OpenShift Bugs: OCPBUGS-9466

OpenShift Gitops Operator 1.6 does not automatically provide the user-ca-bundle to the argocd containers


      Description of problem:
      OpenShift GitOps Operator 1.6 does not automatically provide the user-ca-bundle to the argocd containers, causing helm, argo and git to not trust repositories using an internal CA.

      Version-Release number of selected component (if applicable):
      GitOps 1.6
      Argo CD 2.4.3

      How reproducible:
      Every time I install on a cluster with an internal CA or custom PKI

      Steps to Reproduce:
      1. Install a cluster that requires trusting an internal CA or a proxy certificate
      2. Install OpenShift GitOps
      3. Pull helm charts from an internal repository

      Actual results:
      The argocd-repo-server gives the following error:
      time="2022-08-08T12:35:35Z" level=error msg="`helm dependency build` failed exit status 1: Error: could not download oci://quay/middleware/helm/global-chart: failed to do request: Head \"https://quay/v2/middleware/helm/global-chart/manifests/1.0.0\": x509: certificate signed by unknown authority" execID=ddfce
      time="2022-08-08T12:35:35Z" level=info msg=Trace args="[helm dependency build]" dir=/tmp/_argocd-repo/772eb36c-3777-4808-971c-9ba5ce4128c0/rpadossierloggingapi operation_name="exec helm" time_ms=90.49812999999999
      time="2022-08-08T12:35:35Z" level=error msg="finished unary call with code Unknown" error="`helm dependency build` failed exit status 1: Error: could not download oci://quay/middleware/helm/global-chart: failed to do request: Head \"https://quay/v2/middleware/helm/global-chart/manifests/1.0.0\": x509: certificate signed by unknown authority" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2022-08-08T12:35:32Z" grpc.time_ms=2212.219 span.kind=server system=grpc

      Expected results:
      The Helm chart and all of its dependencies pull successfully.

      Additional info:
      I was able to work around this by enabling certificate injection using operators:
      https://docs.openshift.com/container-platform/4.11/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki

      and using a volume mount in the argocd CR in the openshift-gitops namespace:

      repo:
        logFormat: text
        logLevel: debug
        resources:
          limits:
            cpu: '1'
            memory: 1Gi
          requests:
            cpu: 250m
            memory: 256Mi
        volumeMounts:
          - mountPath: /etc/pki/ca-trust/extracted/pem
            name: trusted-ca
            readOnly: true
        volumes:
          - configMap:
              items:
                - key: ca-bundle.crt
                  path: tls-ca-bundle.pem
              name: ca-inject
            name: trusted-ca

      With ArgoCD being written in Go, it will automatically look in /etc/ssl/certs/ and at /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem for the custom CA.

      We need to ensure that the custom CA/root CA is available there.
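      The complete workaround as two applyable manifests, added here as an illustration and not part of the original report or the operator's code: the labelled ConfigMap that OpenShift populates with the merged trust bundle, and the ArgoCD CR that mounts it into the repo-server. The ArgoCD instance name `openshift-gitops` is assumed (the operator's default instance).

```yaml
# Added example (not from the report). Assumes the default ArgoCD instance
# named "openshift-gitops" in the "openshift-gitops" namespace.
---
# 1. Empty ConfigMap carrying the injection label. The Cluster Network
#    Operator fills in the "ca-bundle.crt" key with the merged bundle:
#    the RHCOS system roots plus the user-ca-bundle / proxy trustedCA.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-inject
  namespace: openshift-gitops
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
---
# 2. ArgoCD CR: mount the injected bundle at the path Go's crypto/x509
#    consults on RHEL/UBI images, renaming the key to the expected file name.
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  repo:
    volumeMounts:
      - mountPath: /etc/pki/ca-trust/extracted/pem
        name: trusted-ca
        readOnly: true
    volumes:
      - name: trusted-ca
        configMap:
          name: ca-inject
          items:
            - key: ca-bundle.crt
              path: tls-ca-bundle.pem
```

      The mount replaces the whole /etc/pki/ca-trust/extracted/pem directory in the container, so the file must contain the public roots as well as the internal CA; the injection label guarantees that because the operator merges both into ca-bundle.crt.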

            tocampbe@redhat.com Tony Campbell
            rhn-support-awyatt Albert Wyatt