
ClusterExtension - tls: failed to verify certificate

Open psimms-cs opened this issue 1 year ago • 2 comments

I am trying to set up quay-operator on my k8s cluster.

I have set up the below:

  • operator-controller - v0.13.0 - Using install.sh
  • catalogd - v0.20.0 - Using install.sh
  • operatorhubio clusterCatalog setup with insecureSkipTLSVerify set to true
  • quay-operator clusterExtension

But I am getting a TLS verify error for the ClusterExtension:

```yaml
      message: >-
        error fetching image descriptor: Get "https://quay.io/v2/": tls: failed
        to verify certificate: x509: certificate signed by unknown authority
```

Can I skip this like for ClusterCatalog?

ClusterCatalog

```yaml
apiVersion: catalogd.operatorframework.io/v1alpha1
kind: ClusterCatalog
metadata:
  name: operatorhubio
spec:
  source:
    type: image
    image:
      ref: quay.io/operatorhubio/catalog:latest
      insecureSkipTLSVerify: true
      pollInterval: 10m
```

ClusterExtension

```yaml
apiVersion: olm.operatorframework.io/v1alpha1
kind: ClusterExtension
metadata:
  name: project-quay-cluster-extension
spec:
  installNamespace: quay-enterprise
  serviceAccount:
    name: default
  packageName: project-quay
  channel: stable-3.12
  version: 3.12.0
```

psimms-cs, Aug 22 '24 10:08

It's odd to me that you are running into certificate verification issues with quay.io. I would expect those certs to be valid.

Unfortunately there is not currently a way to disable TLS verification on the ClusterExtension when fetching a bundle. I do believe there is a way to mount a CA cert as a volume and have operator-controller trust it. This would require some manual modifications of the operator-controller-manager deployment though.

I think @tmshort was the one that implemented that functionality so he may have some more details on how to do it off the top of his head.

everettraven, Aug 22 '24 13:08

Standing up a fresh KinD cluster, I don't run into this cert issue when hitting quay.io. It looks like the right location to mount a new volume with the ca.crt to trust would be the /var/certs/ directory: https://github.com/operator-framework/operator-controller/blob/main/config/components/tls/patches/manager_deployment_cert.yaml

everettraven, Aug 22 '24 14:08
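The two comments above contrast the two ways out of an "x509: certificate signed by unknown authority" error: switching verification off (what `insecureSkipTLSVerify: true` does on the ClusterCatalog) versus making the controller trust the signing CA (what mounting a `ca.crt` into `/var/certs/` is for). The following Go program is an added example written for this page; it is not code from the thread or from operator-controller. It generates a throwaway private CA and a leaf certificate for 127.0.0.1, serves a fake `/v2/` endpoint behind that certificate with `httptest`, and then connects three times: with the default trust store (fails exactly like the error in the issue), with `InsecureSkipVerify` (succeeds, but accepts any certificate from anyone), and with a root pool built from a directory holding `ca.crt` (succeeds and still verifies the peer). The directory layout, the `poolFromDir` helper and the `Result` type are this example's own assumptions, not the controller's `--ca-certs` handling.

```go
// Added example: reproduce the unknown-authority TLS failure and compare
// skipping verification with trusting a CA loaded from a certs directory.
// Not operator-controller code; the certs-dir convention is an assumption.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"time"
)

// newPrivateCA builds a self-signed CA (returned as PEM, the way a ca.crt
// would be mounted) plus a server certificate for 127.0.0.1 signed by it.
// Everything here is constructed in memory for the example.
func newPrivateCA() (caPEM []byte, leaf tls.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, leaf, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, leaf, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, leaf, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, leaf, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "registry.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, leaf, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leaf = tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}
	return caPEM, leaf, nil
}

// poolFromDir treats every regular file in dir as PEM certificates (e.g. a
// mounted ca.crt) and appends them to a fresh root pool. An empty directory
// is an error rather than a silently empty trust store.
func poolFromDir(dir string) (*x509.CertPool, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	added := 0
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		if pool.AppendCertsFromPEM(data) {
			added++
		}
	}
	if added == 0 {
		return nil, fmt.Errorf("no PEM certificates found in %s", dir)
	}
	return pool, nil
}

// fetch performs a GET with the given client TLS settings and returns the
// HTTP status; a handshake or verification failure surfaces as an error.
func fetch(url string, cfg *tls.Config) (int, error) {
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// Result records the outcome of the three client configurations.
type Result struct {
	StrictErr        error // system roots only: expected to fail
	UnknownAuthority bool  // whether StrictErr is x509.UnknownAuthorityError
	SkipStatus       int   // InsecureSkipVerify: connects without checking identity
	TrustStatus      int   // CA read from the certs dir: connects and verifies
}

// Demo serves a fake registry /v2/ endpoint behind the private CA and
// exercises the three client configurations against it.
func Demo() (Result, error) {
	var res Result
	caPEM, leaf, err := newPrivateCA()
	if err != nil {
		return res, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()
	url := srv.URL + "/v2/"

	// 1. Default trust store: the private CA is unknown, so the handshake is rejected.
	_, res.StrictErr = fetch(url, &tls.Config{})
	var unknown x509.UnknownAuthorityError
	res.UnknownAuthority = errors.As(res.StrictErr, &unknown)

	// 2. Skip verification: connects, but so would a man-in-the-middle's server.
	if res.SkipStatus, err = fetch(url, &tls.Config{InsecureSkipVerify: true}); err != nil {
		return res, err
	}

	// 3. Trust the CA: write ca.crt into a directory standing in for the mounted
	//    volume and build the root pool from it; verification now succeeds.
	dir, err := os.MkdirTemp("", "certs")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "ca.crt"), caPEM, 0o600); err != nil {
		return res, err
	}
	pool, err := poolFromDir(dir)
	if err != nil {
		return res, err
	}
	if res.TrustStatus, err = fetch(url, &tls.Config{RootCAs: pool}); err != nil {
		return res, err
	}
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("system roots:", res.StrictErr, "(unknown authority:", res.UnknownAuthority, ")")
	fmt.Println("InsecureSkipVerify status:", res.SkipStatus)
	fmt.Println("trusted ca.crt status:", res.TrustStatus)
}
```

Run it with `go run .`; the first line prints the same `tls: failed to verify certificate: x509: certificate signed by unknown authority` text quoted in the issue. The point of the third leg is that trusting a specific CA keeps authentication of the registry intact, whereas `InsecureSkipVerify` (and by extension `insecureSkipTLSVerify: true` on a catalog source) removes it entirely, so it should be a last resort for a registry that only serves a private CA.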

Issues go stale after 90 days of inactivity. If there is no further activity, the issue will be closed in another 30 days.

github-actions[bot], Aug 04 '25 01:08

This issue has been closed due to inactivity.

github-actions[bot], Sep 04 '25 01:09