  1. OpenShift GitOps
  2. GITOPS-5469

Umbrella Chart shows "x509: certificate signed by unknown authority" when using custom CA


    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 1.13.2
    • ArgoCD
    • False
    • None
    • False
    • Moderate

      Description of problem:

      This is a follow-up issue to GITOPS-3811 and GITOPS-5081. In GITOPS-3811 and GITOPS-5081, issues related to CA certificates have been resolved. The customer confirmed that these bugfixes resolved the issue.

      Although the customer can now directly deploy Helm charts from OCI registries using a corporate CA, the same does not work for umbrella Helm charts containing the OCI chart as a dependency.

      apiVersion: v2
      name: umbrella-chart
      description: A Helm chart for Kubernetes
      version: 0.1.0
      appVersion: 1.16.0
      
      dependencies:
        - name: exampleproject/exampledep
          version: ~0.1.6
          repository: oci://example.nexus.example.com
      

      Creating an ArgoCD application with the above umbrella chart will result in the following error:

      Unable to create application: application spec for oci-umbrella is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = `helm dependency build` failed exit status 1: Error: could not retrieve list of tags for repository oci://example.nexus.example.com: Get "https://example.nexus.example.com/v2/exampleproject/exampledep/tags/list": tls: failed to verify certificate: x509: certificate signed by unknown authority 

      Directly in the argocd-repo-server pod, where the certificate is located in "/app/config/tls/":

      helm dependency build
      Saving 1 charts
      Downloading exampleproject/exampledep from repo oci://example.nexus.example.com
      Save error occurred:  could not download oci://example.nexus.example.com/exampleproject/exampledep: failed to do request: Head "https://example.nexus.example.com/v2/exampleproject/exampledep/manifests/4.0.3": tls: failed to verify certificate: x509: certificate signed by unknown authority
      Error: could not download oci://example.nexus.example.com/exampleproject/exampledep: failed to do request: Head "https://example.nexus.example.com/v2/exampleproject/exampledep/manifests/4.0.3": tls: failed to verify certificate: x509: certificate signed by unknown authority
      

      Steps to Reproduce

      1. GitOps 1.13 / Argo CD 2.11
      2. Set up custom certificates as per https://access.redhat.com/solutions/7061382
      3. Confirm that deploying the Helm chart directly works as expected
      4. Use the above umbrella chart to deploy the Helm chart as a dependency

      Actual results:

      Fails with

      Unable to create application: application spec for oci-umbrella is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = `helm dependency build` failed exit status 1: Error: could not retrieve list of tags for repository oci://example.nexus.example.com: Get "https://example.nexus.example.com/v2/exampleproject/exampledep/tags/list": tls: failed to verify certificate: x509: certificate signed by unknown authority  

      Expected results:

      Custom CA is used also when using an umbrella certificate

      Additional information

      • Support Case attached

              Unassigned
              rhn-support-skrenger Simon Krenger