Type: Bug | Resolution: Done | Priority: Major | Affects Version: 1.12.3 | Severity: Important
Sprints: GitOps Crimson - Sprint 3260, GitOps Crimson - Sprint 3261, GitOps Crimson - Sprint 3262
Description of problem:
The issue was already reported in GITOPS-3811; however, the customer has since upgraded to GitOps v1.12.3 and is still seeing it.
The customer is trying to render a Helm chart that is stored as an OCI artifact in an internal registry whose TLS certificate is issued by a custom (internal) CA. Rendering the chart fails with the following error:
Unable to create application: application spec for test is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = `helm pull oci://kompass.nexus.example.ch/examplerepo/kompass2 --version 0.1.16 --destination /tmp/49e33554-00b3-425f-b809-591787f23963` failed exit status 1: Error: failed to do request: Head "https://kompass.nexus.example.ch/v2/examplerepo/kompass2/manifests/0.1.16": tls: failed to verify certificate: x509: certificate signed by unknown authority
However, the customer has already added the required CA certificate to the "argocd-tls-certs-cm" ConfigMap, keyed by the registry hostname:
oc get cm argocd-tls-certs-cm -o yaml
apiVersion: v1
data:
  kompass.nexus.example.ch: |
    -----BEGIN CERTIFICATE-----
    <SNIPPED>
    -----END CERTIFICATE-----
  nexus.example.ch: |
    -----BEGIN CERTIFICATE-----
    <SNIPPED>
    -----END CERTIFICATE-----
  repo.example.ch: |
    -----BEGIN CERTIFICATE-----
    <SNIPPED>
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: "2023-12-21T12:12:18Z"
  labels:
    app.kubernetes.io/managed-by: argocd
    app.kubernetes.io/name: argocd-tls-certs-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-tls-certs-cm
  namespace: example-gitops-d
So despite the CA being present in this ConfigMap (both the wildcard cert and the host-specific cert), the pull still fails. Note that the "helm pull" command shown in the error is invoked without any CA reference (there is no --ca-file argument), so the repo server appears not to pass these certificates to Helm at all when the source is an OCI registry.
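To make the failure mode concrete, the following Go program is an added example (not code from this report, from Argo CD or from Helm). It generates an in-memory internal CA and a registry certificate for kompass.nexus.example.ch, serves the same HEAD /v2/.../manifests/0.1.16 endpoint that helm pull hits from a local TLS stub, and then issues that request twice: once with a trust store that lacks the internal CA (reproducing "x509: certificate signed by unknown authority") and once with a trust store built from a constructed stand-in for the argocd-tls-certs-cm data section, keyed by hostname. The names newCert, pemOf, poolFromConfigMap, headManifest and RunCheck are this example's own; exact-hostname lookup in the ConfigMap data is an assumption made here for illustration, not a statement of Argo CD's matching rules.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// registryHost is the host from the failing `helm pull` and the key the CA is filed
// under in argocd-tls-certs-cm; manifestPath is the HEAD helm issues for the tag.
const (
	registryHost = "kompass.nexus.example.ch"
	manifestPath = "/v2/examplerepo/kompass2/manifests/0.1.16"
)

// newCert issues a certificate for name signed by parent/parentKey, or a
// self-signed CA when parent is nil. Generated in memory for this example only.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{name}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root: CA flags on, server-name fields off
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.DNSNames, tmpl.ExtKeyUsage = nil, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pemOf encodes a certificate the way it is pasted into the ConfigMap.
func pemOf(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// poolFromConfigMap builds the trust pool for one host from the ConfigMap's data
// section. Exact-key lookup is this example's assumption, not Argo CD's own rules.
func poolFromConfigMap(data map[string]string, host string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if pemData, ok := data[host]; !ok || !pool.AppendCertsFromPEM([]byte(pemData)) {
		return nil, fmt.Errorf("no usable CA entry for %q in argocd-tls-certs-cm", host)
	}
	return pool, nil
}

// headManifest performs the HEAD that `helm pull` does, trusting only roots.
// ServerName pins verification to the registry hostname although the stub listens on 127.0.0.1.
func headManifest(baseURL string, roots *x509.CertPool) (int, error) {
	cfg := &tls.Config{ServerName: registryHost, RootCAs: roots, MinVersion: tls.VersionTLS12}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Head(baseURL + manifestPath)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunCheck stands up a registry stub whose cert chains to a private CA and returns the
// error seen while that CA is absent from the trust store, then the HTTP status once
// the ConfigMap entry for the host is loaded.
func RunCheck() (withoutCA error, withCA int, err error) {
	ca, caKey, err := newCert("Example Internal CA", nil, nil)
	if err != nil {
		return nil, 0, err
	}
	leaf, leafKey, err := newCert(registryHost, ca, caKey)
	if err != nil {
		return nil, 0, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodHead || r.URL.Path != manifestPath {
			http.NotFound(w, r) // only the one chart tag exists on this stub
		}
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	// Constructed stand-in for the data section of argocd-tls-certs-cm.
	cm := map[string]string{registryHost: pemOf(ca), "nexus.example.ch": pemOf(ca)}
	_, withoutCA = headManifest(srv.URL, x509.NewCertPool()) // trust store lacking the CA: fails
	pool, err := poolFromConfigMap(cm, registryHost)
	if err != nil {
		return withoutCA, 0, err
	}
	withCA, err = headManifest(srv.URL, pool) // CA taken from the ConfigMap entry: succeeds
	return withoutCA, withCA, err
}
```

The first attempt returns an x509.UnknownAuthorityError, the same condition helm reports in the issue; the second returns HTTP 200 with nothing changed but the trust store. That is the whole gap the report describes: the CA is present in the ConfigMap, but the trust store helm uses for the OCI HEAD request never receives it. On a live cluster the equivalent manual check is to run the same helm pull from a repo-server shell with --ca-file pointing at the mounted ConfigMap entry for the hostname; if that succeeds, the CA itself is fine and the problem is that Argo CD is not passing it to Helm.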
Prerequisites (if any, like setup, operators/versions):
OpenShift Container Platform 4.14
openshift-gitops-operator.v1.12.3 (bundling ArgoCD v2.10.10+9b3d0c0)
Steps to Reproduce
1. Push a Helm chart as an OCI artifact to an OCI registry whose TLS certificate is issued by a custom (internal) CA.
2. Add that CA to the argocd-tls-certs-cm ConfigMap under the registry's hostname.
3. Create an Argo CD Application that sources the chart from the registry.
Application creation fails with a "tls: failed to verify certificate: x509: certificate signed by unknown authority" error.
Expected results:
Application creation succeeds because the CA is present in the argocd-tls-certs-cm ConfigMap shown above.
Reproducibility (Always/Intermittent/Only Once):
On customer side
Additional info (Such as Logs, Screenshots, etc):
* GitOps must-gather is available in Support Case 03688120 (see comment #57)
- The same issue has already been raised in GITOPS-3811
- is related to: GITOPS-4587 Helm pull against OCI registry (still) failing (Closed)
- relates to: RFE-6840 Helm Umbrella Charts should use custom CA (Backlog)
- links to: RHBA-2024:139668 Errata Advisory for Red Hat OpenShift GitOps v1.14.1
- links to: RHSA-2024:136863 Errata Advisory for Red Hat OpenShift GitOps v1.13.2 security update