pipeline: x509 certificate signed by unknown authority

Expected Behavior

I am trying to run a container from my private registry within Tekton. I would like Tekton to invoke the entrypoint defined in the container rather than specify a command. Per https://github.com/tektoncd/pipeline/blob/master/docs/container-contract.md, I have added an ImagePullSecret to the service account running my pipeline.

I would expect Tekton to be able to pull my image, read the entrypoint and execute that in the pipeline.

Actual Behavior

In reality I am getting a certificate error from the entrypoint binary that is inserted into the execution.

Failed to create build pod "[my-pod-name]": couldn't create redirected TaskSpec: failed to add entrypoint to steps of TaskRun [my-pod-name]: Failed to fetch remote image [myprivateregistry.com]/pierretasci/tests:latest: Failed to get container image info from registry [myprivateregistry.com]/pierretasci/tests:latest: Get https://[myprivateregistry.com]/v2/: x509: certificate signed by unknown authority

The weird thing is that if I specify the command in the entrypoint, then this works. It is able to pull the image and execute it. It is only within the task execution when I don’t specify a command that this happens.

Steps to Reproduce the Problem

  1. Use a private docker repo like Artifactory
  2. Create a k8s image pull secret for this and add it to your service account
  3. Define a pipeline with a task that does not specify a command and references a container from the private docker

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 16 (7 by maintainers)

Most upvoted comments

I was able to workaround this based on the suggestion here: https://github.com/google/ko/issues/142#issuecomment-598837434, but I don’t think the process would scale easily. It could be nice to have some kind of --skip-tls-verify option, like what can be used in the kaniko image to push to a private registry with a self-signed certificate.

Some details about the workaround: I copied the registry’s self-signed certificate into a configmap in the tekton-pipelines namespace, and mounted that into the tekton-pipelines-controller deployment. Then I just needed to add the SSL_CERT_FILE environment variable pointing to that file. Basically these were the additions to the controller deployment:

spec:
  template:
    spec:
      containers:
      - name: tekton-pipelines-controller   # container name assumed; use the name in your deployment
        env:
        - name: SSL_CERT_FILE
          value: /etc/registry-cert/tls.crt
        # ...
        volumeMounts:
        - mountPath: /etc/registry-cert
          name: registry-cert
      # ...
      volumes:
      - configMap:
          name: registry-cert   # configmap holding the registry CA under the key tls.crt
        name: registry-cert
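The error in this issue comes from Go's crypto/x509 verifier inside the controller, and the workaround above works because Go reads SSL_CERT_FILE when it loads the system roots on Linux. The Go program below is an added example, not Tekton's or go-containerregistry's code: it builds a throwaway CA and a registry server certificate in memory, then runs the same chain and hostname check a TLS client performs, once against an empty trust pool (the controller before the fix) and once with the CA as a root (the controller after SSL_CERT_FILE points at the CA). The hostname, CA name and keys are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RegistryPKI is a constructed stand-in for a private registry's PKI:
// a self-signed CA and the server certificate it issued for the registry host.
type RegistryPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// sign creates and parses a certificate from template, signed by parent's key.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRegistryPKI generates an in-memory CA and a leaf certificate for host (constructed test data).
func NewRegistryPKI(host string) (*RegistryPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed private registry CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, ca, &leafKey.PublicKey, caKey) // issued by the CA
	if err != nil {
		return nil, err
	}
	return &RegistryPKI{CA: ca, Leaf: leaf}, nil
}

// TrustedPool returns a root pool holding only ca: the in-process equivalent of
// what SSL_CERT_FILE adds to the controller's trust store.
func TrustedPool(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// VerifyServerCert runs the chain and hostname check a TLS client does for host.
func VerifyServerCert(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IsUnknownAuthority reports whether err is the failure printed as
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "registry.example.internal" // constructed hostname
	pki, err := NewRegistryPKI(host)
	if err != nil {
		panic(err)
	}
	err = VerifyServerCert(pki.Leaf, host, x509.NewCertPool()) // CA not trusted
	fmt.Printf("untrusted CA: %v (unknown authority: %v)\n", err, IsUnknownAuthority(err))
	err = VerifyServerCert(pki.Leaf, host, TrustedPool(pki.CA)) // CA trusted
	fmt.Printf("trusted CA:   %v\n", err)
	err = VerifyServerCert(pki.Leaf, "other.example.internal", TrustedPool(pki.CA))
	fmt.Printf("wrong host:   %v\n", err) // hostname check still enforced
}
```

The third check is why adding the CA to the trust store is preferable to a skip-TLS-verify switch: with the CA trusted, the controller still rejects a certificate presented for the wrong host, whereas disabling verification drops both the chain and the hostname check.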

I hit the same problem in my use case, any process for this issue?