HELM install of GitHub hosted charts fail behind corporate proxy

[Ju-Ru]

Dear community,

as a corporate user, I need to configure development tools to use a corporate proxy and ca authority. This, as such, is causing many problems as you can imagine. However, after some struggles, I got all tools accepting the proxy/ca settings. Only with HELM I found an issue that I cannot easily overcome.

• The issue is not related to the "repo add" step, which works fine with the "--ca-file" setting, although a repo-agnostic/general setting would be nice to have for this use case.
• The problem occurs in the "install" step, when HELM seems to try to download a HELM manifest hosted from GitHub.

ChatGPT indicates that it could be related to the strict TLS certificate validation of Go or a problem of confusing certificates as result of a redirect. There seem to be request to both domains ".github.com" and ".github.io" involved. I have a hard time to pin the problem further down. All involved URLs listed below are accessible in a web browser on the same system. In all cases the corporate ca is used.

Minimum steps to reproduce (in corporate setting using proxy): helm repo add --debug --ca-file $caCertPath oauth2-proxy https://oauth2-proxy.github.io/manifests/ helm repo update helm install oauth2-proxy oauth2-proxy/oauth2-proxy

The variable $caCertPath is a path to the corporate ca file. I left out the actual proxy configuration, which is correctly adopted by HELM from the environment variables (HTTPS_PROXY, HTTP_PROXY).

This leads to the following error: Downloading oauth2-proxy from repo https://oauth2-proxy.github.io/manifests/ Save error occurred: could not download https://github.com/oauth2-proxy/manifests/releases/download/oauth2-proxy-6.19.1/oauth2-proxy-6.19.1.tgz: Get "https://github.com/oauth2-proxy/manifests/releases/download/oauth2-proxy-6.19.1/oauth2-proxy-6.19.1.tgz": tls: failed to verify certificate: x509: certificate is valid for github.com, www.github.com, not oauth2-proxy.github.io Error: could not download https://github.com/oauth2-proxy/manifests/releases/download/oauth2-proxy-6.19.1/oauth2-proxy-6.19.1.tgz: Get "https://github.com/oauth2-proxy/manifests/releases/download/oauth2-proxy-6.19.1/oauth2-proxy-6.19.1.tgz": tls: failed to verify certificate: x509: certificate is valid for github.com, www.github.com, not oauth2-proxy.github.io

Tests were done on Ubuntu (WSL2) with HELM version: version.BuildInfo{Version:"v3.15.2", GitCommit:"1a500d5625419a524fdae4b33de351cc4f58ec35", GitTreeState:"clean", GoVersion:"go1.22.4"}

Thanks in advance for your support.

[bbaassssiiee]

Not an issue of Helm. Your proxy does SSL inspection and does not handle Subject Alternate Names correctly.