Error importing helm charts for airgapped configuration using private registry certificates #7891

Closed
rossh-iceway opened this issue Mar 24, 2024 · 2 comments
Labels
area/airgap All features for disconnected environments area/docs Documentation external An issue, bug or feature request filed from outside the AWS org

Comments

@rossh-iceway

What happened:
When using eksctl anywhere import images on a registry with a private CA, 160 images are pushed successfully using docker, then helm is asked to log in, and fails due to not trusting the certificate of the registry.

This does complete successfully with --insecure on in the eksctl command line, so it's not preventing anything other than good practice.

Log snippet

V0	Logging in to helm registry	{"registry": "registry.redacted.com"}
V6	Executing command	{"cmd": "/usr/bin/docker exec -i -e HELM_EXPERIMENTAL_OCI=1 -e HTTPS_PROXY= -e HTTP_PROXY= -e NO_PROXY= eksa_1711276022316141685 helm registry login registry.redacted.com --username  --password-stdin"}
V9	docker	{"stderr": "time=\"2024-03-24T10:27:57Z\" level=info msg=\"Error logging in to endpoint, trying next endpoint\" error=\"Get \\\"https://registry.redacted.com/v2/\\\": tls: failed to verify certificate: x509: certificate signed by unknown authority\"\nError: Get \"https://registry.redacted.com/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority\n"}

What you expected to happen:
The import command to complete without error.

How to reproduce it (as minimally and precisely as possible):

The error will occur after the docker images are written to the registry.

Anything else we need to know?:

  • My registry is serving on 443, so I have no port number in my /etc/docker/certs.d/ folder entry. Before adding this entry the docker pushes immediately fail (as expected), so the helm parts are never reached.
  • My registry has no authentication, but the eksctl anywhere import command errors unless REGISTRY_USERNAME is set. In my environment both REGISTRY_USERNAME and REGISTRY_PASSWORD are set to empty strings.
  • I have also added the CA to the Admin Machine trusted authorities, with no change in behaviour.
  • I attach my commands and the full output at -v9 to this issue.

Environment:

  • Admin OS: Ubuntu 20.04.6
  • eksctl version: 0.175.0
  • eksctl-anywhere version: v0.19.1 (bundle 61)

import.redacted.log
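
An added triage sketch, not part of the original issue or of eksctl-anywhere's code: it parses `-v9` output in the shape quoted above and reports, for each x509 verification failure, which tool raised it and whether that tool was launched through `docker exec` inside a container. The log lines, registry name and container name are constructed placeholders, and `triage` and `exec_context` are hypothetical helper names.

```python
import json
import re
import shlex

# Constructed sample shaped like the -v9 lines in the issue: level, message and
# JSON payload separated by tabs. Registry and container names are placeholders.
SAMPLE_LOG = "\n".join([
    'V6\tExecuting command\t{"cmd": "/usr/bin/docker push registry.example.internal/img:1"}',
    'V6\tExecuting command\t{"cmd": "/usr/bin/docker exec -i -e HELM_EXPERIMENTAL_OCI=1 '
    '-e HTTPS_PROXY= eksa_0000 helm registry login registry.example.internal '
    '--username  --password-stdin"}',
    'V9\tdocker\t{"stderr": "Error: Get \\"https://registry.example.internal/v2/\\": tls: '
    'failed to verify certificate: x509: certificate signed by unknown authority\\n"}',
])

X509_RE = re.compile(
    r'Get "https://([^/"]+)/[^"]*": tls: failed to verify certificate: (x509: [^\n"]+)')

def exec_context(cmd):
    """Return (container, tool) for `docker exec ...`, else (None, binary name)."""
    argv = shlex.split(cmd)
    binary = argv[0].rsplit("/", 1)[-1] if argv else ""
    if binary == "docker" and argv[1:2] == ["exec"]:
        i = 2
        while i < len(argv) and argv[i].startswith("-"):
            i += 2 if argv[i] in ("-e", "--env") else 1  # -e consumes a value
        if i + 1 < len(argv):
            return argv[i], argv[i + 1]
    return None, binary

def triage(log_text):
    """Pair each x509 failure with the most recent command the tool executed."""
    findings, last_cmd = [], None
    for line in log_text.splitlines():
        try:
            payload = json.loads(line.split("\t", 2)[2])
        except (IndexError, ValueError):
            continue  # not a "level<TAB>message<TAB>json" line
        if not isinstance(payload, dict):
            continue
        last_cmd = payload.get("cmd", last_cmd)
        match = X509_RE.search(payload.get("stderr", ""))
        if match and last_cmd:
            container, tool = exec_context(last_cmd)
            findings.append({"registry": match.group(1), "error": match.group(2),
                             "tool": tool, "container": container})
    return findings
```

A finding with `container` set means the failing TLS client ran inside that container, so the CA bundle to check is the one visible to that process.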

@chrisdoherty4
Member

@rossh-iceway Thanks for the info. We'll take a look asap.

@chrisdoherty4 chrisdoherty4 added external An issue, bug or feature request filed from outside the AWS org area/airgap All features for disconnected environments area/docs Documentation labels Mar 25, 2024
@sp1999
Member

sp1999 commented May 14, 2024

We have updated the docs to include the instructions about using the --insecure flag when using self-signed certs for the registry.

@sp1999 sp1999 closed this as completed May 14, 2024

3 participants