
Monocular API - TLS Certificate-Authority Issue

Open andiMenge opened this issue 8 years ago • 5 comments

TL;DR: the monocular-api uses the URLs found in index.yaml of a chart-repo-server to DownloadAndExtractChartTarball instead of the one that is configured in api.config.repos.

I have both monocular and my chart-repo-server running in the same k8s cluster and have configured monocular to use the k8s internal service-object to read from the repo. The issue is that the API uses the URL from index.yaml to DownloadAndExtractChartTarball. The URL that is configured in index.yaml is an ingress URL behind a load balancer that has self-signed TLS certs.

This results in the following error:

level=error msg="Error on DownloadAndExtractChartTarball" error="Get https://helm-repo-server.example.com/app1-0.2.0.tgz: x509: certificate signed by unknown authority"

In order to fix this I would need a way to insert my self-signed certificate-authority or to force the api-server to use the kubernetes internal http:// address instead of the https:// ingress address it reads from index.yaml.

Is there a way to insert custom CA files or to force the URL?

andiMenge avatar May 12 '17 14:05 andiMenge

I think the correct approach here is to allow adding custom CA files, since Helm will also use the URLs from index.yaml and we should be compatible with that (e.g. you may have your index hosted somewhere different than your chart packages). cc @migmartri

prydonius avatar May 19 '17 09:05 prydonius

This would mean having a directory e.g. ~/.monocular/certs to load custom CA certs from for the http package to use.

prydonius avatar Aug 23 '17 12:08 prydonius

And a way in the Helm chart to add it :-)

obeyler avatar Aug 13 '18 07:08 obeyler

Did this ever gain any traction?

mjschmidt avatar Sep 02 '20 21:09 mjschmidt

Or any workarounds?

mjschmidt avatar Sep 02 '20 21:09 mjschmidt