Mirror Helm Charts
This command mirrors the Witboost Helm chart (and its dependencies) from a source Helm repository to a target registry, which can be either an OCI registry or an HTTP/S Helm repository.
Prerequisites
- Helm must be installed
- The CLI must have internet access; this is mandatory to reach the Agilelab registry.
- The CLI has been initialized (i.e. witboost init)
Usage
witboost-infra mirror-chart --witboost-version <version> --target <registry>
Required Options
| Option | Description |
|---|---|
| --witboost-version <string> | Witboost Helm chart version to mirror |
| --target <string> | Target registry or repository URL (e.g., oci://harbor.internal/helm or https://chartmuseum.internal) |
Optional Options
| Option | Description | Default |
|---|---|---|
| --target-type <string> | Target type: oci or helm. If not specified, auto-detected from --target | oci |
| --dry-run | Show what would be mirrored without actually performing the operation | false |
| --target-username <string> | Target registry/repository username | None |
| --target-password <string> | Target registry/repository password | None |
- --witboost-version must be a valid semantic version (e.g. 2.1.15, v2.1.15, 2.1.15-rc1).
- --target-type is auto-detected from --target if not provided:
  - Starts with oci:// → oci
  - Starts with http:// or https:// → helm
  - Otherwise → defaults to oci
- Source credentials are loaded from the init configuration (registryUsername and registryPassword) and are not passed explicitly on the CLI.
Examples
Dry run
Use this to inspect which charts would be mirrored (Witboost + dependencies) without pushing anything:
witboost-infra mirror-chart \
--witboost-version 2.1.15 \
--target oci://my-registry.internal/witboost-helm \
--dry-run
Basic Chart Mirroring (OCI target, auto-detected)
witboost-infra mirror-chart \
--witboost-version 2.1.15 \
--target oci://registry.internal/witboost-helm \
--target-username <target-username> \
--target-password <target-password>
Target type is auto-detected as oci because --target starts with oci://. For each chart and dependency, the chart is pulled using helm pull and pushed to the OCI registry using helm push.
AWS ECR
For AWS Elastic Container Registry (ECR), you need to generate temporary credentials using the AWS CLI.
When using AWS ECR as the target, ensure that all repositories Helm will push charts to already exist in ECR. This is necessary because Helm appends the chart name to the target path when pushing OCI artifacts.
For example, if your target is oci://<AWS-ACCID>.dkr.ecr.<region-name>.amazonaws.com, Helm will push to oci://<AWS-ACCID>.dkr.ecr.<region-name>.amazonaws.com/witboost (where witboost is the chart name). The pre-created repository name in ECR must match the chart name being mirrored; otherwise, the mirror command will fail with a "repository not found" error.
To prepare, use the witboost-infra mirror-chart --dry-run command to list all charts that will be mirrored, then create the corresponding repositories in ECR using aws ecr create-repository before starting the mirroring process.
# Get ECR login token
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-west-2.amazonaws.com
# Mirror with ECR credentials
witboost-infra mirror-chart \
--witboost-version 2.1.15 \
--target oci://<account>.dkr.ecr.<region>.amazonaws.com \
--target-username AWS \
--target-password "$(aws ecr get-login-password --region <region>)"
Note: The --target-password is dynamically generated using aws ecr get-login-password which provides a temporary token valid for 12 hours.
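The repository preparation described above can be scripted. The following is an added example, not part of the Witboost CLI or its documentation: the function names are hypothetical, the chart names are passed by hand (copied from the --dry-run output, whose format is not parsed here), and the target host is assumed to have the form <account>.dkr.ecr.<region>.amazonaws.com. It also covers a target that carries a path prefix, in which case the chart name is appended to that prefix.

```shell
#!/bin/sh
# Added example: pre-create the ECR repositories a mirror run will push to.
# Usage (chart names taken from the --dry-run output):
#   ensure_ecr_repos oci://<account>.dkr.ecr.<region>.amazonaws.com witboost <dependency-chart>

# Print the ECR repository name Helm pushes to for a target and a chart:
# the path part of the target (if any) followed by the chart name.
ecr_repo_name() {
  local target="${1%/}" chart="$2" rest path=""
  case "$target" in
    oci://*) rest="${target#oci://}" ;;
    *) echo "target must start with oci://" >&2; return 1 ;;
  esac
  case "$rest" in
    */*) path="${rest#*/}/" ;;
  esac
  printf '%s%s\n' "$path" "$chart"
}

# Print the region embedded in an ECR host name.
ecr_region() {
  local host="${1#oci://}"
  host="${host%%/*}"
  case "$host" in
    *.dkr.ecr.*.amazonaws.com)
      host="${host#*.dkr.ecr.}"
      printf '%s\n' "${host%.amazonaws.com}" ;;
    *) echo "not an ECR host: $host" >&2; return 1 ;;
  esac
}

# Create each missing repository; existing ones are left untouched.
# If describe-repositories fails for another reason (e.g. expired
# credentials), create-repository fails as well and the function stops.
ensure_ecr_repos() {
  local target="$1" region repo chart
  shift
  region="$(ecr_region "$target")" || return 1
  for chart in "$@"; do
    repo="$(ecr_repo_name "$target" "$chart")" || return 1
    if aws ecr describe-repositories --region "$region" \
         --repository-names "$repo" >/dev/null 2>&1; then
      echo "exists:  $repo"
    else
      aws ecr create-repository --region "$region" \
        --repository-name "$repo" >/dev/null || return 1
      echo "created: $repo"
    fi
  done
}
```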
Azure ACR
For Azure Container Registry (ACR), there are several authentication methods you can use; you can find more here.
The following example uses an individual Microsoft Entra identity as the authentication mechanism.
# Get login token
az acr login --name myregistry --expose-token --query accessToken --output tsv
# Mirror with user token
witboost-infra mirror-chart \
--witboost-version 2.1.15 \
--target oci://<registry>.azurecr.io \
--target-username 00000000-0000-0000-0000-000000000000 \
--target-password "$(az acr login --name myregistry --expose-token --query accessToken --output tsv)"