Bug: (or docs issue): Games Example doesn't work on zarf 0.13.3 when using cert imported from Lets Encrypt Free CA #193
Comments
One of our issues right now is Zarf is changing faster than the docs can keep up. Mostly expected given the early beta mode we are in, but still a pain. Let's create a new issue to track to update the docs related to the doom game demo (with @neoakris as a user/stakeholder/guinea pig), and use this issue to track the outlined use case. @edengebrezgi and @wadedesir (with @YrrepNoj 's help as needed), can you please:
I suspect there's something else going on here than just the doom example not working. The use case laid out here does extra things that aren't part of the base demo. Where is Edit: Ah there it is, you're adding it to your hosts file |
I'm working on recreating the way you're doing it (it looks to be working fine when you don't import certs and use
Running
I thought we fixed that by adding the IP SAN it was looking for for 127.0.0.1, so I'm not expecting to see an x509 error here. Will look into it. |
Addl note: We should create docs for doing the doom example with an imported cert like we do here, as a step for a more advanced user. |
If I add
I added registry.bigbang.dev to /etc/hosts It's why the following works
Also the cert / key pair I pull in my copy pasteable example is from a public repo, and it's a Lets Encrypt Free Wildcard Cert / Signed by Public Internet CA The reason you got cert invalid is because you didn't copy paste my reproducible example / you used bigbang.dev instead of registry.bigbang.dev |
ahh gotcha, I didn't realize the cert didn't include the base So I think we're left with why |
I mentioned in the original post "I tried the game example doc (with and without slight modifications)" Without slight modifications from your directions was me trying it with zarf's auto generated cert, but I couldn't figure out how to get it to work either, since you had success with that route I'll revisit it. / I'll refresh my environment and try it with the auto generated certs again to see if I fare any better this time. |
That could be the problem, in that version the injected certs include 127.0.0.1, a generated cert wouldn't normally. We might need to update docs or wait for the native apply which makes that point irrelevant. |
oh! That's a good point. I didn't think of that. That's the reason for sure. When we generate the cert we include 127.0.0.1 but we aren't generating the cert in this case. I'm writing up an issue to add an E2E test for using an imported cert and a host other than |
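Added example (not part of the thread and not Zarf's code): a Go check of which hosts a certificate's SANs fail to cover, reproducing the two findings above. The certificates are constructed stand-ins, and their SAN lists are assumptions modelled on the wildcard cert and the generated cert discussed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a constructed, self-signed sample cert with the given SANs.
func makeCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// uncoveredHosts returns the hosts a TLS client would reject for this cert.
func uncoveredHosts(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		// IP literals are matched against IP SANs, names against DNS SANs.
		if err := cert.VerifyHostname(h); err != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	hosts := []string{"registry.bigbang.dev", "bigbang.dev", "127.0.0.1"}
	imported, _ := makeCert([]string{"*.bigbang.dev"}, nil) // wildcard only
	generated, _ := makeCert([]string{"*.bigbang.dev"}, []net.IP{net.ParseIP("127.0.0.1")})
	fmt.Println(uncoveredHosts(imported, hosts), uncoveredHosts(generated, hosts))
}
```

The wildcard-only certificate is rejected for both `bigbang.dev` and `127.0.0.1`; adding the IP SAN clears only the loopback address, since a wildcard never matches the base domain.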
I must have typo'd somewhere the first time I tried it using a zarf generated cert and couldn't get it to work I got it to work by retrying from scratch using the following slight changes.
I'll update the title to clarify imported cert |
)

### Breaking Changes:
* `localhost` is no longer a valid option for cluster ingress when initializing a zarf cluster. Instead you have to use a `127.0.0.1` or some other local ip found via `ifconfig`

### Fixes:
* No longer depends on 127.0.0.1 local bindings for the registry / gitops service
* should fix #193
* Resolve outstanding issues with image hostname swapping and
* fixes #18
* fixes #44
* fixes #194

### Features:
* Adds `before` and `after` script options when defining a `zarf.yaml` with an optional retry flag
* Add symlink to ZarfFile for creating links to places files
* Add template boolean to ZarfFile to allow injection of zarf variables into text files
* Adds a new `zarf tool` command to print out config schema and commit the output to the repo (will need to make a git hook or something later on)
* Changes `zarf destroy` command to run any script that starts with `zarf-clean` instead of only running the k3s-remove script
* Add new ZarfState and `.zarf-state.yaml` for persisting host information from `zarf init` to `zarf package deploy`
* Remove all hard-coded logic for k3s install, now uses only standard zarf component features like everything else
* Add user prompt with host/IP address suggestions for ingress

#### Misc:
* Upgrades k3s from v1.21.2 to v1.21.6
* Adds optional regex filter for when performing RecursiveFileList()
* Adds more description to the components in zarf.yaml
* Renames type ZarfConfig to ZarfPackage in the config pkg
* Handful of general code organizing changes (moving yaml related functions to the `...../utils/yaml.go`, etc.)
* Expose execCommand() with stdout control
* Move traefik to standalone component and drop the internal k3s install of traefik
* Use the airgap tarball of K3s instead of manually listing images
* Cleanup init prompt logic

Signed-off-by: Jeff McCoy <code@jeffm.us>
Edit -- TLDR summary of findings:
Zarf fails to populate its container registry, when imported HTTPS certs are used that don't allow for 127.0.0.1 (so public internet CA signed ones won't work), but zarf's self generated HTTPS certs will work.
Summary:
So about the docs... I've messed with zarf several times, but have never been able to get anything beyond zarf init to work correctly. (which offers an empty git repo + empty registry)
(This is why I didn't realize that zarf can populate its registry + git repo, when I talked over zoom with @jeff-mccoy)
I tried the game example doc (with and without slight modifications) and I get image pull backoff, which shows the registry never got populated.
Before I go into steps to reproduce the bug I think you'll find my desired use case valuable.
Background context info about my ultimate use case:
Copy Paste-able Reproducibility commands: