argo-cd icon indicating copy to clipboard operation
argo-cd copied to clipboard
verified publisher icon argoproj

Helm repositories with self signed certs doesn't work when used as umbrella charts

Open MohamedTalhaoui opened this issue 5 years ago • 8 comments

Describe the bug

I have deployed chartmuseum and configured argocd to use it as a helm repository. I have also added the self signed certificate Helm Repository is correctly added and argocd can connect to it.

My chartmuseum hosts a base helm chart that I wish to use as a umbrella chart. I have a git repo containing a child helm chart that depends on my base helm chart

Sync of the child helm chart fails with

x509: certificate signed by unknown authority

To Reproduce

Deploy a chartmuseum Push a base hel chart to the chartmuseum Register chartmuseum as a helm repository in argocd Add the chartmuseum self-signed cert to argocd-tls-certs-cm Create a git repo with a child helm chart depending on the base Create an argocd application to sync the child helm chart The sync fails with

x509: certificate signed by unknown authority

Expected behavior The sync should be succesful

Screenshots

If applicable, add screenshots to help explain your problem.

Version

argocd: v1.5.4+36bade7
  BuildDate: 2020-05-05T19:02:56Z
  GitCommit: 36bade7a2d7b69d1c0b0c4d41191f792a847d61c
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.5.4+36bade7
  BuildDate: 2020-05-05T19:01:57Z
  GitCommit: 36bade7a2d7b69d1c0b0c4d41191f792a847d61c
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: {Version:kustomize/v3.5.4 GitCommit:3af514fa9f85430f0c1557c4a0291e62112ab026 BuildDate:2020-01-11T03:12:59Z GoOs:linux GoArch:amd64}
  Helm Version: version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"}
  Kubectl Version: v1.14.0

Logs

Paste any relevant application logs here.

MohamedTalhaoui avatar Jun 02 '20 12:06 MohamedTalhaoui

hello @MohamedTalhaoui ,

Try registering your repository using --insecure-skip-server-verification flag:

argocd repo add <url> --insecure-skip-server-verification --type helm --name <reponame>

Thanks, Alex

alexmt avatar Jun 02 '20 17:06 alexmt

Hi,

I am using declarative setup and the helm repo definition looks like this

- name: chartmuseum-private
   type: helm
   insecure: true
   url: https://chartmuseum....

I still have the error. Important to note that the helm repo is correctly added to my repositories with connection status showing successful. But synchronising an application using this repository fails with the certificate error. Am I missing something ?

MohamedTalhaoui avatar Jun 10 '20 15:06 MohamedTalhaoui

Any update ?

MohamedTalhaoui avatar Jul 15 '20 18:07 MohamedTalhaoui

I can reproduce with latest argocd release 1.6.1 I have also tried removing the insecure flag and importing the server certs in the argocd-tls-certs-cm but that does not help.

Maybe related to https://github.com/argoproj/argo-cd/issues/3539

MohamedTalhaoui avatar Jul 16 '20 07:07 MohamedTalhaoui

I was able to workaround this issue by forcing the use of absolute path in the chartmuseum chart repo. https://github.com/helm/chartmuseum/issues/170

I was able to test with harbor (that uses chartmuseum underneath). I was not able to test with Nexus that does not seem to have a configuration option for this.

Not sure if this issue is still in ArgoCD scope, so I let you guys decided it you want to keep it or close it.

MohamedTalhaoui avatar Aug 10 '20 08:08 MohamedTalhaoui

Almost 2 year old 'relevant' bug. Do you guys have any plan to fix it ?

geowalrus4gh avatar Feb 08 '22 11:02 geowalrus4gh

Is this still reproducible after https://github.com/argoproj/argo-cd/pull/6458?

jgwest avatar Feb 08 '24 20:02 jgwest

I use 2.12.1 and it is still broken

fuzolan avatar Aug 22 '24 15:08 fuzolan