failed to determine artifact digest when creating ocirepository resource #1673

Open
Yusra23 opened this issue Nov 21, 2024 · 4 comments

@Yusra23

Yusra23 commented Nov 21, 2024

Hi,
can someone assist with creating a resource of kind OCIRepository? We run TKG (VMware Tanzu) and Harbor Registry.
The HelmRepository resource works, but the OCIRepository fails with the certificate error below. We tried adding ca.crt/tls.crt/tls.key, but that didn't help.

NAME     URL                                 READY   STATUS                                                                                                                                                                                          AGE
kj-test  oci://harbor.tanzu.com/nginx/mage   False   failed to determine artifact digest: Get "https://harbor.tanzu.com/v2/": x509: certificate signed by unknown authority; Get "https://harbor.tanzu.com/v2/": x509: certificate signed by unknown authority   2m36s

Not working (OCIRepository):

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: kj-test
  namespace: demo
spec:
  interval: 10m
  url: oci://harbor.tanzu.com/nginx/mage

Working one (HelmRepository):

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: shop
  namespace: demo
spec:
  type: "oci"
  interval: 5m0s
  url: oci://harbor.tanzu.com/nginx/mage

NAME   URL                                 AGE   READY   STATUS
shop   oci://harbor.tanzu.com/nginx/mage   27h   True    Helm repository is ready

@makkes
Member

makkes commented Nov 21, 2024

In an OCIRepository resource you can use .spec.certSecretRef and provide a reference to a secret that has the CA certificate. See https://fluxcd.io/flux/components/source/ocirepositories/#cert-secret-reference for details.

@Yusra23
Author

Yusra23 commented Nov 22, 2024

Thanks for commenting.
Yes, I did try with 'certSecretRef' as well. Here is the YAML file. The secret is created, but the OCIRepository still complains with the 'x509: certificate signed by unknown authority' error. We cross-checked and the certs are valid until next year.

In my opinion, if it's a problem with the certificate licensing then the HelmRepository kind (the working one shown in the previous comment) should also report an error, which is not the case. Please advise if there is an alternate approach.


apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: kj-cert-test
  namespace: demo
spec:
  interval: 5m0s
  url: oci://harbor.tanzu.com/nginx/mage
  secretRef:
    name: kj-hrb-cert


apiVersion: v1
kind: Secret
metadata:
  name: kj-hrb-cert
  namespace: demo
type: Opaque   # Tried with 'kubernetes.io/tls' as well
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLRENDQWhDZ0F3SUJBZ0lRRHZDN0JqMkZJWVVJ
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR0VENDQXAyZ0F3SUJBZ0lSQUxuUkVkQUtTaFZZMXVQZmRaN0h2OW93RFFZSkt
  tls.key: LS0tLS1CRUdJTiBSU0

@stefanprodan
Member

stefanprodan commented Nov 22, 2024

The config you posted will not work; you need to follow the docs and use .spec.certSecretRef. Also, .spec.ref.semver is missing, and the URL is wrong: it cannot be the same as the one used in the HelmRepository, it should be the full URI to the image.
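The three corrections above written out as one manifest, as an added example (not configuration from the issue author or from the Flux project); the secret name `kj-ca`, the `EXAMPLE-IMAGE` placeholder for the real image name, and the `>=1.0.0` semver range are assumptions:

```yaml
# Added example (not from the issue): trust the private Harbor CA through
# .spec.certSecretRef so TLS verification stays on, instead of the
# controller failing with "x509: certificate signed by unknown authority".
apiVersion: v1
kind: Secret
metadata:
  name: kj-ca                 # assumed name
  namespace: demo
type: Opaque
data:
  # base64 of the PEM certificate of the CA that signed Harbor's server
  # certificate (e.g. `base64 -w0 ca.crt`). Placeholder value below.
  ca.crt: "<BASE64-PEM-CA-CERT>"
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: kj-cert-test
  namespace: demo
spec:
  interval: 5m0s
  # Full URI of the image repository, not the HelmRepository path.
  # EXAMPLE-IMAGE is a placeholder for the actual image name in Harbor.
  url: oci://harbor.tanzu.com/nginx/EXAMPLE-IMAGE
  ref:
    semver: ">=1.0.0"         # assumed range; .ref.tag or .ref.digest also work
  # certSecretRef supplies the CA (and optional client tls.crt/tls.key).
  # secretRef, used in the original manifest, is for registry credentials
  # (a kubernetes.io/dockerconfigjson secret), so it does not fix the x509 error.
  certSecretRef:
    name: kj-ca
```

After applying, `kubectl -n demo get ocirepository kj-cert-test` should show READY True; a remaining x509 error means ca.crt does not contain the CA that actually issued the Harbor certificate chain.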

@Yusra23
Author

Yusra23 commented Nov 29, 2024

Thank you. Will check by setting the full URI and .semver.
