-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ApplicationSet controller receives x509: certificate signed by unknown authority, when using SCM, PR or Git generator with private bitbucket server #9607
Comments
Observations:
|
ApplicationSet CRD with status events
|
Yeah it's a bug |
+1 same problem using GitLab on-premisses |
+1 same problem... |
+1 same |
Is there a workaround possible? |
I'm not aware of any workaround. We need to provide a way to set TLS configurations for various endpoints. For certain generators (PR generator?) it might make sense to pull the TLS config from any already-configured repo creds in the argocd namespace. For others (SCM generator), we'll probably need a separate ConfigMap (maybe reuse argocd-cm?) to store the TLS config. As always, PRs welcome. If a core contributor manages to pick this up, they'll drop a note here. 🙂 |
a blocker for us to use applicationsets. is there a way to allow unsafe certificates instead of trusting them? |
+1, this is a showstopper for us. We're experiencing this issue when using a Helm chart source with a cert signed by our custom CA, despite having explicitly mounted the cert chain in /etc/ssl/certs on the filesystem of the pods of the controller, server, repo server and applicationset controller. Argo CD 2.5.3+0c7de21 installed with helm chart v5.9.1 |
Ran into this issue today, this is the workaround I found (keep in mind we're using an on premise setup of argocd and gitlab and thus don't need the usual certificates): In the values.yaml of the argocd deployment add: applicationSet: This will mount the tls certificates from argocd's config-map into the default ssl certificate folder of golang's http client, getting around the issue. It does however override the other certificates so this isn't ideal, maybe someone can further improve on it in the future, at least until an option is made available to append these tls certificates. Best of luck! |
Hi,
This way we also get to keep whatever default certificates argo throws in /etc/ssl/certs! Hope this helps others who are having the same issues. I noticed there are quite a few issues registered here with similar or directly related problems:
I still find it odd that certificates added to argo proper (e.g. via the UI or declaratively in the configmap for trusted tls certificates) do not register as valid when it comes to Argo CD using the Helm client. That seems to be a common thread with all these issues. |
We have a self-signed CA that needs to apply for all URLs so we BYOI. Isn't as clean as a volume mount but also works.
|
I'm not entirely sure but I believe I'm having the same issue when using Helm through Kustomize. But not when using Helm directly. |
Hi @guydolinksy @crenshaw-dev @D-BlindSide @zetti12345 @flaviohrocha We are also facing the same issue. We are using Openshift operator to install ArogoCd i tried to update applicationSet by creating the secret as mentioned above but after i add volume section operator reloads and removes the volumes which i added. Please help if there is any other workaround or how to solve this issue |
We have the same issue under Openshift 4.13 running the Openshift GitOps Operator (ArgoCD v2.6.7).
The repositories inside ArgoCD are not "insecure", so the certificates are implemented correct. But the scmProvider generator obviously has problems with them. |
They might solve it for GitLab. We'd need equivalent PRs for other SCM providers. I do think it's a miss that ApplicationSet doesn't know how to use the existing configured certificates. There's a similar problem with repositories, because there's incongruence between accessing an SCM's git interface and accessing its broader API. |
My simple workaround for the Pull Request Generator was to add the Cert at settings / Repository certificates and known hosts.
|
I had the same experience as @ThomasVitt with ApplicationSet generators - the git generator connects successfully, but the scmProvider generator (with bitbucketServer) fails with "x509: certificate signed by unknown authority". Both generators are configured with the same protocol (https:) and the same Bitbucket Server hostname. The Bitbucket Server hostname matches an Argo CD "repository certificate" stored in argocd-tls-certs-cm, which must be sufficient for the git generator. |
@ThomasVitt still running into this error on 2.8 with BitBucket Server. No workaround available for us so this is an impediment. Anyone working on this? Any planning for this one? |
Slack conversation thread : https://cloud-native.slack.com/archives/C01U45M2SVB/p1654569552211179
Checklist:
argocd version
.Describe the bug
Receive
x509: certificate signed by unknown authority
when application set controller with an SCM generator attempts to connect to a private bitbucket server.To Reproduce
Expected behavior
Expected the application set controller to be able to communicate with bitbucket server API's to list repositories and automate ArgoCD application generation.
Screenshots
Version
Logs
The text was updated successfully, but these errors were encountered: