nephio-project / nephio

Nephio is a Kubernetes-based automation platform for deploying and managing highly distributed, interconnected workloads such as 5G Network Functions, and the underlying infrastructure on which those workloads depend.
Apache License 2.0

porch function runner is unable to pull image from a repository with self-signed certificate #819

Open dromie opened 1 day ago

dromie commented 1 day ago

There is no configuration option to add a trusted private certificate authority for pulling docker images.

Mounting a configmap/secret to /etc/ssl/cert.pem does work as a workaround.
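The workaround above, written out as a manifest. This is an added example and is not code from the issue or from the porch tree; the Deployment name `function-runner`, the container name `function-runner` and the namespace `porch-system` are assumptions to check against your cluster with `kubectl -n porch-system get deployment`. Two points a practitioner should keep in mind: the projected file replaces the container's whole trust bundle, so if the function runner also pulls from public registries the `cert.pem` key has to contain the public roots plus the private CA, not the private CA alone; and a `subPath` mount is not refreshed when the ConfigMap changes, so the pods must be rolled after rotating the CA.

```yaml
# Added example manifest for the /etc/ssl/cert.pem workaround; not from the issue
# or the porch tree. Assumed names: Deployment "function-runner" with container
# "function-runner" in namespace "porch-system". The cert.pem key holds the
# registry's CA (placeholder below), concatenated with the public roots if the
# runner also pulls from public registries, because this file replaces the
# container's entire trust bundle.
apiVersion: v1
kind: ConfigMap
metadata:
  name: private-ca-bundle
  namespace: porch-system
data:
  cert.pem: |
    -----BEGIN CERTIFICATE-----
    <PEM body of the private CA goes here>
    -----END CERTIFICATE-----
---
# Second document: a strategic merge patch for the runner Deployment, applied with
#   kubectl -n porch-system patch deployment function-runner --patch-file patch.yaml
# (the ConfigMap above is applied normally with kubectl apply). subPath mounts are
# not updated when the ConfigMap changes; restart the pods after rotating the CA.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: function-runner
  namespace: porch-system
spec:
  template:
    spec:
      volumes:
        - name: private-ca-bundle
          configMap:
            name: private-ca-bundle
      containers:
        - name: function-runner
          volumeMounts:
            - name: private-ca-bundle
              mountPath: /etc/ssl/cert.pem
              subPath: cert.pem
              readOnly: true
```

This works because `/etc/ssl/cert.pem` is one of the fixed paths Go's `crypto/x509` scans for the system root bundle on Linux. Go also honours the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, so an alternative with the same effect is to mount the bundle at a path of your choosing and set `SSL_CERT_FILE` on the container, which leaves the image's own file untouched.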

Catalin-Stratulat-Ericsson commented 1 day ago

Hello @dromie, if your question relates to you trying to pull an image from a registry that requires authentication to access, then I believe this PR that has just been merged suits what you are looking for.

Here is some documentation of how to set it up.

Let me know if that suits your needs.

dromie commented 1 day ago

I've seen your PR about authentication, but this issue is about the SSL/TLS certificate of the registry. The actual error message is "cert: x509: certificate signed by unknown authority: Get "https://": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Catalin-Stratulat-Ericsson commented 1 day ago

Perhaps you could try this. It's intended for git deployments over https, but it may also work for your use case.

Am I understanding your point correctly? Your registry is behind https and the TLS certificate required to access it is self-signed on your machine, and there does not seem to be a means of including that in the function-runner deployment to use in case of a TLS requirement on the container registry.

Catalin-Stratulat-Ericsson commented 1 day ago

If you could provide a step-by-step issue reproduction with logs, that would be very helpful.

kispaljr commented 1 day ago

Steps to reproduce the issue:

  1. deploy a local container image registry (e.g. Harbor) with a self-signed TLS certificate, that is accessible e.g. at https://local-registry.my/...
  2. push a KRM function into the registry, e.g. local-registry.my/krm-fn/set-labels:1.0
  3. porchctl rpkg init my-pkg --repository my-repo --workspace initial
  4. porchctl rpkg pull ...
  5. edit the Kptfile and add local-registry.my/krm-fn/set-labels:1.0 to the pipeline, e.g.:

     apiVersion: kpt.dev/v1
     kind: Kptfile
     metadata:
       name: my-pkg
       annotations:
         config.kubernetes.io/local-config: "true"
     pipeline:
       mutators:
         - image: local-registry.my/krm-fn/set-labels:1.0

  6. porchctl rpkg push ...

The rendering of the package (that is triggered by push) will fail, because porch (actually the function-runner) will be unable to pull the local-registry.my/krm-fn/set-labels:1.0 KRM function due to "tls: failed to verify certificate: x509: certificate signed by unknown authority".
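The failure in the reproduction above, and the trust-bundle workaround from the first comment, reduced to a self-contained Go program. This is an added example, not code from the issue or from porch: it uses plain net/http, which is the same crypto/tls and crypto/x509 stack any Go image puller goes through, rather than the runner's own registry client. An in-process httptest server stands in for Harbor, the private CA and the server certificate for the constructed host name local-registry.my are generated at run time, and an empty cert pool stands in for a trust store that lacks the private CA (the public bundle in the runner image fails the same way). The second probe loads the CA with AppendCertsFromPEM, which is exactly what crypto/x509 does with the bundle file it finds at /etc/ssl/cert.pem.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// registryHost is the constructed name from the reproduction steps; nothing resolves it.
// The in-process server is reached by IP and verified under this name via ServerName.
const registryHost = "local-registry.my"

// newPrivateCA mints a throwaway private CA and a server certificate for registryHost
// signed by it. Returns the CA as PEM (the operator's bundle input) and the server cert.
func newPrivateCA() (caPEM []byte, srv tls.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, srv, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, srv, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, srv, err
	}
	caCert, err := x509.ParseCertificate(caDER) // issued form carries the generated SubjectKeyId
	if err != nil {
		return nil, srv, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: registryHost}, DNSNames: []string{registryHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, srv, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}, nil
}

// ProbeRegistry performs the registry ping (GET /v2/) that precedes every image pull,
// trusting only the roots in pool. A nil pool would mean Go's system roots, which is
// what an unconfigured puller uses and why a private CA is rejected.
func ProbeRegistry(baseURL string, pool *x509.CertPool) error {
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: registryHost},
	}}
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return err // Go 1.20+: `Get "https://...": tls: failed to verify certificate: x509: ...`
	}
	resp.Body.Close()
	return nil
}

// IsUnknownAuthority reports whether err is, or wraps, the x509 error behind the
// message quoted in the issue, "certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Demo stands up an in-process TLS server as the registry and probes it twice: with a
// trust store lacking the private CA, then with the CA bundle loaded the way Go loads
// /etc/ssl/cert.pem. It returns both probe errors plus any setup error.
func Demo() (withoutCA, withCA, setup error) {
	caPEM, srvCert, err := newPrivateCA()
	if err != nil {
		return nil, nil, err
	}
	reg := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	reg.TLS = &tls.Config{Certificates: []tls.Certificate{srvCert}}
	reg.StartTLS()
	defer reg.Close()
	// Empty pool: stands in for a trust store (e.g. the image's public bundle) without the CA.
	withoutCA = ProbeRegistry(reg.URL, x509.NewCertPool())
	// AppendCertsFromPEM is what crypto/x509 does with the mounted bundle: each CERTIFICATE
	// block becomes a trusted root.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return withoutCA, nil, errors.New("bundle contains no CERTIFICATE block")
	}
	return withoutCA, ProbeRegistry(reg.URL, pool), nil
}
```

The first probe fails with an error that `errors.As` resolves to `x509.UnknownAuthorityError`, the same condition the runner logs; the second succeeds with no other change than the root pool. The only thing the workaround changes is that pool, which is why concatenating the private CA onto the public bundle (rather than replacing it) keeps pulls from public registries working.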