Details
- Bug
- Resolution: Done
- GITOPS Sprint 213, GITOPS Sprint 216, GITOPS Sprint 214, GITOPS Sprint 217
Description
The customer is running an OCP in a 'private' datacenter with OpenShift GitOps (ArgoCD v2.1.8). ArgoCD needs to connect to several repositories on the public internet via a proxy server. This proxy server terminates the outbound SSL connection and uses its own TLS key pair to sign the certificate of the internet repository.
They have tried to solve this issue by adding the certificate of the proxy server as a CA certificate in ArgoCD for each server they try to access. This works fine for the Git repositories in Azure DevOps (dev.azure.com) and for a Helm chart repository on GitHub (example.github.io).
They are also using an Azure Container Registry as Helm chart repository with the enable-oci parameter set to 'true'. The connection to this repository fails even after having set the insecure parameter to 'true' as well:
Failed Unable to connect to repository: rpc error: code = Unknown desc = `helm registry login example.azurecr.io --username ****** --password ******` failed exit status 1: WARNING: Using --password ****** the CLI is insecure. Use --password-stdin. time="2022-01-06T10:14:40Z" level=info msg="Error logging in to v2 endpoint, trying next endpoint: Get \"https://example.azurecr.io/v2/\": x509: certificate signed by unknown authority" Error: Get "https://example.azurecr.io/v2/": x509: certificate signed by unknown authority
When they access this repository from a tools pod in the cluster using openssl and curl, the connections work fine. This seems to be a bug in OpenShift GitOps.
Because their Helm charts are stored in an Azure Container Registry, it is not possible to use OpenShift GitOps in this OpenShift cluster.