Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce --insecure-skip-tls-verify option for self-signed HTTP git URLs #1513

Closed
alexmt opened this issue Apr 23, 2019 · 6 comments · Fixed by #1934
Closed

Introduce --insecure-skip-tls-verify option for self-signed HTTP git URLs #1513

alexmt opened this issue Apr 23, 2019 · 6 comments · Fixed by #1934
Assignees
@alexmt
Labels
enhancement New feature or request
Milestone
v1.2

Comments

@alexmt
Copy link
Collaborator

alexmt commented Apr 23, 2019

Describe the bug
It is impossible to connect repositories using HTTP git url if git server uses self-signed certificate.

To Reproduce
Steps to reproduce the behavior:

  1. Try to connect repo using argocd repo add https://<url> --username <username> --password <password> --insecure-ignore-host-key
  2. The connection fails if server uses self signed cert: x509: cannot validate certificate for <host> because it doesn't contain any IP SANs

Expected behavior
Repository should be successfully connected.
@alexmt alexmt added the bug Something isn't working label Apr 23, 2019
@alexmt alexmt mentioned this issue Apr 23, 2019
Closed
@jessesuen jessesuen removed the bug Something isn't working label May 8, 2019
@jessesuen
Copy link
Member

jessesuen commented May 8, 2019
edited
Loading

This bug is invalid. --insecure-ignore-host-key only apply to SSH host keys and does not make sense in the context of https URLs / x509 errors.

For https URLs, the solution is to supply the self-signed certificates of the repo-server and api-server. Otherwise we can decide to introduce an --insecure-skip-tls-verify flag, so that self-signed certificates to https git repos are accepted.

I will convert this bug to an enhancement for that request.

@jessesuen jessesuen changed the title The --insecure-ignore-host-key option does not work for HTTP git URLs Introduce --insecure-skip-tls-verify option for self-signed HTTP git URLs May 8, 2019
@jessesuen jessesuen added the enhancement New feature or request label May 8, 2019
@gaby
Copy link

gaby commented May 8, 2019

@jessesuen Having a way to add insecure https git repos would be great. In my case, I don't use argocd cli at all. Another option could be to add a field for pasting your CA in ArgoCD UI's when adding a git repo. That's the way Rancher-UI handles custom CA's for pipelines.

@alexec alexec mentioned this issue Jun 18, 2019
Closed
@alexec
Copy link
Contributor

alexec commented Jun 25, 2019

See #1805

@alexmt alexmt self-assigned this Jul 8, 2019
@alexmt
Copy link
Collaborator Author

alexmt commented Jul 8, 2019

PR is in progess

@alexmt alexmt mentioned this issue Jul 9, 2019
Closed
alexmt pushed a commit that referenced this issue Jul 13, 2019
Issues #1513 - Make sure insecure flag works for remote Kustomize bas…
d3c850b 
…es (#1934)

* Make sure insecure flag works for remote Kustomize bases
@alexmt
Copy link
Collaborator Author

alexmt commented Jul 13, 2019
edited
Loading

Done! Thanks to @jannfis for implementing it.

@alexmt alexmt closed this as completed Jul 13, 2019
@alexmt alexmt mentioned this issue Jul 24, 2019
Merged
@alexec alexec added this to the v1.2 milestone Jul 24, 2019
@pvgbabu
Copy link

pvgbabu commented Jul 30, 2020

Describe the bug
It is impossible to connect repositories using HTTP git url if git server uses self-signed certificate.
To Reproduce
Steps to reproduce the behavior:

Try to connect repo using argocd repo add https:// --username --password --insecure-ignore-host-key
The connection fails if server uses self signed cert: x509: cannot validate certificate for because it doesn't contain any IP SANs

Expected behavior
Repository should be successfully connected.
@alexmt
Is this issue resolved , If say could you please let us know how to use --insecure-skip-tls-verify option in kfp.containers._container_builder
Thanks for your help

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexmt alexmt

Labels
enhancement New feature or request
Projects
None yet
Milestone
v1.2
Development

Successfully merging a pull request may close this issue.

Issues #1513 - Make sure insecure flag works for remote Kustomize bases alexmt/argo-cd
5 participants
@alexmt @gaby @alexec @pvgbabu @jessesuen