crossplane-contrib / provider-helm

Crossplane Helm Provider
Apache License 2.0

Unable to pull Charts from Private Registry #202

Open sujith1594 opened 8 months ago

sujith1594 commented 8 months ago

What happened?

I'm trying to create a Helm Release using provider-helm, but I'm getting "Certificate Signed by Unknown authority" even after adding "insecureSkipTLSVerify: true". Can someone help me with how to fix the cert issue, or with how I can skip the TLS verification?

How can we reproduce it?

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: helm-testing
spec:
  forProvider:
    insecureSkipTLSVerify: true
    chart:
      pullSecretRef:
        name: helm-secret
        namespace: default
      name: <Chart Name>
      repository: oci://<Private Registry>
      version: 0.1.1
    namespace: default
    values:
      cluster_name: crossplane
  providerConfigRef:
    name: default

What environment did it happen in?

Crossplane version: 1.13.2


jbw976 commented 8 months ago

In terms of the insecureSkipTLSVerify option, looks like support for that was added to helm v3.12.0, and we're currently on v3.10.2 in this repo. So perhaps upgrading our dependency would make insecureSkipTLSVerify start working 🤔

Are you interested in testing that out in your environment? 🙏

There may be further work to make end-to-end TLS work, but it's hard to tell what may be wrong there without setting up a specific repro environment that we have full control over - otherwise there are too many unknown variables in the environment in which this issue was opened.

csantanapr commented 8 months ago

Thanks for looking into this @jbw976

So it looks like insecureSkipTLSVerify works with an HTTP-based Helm registry, but never worked when using an oci:// registry.

@sujith1594 which registry are you using? Is it based on an open source project, and could you describe how it is set up?

sujith1594 commented 8 months ago

Hi @csantanapr, we are using Red Hat Quay, which is built on top of an OpenShift cluster. Quay is an OCI registry.

philippart commented 4 days ago

I've got the same problem with Zot OCI registry:

forProvider:
  chart:
    name: scheduler
    pullSecretRef:
      name: ""
      namespace: ""
    repository: oci://zot.default.svc.cluster.local:5000/charts
    version: 0.1.0
  insecureSkipTLSVerify: true

The provider-helm Release returns this error: Warning CannotCreateExternalResource 1s (x6 over 10s) managed/release.helm.crossplane.io failed to install release: failed to pull chart: failed to do request: Head "https://zot.default.svc.cluster.local:5000/v2/charts/scheduler/manifests/0.1.0": tls: failed to verify certificate: x509: certificate signed by unknown authority

My certificate has the proper FQDN and SAN but was signed by a self-signed root CA. I'm going to try with the cluster CA.
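The "x509: certificate signed by unknown authority" error reported above comes from Go's standard certificate verification, which is what the Helm OCI client uses underneath. The following Go program is an added example (not code from provider-helm, Helm or any participant in this thread) that reproduces the failure mode offline: it constructs a throwaway root CA and a leaf certificate for the registry hostname, then verifies the leaf once against an empty trust pool (the "unknown authority" case) and once against a pool containing the signing CA (the case the last comment is about to try, where the CA that actually signed the registry certificate is trusted). The hostname and all key material are constructed for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildChain constructs a self-signed root CA and a server (leaf) certificate
// for host signed by that CA. Everything here is generated on the fly and is
// a stand-in for a real registry certificate chain.
func buildChain(host string) (caCert, leafCert *x509.Certificate, err error) {
	now := time.Now()

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-root-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// A self-signed certificate is created by using the template as its own parent.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if caCert, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN the TLS client matches against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leafCert, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return caCert, leafCert, nil
}

// verifyAgainst performs the same chain-building check a Go TLS client does
// for a server certificate: the leaf must chain to a CA in roots and carry
// the expected hostname. An empty (non-nil) pool deliberately excludes the
// system trust store so the result does not depend on the host's CA bundle.
func verifyAgainst(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// isUnknownAuthority reports whether err is the "certificate signed by
// unknown authority" failure seen in the provider-helm event above.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "zot.default.svc.cluster.local" // constructed, mirrors the report
	ca, leaf, err := buildChain(host)
	if err != nil {
		panic(err)
	}

	// Case 1: the client has no CA for this chain -> unknown authority.
	err = verifyAgainst(leaf, host, x509.NewCertPool())
	fmt.Printf("without CA: unknown authority = %v (%v)\n", isUnknownAuthority(err), err)

	// Case 2: the signing CA is in the trust pool -> verification succeeds.
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Printf("with CA: err = %v\n", verifyAgainst(leaf, host, pool))
}
```

The second case is what "trying the cluster CA" has to achieve in practice: the pool the Helm client verifies against must contain whichever CA actually issued the registry's certificate (or a certificate that chains to it), otherwise a correct FQDN and SAN on the leaf do not help, because chain building fails before the hostname is even compared.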