0

I am having issues with adding repos with helm on a docker container. The command I am trying to run is: `helm repo add dask https://helm.dask.org/`. The output from running it in the docker container is:

Error: looks like "https://helm.dask.org/" is not a valid chart repository or cannot be reached: Get "https://helm.dask.org/index.yaml": x509: certificate signed by unknown authority

I tried the same command outside of the docker container and I am getting the right output (I am working on MacOS Catalina and I have installed helm with Homebrew):

"dask" has been added to your repositories

I tried looking online (Helm 3: x509 error when connecting to local Kubernetes, docker container ssl certificates, https://github.com/fluxcd/flux/issues/1637). The last resource is pointing to adding the same local certificates of the host running the container, however I have not been able to do that.

I have also tried the stable chart repo with no luck (`helm repo add stable https://charts.helm.sh/stable`).

Any suggestions?

EDIT: If I add this to the helm add repo, `--insecure-skip-tls-verify`, the repo is added correctly. Of course this does not solve the bigger problem as I would like to have the right certificates in place.

Guido Muscioni
  • Are there any configured proxies? – MaartenDev Mar 27 '21 at 19:11
  • Hi @MaartenDev, so initially I thought it was the VPN I am on, as outside it, the docker container is able to pull the repo. However, the host is able to pull the repo on VPN as well. Hope this helps. – Guido Muscioni Mar 27 '21 at 19:13
  • Hello, could you please add a [minimal, reproducible example](https://stackoverflow.com/help/minimal-reproducible-example)? Are you doing this from a Kubernetes cluster (like within Docker Desktop with Kubernetes) or a pure Docker container? – Dawid Kruk Mar 29 '21 at 16:23

1 Answer

0

Depending on your Dockerfile's base image, you can use your respective package manager to include common/well-known certificate authority certificates within your container.

For example, for an Ubuntu based image: `RUN apt-get update && apt-get install -y ca-certificates`.

Are you getting errors when trying to add common CA certificates to the container?

The certificate for the domain is valid, your container just doesn't trust the CA because it doesn't have those certificates locally.

helm.dask.org cert info

Simon
  • I just ran `yum install -y ca-certificates` but the output was that ca-certificates are already installed. I have also tried `update-ca-trust`, but no luck. – Guido Muscioni Mar 27 '21 at 19:44
  • With this `--insecure-skip-tls-verify` the add repo works. – Guido Muscioni Mar 27 '21 at 19:47
  • Maybe try retrieving the certificate from the host using this answer: https://serverfault.com/a/192731/625369 Then append it to your truststore by adding another RUN command to the Dockerfile? `cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt` – Simon Mar 27 '21 at 20:05
  • You may need to use a different path, I just assumed CentOS since you mentioned yum – Simon Mar 27 '21 at 20:07
  • An update-ca-trust for good measure after you've appended to your bundle is also recommended (required?). – Simon Mar 27 '21 at 20:09
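
An added example, not part of the original answer or its comments: a POSIX shell helper that installs a CA certificate into the distribution's trust-anchor directory (the input from which `update-ca-trust` / `update-ca-certificates` rebuild the bundle), but only after the file matches a SHA-256 fingerprint obtained out of band. The function names, the `ROOT` staging prefix and the file name `corp-root-ca.pem` are assumptions for illustration; `openssl` must be present in the image.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, ROOT and file names are assumptions.

# Trust-anchor directory for a given os-release ID.
anchor_dir() {
  case "$1" in
    centos|rhel|fedora|rocky|almalinux) echo /etc/pki/ca-trust/source/anchors ;;
    debian|ubuntu|alpine)               echo /usr/local/share/ca-certificates ;;
    *) return 1 ;;
  esac
}

# Command that rebuilds the system bundle from the anchors.
refresh_cmd() {
  case "$1" in
    centos|rhel|fedora|rocky|almalinux) echo "update-ca-trust extract" ;;
    debian|ubuntu|alpine)               echo "update-ca-certificates" ;;
    *) return 1 ;;
  esac
}

# Normalise a fingerprint: drop colons and whitespace, lowercase the hex.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'; }

# install_ca CA_PEM EXPECTED_SHA256 [ROOT]
# ROOT is an optional staging prefix (hypothetical, for dry runs); when set, no refresh is run.
install_ca() {
  ca=$1; want=$(norm_fp "$2"); root=${3:-}
  id=$(. "$root/etc/os-release" && echo "$ID") || return 1
  dir=$(anchor_dir "$id") || { echo "unsupported distro: $id" >&2; return 1; }
  # Refuse a certificate whose fingerprint was not confirmed out of band.
  got=$(openssl x509 -in "$ca" -noout -fingerprint -sha256) || return 1
  [ "$(norm_fp "${got#*=}")" = "$want" ] || { echo "fingerprint mismatch" >&2; return 1; }
  # This helper accepts only CA certificates, not a server's leaf certificate.
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA certificate" >&2; return 1; }
  mkdir -p "$root$dir"
  # Debian-family tooling only picks up files ending in .crt.
  install -m 0644 "$ca" "$root$dir/$(basename "${ca%.*}").crt"
  if [ -z "$root" ]; then cmd=$(refresh_cmd "$id"); $cmd; fi
}

# Usage: sh install-ca.sh corp-root-ca.pem <sha256-fingerprint>
if [ "$#" -ge 2 ]; then install_ca "$@"; fi
```

In a Dockerfile, `COPY` the CA file and this script into the image and `RUN` it before `helm repo add`, so the repository is verified against the installed CA instead of being added with `--insecure-skip-tls-verify`.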