Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HELM install of GitHub hosted charts fail behind corporate proxy #352

Open
Ju-Ru opened this issue Jun 28, 2024 · 1 comment
Open

HELM install of GitHub hosted charts fail behind corporate proxy #352

Ju-Ru opened this issue Jun 28, 2024 · 1 comment

Comments

@Ju-Ru
Copy link

Ju-Ru commented Jun 28, 2024
edited
Loading

Dear community,

as a corporate user, I need to configure development tools to use a corporate proxy and ca authority. This, as such, is causing many problems as you can imagine. However, after some struggles, I got all tools accepting the proxy/ca settings. Only with HELM I found an issue that I cannot easily overcome.

  • The issue is not related to the "repo add" step, which works fine with the "--ca-file" setting, although a repo-agnostic/general setting would be nice to have for this use case.
  • The problem occurs in the "install" step, when HELM seems to try to download a HELM manifest hosted from GitHub.

ChatGPT indicates that it could be related to the strict TLS certificate validation of Go or a problem of confusing certificates as result of a redirect. There seem to be request to both domains ".github.com" and ".github.io" involved. I have a hard time to pin the problem further down. All involved URLs listed below are accessible in a web browser on the same system. In all cases the corporate ca is used.

Minimum steps to reproduce (in corporate setting using proxy):
helm repo add --debug --ca-file $caCertPath oauth2-proxy https://oauth2-proxy.github.io/manifests/
helm repo update
helm install oauth2-proxy oauth2-proxy/oauth2-proxy

The variable $caCertPath is a path to the corporate ca file. I left out the actual proxy configuration, which is correctly adopted by HELM from the environment variables (HTTPS_PROXY, HTTP_PROXY).

This leads to the following error:
Downloading oauth2-proxy from repo https://oauth2-proxy.github.io/manifests/ Save error occurred: could not download https://github.com/oauth2-proxy/manifests/releases/download/oauth2-proxy-6.19.1/oauth2-proxy-6.19.1.tgz: Get "https://github.com/oauth2-proxy/manifests/releases/download/oauth2-proxy-6.19.1/oauth2-proxy-6.19.1.tgz": tls: failed to verify certificate: x509: certificate is valid for github.com, www.github.com, not oauth2-proxy.github.io Error: could not download https://github.com/oauth2-proxy/manifests/releases/download/oauth2-proxy-6.19.1/oauth2-proxy-6.19.1.tgz: Get "https://github.com/oauth2-proxy/manifests/releases/download/oauth2-proxy-6.19.1/oauth2-proxy-6.19.1.tgz": tls: failed to verify certificate: x509: certificate is valid for github.com, www.github.com, not oauth2-proxy.github.io

Tests were done on Ubuntu (WSL2) with HELM version: version.BuildInfo{Version:"v3.15.2", GitCommit:"1a500d5625419a524fdae4b33de351cc4f58ec35", GitTreeState:"clean", GoVersion:"go1.22.4"}

Thanks in advance for your support.
@bbaassssiiee
Copy link

bbaassssiiee commented Nov 14, 2024
edited
Loading

Not an issue of Helm. Your proxy does SSL inspection and does not handle Subject Alternate Names correctly.
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bbaassssiiee @Ju-Ru