ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Can't pull EE from private container registry #12118

Open mooky31 opened 2 years ago

mooky31 commented 2 years ago
ISSUE TYPE
SUMMARY

Can't pull EE from private container registry: can't validate certificate signed by private authority. On Registry credentials, Verify SSL is unchecked.

ENVIRONMENT
STEPS TO REPRODUCE

Try to pull EE from a private registry, with certificates signed by a private authority

EXPECTED RESULTS

EE pulled successfully

ACTUAL RESULTS

pod/automation-job-30-h9hpg Failed to pull image "registry.local/sdc-sasi/awx:latest": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry.bureautique.itm.lan/v2/": x509: certificate signed by unknown authority

ADDITIONAL INFORMATION

I also tried to add the private CA to the host system, didn't change anything.

coreydeli commented 2 years ago

This is the same as this issue https://github.com/ansible/awx/issues/12117

mooky31 commented 2 years ago

I don't think this is the same: the problem here is that the "Verify SSL" tickbox doesn't work

AlanCoding commented 2 years ago

The EE verify_ssl is implemented in ansible-runner

https://github.com/ansible/ansible-runner/blob/88130033e6b4791952236a8b1eb6f7ac823649e3/test/integration/containerized/test_container_management.py#L114

However, in openshift, it's not the podman CLI but openshift itself that pulls the image. This may be a fairly fundamental issue with how we build the pod spec for container_group jobs. Thanks for the report.
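Since the image for a container-group job is pulled by the node's runtime rather than by AWX, the certificate check can be reproduced from the node itself. The script below is an added example, not part of the original thread and not AWX or ansible-runner code; the function names and verdict labels are hypothetical, the registry host and CA bundle path are supplied by the operator, and it assumes Python on the node reads the same system trust store as the runtime that pulls.

```python
import socket
import ssl

def check_registry_tls(host, port=443, cafile=None, timeout=5.0):
    """Verify the registry's certificate chain the way a pulling client does.

    cafile=None uses the trust store of the machine this runs on; a path
    makes that CA bundle the only trust anchor.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
                return "trusted", issuer.get("commonName", "unknown issuer")
    except ssl.SSLCertVerificationError as exc:
        # 62 = X509_V_ERR_HOSTNAME_MISMATCH; other codes are chain/trust failures
        status = "hostname_mismatch" if exc.verify_code == 62 else "untrusted"
        return status, exc.verify_message
    except ssl.SSLError as exc:
        return "tls_error", str(exc)
    except OSError as exc:  # DNS failure, refused connection, timeout
        return "unreachable", str(exc)

def interpret(system, private):
    """Map the two probe results to the likely cause of the pull failure."""
    if system[0] == "trusted":
        return "host-trust-ok"             # this host's store validates the chain
    if system[0] == "untrusted" and private[0] == "trusted":
        return "ca-missing-on-host"        # chain is fine, the private CA is not installed here
    if system[0] == "untrusted" and private[0] == "untrusted":
        return "served-chain-not-from-ca"  # endpoint presents a chain that CA did not issue
    return system[0]                       # hostname_mismatch, tls_error or unreachable

def diagnose(host, private_ca, port=443):
    """Probe once with the host trust store and once with only the private CA."""
    system = check_registry_tls(host, port)
    private = check_registry_tls(host, port, cafile=private_ca)
    return interpret(system, private), system, private

if __name__ == "__main__":
    import sys
    # usage: python3 check_registry_tls.py <registry-host> <path-to-private-ca.pem>
    print(diagnose(sys.argv[1], sys.argv[2]))
```

A `served-chain-not-from-ca` verdict means installing that CA on the node will not help, because something between the node and the registry is presenting a different chain.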

shanemcd commented 2 years ago

I'm not sure if we can really do anything about this for container groups. This might be helpful: https://medium.com/@j.wahidin/kubernetes-day-2-operation-working-with-self-signed-image-registry-bd3c7ff1498d

valkiriaaquatica commented 1 month ago
ISSUE TYPE
  • Bug Report
SUMMARY

Can't pull EE from private container registry: can't validate certificate signed by private authority. On Registry credentials, Verify SSL is unchecked.

ENVIRONMENT
  • AWX version: 20.0.1
  • AWX install method: operator
  • AWX deployment target: minikube
  • Operating System: RockyLinux 8
  • Web Browser: Firefox
STEPS TO REPRODUCE

Try to pull EE from a private registry, with certificates signed by a private authority

EXPECTED RESULTS

EE pulled successfully

ACTUAL RESULTS

pod/automation-job-30-h9hpg Failed to pull image "registry.local/sdc-sasi/awx:latest": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry.bureautique.itm.lan/v2/": x509: certificate signed by unknown authority

ADDITIONAL INFORMATION

I also tried to add the private CA to the host system, didn't change anything.

Did you finally solve it? If so, how?

mooky31 commented 1 month ago

It was a long time ago, so I am not sure. But if I remember well I configured the CA used to sign the registry's certificate to be trusted by the Kubernetes host, and it did the trick. That's not really "Ignore certificate verification" though...

valkiriaaquatica commented 1 month ago

It was a long time ago, so I am not sure. But if I remember well I configured the CA used to sign the registry's certificate to be trusted by the Kubernetes host, and it did the trick. That's not really "Ignore certificate verification" though...

Yes, I tried that, adding the .crt on the cluster nodes, but nothing happened... I also tried the skip SSL tickbox, but that doesn't work either. In my case it is an nginx ingress on a Harbor private repo :(

mooky31 commented 1 month ago

https://docs.podman.io/en/v2.2.0/markdown/podman-pull.1.html#cert-dir-path

Maybe you should put your certs in /etc/containers/certs.d

valkiriaaquatica commented 4 weeks ago

https://docs.podman.io/en/v2.2.0/markdown/podman-pull.1.html#cert-dir-path

Maybe you should put your certs in /etc/containers/certs.d

Hey, thanks! But I'm using rke2 with containerd, not podman... I'll keep trying and post here if I find a solution.

valkiriaaquatica commented 3 weeks ago

Finally solved the problem: it was an internal problem with the CA certificate when using the Cloudflare tunnel, not an AWX problem at all.
