provider-helm
Unable to pull Charts from Private Registry
What happened?
I'm trying to create a Helm Release using helm-provider, but I'm getting "Certificate Signed by Unknown authority" even after adding "insecureSkipTLSVerify: true". Can someone help me with how to fix the cert issue, or how I can skip the TLS verification?
How can we reproduce it?
```yaml
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: helm-testing
spec:
  forProvider:
    insecureSkipTLSVerify: true
    chart:
      pullSecretRef:
        name: helm-secret
        namespace: default
      name: <Chart Name>
      repository: oci://<Private Registry>
      version: 0.1.1
    namespace: default
    values:
      cluster_name: crossplane
  providerConfigRef:
    name: default
```
What environment did it happen in?
Crossplane version: 1.13.2
Include at least the version or commit of Crossplane you were running. Consider also including your:
- Cloud provider: AWS
- Kubernetes version (use kubectl version): 1.25
- Kubernetes distribution (e.g. Tectonic, GKE, OpenShift): EKS
- OS (e.g. from /etc/os-release): amzn linux
In terms of the insecureSkipTLSVerify option, looks like support for that was added to helm v3.12.0, and we're currently on v3.10.2 in this repo. So perhaps upgrading our dependency would make insecureSkipTLSVerify start working 🤔
Are you interested in testing that out in your environment? 🙏
There may be further work to make end to end TLS work, but it's hard to tell what may be wrong there without setting up a specific repro environment that we have full control over - otherwise there are too many unknown variables in the environment in which this issue was opened.
Thanks for looking into this @jbw976
So it looks like insecureSkipTLSVerify works with an HTTP-based Helm registry, but never worked when using an oci:// registry.
@sujith1594 which registry are you using? Is it based on open source, and could you describe how it is set up?
Hi @csantanapr, we are using Red Hat Quay, which is built on top of an OpenShift cluster. Quay is an OCI registry.