unable to clone: Certificate #298

Closed
Tracked by #2593
charlie-haley opened this issue Jan 20, 2022 · 7 comments

@charlie-haley

I've recently configured image update automations on one of our clusters, all the image repositories and image policies seem to reconcile fine.

However the images never updated and I get this event from the ImageUpdateAutomation - unable to clone: Certificate

---
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  git:
    checkout:
      ref:
        branch: master
    commit:
      author:
        email: myfluxbot@users.noreply.github.com
        name: myfluxbot
    push:
      branch: master
  update:
    path: ./manifests
    strategy: Setters
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    branch: master
  url: ssh://github.com/my/repo
  secretRef:
    name: infra-git-secret

It's referencing the same GitRepository we use in our Flux Kustomizations (which work perfectly)

Here's the Git

Flux version: 0.25.2
Image controller: 0.19.0

@hiddeco
Member

hiddeco commented Jan 20, 2022

What is the format of the private key you are making use of?

@charlie-haley
Author

charlie-haley commented Jan 20, 2022

> What is the format of the private key you are making use of?

It's a public and private key, also with a known_hosts, generated using ed25519

apiVersion: v1
kind: Secret
metadata:
  name: infra-git-secret
  namespace: flux-system
data:
  identity: <redacted>
  identity.pub: <redacted>
  known_hosts: <redacted>

@hiddeco
Member

hiddeco commented Jan 20, 2022

Think you are running into fluxcd/source-controller#445, and the private key format is the problem.

We have been working on trying to move from libgit2 1.1.x to 1.2.x (which we use for communicating with the remote, because of other issues with go-git on this front), which adds support for the ED25519 key format on the C library side of things (and improved support for callbacks, providing more information than just the string representation of the error code to signal an error type to the C library). Due to other issues with this (and newer) version(s), however, which we are partly trying to solve upstream, it might take a while before this has actually been solved.

Until then, the best option is likely to move to ECDSA, which should work properly. Know this isn't the best answer, and I am sorry for the inconvenience.
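To answer the key-format question raised above without exposing key material, the following added example (not part of the original thread and not Flux code) reads only the container header of the Secret's `identity` value and reports the key type. The function names and the `is_ed25519` field are hypothetical, and the sample key is constructed from dummy zero bytes.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
# Legacy PEM containers name the algorithm in the armour label itself.
LEGACY = {"RSA PRIVATE KEY": "ssh-rsa", "EC PRIVATE KEY": "ecdsa", "DSA PRIVATE KEY": "ssh-dss"}

def _read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def ssh_key_type(pem_text):
    """Return (container, key_type, encrypted) from the header fields only."""
    lines = [l.strip() for l in pem_text.strip().splitlines() if l.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label != "OPENSSH PRIVATE KEY":
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        return "pem", LEGACY.get(label, "unknown"), encrypted
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    _kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    pub, _ = _read_string(blob, off + 4)  # skip the uint32 key count
    key_type, _ = _read_string(pub, 0)    # first field of the public key blob
    return "openssh", key_type.decode("ascii"), cipher != b"none"

def check_identity(identity_b64):
    """identity_b64: the Secret's data.identity value (base64 of the PEM text)."""
    container, key_type, encrypted = ssh_key_type(base64.b64decode(identity_b64).decode())
    return {"container": container, "key_type": key_type, "encrypted": encrypted,
            "is_ed25519": key_type == "ssh-ed25519"}

def make_constructed_key(key_type):
    """Constructed sample: valid container layout, dummy zero bytes, not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    pub = s(key_type) + s(b"\x00" * 32)
    blob = MAGIC + s(b"none") * 2 + s(b"") + struct.pack(">I", 1) + s(pub) + s(b"\x00" * 8)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Pass `check_identity` the base64 string stored under `data.identity`; a result with `is_ed25519` set to true means the key is in the ED25519 format discussed in the comment above.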

@charlie-haley
Author

Hmm, I just updated the key to ecdsa and I'm still seeing the same error - unable to clone: Certificate. I confirmed I was able to successfully reconcile the GitRepository too.

@charlie-haley
Author

I moved to a PAT and HTTPS and that seems to have fixed it. It's not ideal, but it's solved the problem for now

@pjbgf
Member

pjbgf commented Mar 22, 2022

@charlie-haley Today we are releasing version v0.21.0, which consolidates the git implementation and upgrades libgit2 to version 1.3.0. Both changes, combined with a few others we have implemented in the last months, should fix your issue.

Can you test it again using the version v0.21.0 and let us know how you get on please?

@pjbgf
Member

pjbgf commented May 5, 2022

As mentioned above, version v0.21.0 should have fixed this.

Closing for lack of activity. If the error persists on the latest version of image-automation-controller we can reopen/revisit the issue.

@pjbgf pjbgf closed this as completed May 5, 2022