controlplaneio-fluxcd / flux-operator

Flux Operator is a Kubernetes controller for managing the lifecycle of Flux CD
https://fluxcd.control-plane.io/operator/
GNU Affero General Public License v3.0

Pull Flux manifests from registry with private PKI certificate #66

Open erikgb opened 4 months ago

erikgb commented 4 months ago

Our cluster does not have a direct connection to the Internet, and must pull all images through a registry proxy. This registry is configured with a certificate chain rooted in our private self-signed CA. How can I make Flux Operator trust this root?

This error is logged from Flux Operator:

{"level":"error","ts":"2024-07-04T12:03:33.625Z","msg":"Reconciler error","controller":"fluxinstance","controllerGroup":"fluxcd.controlplane.io","controllerKind":"FluxInstance","FluxInstance":{"name":"flux","namespace":"flux-system"},"namespace":"flux-system","name":"flux","reconcileID":"90115059-3e19-4cc3-ad0a-8af12fe0f077","error":"pulling artifact oci://<REDACTED>/ghcr-docker-remote/controlplaneio-fluxcd/flux-operator-manifests failed: Get \"https://<REDACTED>/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}

Flux Operator version: 0.6.0
Flux Operator installation method: OLM (operatorhub.io Subscription)

FluxInstance resource (irrelevant details omitted):

apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
spec:
  distribution:
    artifact: 'oci://<REDACTED>/ghcr-docker-remote/controlplaneio-fluxcd/flux-operator-manifests'
    registry: ghcr.io/fluxcd
    version: 2.3.x

Note: Our CRIO config will ensure the registry (for Flux images), is rewritten when images are pulled by our cluster.

stefanprodan commented 4 months ago

If you're using OperatorHub you don't need the artifact, OLM knows how to automatically update the Flux Operator, and the operator has the manifests embedded for air-gapped use. This would only be a problem if you were an Enterprise customer, as the artifact contains the CVE patches that ControlPlane ships for Flux.

erikgb commented 4 months ago

Ahhh, so I can just remove distribution completely, or? I would like to have some control over the Flux version, tho.

stefanprodan commented 4 months ago

You would remove only the .spec.distribution.artifact field. If you look at the example FluxInstance on OperatorHub, you'll see that this field is not there.
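The corrected FluxInstance for this air-gapped OLM setup, written out as an added example (it is not a manifest from the issue or from the project's OperatorHub listing): the `.spec.distribution.artifact` field that triggered the OCI pull through the private-PKI proxy is dropped, so the operator uses its embedded manifests and never opens a TLS connection the cluster's trust store cannot verify, while `registry` and `version` are kept so the Flux version stays pinned. The `<REDACTED>` proxy host is left out on purpose; the image-pull rewrite in the CRI-O configuration mentioned above is assumed to handle `ghcr.io/fluxcd` as before.

```yaml
# Before: the artifact field forces the operator to fetch
# oci://<REDACTED>/... over HTTPS, which fails with
# "x509: certificate signed by unknown authority" because the
# operator pod does not trust the private CA behind the proxy.
#
# After (this manifest): no artifact field. With OLM-installed
# Flux Operator the distribution manifests are embedded in the
# operator image, so nothing is pulled from a registry at
# reconcile time. The Flux controller images themselves are
# still pulled by the kubelet/CRI-O, where the registry rewrite
# and CA trust are already configured.
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
spec:
  distribution:
    # Keep the version constraint: this is what gives control
    # over which Flux minor/patch series the operator deploys.
    version: 2.3.x
    # Registry the Flux controller images are referenced from;
    # the CRI-O mirror config rewrites this to the internal proxy.
    registry: ghcr.io/fluxcd
```

Removing the field from an already-applied resource in place can be done with a JSON patch, e.g. `kubectl -n flux-system patch fluxinstance flux --type=json -p='[{"op":"remove","path":"/spec/distribution/artifact"}]'`; after that the reconciler should stop logging the TLS verification error.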

stefanprodan commented 4 months ago

Anyway let's keep this issue opened as paying customers will actually have a problem with this.

erikgb commented 4 months ago

> You would remove only the .spec.distribution.artifact field. If you look at the example FluxInstance on OperatorHub, you'll see that this field is not there.

I confirm that the suggested fix (simplification) solved our issue in the air-gapped cluster! 🥳 Thanks Stefan! ❤️