fluxcd / helm-operator

Successor: https://github.com/fluxcd/helm-controller — The Flux Helm Operator, once upon a time a solution for declarative Helming.
https://docs.fluxcd.io/projects/helm-operator/
Apache License 2.0

Mounted ca.crt not respected, got x509: certificate signed by unknown authority #587

Closed hatzhang closed 2 years ago

hatzhang commented 3 years ago

I followed the manual on mounting repositories and a cert file into the helm operator pod, but it does not work.
Here is the pod:

$ k describe -n flux pod helm-operator-5d87bd5b9d-927tc
Name:         helm-operator-5d87bd5b9d-927tc
Namespace:    flux
Priority:     0
Node:         test-control-plane/172.21.0.2
Start Time:   Fri, 05 Feb 2021 11:52:31 +0800
Labels:       app=helm-operator
              pod-template-hash=5d87bd5b9d
              release=helm-operator
Annotations:  checksum/repositories: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Status:       Running
IP:           10.244.0.22
IPs:
  IP:           10.244.0.22
Controlled By:  ReplicaSet/helm-operator-5d87bd5b9d
Containers:
  flux-helm-operator:
    Container ID:  containerd://7bbf9c4af189fc9565a558e807f5cd38cb790d7779066cf5400eee0a2d14678f
    Image:         docker.io/fluxcd/helm-operator:1.2.0
    Image ID:      docker.io/fluxcd/helm-operator@sha256:91dc5e42f9aed503e4eae8663b43ecbc1bab9164dd8a5ad3e1421db4656e1c62
    Port:          3030/TCP
    Host Port:     0/TCP
    Args:
      --enabled-helm-versions=v3
      --helm-repository-import=v3:/root/.helm/repository/repositories.yaml
      --kubeconfig=/root/.kube/config
      --log-format=fmt
      --git-timeout=20s
      --git-poll-interval=5m
      --charts-sync-interval=3m
      --status-update-interval=30s
      --update-chart-deps=true
      --log-release-diffs=false
      --workers=4
      --tiller-namespace=kube-system
    State:          Running
      Started:      Fri, 05 Feb 2021 11:52:32 +0800
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:        50m
      memory:     64Mi
    Liveness:     http-get http://:3030/healthz delay=1s timeout=5s period=10s #success=1 #failure=3
    Readiness:    http-get http://:3030/healthz delay=1s timeout=5s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /etc/fluxd/ssh from git-key (ro)
      /root/.cache/helm/repository from repositories-cache (rw,path="v3")
      /root/.helm/repository/repositories.yaml from repositories-yaml (ro,path="repositories.yaml")
      /root/.kube from config (ro)
      /var/certs/ca.crt from flux-helm-repository-certs (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from helm-operator-token-mkzvs (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      helm-operator-kube-config
    Optional:  false
  git-key:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  helm-operator-git-deploy
    Optional:    false
  repositories-yaml:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  flux-helm-repositories
    Optional:    false
  repositories-cache:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  flux-helm-repository-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  flux-helm-repository-certs
    Optional:    false
  helm-operator-token-mkzvs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  helm-operator-token-mkzvs
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  16m   default-scheduler  Successfully assigned flux/helm-operator-5d87bd5b9d-927tc to test-control-plane
  Normal  Pulled     15m   kubelet            Container image "docker.io/fluxcd/helm-operator:1.2.0" already present on machine
  Normal  Created    15m   kubelet            Created container flux-helm-operator
  Normal  Started    15m   kubelet            Started container flux-helm-operator

And the repositories.yaml

$ k exec -n flux pod/helm-operator-5d87bd5b9d-927tc -- cat /root/.helm/repository/repositories.yaml
apiVersion: ""
generated: "0001-01-01T00:00:00Z"
repositories:
- caFile: /var/certs/ca.crt
  certFile: ""
  insecure_skip_tls_verify: false
  keyFile: ""
  name: myrepo
  password: test1234
  url: https://192.168.10.120:8443/chartrepo/myrepo
  username: test

And the log

$ k logs -n flux pod/helm-operator-5d87bd5b9d-927tc | tail -2
ts=2021-02-05T04:13:32.904630101Z caller=release.go:79 component=release release=default-accounting targetNamespace=default resource=default:helmrelease/accounting helmVersion=v3 info="starting sync run"
ts=2021-02-05T04:13:32.932277904Z caller=release.go:85 component=release release=default-accounting targetNamespace=default resource=default:helmrelease/accounting helmVersion=v3 error="failed to prepare chart for release: chart unavailable: looks like \"https://192.168.10.120:8443/chartrepo/myrepo\" is not a valid chart repository or cannot be reached: Get \"https://192.168.10.120:8443/chartrepo/myrepo/index.yaml\": x509: certificate signed by unknown authority"
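As an added example (not code from helm-operator, Helm, or this issue), the following Go program performs the check a practitioner would want before blaming the operator: it loads the configured caFile the way a TLS client does, confirms the path is a regular PEM file rather than a directory (a Kubernetes Secret volume mounted at a path without subPath appears as a directory named after the mount point), and verifies the repository's server certificate against it for the given host. A leaf signed by a different CA produces exactly the error quoted in the log above, "x509: certificate signed by unknown authority". The CA, the server certificate and the temp ca.crt are constructed inside the program; the IP 192.168.10.120 is reused from the issue only as a sample value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// loadCAFile reads a caFile the way a TLS client does: the path must be a regular
// PEM file holding at least one CA certificate. A Secret volume mounted at the
// path without subPath shows up as a directory, which is reported explicitly.
func loadCAFile(path string) (*x509.CertPool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if info.IsDir() {
		return nil, fmt.Errorf("caFile %s is a directory, not a PEM file", path)
	}
	pemBytes, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("caFile %s contains no parsable certificates", path)
	}
	return pool, nil
}

// checkRepoCA verifies a repository's server certificate (PEM) against the CA
// file for the given host or IP and returns the same x509 error Helm would log.
func checkRepoCA(caPath string, serverPEM []byte, host string) error {
	pool, err := loadCAFile(caPath)
	if err != nil {
		return err
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return fmt.Errorf("server certificate is not PEM encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// mintCert builds constructed test data: a self-signed CA when parent is nil,
// otherwise a server leaf for the IP address name, signed by parent.
func mintCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, name string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP(name)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	// Stand-alone demo: the CA written to a temp ca.crt verifies its own leaf; a
	// leaf from a different CA fails with "certificate signed by unknown authority".
	ca, caKey, caPEM, _ := mintCert(nil, nil, "repo-ca")
	_, _, leaf, _ := mintCert(ca, caKey, "192.168.10.120")
	other, otherKey, _, _ := mintCert(nil, nil, "other-ca")
	_, _, foreignLeaf, _ := mintCert(other, otherKey, "192.168.10.120")
	caPath := filepath.Join(os.TempDir(), "constructed-ca.crt")
	_ = os.WriteFile(caPath, caPEM, 0o600)
	defer os.Remove(caPath)
	fmt.Println("own CA:    ", checkRepoCA(caPath, leaf, "192.168.10.120"))
	fmt.Println("foreign CA:", checkRepoCA(caPath, foreignLeaf, "192.168.10.120"))
}
```

Run it with `go run`. Against a real deployment the same two questions apply inside the container: is the configured caFile path a regular file (for a single Secret key, the volume mount needs subPath; otherwise the path is a directory holding one file per key), and does the PEM it holds actually contain the CA that issued the repository's serving certificate, not merely some certificate. Either failure surfaces to Helm as the generic unknown-authority error, so checking the file first saves a lot of guessing.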

kingdonb commented 2 years ago

Sorry if your issue remains unresolved. The Helm Operator is in maintenance mode, we recommend everybody upgrades to Flux v2 and Helm Controller.

A new release of Helm Operator is out this week, 1.4.4.

We will continue to support Helm Operator in maintenance mode for an indefinite period of time, and eventually archive this repository.

Please be aware that Flux v2 has a vibrant and active developer community who are actively working through minor releases and delivering new features on the way to General Availability for Flux v2.

In the meantime, this repo will still be monitored, but support is basically limited to migration issues only. I will have to close many issues today without reading them all in detail because of time constraints. If your issue is very important, you are welcome to reopen it, but due to staleness of all issues at this point a new report is more likely to be in order. Please open another issue if you have unresolved problems that prevent your migration in the appropriate Flux v2 repo.

Helm Operator releases will continue as possible for a limited time, as a courtesy for those who still cannot migrate yet, but these are strongly not recommended for ongoing production use, as our strict adherence to semver backward compatibility guarantees limits many dependencies and we can only upgrade them so far without breaking compatibility. So there are likely known CVEs that cannot be resolved.

We recommend upgrading to Flux v2 which is actively maintained ASAP.

I am going to go ahead and close every issue at once today. Thanks for participating in Helm Operator and Flux! 💚 💙