  1. Artifactory Binary Repository
  2. RTFACT-22019

Not able to proxy Helm repository running on Azure Container Registry

    Details

    • Severity:
      High
    • Release Notes:
      Yes

      Description

      For HelmCenter, we are trying to proxy and cache helm repositories running on Azure Container Registry.

      Example: https://promitor.azurecr.io/helm/v1/repo

      Using curl, I'm able to fetch the index file and the charts from that repo.

      Inspecting the requests, I can see that every request is redirected to a signed URL like this:

      → curl -v https://promitor.azurecr.io/helm/v1/repo/index.yaml
      *   Trying 13.69.64.95...
      * TCP_NODELAY set
      * Connected to promitor.azurecr.io (RESTRICTED_IP) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
      * successfully set certificate verify locations:
      *   CAfile: /etc/ssl/cert.pem
        CApath: none
      * TLSv1.2 (OUT), TLS handshake, Client hello (1):
      * TLSv1.2 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      * TLSv1.2 (IN), TLS handshake, Server finished (14):
      * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
      * TLSv1.2 (OUT), TLS handshake, Finished (20):
      * TLSv1.2 (IN), TLS change cipher, Client hello (1):
      * TLSv1.2 (IN), TLS handshake, Finished (20):
      * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
      * ALPN, server did not agree to a protocol
      * Server certificate:
      *  subject: CN=*.azurecr.io
      *  start date: May  2 16:59:03 2020 GMT
      *  expire date: May 16 16:59:03 2020 GMT
      *  subjectAltName: host "promitor.azurecr.io" matched cert's "*.azurecr.io"
      *  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscaler.net) (t)
      *  SSL certificate verify ok.
      > GET /helm/v1/repo/index.yaml HTTP/1.1
      > Host: promitor.azurecr.io
      > User-Agent: curl/7.54.0
      > Accept: */*
      >
      < HTTP/1.1 307 Temporary Redirect
      < Server: openresty
      < Date: Mon, 04 May 2020 20:30:06 GMT
      < Content-Type: text/html; charset=utf-8
      < Content-Length: 417
      < Connection: keep-alive
      < Access-Control-Expose-Headers: Docker-Content-Digest
      < Access-Control-Expose-Headers: WWW-Authenticate
      < Access-Control-Expose-Headers: Link
      < Access-Control-Expose-Headers: X-Ms-Correlation-Request-Id
      < Docker-Distribution-Api-Version: registry/2.0
      < Location: https://weumanaged19.blob.core.windows.net/2d0d994199874e139a3800c72a530625-artifact-nkxe60asba//docker/registry/v2/blobs/sha256/02/025f506bfc4065f9d6814973a83b27e47ee564480e18495fedb69ff385ac003c/data?se=2020-05-04T20%3A50%3A06Z&sig=4%2FKK1kP5vKJzA8BWywuX9KGHzmVPNZfhkSN%2FqGQKNGs%3D&sp=r&sr=b&sv=2016-05-31&regid=2d0d994199874e139a3800c72a530625&anon=true
      < Strict-Transport-Security: max-age=31536000; includeSubDomains
      < X-Content-Type-Options: nosniff
      < X-Ms-Correlation-Request-Id: 8e24d753-aa4a-4fc8-ae94-bf278f4f392f
      < Strict-Transport-Security: max-age=31536000; includeSubDomains
      <
      <a href="https://weumanaged19.blob.core.windows.net/2d0d994199874e139a3800c72a530625-artifact-nkxe60asba//docker/registry/v2/blobs/sha256/02/025f506bfc4065f9d6814973a83b27e47ee564480e18495fedb69ff385ac003c/data?se=2020-05-04T20%3A50%3A06Z&amp;sig=4%2FKK1kP5vKJzA8BWywuX9KGHzmVPNZfhkSN%2FqGQKNGs%3D&amp;sp=r&amp;sr=b&amp;sv=2016-05-31&amp;regid=2d0d994199874e139a3800c72a530625&amp;anon=true">Temporary Redirect</a>.
      
      * Connection #0 to host promitor.azurecr.io left intact
      

      When I try to add this repo as a remote helm repository in Artifactory and resolve the same index file, I get an authentication error:

      → curl https://helmcenterstg.jfrog.io/artifactory/promitor-remote/index.yaml
      {
        "errors" : [ {
          "status" : 404,
          "message" : "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."
        } ]
      }%
      

      I can't see any useful information in the logs.
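
The redirect captured above, decoded as an added example (not part of the original report and not Artifactory code): it reads the SAS fields from the `Location` header, computes how long the signature stays valid, and shows the header handling a proxy needs when it follows such a redirect to a different host. `CONTAINER`, `BLOB_PATH`, the `sig` value and the helper names are placeholders or hypothetical; that credential forwarding plays a part in this issue is an assumption, since the report does not identify a cause.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample, abridged from the curl capture above. CONTAINER,
# BLOB_PATH and the sig value are placeholders, not values from the page.
ORIGIN_URL = "https://promitor.azurecr.io/helm/v1/repo/index.yaml"
RESPONSE_HEADERS = {
    "Date": "Mon, 04 May 2020 20:30:06 GMT",
    "Location": "https://weumanaged19.blob.core.windows.net/CONTAINER/BLOB_PATH/data"
                "?se=2020-05-04T20%3A50%3A06Z&sig=PLACEHOLDER&sp=r&sr=b"
                "&sv=2016-05-31&anon=true",
}
# Azure SAS query fields: expiry, permissions, resource type, service version.
SAS_FIELDS = {"se": "expiry", "sp": "permissions", "sr": "resource", "sv": "version"}
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def inspect_signed_redirect(origin_url, headers):
    """Describe a redirect to a SAS-signed URL without echoing the signature."""
    origin, target = urlsplit(origin_url), urlsplit(headers["Location"])
    query = parse_qs(target.query)
    report = {name: query[key][0] for key, name in SAS_FIELDS.items() if key in query}
    report["signed"] = "sig" in query
    report["target_host"] = target.hostname
    report["cross_host"] = origin.hostname != target.hostname
    if "se" in query:
        expiry = datetime.strptime(query["se"][0], "%Y-%m-%dT%H:%M:%SZ")
        issued = parsedate_to_datetime(headers["Date"])
        delta = expiry.replace(tzinfo=timezone.utc) - issued
        report["lifetime_seconds"] = int(delta.total_seconds())
    return report


def headers_for_redirect(request_headers, report):
    """Headers to send to the redirect target (hypothetical proxy helper).

    Credentials issued for the origin are dropped when the hop changes host;
    the signed URL carries its own authorization in the query string.
    """
    if not report["cross_host"]:
        return dict(request_headers)
    return {k: v for k, v in request_headers.items()
            if k.lower() not in CREDENTIAL_HEADERS}


if __name__ == "__main__":
    info = inspect_signed_redirect(ORIGIN_URL, RESPONSE_HEADERS)
    print(info)
    print(headers_for_redirect({"Authorization": "Basic PLACEHOLDER", "Accept": "*/*"}, info))
```

The signature in this capture is valid for 20 minutes from the response `Date`, so a caching proxy should store the fetched content and re-request the origin URL each time rather than cache the `Location` value.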

              People

              Assignee:
              aviva Aviv Anidjar
              Reporter:
              eliom Elio Marcolino