Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pulling a chart from an OCI registry with a self-signed certificate is not possible #1580

Open
BWagenerGenerali opened this issue Feb 5, 2025 · 0 comments
Open

Pulling a chart from an OCI registry with a self-signed certificate is not possible #1580

BWagenerGenerali opened this issue Feb 5, 2025 · 0 comments
Labels
bug

Comments

@BWagenerGenerali
Copy link

BWagenerGenerali commented Feb 5, 2025
edited
Loading

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: v1.9.8
Provider version: tested with both 3.0.0-pre1 and 2.17.0
Kubernetes version: v1.32

Affected Resource(s)

  • resource_helm_release
  • data_helm_template

Terraform Configuration Files

# we do not need to use any configurations for the helm provider for this example

data "helm_template" "argocd" {
  name         = "argocd"
  namespace    = "argocd"
  chart        = "argo-cd"
  version      = "7.8.0"
  kube_version = data.aws_eks_cluster.cluster.version

  repository          = "oci://<self-hosted registry with self-signed cert>/argoproj/argo-helm"
  repository_username = "<username>"
  repository_password = "<password>"
  repository_ca_file  = local_file.self_signed_certificate.filename
}

resource "local_file" "self_signed_certificate" {
  content  = "<content of self-signed certificate>"
  filename = "${path.root}/.terraform/self-signed-cert"
}

Fails with the error message

Failed to log in to OCI registry
"oci://<self-hosted registry with self-signed cert>/argoproj/argo-helm":
could not login to OCI registry
"<self-hosted registry with self-signed cert>": Get "https://gdis-docker-virtual.artifact-repository.generali-gruppe.de/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority}

Steps to Reproduce

  1. replace the placeholder <self-hosted registry with self-signed cert> with the URL of a self-hosted registry with a self-signed certificate
  2. replace the placeholder <content of self-signed certificate> with the content of the self-signed certificate
  3. terraform apply

Expected Behavior

  1. the self-signed certificate provided with the repository_ca_file variable is used in all relevant helm actions, including the registry login

Actual Behavior

  1. certificate error occurs during registry login
  2. from examining the code in data_helm_template.go the self-signed certificate provided with the repository_ca_file is not used for the registry login step (function call OCIRegistryLogin)

Important Factoids

This is a lack of feature parity to the Helm CLI which supports this through the --ca-file option

helm registry login <self-hosted registry with self-signed cert> --username <username >--ca-file "<path-to-self-signed-cert>"
helm pull oci://<self-hosted registry with self-signed cert>/argoproj/argo-helm/argo-cd --version <version> --ca-file "<path-to-self-signed-cert>"

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@BWagenerGenerali