unable to create a zarf package containing images from a registry with a self-signed certificate #1015

Closed
blancharda opened this issue Nov 16, 2022 · 2 comments

Comments

@blancharda

Context

We are attempting to package a helm chart which uses an image from a private internal docker registry. The registry is configured with a self-signed cert. Our local development environments are configured to properly trust and verify the cert, and we are able to interact with the registry using (secure) docker commands.

Error Case

zarf package create fails to pull images -- even when using the --insecure flag.
This may also impact genuinely insecure registries (configured entirely without https), though that is untested.

Environment

Device and OS: MacOS, Ubuntu 22.04
Zarf version: v0.22.2

Steps to reproduce

Run zarf package create --insecure -l trace on a package containing an image from a registry with an unverified or otherwise invalid cert.

Expected result

Zarf/Crane will bypass any certificate validation errors while pulling images due to the --insecure flag, resulting in a successful zarf package creation.

Actual Results

MacOS:

...
  ✔  Loading 4 K8s manifests
  DEBUG   Get "https://harbor.valkyrie.lan/v2/": x509: “Valkyrie” certificate is not standards compliant; Get "https://harbor.valkyrie.lan:443/v2/": x509: “Valkyrie” certificate is not standards compliant
└ (/home/runner/work/zarf/zarf/src/internal/message/spinner.go:116)
     ERROR:  Unable to pull the image "harbor.valkyrie.lan/valkyrie/arkime3:latest"
└ (/home/runner/work/zarf/zarf/src/internal/images/pull.go:48)

On MacOS, I believe this specific error is related to a golang issue involving a change to the crypto package. Additional testing indicated this was not the root of the problem -- to validate, we also tested on Ubuntu, shown below.

Ubuntu 22.04:

...
  ✔  Loading 4 K8s manifests
  DEBUG   Get "https://harbor.valkyrie.lan/v2/": x509: certificate is not valid for any names, but wanted to match harbor.valkyrie.lan; Get "https://harbor.valkyrie.lan:443/v2/": x509: certificate is not valid for any names, but wanted to match harbor.valkyrie.lan
└ (/home/runner/work/zarf/zarf/src/internal/message/spinner.go:116)
     ERROR:  Unable to pull the image "harbor.valkyrie.lan/valkyrie/arkime3:latest"
└ (/home/runner/work/zarf/zarf/src/internal/images/pull.go:48)

Similarly on Ubuntu, if we eliminate the hostname matching altogether and attempt to pull from the server IP, we see the following despite using the --insecure flag:

...
  ✔  Loading 4 K8s manifests
  DEBUG   Get "https://10.1.25.34/v2/": x509: certificate signed by unknown authority; Get "https://10.1.25.34:443/v2/": x509: certificate signed by unknown authority
└ (/home/runner/work/zarf/zarf/src/internal/message/spinner.go:116)
     ERROR:  Unable to pull the image "10.1.25.34/valkyrie/arkime3:latest"
└ (/home/runner/work/zarf/zarf/src/internal/images/pull.go:48)
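
The Ubuntu logs above show two separate checks in Go's crypto/x509 failing: the hostname check ("not valid for any names", which is what a certificate with no SAN entries produces, since the Common Name is not used for matching) and the trust check ("signed by unknown authority"). As an added example, not taken from the issue or from Zarf's code, the Go program below reproduces both against constructed self-signed certificates; `selfSigned` and `classify` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed cert (constructed sample data).
func selfSigned(cn string, sans ...string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert
}

// classify verifies cert for host against only the given trust anchors
// (system roots are never consulted) and names the check that failed.
func classify(cert *x509.Certificate, host string, trusted ...*x509.Certificate) string {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	switch _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError: // no SAN entry covers host; the CN is not consulted
		return "hostname: " + err.Error()
	case x509.UnknownAuthorityError: // issuer is not in the trust pool
		return "unknown-authority"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	c := selfSigned("Valkyrie") // CN only, no SAN
	fmt.Println(classify(c, "harbor.valkyrie.lan", c))
}
```

When the same errors come back from a TLS handshake rather than a direct `Verify` call they arrive wrapped, so match them with `errors.As` instead of a type switch.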
@blancharda
Author

May relate to #561

jeff-mccoy added a commit that referenced this issue Feb 2, 2023
Migrated from #1191

## Description
Adding support for insecure flag for external registry in `zarf init`.
Fixing `zarf package create` and `zarf package deploy` failures with
external self signed cert registry as mentioned in
#1190 and
#1181

## Related Issue

Fixes # #1190
Fixes # #1181
Fixes # #561
Fixes # #1015

---------

Co-authored-by: Rishi <[email protected]>
@Racer159
Contributor

Fixed in #1280

@github-project-automation github-project-automation bot moved this from New Requests to Done in Zarf Project Board Feb 13, 2023
Noxsios pushed a commit that referenced this issue Mar 8, 2023