rancher / fleet

Deploy workloads from Git to large fleets of Kubernetes clusters
https://fleet.rancher.io/
Apache License 2.0

Imagescan: x509: certificate signed by unknown authority #2238

Open mverleun opened 4 months ago

mverleun commented 4 months ago

Is there an existing issue for this?

Current Behavior

When ImageScan tries to connect to a private registry (Harbor) which is configured with a private CA, the TLS connection fails.

Expected Behavior

This is expected behaviour because ImageScan does not allow configuring a private CA, only a secretRef to connect to a (private) registry.

Steps To Reproduce

Create an Imagescan object in a cluster that is using a private CA. Try to connect to a registry which is also using a private CA, but a different one. Check the logs of fleet-controller or look at the status of the object:

apiVersion: fleet.cattle.io/v1alpha1
kind: ImageScan
metadata:
...
spec:
  gitrepoName: image-tooling
  image: harbor.local/image-name
  interval: 0s
  policy:
    alphabetical:
      order: asc
    semver:
      range: '*'
  tagName: comm-docs
status:
  conditions:
    - lastUpdateTime: '2024-03-19T11:55:22Z'
      message: >-
        Get "https://harbor.local/v2/": tls: failed to verify
        certificate: x509: certificate signed by unknown authority; Get
        "http://harbor.local/v2/": dial tcp 10.1.1.1:80: i/o
        timeout
      reason: Error
      status: 'False'
      type: ImageScanned
  lastScanTime: null

Environment

- Architecture: x64
- Fleet Version: 0.9.0
- Cluster:
  - Provider: Rancher, K3S
  - Options: Installed as part of Rancher
  - Kubernetes Version: 1.27.9+k3s2

Logs

No response

Anything else?

No response
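As an added example (not Fleet's own code), the following Go program reproduces the failure in the status above against a stand-in for Harbor and shows the only client-side fix: the private CA has to be in the TLS RootCAs pool. It assumes httptest's self-signed localhost certificate plays the role of the private CA, and that the first request a registry client makes is GET /v2/, as the ImageScan status shows.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probeRegistry issues the GET /v2/ that a registry client sends first (the
// request seen in the ImageScan status). roots == nil means "system CA bundle
// only", which is all a client without a configurable private CA can do.
func probeRegistry(baseURL string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Get(baseURL + "/v2/")
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// isUnknownAuthority reports whether err is the x509 "certificate signed by
// unknown authority" failure, unwrapping the url/tls layers around it.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// newPrivateRegistry is a stand-in for Harbor (constructed for this example):
// a TLS server whose certificate (httptest's self-signed localhost cert) is
// unknown to the system trust store, like a cert issued by a private CA.
func newPrivateRegistry() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	return httptest.NewTLSServer(mux)
}

func main() {
	srv := newPrivateRegistry()
	defer srv.Close()
	err := probeRegistry(srv.URL, nil) // system roots only: fails like ImageScan
	fmt.Printf("system roots: %v (unknown authority: %t)\n", err, isUnknownAuthority(err))
	pool := x509.NewCertPool() // trust the private CA explicitly: succeeds
	pool.AddCert(srv.Certificate())
	fmt.Println("with private CA in RootCAs:", probeRegistry(srv.URL, pool))
}
```

Note that the status message also shows a fallback to plain http://, which only times out here; a registry client should fail closed on verification errors rather than retry without TLS.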

georgeyaodi commented 3 months ago

I was blocked by the same error on my validation environment; I am validating Fleet with the image scanning function to automate the CD work. I configured a secret for the Harbor, but since my Harbor uses a private CA, the GitRepo cannot be created as expected; Rancher prompted "certificate signed by unknown authority."