This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

helm operator: x509: certificate signed by unknown authority #1637

Closed
florianrusch opened this issue Jan 8, 2019 · 8 comments

Comments

@florianrusch

I'm trying to pull a helm chart from a private registry with a self-signed certificate.
Now the helm operator logs this message:

```
ts=2019-01-08T12:13:18.11620482Z caller=chartsync.go:244 component=chartsync info="Start of releasesync"
ts=2019-01-08T12:13:18.173598161Z caller=chartsync.go:340 component=chartsync info="chart download failed" releaseName=umbrella resource=dev:helmrelease/umbrella err="Looks like \"https://helm.example.com/chartrepo/test\" is not a valid chart repository or cannot be reached: Get https://helm.example.com/chartrepo/test/index.yaml: x509: certificate signed by unknown authority"
ts=2019-01-08T12:13:18.173670137Z caller=chartsync.go:249 component=chartsync info="End of releasesync"
```

I've already tried to set the repository.yaml as described here:

```yaml
repositories:
- caFile: ""
  cache: helm-test-index.yaml
  certFile: ""
  keyFile: ""
  name: helm-test
  password: xxx
  url: https://helm.example.com/chartrepo/test
  username: xxx
```

Does someone know what's wrong or what I've missed?

@squaremo
Member

squaremo commented Jan 8, 2019

I would expect you have to supply the CA cert -- you could include it in the same secret as repository.yaml, and refer to it as a file in the same directory.

@2opremio
Contributor

@florianrusch Did that solve the issue?

@florianrusch
Author

@2opremio I haven't had the chance to test it again. But I think a flag like the insecure-skip-tls-verify: true, as it is used (1) in the .kube/config file, would be nice.

(1): https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#define-clusters-users-and-contexts

@hiddeco
Member

hiddeco commented Feb 20, 2019

> I haven't had the chance to test it again. But I think a flag like the insecure-skip-tls-verify: true, as it is used (1) in the .kube/config file, would be nice.

The repository plugin Helm has does not have a flag like the insecure-tls-verify of kubectl. Instead, you should configure the caFile key to point towards the CA cert you signed your certs with.
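To make the two answers above concrete, here is an added, self-contained Go illustration (my code, not the helm operator's or Helm's) of the failure in the log and of what a correct caFile entry achieves: a client whose root pool does not contain the registry's CA fails with the x509 unknown-authority error, and loading the CA's PEM into the client's RootCAs, which is what Helm does with caFile, makes the same request succeed. A local httptest TLS server stands in for the private registry at helm.example.com; the names newIndexServer and fetchIndex are mine.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newIndexServer starts a local TLS server with a self-signed certificate,
// standing in for the private chart registry (constructed stand-in, not a real
// registry). It returns the server and the PEM you would store as the caFile.
func newIndexServer() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "apiVersion: v1\nentries: {}") // minimal chart index
	}))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

// fetchIndex GETs <url>/index.yaml, as the operator does for a chart repository.
// With caPEM == nil only the system roots are trusted (the issue's situation);
// otherwise caPEM is added to the root pool, mirroring Helm's caFile handling.
func fetchIndex(url string, caPEM []byte) error {
	tlsCfg := &tls.Config{} // verification stays enabled in both cases
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return fmt.Errorf("caFile contains no PEM certificates")
		}
		tlsCfg.RootCAs = pool
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
	resp, err := client.Get(url + "/index.yaml")
	if err != nil {
		return err // on Linux: "... x509: certificate signed by unknown authority"
	}
	defer resp.Body.Close()
	return nil
}

func main() {
	srv, caPEM := newIndexServer()
	defer srv.Close()
	fmt.Println("without CA:", fetchIndex(srv.URL, nil))
	fmt.Println("with CA:   ", fetchIndex(srv.URL, caPEM))
}
```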

@sukrit007
Contributor

@hiddeco I think the helm chart will need to be modified to support passing caFile. Currently, it does not automatically mount the same. Should I submit a PR for the same?


@jtgorny

jtgorny commented Feb 11, 2022

I'm running into a similar issue here. I've tried to add --insecure-skip-tls-verify as part of the bootstrap command. I've also tried including the --certificate-authority. I'm still having trouble with the Kustomization reconciling.
Here is the output from flux logs --level=error

```
2022-02-11T18:55:31.811Z error GitRepository/flux-system.flux-system - Reconciler error unable to clone 'xyz': Get "xyz/flux-cd.git/info/refs?service=git-upload-pack": x509: certificate signed by unknown authority
```

Here is the output from flux get sources all --all-namespaces

```
flux-system	gitrepository/flux-system	False	unable to clone 'https://xyz/flux-cd.git': Get "https://xyz/flux-cd.git/info/refs?service=git-upload-pack": x509: certificate signed by unknown authority	        	False
```

@kingdonb
Member

kingdonb commented Feb 11, 2022

@jtgorny FYI, this is the fluxcd/flux repo for the Flux v1 Legacy project.

The flux bootstrap git CLI command does have an option:

```
--insecure-skip-tls-verify               If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
```

But it is not related to anything from this issue report, since this repo is for Flux v1. I'm not sure what limitations there are on how insecure-skip-tls-verify can be used, but please file an issue on fluxcd/flux2 if you are having trouble.

I had a look through issues that were about certificate verification, and I found this (fluxcd/source-controller#283):

> This feature will only work with the libgit2 https transport implementation as it has a certificate callback which allows for custom x509 certificate validation when the system is not able to. All other implementations will return an error if a user attempts to set a value for caFile in the secret.

Then later this (fluxcd/source-controller#324):

> With this change we can now add --ca-file to bootstrap and allow people to use self-signed certs for GitHub/GitLab on-prem

Did you set caFile with the default go-git setting for spec.gitImplementation or are you using libgit2? (*Edit - it must be go-git, because bootstrap is not implemented on libgit2) – Please include the full definition of your GitRepository as well, if you wind up reopening this issue on the flux2 repo.
