@veronikaBu

Hey, any updates here?

Successfully merging this pull request may close these issues.

OCI Registry login failure since 3.0.0