Closed julien-blanchon closed 1 year ago
May be related to this: https://github.com/argoproj/argo-workflows/issues/5582
Hi,
In the case of argo-workflows we don't have any special logic in the Bitnami packaging, so I believe the argo-workflows team should be the ones to advise on how to fix this issue. If there's anything we need to change in the chart to allow any extra setting, we will work on that.
Thanks for your answer @javsalgar!
Yes, it's more of a Kubernetes issue.
I did fix this by mounting my CA in each node with:
```yaml
apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
nodes:
  - role: control-plane
    extraPortMappings:
      - containerPort: 31923
        hostPort: 8080
    # mount our root certificate in a separate folder
    extraMounts:
      - hostPath: ./kubernetes/.ssl/root-ca.pem
        containerPath: /opt/ca-certificates/root-ca.pem
        readOnly: true
      - hostPath: ./kubernetes/.ssl/root-ca.pem
        containerPath: /etc/ssl/certs/ca-certificates.crt
        readOnly: true
      - containerPath: /usr/local/share/ca-certificates/mon-autorite.crt
        hostPath: ./kubernetes/.ssl/root-ca.pem
        readOnly: true
      - containerPath: /etc/docker/certs.d/artefacts.robert.local/mon-autorite.crt
        hostPath: ./kubernetes/.ssl/root-ca.pem
        readOnly: true
  - role: worker
    # mount our root certificate in a separate folder
    extraMounts:
      - hostPath: ./kubernetes/.ssl/root-ca.pem
        containerPath: /opt/ca-certificates/root-ca.pem
        readOnly: true
      - hostPath: ./kubernetes/.ssl/root-ca.pem
        containerPath: /etc/ssl/certs/ca-certificates.crt
        readOnly: true
      - containerPath: /usr/local/share/ca-certificates/mon-autorite.crt
        hostPath: ./kubernetes/.ssl/root-ca.pem
        readOnly: true
      - containerPath: /etc/docker/certs.d/artefacts.robert.local/mon-autorite.crt
        hostPath: ./kubernetes/.ssl/root-ca.pem
        readOnly: true
```
Thanks anyway, I'm closing the issue.
Error pulling private registry images in Argo Workflows
When using Argo Workflows with a private Docker registry (Harbor in my case), I'm getting `tls: failed to verify certificate: x509: certificate signed by unknown authority` errors when Workflows try to pull images.
It seems the root CA for the Harbor certificate is not being trusted on the Workflow pod, even though it should be available on all nodes.
Steps to Reproduce
Install Harbor using Helm, with a certificate from cert-manager
Install Argo Workflows using Helm, with a certificate from cert-manager
Create a docker-secret with credentials for the Harbor registry
Create a Workflow that uses an image from the private Harbor registry, with `imagePullSecrets` set to the docker-secret:
The Workflow fails with a TLS verification error pulling the image
Expected Behavior
The Workflow should pull the private Docker image from the Harbor registry successfully.
Environment
Certificates
Argo RBAC
Giving Argo access to docker registry secret:
kind config
Mounting root CA on nodes:
Possible Cause
It seems the root CA is not being trusted on the Workflow pod, even though it should be available to all nodes.
Could the Workflow pod have a separate trust store that needs the CA added? Or is there a problem mounting the node CAs into the Workflow pod?
Any ideas appreciated on how to resolve the TLS verification errors when using private registries with Argo Workflows. Thanks!
What do you see instead?
Architecture Graph
EDIT:
Mounting a volume with my CA in `/etc/ssl/certs` in the Argo controller & server did fix a first x509 error (the first one used to crash at the start of the init). But I still got an x509 error.
Here are my updated Argo values for the volume:
Note that the issues also appear when using `kubectl run test --image=$IMAGE_FROM_HARBOR`. This might be a Kubernetes/Harbor error.
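
An offline way to reproduce the `certificate signed by unknown authority` condition and compare trust stores, as an added example that is not part of the original thread. It builds throwaway constructed CAs with `openssl` and checks which CA bundle verifies a registry certificate; the name `harbor.example.test` and all function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Every key and certificate is constructed, throwaway test data.

# new_ca DIR NAME: self-signed CA written to DIR/NAME.pem (key in DIR/NAME.key)
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_leaf DIR CA: certificate for the hypothetical registry name, signed by CA
new_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=harbor.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# bundle_trusts BUNDLE CERT: exit 0 if CERT chains to a CA in BUNDLE
bundle_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# bundle_count BUNDLE: number of certificates in a PEM bundle
bundle_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# demo: prints "<bundle>=<verdict>(<certs in bundle>)" for three trust stores
demo() {
    tmp=$(mktemp -d) || return 1
    new_ca "$tmp" root-ca && new_ca "$tmp" other-ca && new_leaf "$tmp" root-ca ||
        { rm -rf "$tmp"; return 1; }
    cp "$tmp/other-ca.pem" "$tmp/without.crt"        # registry root CA absent
    cat "$tmp/other-ca.pem" "$tmp/root-ca.pem" > "$tmp/appended.crt"  # root added
    cp "$tmp/root-ca.pem" "$tmp/replaced.crt"        # root replaces the bundle file
    result=""
    for b in without appended replaced; do
        if bundle_trusts "$tmp/$b.crt" "$tmp/leaf.pem"; then v=ok; else v=unknown-authority; fi
        result="$result$b=$v($(bundle_count "$tmp/$b.crt")) "
    done
    rm -rf "$tmp"
    echo "${result% }"
}

demo
```

The `replaced` case holds a single certificate, which is what a single-file mount over `/etc/ssl/certs/ca-certificates.crt` produces: the private registry verifies, but certificates issued by any other CA would not.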