porch function runner is unable to pull image from a repository with self-signed certificate #819

Open
dromie opened this issue Nov 7, 2024 · 5 comments
Labels
area/platform area/porch Porch related issues

Comments

@dromie

dromie commented Nov 7, 2024

There is no configuration option to add a trusted private certificate authority for pulling docker images.

Mounting a configmap/secret to /etc/ssl/cert.pem does work as a workaround.

@Catalin-Stratulat-Ericsson
Contributor

Catalin-Stratulat-Ericsson commented Nov 7, 2024

Hello @dromie, if your question relates to you trying to pull an image from a registry that requires authentication to access, then I believe this PR that has just been merged suits what you are looking for.

Here is some documentation of how to set it up.

Let me know if that suits your needs.

@dromie
Author

dromie commented Nov 7, 2024

I've seen your PR about authentication, but this issue is about the SSL/TLS certificate of the registry.
The actual error message is "cert: x509: certificate signed by unknown authority: Get "https://": tls: failed to verify certificate: x509: certificate signed by unknown authority"

@Catalin-Stratulat-Ericsson
Contributor

Catalin-Stratulat-Ericsson commented Nov 7, 2024

Perhaps you could try this.
It's intended for git deployments over https but it may also work for your use case.

Am I understanding your point correctly? Your registry is behind https and the TLS certificate required to access it is self-signed on your machine, and there does not seem to be a means of including that in the function-runner deployment to use in case of a TLS requirement on the container registry?

@Catalin-Stratulat-Ericsson
Contributor

If you could provide a step-by-step issue reproduction with logs, that would be very helpful.

@kispaljr
Contributor

kispaljr commented Nov 7, 2024

Steps to reproduce the issue:

  1. deploy a local container image registry (i.e. Harbor) with a self-signed TLS certificate, that is accessible e.g. at https://local-registry.my/...
  2. push a KRM function into the registry: i.e. local-registry.my/krm-fn/set-labels:1.0
  3. porchctl rpkg init my-pkg --repository my-repo --workspace initial
  4. porchctl rpkg pull ...
  5. edit the Kptfile and add local-registry.my/krm-fn/set-labels:1.0 to the pipeline, i.e.:

         apiVersion: kpt.dev/v1
         kind: Kptfile
         metadata:
           name: my-pkg
           annotations:
             config.kubernetes.io/local-config: "true"
         pipeline:
           mutators:
           - image: local-registry.my/krm-fn/set-labels:1.0

  6. porchctl rpkg push ...

The rendering of the package (that is triggered by push) will fail, because porch (actually the function-runner) will be unable to pull the local-registry.my/krm-fn/set-labels:1.0 KRM function due to "tls: failed to verify certificate: x509: certificate signed by unknown authority".
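
Added example, not part of the thread and not Porch code: a Go client reproduces the failure reported above against a server whose certificate is outside the default trust store, then succeeds once that certificate is added to the root pool with verification still enabled. The `httptest` server is a constructed stand-in for the registry, and `pull` and `demo` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
)

// pull performs one HTTPS GET, trusting only the CAs in roots
// (nil selects the host's default trust store, as an unconfigured client would).
func pull(url string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo starts a stand-in "registry" whose certificate no public CA signed,
// then pulls from it with and without that certificate in the trust pool.
func demo() (errDefault, errWithCA error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // silence handshake errors
	srv.StartTLS()
	defer srv.Close()

	errDefault = pull(srv.URL, nil) // default roots: verification must fail

	roots, err := x509.SystemCertPool()
	if err != nil || roots == nil {
		roots = x509.NewCertPool()
	}
	roots.AddCert(srv.Certificate()) // extend trust; verification stays on
	errWithCA = pull(srv.URL, roots)
	return errDefault, errWithCA
}

func main() {
	errDefault, errWithCA := demo()
	fmt.Println("default trust store:", errDefault)
	fmt.Println("with registry CA added:", errWithCA)
}
```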

Projects
Status: In Progress