
Receiving chart pull error on environment with a proxy - EOF

Open Valgueiro opened this issue 1 month ago • 9 comments

Environment

I have my k8s cluster deployed behind a firewall that only allows connections from a proxy that is on the same network.


Setup

Flux version: v2.1.2
Source controller version: 1.1.2

I've set up the gotk as such to be able to use the proxy to fetch things.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
patches:
  - patch: |
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: all
      spec:
        template:
          spec:
            containers:
              - name: manager
                env:
                  - name: "HTTPS_PROXY"
                    value: "http://proxy.com:3128"
                  - name: "NO_PROXY"
                    value: ".cluster.local.,.cluster.local,cluster.local,.svc,127.0.0.0/8,10.0.0.0/8"  
                  - name: "https_proxy"
                    value: "http://proxy.com:3128"
                  - name: "no_proxy"
                    value: ".cluster.local.,.cluster.local,cluster.local,.svc,127.0.0.0/8,10.0.0.0/8"     
    target:
      kind: Deployment
      labelSelector: app.kubernetes.io/part-of=flux

And I have HelmRelease and helmrepo configured like this:

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: keda
  namespace: keda
spec:
  interval: 5m0s
  releaseName: keda
  install:
    createNamespace: true
  chart:
    spec:
      chart: keda
      version: '2.12.1'
      sourceRef:
        kind: HelmRepository
        name: charts
        namespace: keda
  valuesFrom:
  - kind: ConfigMap
    name: keda-values
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: charts
  namespace: keda
spec:
  type: "oci"
  interval: 5m0s
  url: oci://<acr>/sre/charts/
  secretRef:
    name: registry-pull-secret
  certSecretRef:
    name: tls-ca

My HelmRepo is showing as active, but the HelmChart is showing as "Reconciling" and I can see the following error:

chart pull error: failed to download chart for remote reference: failed to get 'oci://<acr>/sre/charts/keda:2.12.1': failed to do request: Head "https://<acr>/v2/sre/charts/keda/manifests/2.12.1": EOF

I thought that this could be related to this issue about http_proxy on busybox images: https://github.com/mirror/busybox/issues/21, and after that I tried with this Docker image as source-controller:

FROM <acr>/sre/fluxcd/source-controller:v1.1.2
USER root

COPY zscaler.crt /etc/ssl/certs/
RUN update-ca-certificates

RUN apk --no-cache -U add openssl wget ca-certificates
# wget https://httpbin.org/get

USER 65534:65534

But I continued to receive the same error.

Do you guys have any idea of what I can do to fix this?

Valgueiro, May 13 '24 22:05