
Helm repository - no way to configure CA for Basic Auth

Open zulrang opened this issue 2 years ago • 6 comments

Using basic auth with username and password, the getter ignores the caFile in the secret:

failed to download repository index: Get "https://my-private-repo/index.yaml": x509: certificate signed by unknown authority

Using curl with the same CA file and URL from the command line works. It seems that the getter will either use TLS with the cert, key, and caFile, or use username/password and ignore the caFile.

zulrang avatar Aug 07 '21 16:08 zulrang

Please post here the secret as it is on your cluster (remove the base64 values), it would also be helpful if you can specify which version of source-controller are you using by posting the flux check output.

stefanprodan avatar Aug 08 '21 06:08 stefanprodan

$ flux check
► checking prerequisites
✔ kubectl 1.20.4 >=1.18.0-0
✔ Kubernetes 1.20.6+vmware.1 >=1.16.0-0
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v0.11.2
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.13.3
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.15.1
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.15.4
✔ all checks passed

$ kubectl get secret -n flux-system harbor-credentials -o yaml
apiVersion: v1
data:
  caFile: <base64>
  certFile: ""
  keyFile: ""
  password: <base64>
  username: <base64>
kind: Secret
metadata:
  name: harbor-credentials
  namespace: flux-system
type: Opaque

(managed fields removed)

After reading the code, I've tried both with and without the blank certFile and keyFile values. Neither way works.

zulrang avatar Aug 13 '21 13:08 zulrang

I used the private self signed harbor as the helm chart warehouse and encountered the same problem.

QQGoblin avatar Aug 16 '21 01:08 QQGoblin

I found that I was using an old certificate, and go1.15 obsoleted the "Common Name" field in the certificate. The problem was solved after replacing the certificate with the SAN certificate.

QQGoblin avatar Aug 16 '21 03:08 QQGoblin
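An added example (my own Go code, not source-controller's and not from anyone in this thread) showing that basic-auth credentials and the CA trust pool are independent client settings, which is the combination the getter behaviour described above fails to honour. The httptest TLS server and the robot/s3cret credentials are constructed stand-ins for the private Harbor repository; hasSANs reflects the Go 1.15 Common Name change mentioned in the previous comment.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for the private Harbor repo: index.yaml over TLS, basic auth required.
func newIndexServer(user, pass string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != user || p != pass {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "apiVersion: v1\nentries: {}\n")
	}))
}

// fetchIndex gets <base>/index.yaml with basic auth. roots plays the role of the
// secret's caFile (real PEM bytes go through x509.CertPool.AppendCertsFromPEM);
// nil means system roots only, which reproduces the issue's x509 error.
func fetchIndex(base, user, pass string, roots *x509.CertPool) (int, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	req, err := http.NewRequest(http.MethodGet, base+"/index.yaml", nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(user, pass) // credentials and trust roots are independent settings
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// hasSANs: Go 1.15 dropped the Common Name fallback; a CN-only cert fails even with a trusted CA.
func hasSANs(c *x509.Certificate) bool { return len(c.DNSNames)+len(c.IPAddresses) > 0 }

func main() {
	srv := newIndexServer("robot", "s3cret")
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // what caFile should feed into
	code, err := fetchIndex(srv.URL, "robot", "s3cret", roots)
	fmt.Println(code, err, hasSANs(srv.Certificate()))
}
```

With roots set to nil the call fails with the same "x509: certificate signed by unknown authority" class of error as in the issue; with the pool populated and the right credentials it returns 200, and with a wrong password it returns 401, showing the two settings are checked separately.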

Is there any workaround for this? This is a big stoppage for us. Can I manually install a CA into the source-controller?

zulrang avatar Aug 17 '21 13:08 zulrang

We had the corporate CA issue. Solved with a policy and mounting the correct /etc/ssl/certificate in the source controller pod. Now GitRepository is able to use the CA in Secrets (with gitlib client). Unsure about HelmRepo? Is this still an issue @stefanprodan?

poblin-orange avatar Oct 07 '22 16:10 poblin-orange