Closed codering closed 2 days ago
Hi @codering, self-signed certificates should already be supported; have you tried specifying a secret from your self-signed cert and referencing it in your GitRepo, as explained here?
Looks like we only use the cert for go-getter URLs. Not for OCI.
@manno I could add support for this based on the work in #2238
I can confirm this worked for me running 2.9.
I installed a private docker registry with self-signed certs and no auth.
In my case my certs folder looks like this:
ll /home/xavi/dev/docker-registry/1/certs/
total 12K
-rw-r--r-- 1 xavi xavi 985 Jul 4 14:09 domain.crt
-r-------- 1 xavi xavi 916 Jul 4 14:07 domain.key
-rw-r--r-- 1 xavi xavi 436 Jul 4 14:08 san.cnf
I'm starting the registry with:
docker run --rm \
--name registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 5000:5000 \
registry
I created a secret this way:
kubectl create secret -n fleet-local generic helm --from-file=cacerts=/home/xavi/dev/docker-registry/1/certs/domain.crt
And finally added the secret to my GitRepo
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  name: sample
  namespace: fleet-local
spec:
  repo: "https://github.com/0xavi0/fleet-examples"
  branch: test-2265
  helmSecretName: helm
  paths:
    - test-2265
Fleet yaml file:
namespace: fleet-local
helm:
  releaseName: fleet-test-configmap
  chart: "oci://192.168.1.43:5000/superchart"
  repo: ""
  version: "1.0.0"
Hope it helps.
I'm closing this issue as I also tested the go-getter option and both work.
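The steps above boil down to one trust decision: the PEM in the secret's cacerts key is the only authority the controller accepts for the registry named in the oci:// URL, and the registry's certificate must also carry that host (here the IP 192.168.1.43) as a SAN, which is what san.cnf provides. The following Go program, added here as an illustration and not Fleet's own code, reproduces that check in a self-contained way: it mints a self-signed registry certificate (the equivalent of domain.crt), builds a cert pool from the PEM exactly as a "cacerts" value would be consumed, and verifies the certificate against the pool and the host. The helper names, the "registry" common name and the IP are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// caPoolFromSecretData builds a trust pool from the PEM bundle stored under the
// "cacerts" key of the helm secret. Hypothetical helper, not Fleet's API.
func caPoolFromSecretData(cacerts []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(cacerts) {
		return nil, errors.New("cacerts contains no parseable PEM certificate")
	}
	return pool, nil
}

// verifyRegistryCert checks the certificate the registry presents (DER) against
// the cacerts pool and the host taken from the oci:// URL, as a TLS client does:
// chain must end in the pool AND the host must match a SAN (IP or DNS name).
func verifyRegistryCert(cacerts, leafDER []byte, host string) error {
	pool, err := caPoolFromSecretData(cacerts)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host, // an IP string is matched against IPAddresses
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// newSelfSignedRegistryCert is the in-process equivalent of generating
// domain.crt with openssl and a san.cnf: a self-signed certificate carrying the
// given IP and DNS SANs. It returns the PEM (what goes into the secret) and the
// DER (what the registry presents on the wire). Constructed for the example.
func newSelfSignedRegistryCert(ips, dns []string) (pemBytes, der []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "registry"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: acts as its own root
		DNSNames:              dns,
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	pemBytes = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return pemBytes, der, nil
}

func main() {
	caPEM, leafDER, err := newSelfSignedRegistryCert([]string{"192.168.1.43"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("host in SAN, cert in cacerts:", verifyRegistryCert(caPEM, leafDER, "192.168.1.43"))
	fmt.Println("host not in SAN:", verifyRegistryCert(caPEM, leafDER, "192.168.1.44"))
	noSANPEM, noSANDER, _ := newSelfSignedRegistryCert(nil, nil)
	fmt.Println("CN-only cert, no SAN:", verifyRegistryCert(noSANPEM, noSANDER, "192.168.1.43"))
}
```

The two failure cases in main are the ones that show up as TLS errors in practice: a certificate whose SANs do not include the address used in the chart URL, and a certificate that relies on CN alone (Go, and therefore Helm's OCI client, ignores CN for hostname matching), which is why the san.cnf step matters even when the right PEM is in the secret.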
I use k8s to deploy docker-registry, and set up a self-signed certificate to host my helm charts, but fleet cannot currently obtain my charts. For example, with my fleet.yaml, the following error message is reported: