Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to pull Charts from Private Registry #202

Open
sujith1594 opened this issue Oct 16, 2023 · 4 comments
Open

Unable to pull Charts from Private Registry #202

sujith1594 opened this issue Oct 16, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@sujith1594
Copy link

What happened?

I'm trying to create a Helm Release using helm-provider, but I'm getting "Certificate Signed by Unknown authority even after adding "insecureSkipTLSVerify: true". Can some one help me how to fix the cert issue or how can I skip the TLS verification?

How can we reproduce it?

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: helm-testing
spec:
  forProvider:
    insecureSkipTLSVerify: true
    chart:
      pullSecretRef:
        name: helm-secret
        namespace: default
      name: <Chart Name>
      repository: oci://<Private Registry>
      version: 0.1.1
    namespace: default
    values:
      cluster_name: crossplane
  providerConfigRef:
    name: default

What environment did it happen in?

Crossplane version: 1.13.2

Include at least the version or commit of Crossplane you were running. Consider
also including your:

  • Cloud provider : AWS
  • Kubernetes version (use kubectl version): 1.25
  • Kubernetes distribution (e.g. Tectonic, GKE, OpenShift) EKS
  • OS (e.g. from /etc/os-release) amzn linux
@sujith1594 sujith1594 added the bug Something isn't working label Oct 16, 2023
@jbw976 jbw976 mentioned this issue Oct 27, 2023
Open
@jbw976
Copy link
Member

jbw976 commented Oct 27, 2023

In terms of the insecureSkipTLSVerify option, looks like support for that was added to helm v3.12.0, and we're currently on v3.10.2 in this repo. So perhaps upgrading our dependency would make insecureSkipTLSVerify start working 🤔

Are you interested in testing that out in your environment? 🙏

There may be further work to make end to end TLS work, but it's hard to tell what may be wrong there without setting up a specific repro environment that we have full control over - otherwise there's too many unknown variables in the environment for which this issue was opened in.

@csantanapr
Copy link

Thanks for looking into this @jbw976

So it looks like insecureSkipTLSVerify works with http based helm registry, but never worked when using oci:// registry

@sujith1594 which registry you are using, is it based on an open source and could you provide how is it setup?

@sujith1594
Copy link
Author

Hi @csantanapr, We are using Redhat Quay which is built on top of Openshift Cluster. Quay is an OCI Registry

@philippart
Copy link

I've got the same problem with Zot OCI registry:

forProvider:
  chart:
    name: scheduler
    pullSecretRef:
      name: ""
      namespace: ""
    repository: oci://zot.default.svc.cluster.local:5000/charts
    version: 0.1.0
  insecureSkipTLSVerify: true

The provider-helm Release returns this error:
Warning CannotCreateExternalResource 1s (x6 over 10s) managed/release.helm.crossplane.io failed to install release: failed to pull chart: failed to do request: Head "https://zot.default.svc.cluster.local:5000/v2/charts/scheduler/manifests/0.1.0": tls: failed to verify certificate: x509: certificate signed by unknown authority

My certificate has the proper FQDN and SAN but was signed by a self-signed root CA. I'm going to try with the cluster CA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@csantanapr @jbw976 @philippart @sujith1594