Closed mitesh-devops closed 3 years ago
ok: the `registry` container, trying to connect to portus, sending exactly `https://registry.domain.com/v2/webhooks/events` (he confirms to registry "Yes, I got your notification, thank you, you can stop resending the webhook"). `portus` instead of `registry` is because of a very special configuration you have in your `nginx.conf`, which you found in the Portus git repo. Do you agree it is weird to call `https://registry.domain.com/v2/webhooks/events`, while you actually want to connect to `https://portus.domain.com/v2/webhooks/events`?

`*.kinsta.com` `registry.domain.com`, but `registry.kinsta.com`, and same thing for `portus.kinsta.com`. Other possibility is that they all have hostname `docker.kinsta.com`, but it's weird. Think of hub.docker.com and `docker.io/yourname/portus:2.4.3` .... (`ping -c 4 docker.io`). Use: `PORTUS_MACHINE_FQDN=portus.kinsta.com` on portus (must match `portus.crt` TLS cert CN Common Name), and docker config (you're devops):

```yaml
auth:
  token:
    realm: https://PORTUS_SERVICE_FQDN_JINJA2_VAR:3000/v2/token
    service: OCI_REGISTRY_SERVICE_FQDN_JINJA2_VAR
    issuer: PORTUS_SERVICE_FQDN_JINJA2_VAR
    rootcertbundle: /secrets/portus.crt
notifications:
  endpoints:
    - timeout: 500ms
      threshold: 5
      backoff: 1s
      secret: SECRET_PORTUS_API_KEY_JINJA2_VAR
```
Hi, thank you for your quick response! I couldn't figure out the need for different hostnames before, as I couldn't find anything in the documentation about using different hostnames for portus and registry.

I have now changed the hostnames to portus.domain.com and registry.domain.com (I am using the actual wildcard SSL certificate issued to *.domain.com for both containers), and the .env hostname to portus.domain.com as you suggested. However, now I am getting "requested access to the resource is denied" when uploading to registry.domain.com/admin/.

I didn't understand the PORTUS_SERVICE_FQDN_JINJA2_VAR changes. Can you please explain a bit about it? I don't have this variable in .env.

Thank you once again!
@mitesh-devops please give:

- your `docker-compose.yml` file
- your `.env` file

(So just asking you to take special care to markdown format the content of those two files, like this.)

`PORTUS_SERVICE_FQDN`: look into your `docker-compose.yml`, and I will require that you work more than that, or advise you to forget about using portus or harbor, immediately, because you can't afford the work time required for that. `docker-compose.yml`, and probably not a lot in the docs. Take some time on that, or you will have some questions I will not answer: bear in mind I am not from the Portus Team, I am answering just for the pleasure. `PORTUS_SERVICE_FQDN=registry.domain.com` in your `docker-compose.yml`.

When I have that, I will ask more questions, and then answer.
Hello @Jean-Baptiste-Lasselle,

Thank you for sparing time to look into it!

Let me give you a short summary of the setup I am doing.

I have one Ubuntu machine at my office premises where I am setting this up. I just cloned this project and started working on this file https://github.com/SUSE/Portus/tree/master/examples/compose; I had to make a few changes in the compose file to make things work.

I have a wildcard certificate which I am using for portus.domain.com and registry.domain.com.

What is working:

What is not working:

```
registry_1 | time="2020-04-23T05:32:36Z" level=error msg="retryingsink: error writing events: httpSink{https://portus.domain.com/v2/webhooks/events}: error posting: Post https://portus.domain.com/v2/webhooks/events: x509: certificate is valid for *.kinsta.com, kinsta.com, not portus.domain.com, retrying"
registry_1 | time="2020-04-23T05:32:36Z" level=warning msg="httpSink{https://portus.domain.com/v2/webhooks/events} encountered too many errors, backing off"
```

Note: kinsta.com has nothing to do with this, as it is not our domain name. It seems that it is trying to go out to the public network and check the SSL certificate there. But the SSL certificate only works within the internal network, as we are not exposing it to the public network by reissuing the certificate with 2 new common names.

I have added both the compose and .env file.

More on this: the following curl request is successful from inside all the containers, which seems to show that the SSL certificate is correctly identified.

`curl -v -X POST https://portus.domain.com/v2/webhooks/events`

Also, the first pushed image is visible in the UI, but after that it doesn't sync any new images to Portus.

I hope this information helps to debug. Can you please provide me with a POST request example, with header and body, which I can try from the registry container console to see if any clue is identified?
@mitesh-devops just a quick remark before answering:

```
registry_1 | time="2020-04-23T05:32:36Z" level=error msg="retryingsink: error writing events: httpSink{https://portus.domain.com/v2/webhooks/events}: error posting: Post https://portus.domain.com/v2/webhooks/events: x509: certificate is valid for *.kinsta.com, kinsta.com, not portus.domain.com, retrying"
registry_1 | time="2020-04-23T05:32:36Z" level=warning msg="httpSink{https://portus.domain.com/v2/webhooks/events} encountered too many errors, backing off"
```

`*.kinsta.com` has to do with what you (and no one else) configured. TTYL, I'm at work.
Hi again @mitesh-devops. So, I asked you for:

- your `docker-compose.yml` file (ok I have it)
- your `.env` (ok I have it)

and it is fine if you give them as files, instead of the content of both of those files markdown formatted.

Additionally, I will also need:

- `nginx.conf`
- `/home/mitesh/vscode/myproject/docker-compose.yml`

Ok, this is stupid: we are on GitHub, and we are exchanging files with http links... Could you just commit and push to a git repository all the files in the folder where you ran `docker-compose up`?

One remark: `portus`, and look for a much simpler solution (find a "your docker private registry" tutorial, until you find one where you succeed). You are informed. Unless you provide the requested files, I will assume you chose the first option.

JB.
hi @mitesh-devops, I updated my last message.

Treating portus issue https://github.com/SUSE/Portus/issues/2297:

```bash
export OPS_HOME=$(pwd)/jblanswerabout
export DESIRED_VERSION=feature/preparing-first-release
git clone https://github.com/Jean-Baptiste-Lasselle/mitesh-dialog ${OPS_HOME}
cd ${OPS_HOME}
git checkout ${DESIRED_VERSION}
cd mitesh
cat README.md | head -n 1
# list the images the compose file resolves to
docker-compose config | grep image:
echo ""
echo "So you used portus image [opensuse/portus:head]"
```

`opensuse/portus:head`: which does not exist on any public docker registry. `portus`: another thing that I miss, to reproduce your case. I now do not need any more work to tell you: Portus. The good news is now you can have a nice restful week-end.

JB.
Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
I am using a wildcard SSL certificate, using the .crt as a combination of the CA bundle file + certificate. The SSL certificate works correctly when I add it in the Portus UI. The push is also working, but the webhook call is somehow not working; the registry container has the following error.

```
registry_1 | time="2020-04-21T15:09:30Z" level=error msg="retryingsink: error writing events: httpSink{https://registry.domain.com/v2/webhooks/events}: error posting: Post https://registry.domain.com/v2/webhooks/events: x509: certificate is valid for *.kinsta.com, kinsta.com, not registry.domain.com, retrying"
```

We have added the appropriate entries with extra_hosts and it works on the internal IP correctly, but the above error somehow indicates that the webhook is being called on the public network.

compose.txt

I have tried the solution given on https://github.com/SUSE/Portus/issues/1496. Please advise.
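The x509 error quoted in this report, and the near-identical one in the later reply (`certificate is valid for *.kinsta.com, kinsta.com, not portus.domain.com`), is the registry refusing to deliver a notification because the certificate presented at the webhook endpoint does not cover the hostname in the endpoint URL. The following is an added example, not code from Portus, the registry, or anyone in this thread: it parses registry log lines of that shape, applies the one-label wildcard rule a TLS client uses when matching a hostname against certificate names, and reports which names the certificate would have needed. The log lines are constructed from the two excerpts quoted above; no network connection is made.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the registry log lines quoted in this thread,
# with the hostnames exactly as they appear there.
SAMPLE_LOG = [
    'time="2020-04-21T15:09:30Z" level=error msg="retryingsink: error writing events: '
    'httpSink{https://registry.domain.com/v2/webhooks/events}: error posting: '
    'Post https://registry.domain.com/v2/webhooks/events: x509: certificate is valid '
    'for *.kinsta.com, kinsta.com, not registry.domain.com, retrying"',
    'time="2020-04-23T05:32:36Z" level=error msg="retryingsink: error writing events: '
    'httpSink{https://portus.domain.com/v2/webhooks/events}: error posting: '
    'Post https://portus.domain.com/v2/webhooks/events: x509: certificate is valid '
    'for *.kinsta.com, kinsta.com, not portus.domain.com, retrying"',
    'time="2020-04-23T05:32:36Z" level=warning msg="httpSink{https://portus.domain.com'
    '/v2/webhooks/events} encountered too many errors, backing off"',
]

# Matches the endpoint URL inside httpSink{...} and the x509 detail that follows:
# the comma-separated names the certificate is valid for, and the host that failed.
X509_RE = re.compile(
    r"httpSink\{(?P<url>[^}]+)\}.*?x509: certificate is valid for "
    r"(?P<names>.+?), not (?P<host>\S+?),"
)


def parse_x509_mismatch(line):
    """Return (endpoint_url, [certificate names], requested host), or None
    when the line is not an x509 hostname-mismatch error."""
    m = X509_RE.search(line)
    if m is None:
        return None
    names = [n.strip() for n in m.group("names").split(",")]
    return m.group("url"), names, m.group("host")


def name_matches(pattern, host):
    """Hostname matching as TLS clients do it (RFC 6125 style): an exact
    match, or a wildcard that covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == host


def covering_names(host):
    """Names a certificate could carry to cover this host: the exact name,
    and the single-label wildcard of its parent domain when one exists."""
    labels = host.lower().split(".")
    names = [host.lower()]
    if len(labels) >= 3:
        names.append("*." + ".".join(labels[1:]))
    return names


def diagnose(lines):
    """Turn x509 mismatch log lines into structured findings."""
    findings = []
    for line in lines:
        parsed = parse_x509_mismatch(line)
        if parsed is None:
            continue
        url, names, host = parsed
        findings.append({
            "endpoint": url,
            "host": host,
            "cert_names": names,
            # True would mean the client should have accepted the certificate.
            "covered": any(name_matches(n, host) for n in names),
            # The host in the error should be the one in the endpoint URL.
            "url_host_matches_log": urlparse(url).hostname == host,
            "needed_names": covering_names(host),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['endpoint']}: presented {f['cert_names']}, "
              f"needed one of {f['needed_names']}, covered={f['covered']}")
```

The `covered` field is what the registry's TLS client computes before giving up; `needed_names` shows why a `*.domain.com` wildcard would cover `portus.domain.com` while `*.kinsta.com` cannot, which turns the log line into a question of which server the endpoint hostname is actually resolving to.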