SUSE / Portus

Authorization service and frontend for Docker registry (v2)
http://port.us.org/
Apache License 2.0

Error writing events with webhook #2297

Closed mitesh-devops closed 3 years ago

mitesh-devops commented 4 years ago

I am using wildcard SSL and using the .crt with a combination of CA bundle file + certificate. The SSL works correctly when I add in the Portus UI. The push is also working but the webhook call is somehow not working. The registry container has the following error.

registry_1 | time="2020-04-21T15:09:30Z" level=error msg="retryingsink: error writing events: httpSink{https://registry.domain.com/v2/webhooks/events}: error posting: Post https://registry.domain.com/v2/webhooks/events: x509: certificate is valid for *.kinsta.com, kinsta.com, not registry.domain.com, retrying"

We have added appropriate entries with extra_hosts and it works on internal IP correctly but the above error somehow indicated that webhook is being called on a public network.

compose.txt

I have tried the solution given on https://github.com/SUSE/Portus/issues/1496. Please advise.

Jean-Baptiste-Lasselle commented 4 years ago

ok :

mitesh-devops commented 4 years ago

Hi, thank you for your quick response! I couldn't figure out the need for different hostnames prior, as I couldn't find anything mentioned in a document to use the different hostname for portus and registry.

I have now changed hostnames with portus.domain.com and registry.domain.com (I am using the actual wildcard SSL issued to *.domain.com for both containers), and the .env hostname to portus.domain.com as you suggested. However, now I am getting "requested access to the resource is denied" when uploading to registry.domain.com/admin/.

I didn't get you for the PORTUS_SERVICE_FQDN_JINJA2_VAR changes. Can you please explain a bit about it? I don't have this variable in .env.

Thank you once again!

Jean-Baptiste-Lasselle commented 4 years ago

@mitesh-devops please give :

# So just asking you to take special care to markdown format the 
# content of those two files, like this

When I have that, I will ask more questions, and then answer.

mitesh-devops commented 4 years ago

Hello @Jean-Baptiste-Lasselle,

Thank you for sparing time to look into it!

Let me give you a short summary of what setup I am doing.

I have one Ubuntu machine at my office premises where I am setting this up. I just cloned this project and started working on this file: https://github.com/SUSE/Portus/tree/master/examples/compose. I was required to perform a few changes in the compose file to make things work.

I have wildcard certificate which I am using in portus.domain.com and registry.domain.com.

What is working:

  1. UI is accessible with SSL at https://portus.domain.com:3000
  2. I am able to create admin user and docker login registry.domain.com from CLI with that admin credentials.
  3. Add registry from UI is working with green reachable status.
  4. Push from CLI registry.domain.com/admin/image

What is not working:

  1. Visibility of the images on UI. Getting the same webhook error.

registry_1 | time="2020-04-23T05:32:36Z" level=error msg="retryingsink: error writing events: httpSink{https://portus.domain.com/v2/webhooks/events}: error posting: Post https://portus.domain.com/v2/webhooks/events: x509: certificate is valid for *.kinsta.com, kinsta.com, not portus.domain.com, retrying"
registry_1 | time="2020-04-23T05:32:36Z" level=warning msg="httpSink{https://portus.domain.com/v2/webhooks/events} encountered too many errors, backing off"

Note: Kinsta.com has nothing to do here as it is not our domain name. It seems that it is trying to go outside the public network and check for SSL. But, the SSL is working within an internal network only as we are not exposing it to a public network by reissue of the SSL with 2 new common names.

I have added both compose and .env file.

docker-compose.txt env.txt
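
An added example, not part of the thread and not Portus or registry code: it parses the x509 error from the registry log line quoted above and compares the names on the certificate that was actually served with the names on the certificate the operator installed. The function names and the `installed_sans` argument are assumptions made for illustration; the wildcard rule is a simplified one-label match.

```python
import re

# Constructed sample: the registry log line quoted in this thread.
SAMPLE = ('registry_1 | time="2020-04-23T05:32:36Z" level=error msg="retryingsink: '
          'error writing events: httpSink{https://portus.domain.com/v2/webhooks/events}: '
          'error posting: Post https://portus.domain.com/v2/webhooks/events: x509: '
          'certificate is valid for *.kinsta.com, kinsta.com, not portus.domain.com, retrying"')

# Extracts the names on the certificate that was served and the name the client wanted.
X509_RE = re.compile(
    r"x509: certificate is valid for (?P<names>.+?), not (?P<host>[A-Za-z0-9.*-]+)")

def san_matches(pattern, host):
    """Simplified hostname rule: '*' is allowed only as the whole leftmost
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return all(a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def diagnose(log_line, installed_sans):
    """Compare the certificate named in the error with the one the operator
    installed (installed_sans is supplied by the caller, an assumption here)."""
    m = X509_RE.search(log_line)
    if m is None:
        return None  # not an x509 hostname-mismatch line
    host = m.group("host")
    served = [n.strip() for n in m.group("names").split(",")]
    installed_ok = any(san_matches(n, host) for n in installed_sans)
    same_cert = {n.lower() for n in served} == {n.lower() for n in installed_sans}
    if same_cert:
        verdict = "installed-cert-lacks-name"   # right server, certificate needs the name
    elif installed_ok:
        verdict = "other-endpoint-answered"     # installed cert would match: check name resolution
    else:
        verdict = "other-endpoint-and-cert-lacks-name"
    return {"host": host, "served": served, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE, ["*.domain.com"]))
```

A verdict of `other-endpoint-answered` means the TLS handshake was completed by a server other than the one holding the installed certificate, so the next thing to check is what the webhook hostname resolves to from inside the registry container.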

mitesh-devops commented 4 years ago

More on this. The following curl request is successful from inside all the containers, which seems to show that SSL is correctly identified.

'curl -v -X POST https://portus.domain.com/v2/webhooks/events'

curl-logs.txt

Also, the first time pushed image is visible on UI but after that, it doesn't sync any new images to Portus.

I hope this information helps to debug. Can you please provide me any POST request example with header and body which I can try from the registry container console to see if any clue is identified?

Jean-Baptiste-Lasselle commented 4 years ago

@mitesh-devops Just a quick remark before answer :

ttyl im at work

Jean-Baptiste-Lasselle commented 4 years ago

Hi again @mitesh-devops So, I asked you :

Ok, this is stupid : we are on github, and we are exchanging files with http link... : could you just commit and push to a git repository all the files in the folder where you ran docker-compose up ?

One remark :

You are informed. Unless you provide the requested files, I will assume you chose the first option.

JB.

Jean-Baptiste-Lasselle commented 4 years ago

hi @mitesh-devops I update my last message,

Treating portus issue https://github.com/SUSE/Portus/issues/2297

export OPS_HOME=$(pwd)/jblanswerabout
export DESIRED_VERSION=feature/preparing-first-release
git clone https://github.com/Jean-Baptiste-Lasselle/mitesh-dialog ${OPS_HOME}
cd ${OPS_HOME}
git checkout ${DESIRED_VERSION}

cd mitesh
cat README.md | head -n 1

docker-compose config |grep image:
echo ""
echo "So you used portus image [opensuse/portus:head]"

I now do not need any more work to tell you :

The good news, is now you can have a nice restful week-end.

JB.

stale[bot] commented 3 years ago

Thanks for all your contributions! This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.