Certificate signed by unknown authority when using nexus image repo

Open Idan-Maimon opened this issue 2 years ago • 7 comments

While using the test command to check for the latest tags from a nexus image repository, an error is observed about an unknown certificate. I've configured the registries conf and used insecure: true, yet the image-updater pod is trying to access my registry using https. Two questions:

  1. how to disable SSL verification for an image registry
  2. how to add certificate to the image-updater pod.. I did not see any documentation about that.

for example:

argocd-image-updater test nexus3:2000/nginx

error received: could not tags: Get "https://nexus3:2000/v2": x509 certificate signed by unknown authority application=test image_alias= image_name="nexus3:2000/nginx registry_url="nexus3:2000"

side note: Argocd server is up and running and has the certificate in question added as a config map.

Idan-Maimon avatar Apr 03 '22 09:04 Idan-Maimon

Can you please share your registries.conf?

jannfis avatar Apr 04 '22 12:04 jannfis

Same issue with docker hub (https://registry-1.docker.io)

gai6948 avatar Apr 11 '22 04:04 gai6948

I got the same problem

argocd-image-updater test 192.168.207.1:22443/nodeinfo/podinfo --registries-conf-path ~/registries.conf                                                                                               [17:20:41]
DEBU[0000] Creating in-cluster Kubernetes client        
INFO[0000] retrieving information about image            image_alias= image_name="192.168.207.1:22443/nodeinfo/podinfo" registry_url="192.168.207.1:22443"
DEBU[0000] rate limiting is disabled                     prefix= registry="https://192.168.207.1:22443"
DEBU[0000] Setting default registry endpoint to         
DEBU[0000] Previous default registry was docker.io      
INFO[0000] Loaded 1 registry configurations from /home/z/registries.conf 
DEBU[0000] setting rate limit to 20 requests per second  prefix="192.168.207.1:22443" registry="https://192.168.207.1:22443"
DEBU[0000] Inferred registry from prefix 192.168.207.1:22443 to use API https://192.168.207.1:22443 
INFO[0000] Fetching available tags and metadata from registry  application=test image_alias= image_name="192.168.207.1:22443/nodeinfo/podinfo" registry_url="192.168.207.1:22443"
FATA[0000] could not get tags: Get "https://192.168.207.1:22443/v2/": x509: certificate signed by unknown authority  application=test image_alias= image_name="192.168.207.1:22443/nodeinfo/podinfo" registry_url="192.168.207.1:22443"
cat ~/registries.conf                                                                                                                                                                                 [17:20:43]
registries:
- name: dev
  api_url: https://192.168.207.1:22443
  default: true
  insecure: true

fangxingfu avatar Apr 15 '22 09:04 fangxingfu

Hi team,

I'm having the exact same issue.... Do we have anything on how to add certificate to the image-updater pod? It would be great if the pod would have used the same config maps as argocd server pod but any workaround will be great for short term.

Thanks !

devopsteam605 avatar Apr 25 '22 14:04 devopsteam605

I have the same problem, running v0.12.0 on arm64.

time="2022-06-02T20:03:03Z" level=error msg="Could not get tags from registry: Get \"https://registry-1.docker.io/v2/\": x509: certificate signed by unknown authority" alias=image application=[...] image_name=[...] image_tag=[...] registry=

LarssonOliver avatar Jun 02 '22 20:06 LarssonOliver

This seems to no longer be an issue in the image tagged "latest" so hopefully it's fixed in 0.13.0 :)

LarssonOliver avatar Jun 04 '22 14:06 LarssonOliver

Please verify this for version 0.13.0. We are using the ARM arch and v.0.12.0 has this issue while latest does not!

fabioaraujopt avatar Aug 01 '22 18:08 fabioaraujopt

I am facing the same issue. I have tried using latest, but still the issue remains. I am using harbor registry. Any update on when the release with the fix would be out?

naru014 avatar Nov 04 '22 05:11 naru014

Same issue with a private, self-hosted repository with a certificate signed by Let's Encrypt.

Any news on this?

LonguCodes avatar Feb 16 '23 18:02 LonguCodes

I have also encountered this issue using v0.12.0. Following the discussion I have set up the following configuration:

(after updating to latest tag*)

apiVersion: v1
data:
  log.level: debug
  registries.conf: | # set up registry for nexus
    registries:
    - name: corpnexus
      prefix: "corpnexus.corp.my-org.net:8082"
      default: true
      api_url: https://corpnexus.corp.my-org.net:8082
      insecure: true
kind: ConfigMap
metadata:
  annotations:
  creationTimestamp: "2023-04-02T10:39:10Z"
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater-config
  namespace: gitops

I executed into the argocd-image-updater pod and tested the connection to nexus:

# content of app/config inside argocd-image-updater container (k8s)
/app/config $ ls
registries.conf  ssh

# content of registries config
/app/config $ cat registries.conf
registries:
- name: corpnexus
  prefix: "corpnexus.corp.my-org.net:8082"
  default: true
  api_url: https://corpnexus.corp.my-org.net:8082
  insecure: true
  
# Testing connection to nexus
/app/config $ argocd-image-updater test corpnexus.corp.my-org.net:8082/digital/my-org.digital.an_app/build_sprint_13_an_app --registries-conf-path ./registries.conf
DEBU[0000] Creating in-cluster Kubernetes client
INFO[0000] retrieving information about image            image_alias= image_name="corpnexus.corp.my-org.net:8082/digital/my-org.digital.an_app/build_sprint_13_an_app" registry_url="corpnexus.corp.my-org.net:8082"
DEBU[0000] rate limiting is disabled                     prefix="corpnexus.corp.my-org.net:8082" registry="https://corpnexus.corp.my-org.net:8082"
DEBU[0000] Setting default registry endpoint to corpnexus.corp.my-org.net:8082
DEBU[0000] Previous default registry was docker.io
INFO[0000] Loaded 1 registry configurations from ./registries.conf
INFO[0000] Fetching available tags and metadata from registry  application=test image_alias= image_name="corpnexus.corp.my-org.net:8082/digital/my-org.digital.an_app/build_sprint_13_an_app" registry_url="corpnexus.corp.my-org.net:8082"
INFO[0000] Found 1 tags in registry                      application=test image_alias= image_name="corpnexus.corp.my-org.net:8082/digital/my-org.digital.an_app/build_sprint_13_an_app" registry_url="corpnexus.corp.my-org.net:8082"
DEBU[0000] could not parse input tag latest as semver: Invalid Semantic Version
INFO[0000] no newer version of image found               application=test image_alias= image_name="corpnexus.corp.my-org.net:8082/digital/my-org.digital.an_app/build_sprint_13_an_app" registry_url="corpnexus.corp.my-org.net:8082"

This seems to solve the issue. Note: without directing the test command to the configuration file it will fail, i.e.: argocd-image-updater test corpnexus.corp.my-org.net:8082/digital/my-org.digital.an_app/an_app --registries-conf-path ./registries.conf

Tiriyon avatar Apr 02 '23 12:04 Tiriyon

I had to add docker hub to the list of registries with insecure option set to true to make image updater work with images from docker hub.

apiVersion: v1
data:
  log.level: debug
  registries.conf: |
    registries:
    - name: docker.io
      prefix: docker.io
      default: true
      api_url: https://registry-1.docker.io
      insecure: true
kind: ConfigMap
metadata:
  name: argocd-image-updater-config
  namespace: argocd

MohammadAlavi1986 avatar Jun 21 '23 19:06 MohammadAlavi1986
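
The two options asked about in the opening post (skipping verification versus adding the certificate), as an added example that is not part of the thread and not argocd-image-updater's own code. It probes a constructed local HTTPS endpoint standing in for a registry's /v2/ API under three client trust settings and reports whether a certificate chain was actually verified; the names `probe`, `compare` and `result` are hypothetical, and it assumes `insecure: true` amounts to Go's `InsecureSkipVerify`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// result records what a client learned from one GET of the /v2/ endpoint.
type result struct {
	Status        int  // HTTP status, 0 if the request failed
	UnknownCA     bool // failure was x509 "certificate signed by unknown authority"
	ChainVerified bool // the TLS stack validated a chain to a trusted root
}

// probe requests /v2/ with the given client-side TLS settings.
func probe(baseURL string, cfg *tls.Config) result {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		var uae x509.UnknownAuthorityError
		return result{UnknownCA: errors.As(err, &uae)}
	}
	defer resp.Body.Close()
	return result{Status: resp.StatusCode, ChainVerified: len(resp.TLS.VerifiedChains) > 0}
}

// compare probes one constructed stand-in registry under three trust settings.
func compare() (caMissing, insecure, caInstalled result) {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	srv := httptest.NewTLSServer(mux) // serves a private, self-signed certificate
	defer srv.Close()
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // the registry's CA added to the trust store
	caMissing = probe(srv.URL, &tls.Config{RootCAs: x509.NewCertPool()}) // trust store lacks the CA
	insecure = probe(srv.URL, &tls.Config{InsecureSkipVerify: true})     // assumption: "insecure: true"
	caInstalled = probe(srv.URL, &tls.Config{RootCAs: trusted})
	return
}

func main() {
	m, i, c := compare()
	fmt.Printf("CA missing: %+v\ninsecure: %+v\nCA installed: %+v\n", m, i, c)
}
```

Both the insecure and the CA-installed probes get a 200, but only the latter has a verified chain, so a successful `test` run alone does not show which of the two a deployment is relying on.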