-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ApplicationSet controller receives x509: certificate signed by unknown authority, when using SCM, PR or Git generator with private bitbucket server #9607
Comments
Observations:
|
ApplicationSet CRD with status events
|
Yeah it's a bug |
+1 same problem using GitLab on-premisses |
+1 same problem... |
+1 same |
Is there a workaround possible? |
I'm not aware of any workaround. We need to provide a way to set TLS configurations for various endpoints. For certain generators (PR generator?) it might make sense to pull the TLS config from any already-configured repo creds in the argocd namespace. For others (SCM generator), we'll probably need a separate ConfigMap (maybe reuse argocd-cm?) to store the TLS config. As always, PRs welcome. If a core contributor manages to pick this up, they'll drop a note here. 🙂 |
a blocker for us to use applicationsets. is there a way to allow unsafe certificates instead of trusting them? |
+1, this is a showstopper for us. We're experiencing this issue when using a Helm chart source with a cert signed by our custom CA, despite having explicitly mounted the cert chain in /etc/ssl/certs on the filesystem of the pods of the controller, server, repo server and applicationset controller. Argo CD 2.5.3+0c7de21 installed with helm chart v5.9.1 |
Ran into this issue today, this is the workaround I found (keep in mind we're using an on premise setup of argocd and gitlab and thus don't need the usual certificates): In the values.yaml of the argocd deployment add: applicationSet: This will mount the tls certificates from argocd's config-map into the default ssl certificate folder of golang's http client, getting around the issue. It does however override the other certificates so this isn't ideal, maybe someone can further improve on it in the future, at least until an option is made available to append these tls certificates. Best of luck! |
Hi,
This way we also get to keep whatever default certificates argo throws in /etc/ssl/certs! Hope this helps others who are having the same issues. I noticed there are quite a few issues registered here with similar or directly related problems:
I still find it odd that certificates added to argo proper (e.g. via the UI or declaratively in the configmap for trusted tls certificates) do not register as valid when it comes to Argo CD using the Helm client. That seems to be a common thread with all these issues. |
We have a self-signed CA that needs to apply for all URLs so we BYOI. Isn't as clean as a volume mount but also works.
|
I'm not entirely sure but I believe I'm having the same issue when using Helm through Kustomize. But not when using Helm directly. |
Hi @guydolinksy @crenshaw-dev @D-BlindSide @zetti12345 @flaviohrocha We are also facing the same issue. We are using Openshift operator to install ArogoCd i tried to update applicationSet by creating the secret as mentioned above but after i add volume section operator reloads and removes the volumes which i added. Please help if there is any other workaround or how to solve this issue |
We have the same issue under Openshift 4.13 running the Openshift GitOps Operator (ArgoCD v2.6.7).
The repositories inside ArgoCD are not "insecure", so the certificates are implemented correct. But the scmProvider generator obviously has problems with them. |
They might solve it for GitLab. We'd need equivalent PRs for other SCM providers. I do think it's a miss that ApplicationSet doesn't know how to use the existing configured certificates. There's a similar problem with repositories, because there's incongruence between accessing an SCM's git interface and accessing its broader API. |
My simple workaround for the Pull Request Generator was to add the Cert at settings / Repository certificates and known hosts.
|
I had the same experience as @ThomasVitt with ApplicationSet generators - the git generator connects successfully, but the scmProvider generator (with bitbucketServer) fails with "x509: certificate signed by unknown authority". Both generators are configured with the same protocol (https:) and the same Bitbucket Server hostname. The Bitbucket Server hostname matches an Argo CD "repository certificate" stored in argocd-tls-certs-cm, which must be sufficient for the git generator. |
@ThomasVitt still running into this error on 2.8 with BitBucket Server. No workaround available for us so this is an impediment. Anyone working on this? Any planning for this one? |
@crenshaw-dev in regards to: #9607 (comment) I would like to provide a pr with the following in mind: Add a configMapKeyRef on the PullRequest and SCMProvider configuration. This CM should hold the tls certs to be trusted. When the appSetController runs in the same namespace as argo applicationController it will be possible to configure the tls certs through argo. Those certs are stored in the argocd-tls-certs-cm and can then, via this configuration , be used by the applicationSet. It this way we also tackle another issue with the solutions provided in earlies PR's. That is that we can use an envVar to point to certs on the file system, however, the RedHat GitOps operator doesn't allow extraVolumeMounts, see redhat-developer/gitops-operator#620 Which means that workaround is not usably for the users of that operator. By using a CM, we overcome that issue entirely. Would love to give this a try, please provide any feedback. |
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
for BitBucketServer by allowing to pass a CM holding trusted certificates. Refactors implementation for GitLab. Signed-off-by: asjervanasten <[email protected]>
@ishitasequeira this shouldn't be closed. There are still providers / generators which hold no implementation of insecure tls or passing private certificates. For example the pr mentioned above: #18501 |
For those who can't use the newest Argo CD version with
applicationSet:
extraVolumeMounts:
- name: tls-certs # Uses the existing certificates volume
mountPath: /etc/ssl/certs/your-scm-fqdn.crt
subPath: your-scm-fqdn # Must match your key in argocd-tls-certs-cm equivalent you can patch it by changing the application-set-deployment This mounts your certificate from the existing tls-certs volume to a specific path that ApplicationSet will recognize.
|
Slack conversation thread : https://cloud-native.slack.com/archives/C01U45M2SVB/p1654569552211179
Checklist:
argocd version
.Describe the bug
Receive
x509: certificate signed by unknown authority
when application set controller with an SCM generator attempts to connect to a private bitbucket server.To Reproduce
Expected behavior
Expected the application set controller to be able to communicate with bitbucket server API's to list repositories and automate ArgoCD application generation.
Screenshots
Version
Logs
The text was updated successfully, but these errors were encountered: