Add caBundle private CA to chart repository
This document (000021400) is provided subject to the disclaimer at the end of this document.
Environment
Rancher 2.6.x
Rancher 2.7.x
Rancher 2.8.x
Rancher 2.7.x
Rancher 2.8.x
Situation
There are some cases where customers and users have their own custom charts and they would prefer to add them and use them in Rancher Server.
The UI has a section called "Repositories" where they simply add the repository in question and then it will become available in the Charts tab under the given name of that repository.
While adding the repository an error related to the invalidity of the certificate can appear like the following
The UI has a section called "Repositories" where they simply add the repository in question and then it will become available in the Charts tab under the given name of that repository.
While adding the repository an error related to the invalidity of the certificate can appear like the following
"fatal: unable to access 'https://url.chart.repo/some-path/repo.git/': SSL certificate problem: unable to get local issuer certificate"or
Get "https://docker.repo.local/chart/repo/index.yaml": x509: certificate signed by unknown authority
Resolution
The custom CA certificate needs to be added to the ClusterRepo manifest, under the spec.caBundle field.
The documentation reference for that matter can be found here.
The documentation reference for that matter can be found here.
Cause
missing CA certificate when adding a custom or private chart repository.
Additional Information
- In the Apps v1 feature, the management of catalogs was handled centrally within the Rancher process itself. As such, all catalogs were downloaded by Rancher running in the local cluster; and, where additional trusted CAs were added to Rancher, catalogs served by an endpoint with a custom CA certificate were trusted.
- In the Apps v2 feature, the management of cluster repositories is handled within each cluster, by Rancher in the local cluster, but by the cattle-cluster-agent in downstream clusters. It is, therefore, necessary to set the CA in the ClusterRepo definition, as the additional trusted CAs are only trusted by the Rancher process itself in the local cluster, and not by the cattle-cluster-agent which downloads the chart repositories within a downstream cluster.
- In the Apps v2 feature, the management of cluster repositories is handled within each cluster, by Rancher in the local cluster, but by the cattle-cluster-agent in downstream clusters. It is, therefore, necessary to set the CA in the ClusterRepo definition, as the additional trusted CAs are only trusted by the Rancher process itself in the local cluster, and not by the cattle-cluster-agent which downloads the chart repositories within a downstream cluster.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021400
- Creation Date: 13-Mar-2024
- Modified Date:25-Jun-2024
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
