Closed svghadi closed 3 weeks ago
I did some digging: if the repoURL contains the oci scheme, the getCAPath func will return the correct CA cert even if the URL contains a path.
https://github.com/argoproj/argo-cd/blob/3d77d9ced03c1e619df05c319a8257db5d98a47d/pkg/apis/application/v1alpha1/repository_types.go#L239-L240
However, when I try to set the oci scheme in the URL, e.g. oci://my-registry.default/helm-charts, the creation of the repo fails with "OCI Helm repository URL should include hostname and port only" from the CLI. From the UI, the repo is created but oci:// is truncated.
PR #5888 introduced this change to disallow the oci scheme in the URL. @alexmt, I noticed that you implemented this change. Do you think this can be reverted as helm now supports the oci:// prefix?
https://helm.sh/docs/topics/registries/#other-subcommands
Support for the oci:// protocol is also available in various other subcommands. Here is a complete list:
An alternative simple solution to fix this bug could be to explicitly add the oci:// scheme during fetching of the CA certs if the repo has EnableOCI set to true so that the URL parsing correctly detects the hostname.
Another case (https://github.com/argoproj/argo-cd/pull/8508#issuecomment-1630996731) of incorrect hostname parsing when the repoURL contains a port.
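The parsing behaviour discussed in the comment above, as an added example that is not part of the original thread and is not Argo CD's code: Go's net/url gives no host for a scheme-less host/path URL, so a CA lookup keyed on the parse result misses the certificate, while prefixing oci:// as the comment suggests recovers the hostname. The function names naiveHost and caLookupHost are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveHost (hypothetical) trusts url.Parse on whatever the user entered and
// falls back to Path when no scheme was found.
func naiveHost(repoURL string) string {
	u, err := url.Parse(repoURL)
	if err != nil {
		return ""
	}
	if u.Scheme == "" {
		return u.Path // for "host/path" this is the whole string, not the host
	}
	return u.Hostname()
}

// caLookupHost (hypothetical) prefixes oci:// for OCI repos that carry no
// scheme, so the parser sees an authority and path and port are split off.
func caLookupHost(repoURL string, enableOCI bool) (string, error) {
	if enableOCI && !strings.Contains(repoURL, "://") {
		repoURL = "oci://" + repoURL
	}
	u, err := url.Parse(repoURL)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("no hostname in %q", repoURL)
	}
	return u.Hostname(), nil
}

func main() {
	// Constructed sample inputs based on the registry name used in the issue.
	for _, r := range []string{
		"my-registry.default",
		"my-registry.default/helm-charts",
		"my-registry.default:5000/helm-charts",
		"oci://my-registry.default/helm-charts",
	} {
		h, err := caLookupHost(r, true)
		fmt.Printf("%-40s naive=%q fixed=%q err=%v\n", r, naiveHost(r), h, err)
	}
}
```

A lookup that returns the wrong key fails closed here: the certificate is simply not found and the connection ends in the x509 error reported in the issue.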
Describe the bug
I am trying to deploy a chart from a private OCI Helm registry with self-signed certificates. I have added the TLS certificate for my domain my-registry.default in the argocd-tls-certs-cm configmap.
When I create a Helm repository with the my-registry.default repository URL everything works as expected. However, if the repository URL contains a path, e.g. my-registry.default/helm-charts, the TLS certificate for the domain, i.e. my-registry.default, is not picked up by Argo CD and results in "x509: certificate signed by unknown authority" errors.
To Reproduce
Expected behavior
Argo CD should connect successfully to the registry
Screenshots
Version
Didn't test with master but I think it should be reproducible with it.
Logs
Repo server logs