Type: Bug
Status: Done
Resolution: Done
Affects Version/s: 6.12.2, 6.20.1
Component/s: Helm, Remote Repository
Labels:
Severity: High
Release Notes: Yes

For HelmCenter, we are trying to proxy and cache helm repositories running on Azure Container Registry.
Example: https://promitor.azurecr.io/helm/v1/repo
Using curl, I'm able to fetch the index file and the charts from that repo.
Inspecting the requests, I can see that every request is redirected to a signed URL like this:
    → curl -v https://promitor.azurecr.io/helm/v1/repo/index.yaml
    * Trying 13.69.64.95...
    * TCP_NODELAY set
    * Connected to promitor.azurecr.io (RESTRICTED_IP) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    * subject: CN=*.azurecr.io
    * start date: May 2 16:59:03 2020 GMT
    * expire date: May 16 16:59:03 2020 GMT
    * subjectAltName: host "promitor.azurecr.io" matched cert's "*.azurecr.io"
    * issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscaler.net) (t)
    * SSL certificate verify ok.
    > GET /helm/v1/repo/index.yaml HTTP/1.1
    > Host: promitor.azurecr.io
    > User-Agent: curl/7.54.0
    > Accept: */*
    >
    < HTTP/1.1 307 Temporary Redirect
    < Server: openresty
    < Date: Mon, 04 May 2020 20:30:06 GMT
    < Content-Type: text/html; charset=utf-8
    < Content-Length: 417
    < Connection: keep-alive
    < Access-Control-Expose-Headers: Docker-Content-Digest
    < Access-Control-Expose-Headers: WWW-Authenticate
    < Access-Control-Expose-Headers: Link
    < Access-Control-Expose-Headers: X-Ms-Correlation-Request-Id
    < Docker-Distribution-Api-Version: registry/2.0
    < Location: https://weumanaged19.blob.core.windows.net/2d0d994199874e139a3800c72a530625-artifact-nkxe60asba//docker/registry/v2/blobs/sha256/02/025f506bfc4065f9d6814973a83b27e47ee564480e18495fedb69ff385ac003c/data?se=2020-05-04T20%3A50%3A06Z&sig=4%2FKK1kP5vKJzA8BWywuX9KGHzmVPNZfhkSN%2FqGQKNGs%3D&sp=r&sr=b&sv=2016-05-31&regid=2d0d994199874e139a3800c72a530625&anon=true
    < Strict-Transport-Security: max-age=31536000; includeSubDomains
    < X-Content-Type-Options: nosniff
    < X-Ms-Correlation-Request-Id: 8e24d753-aa4a-4fc8-ae94-bf278f4f392f
    < Strict-Transport-Security: max-age=31536000; includeSubDomains
    <
    <a href="https://weumanaged19.blob.core.windows.net/2d0d994199874e139a3800c72a530625-artifact-nkxe60asba//docker/registry/v2/blobs/sha256/02/025f506bfc4065f9d6814973a83b27e47ee564480e18495fedb69ff385ac003c/data?se=2020-05-04T20%3A50%3A06Z&sig=4%2FKK1kP5vKJzA8BWywuX9KGHzmVPNZfhkSN%2FqGQKNGs%3D&sp=r&sr=b&sv=2016-05-31&regid=2d0d994199874e139a3800c72a530625&anon=true">Temporary Redirect</a>.
    * Connection #0 to host promitor.azurecr.io left intact
When I try to add this repo as a remote helm repository in Artifactory and resolve the same index file, I get an authentication error:
    → curl https://helmcenterstg.jfrog.io/artifactory/promitor-remote/index.yaml
    {
      "errors" : [ {
        "status" : 404,
        "message" : "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."
      } ]
    }%
I can't see any useful information in the logs.
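
For triaging a redirect like the one in this report, the following added example (not part of the original report and not Artifactory code) parses the `Date` and `Location` headers of a 307 response and reports the scope and lifetime of the SAS token in the target URL, plus a signature-redacted form for logs. The sample headers are constructed, with a placeholder host, path and signature; the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of a 307 response's Date and Location headers.
# Host, path and signature are placeholders, not values from the report.
SAMPLE_DATE = "Mon, 04 May 2020 20:30:06 GMT"
SAMPLE_LOCATION = (
    "https://example.blob.core.windows.net/container/blobs/sha256/00/data"
    "?se=2020-05-04T20%3A50%3A06Z&sig=CONSTRUCTED%2FSIG%3D"
    "&sp=r&sr=b&sv=2016-05-31&anon=true"
)

PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write",
               "d": "delete", "l": "list"}
RESOURCES = {"b": "blob", "c": "container"}


def describe_sas_redirect(date_header, location):
    """Report scope and lifetime of the SAS token in a redirect target."""
    query = dict(parse_qsl(urlsplit(location).query, keep_blank_values=True))
    missing = [k for k in ("se", "sig", "sp", "sr", "sv") if k not in query]
    if missing:
        raise ValueError(f"not a service SAS URL, missing {missing}")
    issued = parsedate_to_datetime(date_header)
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    # Only the full-seconds UTC form seen in the report is handled here.
    expiry = datetime.strptime(query["se"], "%Y-%m-%dT%H:%M:%SZ")
    expiry = expiry.replace(tzinfo=timezone.utc)
    return {
        "host": urlsplit(location).hostname,
        "permissions": [PERMISSIONS.get(p, p) for p in query["sp"]],
        "resource": RESOURCES.get(query["sr"], query["sr"]),
        "version": query["sv"],
        "expires": expiry,
        "lifetime_seconds": int((expiry - issued).total_seconds()),
    }


def redact_sas(location):
    """Return the URL with the signature removed, safe for logs and tickets."""
    parts = urlsplit(location)
    pairs = [(k, "REDACTED" if k == "sig" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    print(describe_sas_redirect(SAMPLE_DATE, SAMPLE_LOCATION))
    print(redact_sas(SAMPLE_LOCATION))
```

With the `Date` and `se` values shown in the curl output above, the redirect target is a read-only, single-blob URL valid for 20 minutes from the response.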