
Pull Flux manifests from registry with private PKI certificate #66

Open
erikgb opened this issue Jul 4, 2024 · 5 comments
Labels
area/update-automation Flux update automation related issues and pull requests

Comments

@erikgb

erikgb commented Jul 4, 2024

Our cluster does not have a direct connection to the Internet, and must pull all images through a registry proxy. This registry is configured with a certificate chain rooted in our private self-signed CA. How can I make Flux Operator trust this root?

This error is logged from Flux Operator:

{"level":"error","ts":"2024-07-04T12:03:33.625Z","msg":"Reconciler error","controller":"fluxinstance","controllerGroup":"fluxcd.controlplane.io","controllerKind":"FluxInstance","FluxInstance":{"name":"flux","namespace":"flux-system"},"namespace":"flux-system","name":"flux","reconcileID":"90115059-3e19-4cc3-ad0a-8af12fe0f077","error":"pulling artifact oci://<REDACTED>/ghcr-docker-remote/controlplaneio-fluxcd/flux-operator-manifests failed: Get \"https://<REDACTED>/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}

Flux Operator version: 0.6.0
Flux Operator installation method: OLM (operatorhub.io Subscription)

FluxInstance resource (irrelevant details omitted):

```yaml
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
spec:
  distribution:
    artifact: 'oci://<REDACTED>/ghcr-docker-remote/controlplaneio-fluxcd/flux-operator-manifests'
    registry: ghcr.io/fluxcd
    version: 2.3.x
```

Note: Our CRIO config will ensure the registry (for Flux images), is rewritten when images are pulled by our cluster.
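The error string in the log above is Go's generic x509 verification failure: any Go TLS client (the operator's OCI client included) produces it when its trust store lacks the root that issued the server's chain, and it says nothing about which root is missing. The following is an added, self-contained example written for this thread, not code from the Flux Operator project. It builds a throwaway private root CA and a server certificate for a placeholder registry-proxy host in memory, runs the same `x509.Certificate.Verify` check once against an empty trust store and once against a store that holds the root, and shows how a PEM CA bundle (the form a private root is usually distributed in) is loaded into a pool. The host name and CA subject are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// privatePKI is a constructed, in-memory stand-in for a private CA and the
// certificate a registry proxy would present (hypothetical, not from the thread).
type privatePKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// issue signs tmpl with signer under parent and parses the result back.
// For a self-signed root, tmpl and parent are the same template.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newPrivatePKI generates a self-signed root CA and a server certificate for
// host signed by that root. Nothing is written to disk.
func newPrivatePKI(host string) (*privatePKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN is what the host-name check matches against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &privatePKI{Root: root, Leaf: leaf}, nil
}

// pemBundle renders certificates as a PEM CA bundle, the form a private root is
// normally handed to a client (for example mounted from a ConfigMap or Secret).
func pemBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// poolFromPEM builds a trust store from a PEM bundle and refuses a bundle with no
// parseable certificate: a silently empty pool would fail every verification.
func poolFromPEM(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("CA bundle contains no valid PEM certificate")
	}
	return pool, nil
}

// verifyAgainst performs the check a TLS client runs on a server certificate:
// chain building to a trusted root plus host-name matching.
func verifyAgainst(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// isUnknownAuthority reports whether err is the failure seen in the operator log,
// "x509: certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	const host = "registry-proxy.example.internal" // placeholder for the redacted proxy host
	pki, err := newPrivatePKI(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("empty trust store:", verifyAgainst(pki.Leaf, host, x509.NewCertPool()))
	pool, err := poolFromPEM(pemBundle(pki.Root))
	if err != nil {
		panic(err)
	}
	fmt.Println("private root trusted:", verifyAgainst(pki.Leaf, host, pool))
	fmt.Println("private root trusted, wrong host:", verifyAgainst(pki.Leaf, "other.example.internal", pool))
}
```

Two points the output makes visible: adding the root to the trust store is the only change that turns the "unknown authority" failure into success, and it does not weaken anything else, since the host-name check still rejects a certificate issued for a different name. In a real deployment the pool would be built from the organisation's actual PEM bundle rather than a generated root, and the client would need a way to consume that bundle; nothing in this thread describes such an option for the operator's artifact pull, which is why the issue is kept open.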

@stefanprodan
Member

stefanprodan commented Jul 4, 2024

If you're using OperatorHub you don't need the artifact, OLM knows how to automatically update the Flux Operator, and the operator has the manifests embedded for air-gapped use. This would only be a problem if you were an Enterprise customer, the artifact contains the CVE patches that ControlPlane ships for Flux.

@erikgb
Author

erikgb commented Jul 4, 2024

Ahhh, so I can just remove distribution completely, or? I would like to have some control over the Flux version, tho.

@stefanprodan
Member

stefanprodan commented Jul 4, 2024

You would remove only the .spec.distribution.artifact field. If you look at the example FluxInstance on OperatorHub, you'll see that this field is not there.
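The two FluxInstance variants discussed in this thread, side by side, as an added example (not a manifest from the operator project or from the reporter). The first keeps `.spec.distribution.artifact`, so the operator must fetch its manifests over TLS from the proxy and fails when the proxy's chain is rooted in a private CA the operator does not trust. The second drops that field, so an OLM-installed operator uses its embedded manifests and issues no registry request for manifests at all; the Flux controller images named via `registry` and `version` are still pulled by the node's container runtime, which in the reporter's setup is what CRI-O rewrites to the proxy. The registry host is a placeholder.

```yaml
# Variant 1: artifact pull enabled. The operator itself opens the TLS connection
# to the proxy and rejects it with "certificate signed by unknown authority"
# unless the private root is in its trust store.
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
spec:
  distribution:
    artifact: 'oci://registry-proxy.example.internal/ghcr-docker-remote/controlplaneio-fluxcd/flux-operator-manifests'
    registry: ghcr.io/fluxcd
    version: 2.3.x
---
# Variant 2: artifact field removed. Manifests come from the operator's embedded
# copy; only the controller images are pulled, by the container runtime, and the
# version pin is kept so the Flux release is still under explicit control.
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
spec:
  distribution:
    registry: ghcr.io/fluxcd
    version: 2.3.x
```

The trade-off stated in the thread applies: variant 2 is the right shape for a community install behind a private-PKI proxy, while Enterprise installs that rely on the artifact for ControlPlane's CVE-patched manifests still need the operator to trust the private root, which this issue tracks.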

@stefanprodan
Member

Anyway let's keep this issue open as paying customers will actually have a problem with this.

@stefanprodan stefanprodan added the area/update-automation Flux update automation related issues and pull requests label Jul 4, 2024
@erikgb
Author

erikgb commented Jul 5, 2024

> You would remove only the .spec.distribution.artifact field. If you look at the example FluxInstance on OperatorHub, you'll see that this field is not there.

I confirm that the suggested fix (simplification) solved our issue in the air-gapped cluster! 🥳 Thanks Stefan! ❤️
