Improve support for registries with self-signed certs (x509: certificate signed by unknown authority) #3039

@balchua

Expected behavior

Skaffold should allow the use of private registries using self-signed certificates.

Actual behavior

Skaffold complains about the certificate being signed by unknown authority.

Information

  • Skaffold version: tested with bleeding edge (the version with skipTLS option)
  • Operating system: RedHat 7.5.
  • Contents of skaffold.yaml:
```yaml
apiVersion: skaffold/v1beta15
kind: Config
profiles:
  - name: sub
    build:
      artifacts:
      - image: my-private-registry.com/balchu/gonuts-sub
        context: sub
        kaniko:
          dockerfile: Dockerfile
          skipTLS: true
          buildContext:
            localDir: {}
          cache:
            repo: my-private-registry.com/balchu/gonuts-sub
      cluster:
        dockerConfig:
          secretName: regcred
        namespace: gonuts
      insecureRegistries: # Use this for a local registry, such as the microk8s registry.
      - my-private-registry.com
    deploy:
      helm:
        releases:
          - name: gonuts-sub
            chartPath: k8s-manifest/sub
            namespace: gonuts
            wait: true
            values:
              image.repository: my-private-registry.com/balchu/gonuts-sub
```

Steps to reproduce the behavior

  1. Find a private registry with a self-signed certificate.
  2. Make sure your Dockerfile's base images are also using the private registry.

For example:

```dockerfile
# Use the base golang image from the private registry
FROM my-private-registry.com/golang:1.12.10 as build

WORKDIR /src/github.com/balchua/gonuts

# Copy go.mod and go.sum
ADD ./go.mod /src/github.com/balchua/gonuts/
ADD ./go.sum /src/github.com/balchua/gonuts/
# Install dependencies in go.mod and go.sum
RUN go mod download

# Copy application source code
COPY ./main.go /src/github.com/balchua/gonuts

# Compile the application to /app.
RUN go build -o /app -v .

# Now create separate deployment image
FROM my-private-registry.com/distroless/base
COPY --from=build /app /app
# Cause full tracebacks; also serves to identify this image as a Go image for `skaffold debug`
ENV GOTRACEBACK=all
ENTRYPOINT ["/app"]
```

Skaffold complains about the private registry's certificates and then it fails. It does not even start the Kaniko pod.

Thanks!
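
The error from the issue title, reproduced offline as an added Go example (not Skaffold's or Kaniko's code): a local `httptest` TLS server stands in for the private registry, and all helper names are illustrative. It contrasts disabling certificate verification with keeping verification on and trusting only the registry's own certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newRegistry starts a local TLS server with a self-signed cert (constructed stand-in).
func newRegistry() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // answers GET /v2/ like a registry ping
	}))
}

// ping requests /v2/ using the given TLS settings and returns any error.
func ping(srv *httptest.Server, cfg *tls.Config) error {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(srv.URL + "/v2/")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// unknownAuthority reports whether err is the x509 error from the issue title.
func unknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// trustOnly returns a config that verifies the server against one pinned CA.
func trustOnly(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

func main() {
	srv := newRegistry()
	defer srv.Close()
	err := ping(srv, &tls.Config{}) // system trust store only
	fmt.Println("system roots:", err, "| unknown authority:", unknownAuthority(err))
	fmt.Println("skip verify: ", ping(srv, &tls.Config{InsecureSkipVerify: true}))
	fmt.Println("pinned CA:   ", ping(srv, trustOnly(srv.Certificate())))
}
```

With `InsecureSkipVerify` the client accepts any certificate the endpoint presents, while the pinned pool still rejects everything except the registry's own chain.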

Labels

  • area/build
  • area/registry
  • kind/bug (Something isn't working)
  • priority/p3 (agreed that this would be good to have, but no one is available at the moment.)
