Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use HELM behind proxy: support insecure repositories when charts get downloaded #7875

Closed
ghost opened this issue Apr 4, 2020 · 7 comments · Fixed by #8039
Closed

Use HELM behind proxy: support insecure repositories when charts get downloaded #7875

ghost opened this issue Apr 4, 2020 · 7 comments · Fixed by #8039
Assignees
@xvzf
Labels
bug Categorizes issue or PR as related to a bug.

Comments

@ghost
Copy link

ghost commented Apr 4, 2020
edited by ghost

Version info

Output of helm version: v3 canary build 4/4/2020
Output of kubectl version: 1.16.2
Cloud Provider/Platform (AKS, GKE, Minikube etc.): Minishift

Context

Recently support for insecure registries has been added:

Although adding the insecure registries works perfectly, we cannot pull/install/upgrade images due to TLS verification still being done.

Configuration:

Helm 'repositories.yaml' configuration:

apiVersion: ""
generated: "0001-01-01T00:00:00Z"
repositories:
- caFile: ""
  certFile: ""
  insecure_skip_tls_verify: true
  keyFile: ""
  name: fluxcd
  password: ""
  url: https://<helm-repository>/repository/helm-fluxcd/
  username: ""

Problem

When pulling the chart we get following error:

bamboo@app-bamboo-agent-5:~$ helm pull fluxcd/flux
Error: Get https://<helm-repository>/repository/helm-fluxcd/flux-1.3.0.tgz: x509: certificate signed by unknown authority

Just making sure by specyfing the repo directly:

bamboo@app-bamboo-agent-5:~$ helm pull fluxcd/flux --repo https://repo.crelan-int.be/repository/helm-fluxcd/
Error: looks like "https://<helm-repository>/repository/helm-fluxcd/" is not a valid chart repository or cannot be reached: Get https://<helm-repository>/repository/helm-fluxcd/index.yaml: x509: certificate signed by unknown authority

Fix

Current pull, install and upgrade commands should keep into account that TLS verification is not required if the repository is marked as insecure.
@ghost ghost mentioned this issue Apr 4, 2020
Merged
@xvzf
Copy link
Contributor

xvzf commented Apr 4, 2020

/assign xvzf

@technosophos technosophos added the bug Categorizes issue or PR as related to a bug. label Apr 6, 2020
@technosophos
Copy link
Member

It looks like @xvzf has self-assigned! Thanks! I have added the bug label. Let me know if you feel that this is more of a feature request.

@ghost ghost mentioned this issue Apr 8, 2020
Closed
@xvzf xvzf mentioned this issue May 1, 2020
Closed
xvzf pushed a commit to xvzf/helm that referenced this issue May 1, 2020
added option --insecure-skip-tls-verify for helm pull, addresses helm…
918deee 
…#7875

Signed-off-by: Matthias Riegler <matthias.riegler@taotesting.com>
@xvzf xvzf mentioned this issue May 1, 2020
Merged
@xvzf
Copy link
Contributor

xvzf commented May 1, 2020

Why this is a draft: Seems like it breaks something with the Kubernetes cluster configuration and I don't know why yet 😞

 ! [lola ~/p/helm] git:(fix_insecure_skip_verify) ✗ go run ./cmd/helm install --insecure-skip-tls-verify test fluxcd/flux
Error: Kubernetes cluster unreachable: Get "https://kubernetes.docker.internal:6443/version?timeout=32s": x509: certificate signed by unknown authority
exit status 1

xvzf pushed a commit to xvzf/helm that referenced this issue May 1, 2020
added option --insecure-skip-tls-verify for helm install, addresses h…
8ff7801 
…elm#7875

Signed-off-by: Matthias Riegler <matthias.riegler@taotesting.com>
@xvzf
Copy link
Contributor

xvzf commented May 1, 2020

Nvm, mitmproxy also proxies the k8s apiserver, PR is done

@paulczar
Copy link
Contributor

It looks like this is resolved, there may still be an issue with helm accessing an insecure k8s cluster, but the repo/charts are good. Feel free to open a new issue if we need to resolve the latter.

@xvzf
Copy link
Contributor

xvzf commented Jun 24, 2020

@paulczar issue is closed by a still open PR - I suggest to keep this open for tracking!

bacongobbler pushed a commit that referenced this issue Jun 24, 2020
Merge pull request #8039 from xvzf/fix_insecure_skip_verify
b167ce0 
added option --insecure-skip-tls-verify for helm pull, install and upgrade, addresses #7875
@bacongobbler
Copy link
Member

merged #8039 just now, so we should be good here.

pmengelbert pushed a commit to pmengelbert/helm that referenced this issue Jun 29, 2020
@pmengelbert
added option --insecure-skip-tls-verify for helm pull, addresses helm…
f2369e0 
…#7875

Signed-off-by: Matthias Riegler <matthias.riegler@taotesting.com>
pmengelbert pushed a commit to pmengelbert/helm that referenced this issue Jun 29, 2020
@pmengelbert
added option --insecure-skip-tls-verify for helm install, addresses h…
34ed2a5 
…elm#7875

Signed-off-by: Matthias Riegler <matthias.riegler@taotesting.com>
vladfr pushed a commit to vladfr/helm that referenced this issue Sep 30, 2020
@vladfr
added option --insecure-skip-tls-verify for helm pull, addresses helm…
bf5da89 
…#7875

Signed-off-by: Matthias Riegler <matthias.riegler@taotesting.com>
vladfr pushed a commit to vladfr/helm that referenced this issue Sep 30, 2020
@vladfr
added option --insecure-skip-tls-verify for helm install, addresses h…
afc76a4 
…elm#7875

Signed-off-by: Matthias Riegler <matthias.riegler@taotesting.com>
@tennashi tennashi mentioned this issue May 17, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@xvzf xvzf

Labels
bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
4 participants
@technosophos @bacongobbler @xvzf @paulczar