OpenShift GitOps: GITOPS-5081

Certificate error when trying to render Helm chart from internal OCI repository with path in repoURL


Release note: Before this update, Argo CD was unable to retrieve the correct TLS certificate for Helm OCI registries if the URL contained a path or port number. With this update, a fix has been made in upstream Argo CD to correctly parse the URL and return a valid certificate.

Sprints: GitOps Crimson - Sprint 3260, GitOps Crimson - Sprint 3261, GitOps Crimson - Sprint 3262

Severity: Important

      Description of problem:

      This issue has already been reported in GITOPS-3811. However, the customer upgraded to GitOps v1.12.3 and is still seeing the issue.

      The customer is trying to render a Helm chart from an internal OCI repository that uses a custom CA. Rendering the Helm chart fails with the following error:

      Unable to create application: application spec for test is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = `helm pull oci://kompass.nexus.example.ch/examplerepo/kompass2 --version 0.1.16 --destination /tmp/49e33554-00b3-425f-b809-591787f23963` failed exit status 1: Error: failed to do request: Head "https://kompass.nexus.example.ch/v2/examplerepo/kompass2/manifests/0.1.16": tls: failed to verify certificate: x509: certificate signed by unknown authority

      However, the customer has already added the required certificate to the "argocd-tls-certs-cm" ConfigMap:

      oc get cm argocd-tls-certs-cm -o yaml
      apiVersion: v1
      data:
        kompass.nexus.example.ch: |
          -----BEGIN CERTIFICATE-----
          <SNIPPED>
          -----END CERTIFICATE-----
        nexus.example.ch: |
          -----BEGIN CERTIFICATE-----
          <SNIPPED>
          -----END CERTIFICATE-----
        repo.example.ch: |
          -----BEGIN CERTIFICATE-----
          <SNIPPED>
          -----END CERTIFICATE-----
      kind: ConfigMap
      metadata:
        creationTimestamp: "2023-12-21T12:12:18Z"
        labels:
          app.kubernetes.io/managed-by: argocd
          app.kubernetes.io/name: argocd-tls-certs-cm
          app.kubernetes.io/part-of: argocd
        name: argocd-tls-certs-cm
        namespace: example-gitops-d

      So even with the CA added to this ConfigMap (both the wildcard certificate and the host-specific one), rendering fails. Note that the "helm pull" command does not appear to use the certificates at all.
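      To illustrate the lookup failure the release note describes (the certificate is keyed by hostname in the ConfigMap, but a repoURL carrying a path or port never matches that key), here is an added Go example. It is not Argo CD's or the operator's own code: the in-memory ConfigMap, the naiveKey/hostKey/lookupCert functions and the sample repoURL values are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed stand-in for the data section of argocd-tls-certs-cm:
// keys are hostnames, values are PEM bundles (contents snipped here).
var tlsCertsCM = map[string]string{
	"kompass.nexus.example.ch": "-----BEGIN CERTIFICATE-----\n<SNIPPED>\n-----END CERTIFICATE-----\n",
	"nexus.example.ch":         "-----BEGIN CERTIFICATE-----\n<SNIPPED>\n-----END CERTIFICATE-----\n",
}

// naiveKey models the failure mode from the release note: the registry
// reference is used as-is (path and port included) as the ConfigMap key,
// so "kompass.nexus.example.ch/examplerepo/kompass2" never matches.
func naiveKey(repoURL string) string {
	return strings.TrimPrefix(repoURL, "oci://")
}

// hostKey is the corrected lookup: parse the reference as a URL and keep
// only the hostname, dropping scheme, port and path. A bare "host/path"
// form without a scheme is handled by prefixing oci:// before parsing.
func hostKey(repoURL string) (string, error) {
	if !strings.Contains(repoURL, "://") {
		repoURL = "oci://" + repoURL
	}
	u, err := url.Parse(repoURL)
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

// lookupCert returns the PEM bundle stored under key, if any.
func lookupCert(key string) (string, bool) {
	pem, ok := tlsCertsCM[key]
	return pem, ok
}

func main() {
	repo := "oci://kompass.nexus.example.ch/examplerepo/kompass2"
	_, hit := lookupCert(naiveKey(repo))
	fmt.Printf("key %q found: %v\n", naiveKey(repo), hit) // false
	host, _ := hostKey(repo)
	_, hit = lookupCert(host)
	fmt.Printf("key %q found: %v\n", host, hit) // true
}
```

      The same hostKey parsing also strips an explicit registry port, which is the other case the release note calls out.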

      Prerequisites (if any, like setup, operators/versions):

      OpenShift Container Platform 4.14
      openshift-gitops-operator.v1.12.3 (bundling ArgoCD v2.10.10+9b3d0c0)

      Steps to Reproduce

      1. Add a Helm chart as an OCI artifact to an OCI repository. Set up the OCI repository with a custom CA certificate.
      2. Create an application using this Helm chart.

      Actual results:

      Creation fails with a "tls: failed to verify certificate: x509: certificate signed by unknown authority" error.

      Expected results:

      Creation succeeds when the certificate is added to the ConfigMap above.

      Reproducibility (Always/Intermittent/Only Once):

      On customer side

      Additional info (Such as Logs, Screenshots, etc):

      * GitOps must-gather is available in Support Case 03688120 (see comment #57)
      * The same issue has already been raised in GITOPS-3811

rh-ee-sghadi Siddhesh Ghadi
rhn-support-skrenger Simon Krenger