flux bootstrap git cannot clone repo with custom CA certificate #1775

Closed
1 task done
makkes opened this issue Aug 31, 2021 · 1 comment · Fixed by #1782
makkes commented Aug 31, 2021

Describe the bug

I'm running into a problem bootstrapping a repository served from a custom CA:

 flux bootstrap git --password=git123 --username=git --url=https://git.172.18.100.0.sslip.io/repo --path=flux --ca-file=ca.crt
► cloning branch "main" from Git repository "https://git.172.18.100.0.sslip.io/repo"
✗ failed to clone repository: Get "https://git.172.18.100.0.sslip.io/repo/info/refs?service=git-upload-pack": x509: certificate signed by unknown authority

The ca.crt file, however, contains the certificate that was used to sign the git server's certificate.

Steps to reproduce

  1. start a kind cluster
  2. start a Git server with a self-signed certificate or one signed by a custom CA
  3. run above command

Expected behavior

Bootstrapping works properly.

Screenshots and recordings

No response

OS / Distro

Ubuntu 20.04.3

Flux version

0.17

Flux check

► checking prerequisites
✔ kubectl 1.20.2 >=1.18.0-0
✔ Kubernetes 1.21.1 >=1.16.0-0
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v0.11.2
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.14.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.16.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.15.4
✔ all checks passed

Git provider

No response

Container Registry provider

No response

Additional context

Discussion on Slack

Code of Conduct

  • I agree to follow this project's Code of Conduct
@kingdonb
Member

Max raised this issue yesterday via Slack and when we looked into it, we found that go-git was not configured to use the CA cert, but apparently could be. He is working on a PR to make this possible as a bootstrap-time configuration; this should fix another edge case where certain configurations cannot use bootstrap. 💯

Thanks for looking into this @makkes

makkes pushed a commit to makkes/flux2 that referenced this issue Sep 1, 2021
When a user provided the `--ca-file` flag to the `bootstrap` command,
the given CA file wasn't taken into account for cloning the repository
locally. It was just passed along to the CR that is created so Flux
can make use of it when cloning the repository in-cluster.

However, users may not want to add a custom CA to their local host's
trust chain and may expect the `--ca-file` flag to be respected also
for cloning the repository locally. This is what this commit
accomplishes.

closes fluxcd#1775

Signed-off-by: Max Jonas Werner <mail@makk.es>
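
The behaviour the commit message describes, as an added example (not code from the Flux commit): a Go HTTP client that trusts the CA from a PEM file for the local clone request without touching the host trust store. The names `clientWithCA`, `probe` and `demo` are hypothetical, and the TLS server and its certificate are a constructed local fixture standing in for the Git server.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithCA returns an HTTP client that trusts only the CAs in caPEM
// (the contents of a --ca-file); the system trust store is neither used nor modified.
func clientWithCA(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no valid PEM certificate found in CA data")
	}
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}, nil
}

// probe issues the first request of a smart-HTTP Git clone, as seen in the error above.
func probe(c *http.Client, repoURL string) error {
	resp, err := c.Get(repoURL + "/info/refs?service=git-upload-pack")
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// demo runs probe against a private-cert server with the default and the CA-aware client.
func demo() (defaultErr, customErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	custom, err := clientWithCA(caPEM)
	if err != nil {
		return nil, err
	}
	return probe(&http.Client{}, srv.URL+"/repo"), probe(custom, srv.URL+"/repo")
}

func main() {
	d, c := demo()
	fmt.Printf("default trust store: %v\nwith CA pool: %v\n", d, c)
}
```

With go-git, a client built this way can be registered for HTTPS through `client.InstallProtocol("https", githttp.NewClient(c))`; whether the Flux fix uses that route is not stated on this page.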
makkes pushed a commit that referenced this issue Nov 7, 2021
souleb pushed a commit to souleb/flux2 that referenced this issue Jul 10, 2023