Harbor replication corrupts Tailscale helm charts (non-standard URL format) #31

@vtmocanu

Description

When using helm-charts-oci-proxy with Harbor replication for Tailscale helm charts, the replicated charts become corrupted. The charts are stored as binary
garbage instead of valid gzip tarballs. This issue is specific to Tailscale charts - other charts (cert-manager, grafana, etc.) work fine through the same setup.

Environment

  • helm-charts-oci-proxy version: 0.1.8
  • Harbor version: 2.11.1
  • Chart repository: pkgs.tailscale.com/helmcharts
  • Deployment: Kubernetes with Harbor using chartproxy for helm replication

Steps to Reproduce

  1. Set up Harbor registry pointing to chartproxy:
apiVersion: registry.harbor.crossplane.io/v1alpha1
kind: Registry
metadata:
  name: tailscale-helm
spec:
  forProvider:
    endpointUrl: https://chartproxy.example.com/pkgs.tailscale.com/helmcharts
    name: "tailscale helm"
    providerName: docker-registry
  2. Create Harbor replication policy for tailscale-operator chart version 1.86.2

  3. Run replication - it reports success

  4. Try to pull the replicated chart:

helm pull oci://harbor.example.com/repl-tailscale/helm/tailscale-operator --version 1.86.2
  5. Check the downloaded file:
file tailscale-operator-1.86.2.tgz
# Output: OpenPGP Secret Key (or similar binary format)
# Expected: gzip compressed data

Expected Behavior

The replicated chart should be a valid gzip-compressed tar archive that Helm can use.

Actual Behavior

The replicated chart is corrupted binary data that Helm cannot process, causing "Error: file does not appear to be a gzipped archive" when trying to use it.

Analysis

The issue appears to be related to Tailscale's non-standard URL format in their index.yaml:

entries:
  tailscale-operator:
    - version: 1.86.2
      digest: 9f1ee41e298aac17db343df700f412b84d349962fbb0f680b102fa5e2c1453fd
      urls:
        - tailscale-operator-1.86.2-1753978303-9f1ee41e298aac17db343df700f412b84d349962fbb0f680b102fa5e2c1453fd.tgz

Note the digest is embedded in the filename itself, which differs from standard helm chart URLs.

Verification Tests

# 1. Direct download from Tailscale: WORKS ✓
curl -L "https://pkgs.tailscale.com/helmcharts/tailscale-operator-1.86.2-[full-name].tgz" -o test.tgz
file test.tgz  # gzip compressed data

# 2. Via chartproxy OCI (direct pull): WORKS ✓
helm pull oci://chartproxy.example.com/pkgs.tailscale.com/helmcharts/tailscale-operator --version 1.86.2
file tailscale-operator-1.86.2.tgz  # gzip compressed data

# 3. Via Harbor after replication: CORRUPTED ✗
helm pull oci://harbor.example.com/repl-tailscale/helm/tailscale-operator --version 1.86.2
file tailscale-operator-1.86.2.tgz  # OpenPGP Secret Key (corrupted)

# 4. Other charts via same Harbor+chartproxy: WORKS ✓
helm pull oci://harbor.example.com/repl-cert-manager/helm/cert-manager --version 1.16.0
file cert-manager-1.16.0.tgz  # gzip compressed data

Additional Information

  • The corruption happens during Harbor's replication from chartproxy
  • Direct helm pull through chartproxy works correctly
  • The issue is reproducible - manual replication triggers show the same corruption
  • Harbor API shows the artifact exists with correct size (41538 bytes) but wrong content
  • This might be related to issue #18 ("Harbor replication not working") but with the additional complication of data corruption

Possible Root Cause

The non-standard Tailscale URL format (with embedded digest/hash in filename) might be causing the proxy to serve or Harbor to store incorrect data during the
replication process.
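
An added example, not part of the original issue and not code from helm-charts-oci-proxy or Harbor: a Python check that tells a replicated chart with the right size but wrong content apart from a valid one, by comparing its SHA-256 with the index.yaml digest, with the digest embedded in the Tailscale-style filename, and by confirming the bytes are a gzip tarball containing Chart.yaml. The function names and the sample chart are constructed for illustration, and it assumes the index.yaml digest is the SHA-256 of the chart archive, as in Helm repository indexes.

```python
import hashlib
import io
import re
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"
# Filename shape from the index.yaml excerpt: <name>-<version>-<number>-<64 hex>.tgz
EMBEDDED = re.compile(r"-(?P<digest>[0-9a-f]{64})\.tgz$")

def embedded_digest(url):
    """Return the 64-hex value embedded in the filename, or None for ordinary names."""
    m = EMBEDDED.search(url)
    return m.group("digest") if m else None

def check_chart(blob, index_digest, url):
    """Return a list of problems; an empty list means the archive checks out."""
    problems = []
    want = index_digest.lower()
    got = hashlib.sha256(blob).hexdigest()
    if got != want:
        problems.append(f"sha256 mismatch: got {got}")
    emb = embedded_digest(url)
    if emb is not None and emb != want:
        problems.append("digest in filename differs from index digest")
    if blob[:2] != GZIP_MAGIC:
        problems.append("not gzip (bad magic bytes)")
        return problems
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"unreadable tar.gz: {exc}")
        return problems
    # A packaged chart keeps Chart.yaml directly under its top-level directory.
    if not any(n.count("/") == 1 and n.endswith("/Chart.yaml") for n in names):
        problems.append("no <chart>/Chart.yaml in archive")
    return problems

def make_sample_chart(name="demo"):
    """Build a tiny constructed chart archive in memory (sample data, not a real chart)."""
    data = f"apiVersion: v2\nname: {name}\nversion: 0.0.1\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}/Chart.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

To use it on a pulled chart, pass the file's bytes together with the digest and urls values from the upstream index.yaml entry; running it after each replication flags content that matches in size only.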
