
Unable to pull Charts from Private Registry #202

Open
sujith1594 opened this issue Oct 16, 2023 · 5 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@sujith1594

What happened?

I'm trying to create a Helm Release using helm-provider, but I'm getting "Certificate Signed by Unknown authority" even after adding "insecureSkipTLSVerify: true". Can someone help me with how to fix the cert issue, or how I can skip the TLS verification?

How can we reproduce it?

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: helm-testing
spec:
  forProvider:
    insecureSkipTLSVerify: true
    chart:
      pullSecretRef:
        name: helm-secret
        namespace: default
      name: <Chart Name>
      repository: oci://<Private Registry>
      version: 0.1.1
    namespace: default
    values:
      cluster_name: crossplane
  providerConfigRef:
    name: default

What environment did it happen in?

Crossplane version: 1.13.2

Include at least the version or commit of Crossplane you were running. Consider
also including your:

  • Cloud provider: AWS
  • Kubernetes version (use kubectl version): 1.25
  • Kubernetes distribution (e.g. Tectonic, GKE, OpenShift): EKS
  • OS (e.g. from /etc/os-release): amzn linux
jbw976 (Member) commented Oct 27, 2023

In terms of the insecureSkipTLSVerify option, looks like support for that was added to helm v3.12.0, and we're currently on v3.10.2 in this repo. So perhaps upgrading our dependency would make insecureSkipTLSVerify start working 🤔

Are you interested in testing that out in your environment? 🙏

There may be further work to make end-to-end TLS work, but it's hard to tell what may be wrong there without setting up a specific repro environment that we have full control over - otherwise there are too many unknown variables in the environment in which this issue was opened.

@csantanapr

Thanks for looking into this @jbw976

So it looks like insecureSkipTLSVerify works with an http-based helm registry, but never worked when using an oci:// registry.

@sujith1594 which registry are you using? Is it based on open source, and could you describe how it is set up?

@sujith1594 (Author)

Hi @csantanapr, we are using Red Hat Quay, which is built on top of an OpenShift cluster. Quay is an OCI registry.

@philippart

I've got the same problem with Zot OCI registry:

forProvider:
  chart:
    name: scheduler
    pullSecretRef:
      name: ""
      namespace: ""
    repository: oci://zot.default.svc.cluster.local:5000/charts
    version: 0.1.0
  insecureSkipTLSVerify: true

The provider-helm Release returns this error:
Warning CannotCreateExternalResource 1s (x6 over 10s) managed/release.helm.crossplane.io failed to install release: failed to pull chart: failed to do request: Head "https://zot.default.svc.cluster.local:5000/v2/charts/scheduler/manifests/0.1.0": tls: failed to verify certificate: x509: certificate signed by unknown authority

My certificate has the proper FQDN and SAN but was signed by a self-signed root CA. I'm going to try with the cluster CA.
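As an added example (not part of this issue or of provider-helm's code), the following Go program reproduces the failure quoted above against an in-memory registry whose certificate chains to a private root CA, then shows the remedy of trusting that root in the client's pool rather than disabling verification. The registry handler, the manifest path and all key material are constructed here; the headManifest and Demo helpers are hypothetical names, not Helm's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// headManifest sends the HEAD request Helm issues when pulling an OCI chart, trusting only roots.
func headManifest(base string, roots *x509.CertPool) error {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := c.Head(base + "/v2/charts/scheduler/manifests/0.1.0")
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// Demo serves a fake registry whose certificate chains to a constructed private root CA and queries it with an empty trust pool, then with that root trusted.
func Demo() (failsUntrusted, okTrusted bool) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "private-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey) // self-signed root
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(time.Hour), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}}
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey) // registry cert
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	var uae x509.UnknownAuthorityError // the error behind "certificate signed by unknown authority"
	failsUntrusted = errors.As(headManifest(srv.URL, x509.NewCertPool()), &uae)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the fix: trust the private root instead of skipping verification
	okTrusted = headManifest(srv.URL, pool) == nil
	return failsUntrusted, okTrusted
}
```

The same pattern applies to a cluster CA or a corporate root: distribute the CA certificate to the client rather than setting insecureSkipTLSVerify.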

turkenh (Collaborator) commented Nov 13, 2024

Looks like helm added a --plain-http flag, different from insecure skip TLS verify, for this kind of scenario: helm/helm#12128

We would need a corresponding spec in the API type and pass it to our helm clients here.

Contributions are welcome 🙏

@turkenh turkenh added the good first issue Good for newcomers label Nov 13, 2024