helm: helm 3.0.0-beta4: ca-file does not work for helm repo add/update

We are using an internal helm repository with a certificate signed by our internal company CA. When using this repository in helm 3.0.0-beta4 I get this x509 error:

$ helm repo add name https://repourl --ca-file /path/to/ca.pem
Error: looks like "https://repourl" is not a valid chart repository or cannot be reached: Get https://repourl/index.yaml: x509: certificate signed by unknown authority

The same happens when I migrate my existing helm v2 repository config and call helm repo update.

Executing the exact same commands in helm v2.14.3 with the same repository configuration and same ca.pem file is working fine.

Output of helm version:

version.BuildInfo{Version:"v3.0.0-beta.4", GitCommit:"7ffc879f137bd3a69eea53349b01f05e3d1d2385", GitTreeState:"dirty", GoVersion:"go1.13.1"}

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

see #6913.

+2
bacongobbler on Nov 8, 2019

I think here, the user is trying to pass --ca-file, the Certificate Authority’s (CA) public key, to verify if the public key (ssl cert) of the repo endpoint is valid, as it’s possible that the ssl certificate was signed by a CA who’s not trusted by the system. For example, an internal CA.

This is exactly what I am trying to do. I don’t have access to the private key for that cert.

So I would really appreciate the suggested change for that condition.

+1
pkoehlers on Nov 8, 2019
Read more comments on GitHub
← helm: Helm 3.0.0 beta 4 - can't upgrade charts (existing resource conflict)
helm: Helm 3.0.0-rc.1 doesn't support downloading charts from a URL containing local →