Failure in cloning source from Github due to TLS certificate verification error when deploying TAP workload

Article ID: 376140

Products

VMware Tanzu Application Platform

Issue/Introduction

When deploying a TAP workload, cloning the source from GitHub might fail with a "certificate signed by unknown authority" error. For example:

$ tanzu -n tap-java apps workload get tanzu-java-web-app
📡 Overview
   name:        tanzu-java-web-app
   type:        web
   namespace:   tap-java

💾 Source
   type:     git
   url:      https://github.com/myrepo/tanzu-java-web-app
   branch:   main

📦 Supply Chain
   name:   source-test-to-url

   NAME               READY   HEALTHY   UPDATED   RESOURCE
   source-provider    False   False     4s        gitrepositories.source.toolkit.fluxcd.io/tanzu-java-web-app
   source-tester      False   Unknown   7s        not found
   image-provider     False   Unknown   7s        not found
   config-provider    False   Unknown   7s        not found
   app-config         False   Unknown   7s        not found
   service-bindings   False   Unknown   7s        not found
   api-descriptors    False   Unknown   7s        not found
   config-writer      False   Unknown   7s        not found

🚚 Delivery
   name:   delivery-basic

   NAME              READY     HEALTHY   UPDATED   RESOURCE
   source-provider   Unknown   Unknown   4s        imagerepositories.source.apps.tanzu.vmware.com/tanzu-java-web-app-delivery
   deployer          False     Unknown   4s        not found

💬 Messages
   Workload [HealthyConditionRule]:   failed to checkout and determine revision: unable to clone 'https://github.com/myrepo/tanzu-java-web-app': Get "https://github.com/myrepo/tanzu-java-web-app/info/refs?service=git-upload-pack": tls: failed to verify certificate: x509: certificate signed by unknown authority
   Deliverable [MissingValueAtPath]:     waiting to read value [.status.artifact.url] from object [imagerepositories.source.apps.tanzu.vmware.com/tanzu-java-web-app-delivery] in namespace [tap-java]
   Deliverable [HealthyConditionRule]:   condition with type [Ready] not found on resource status

No pods found for workload.

To see logs: "tanzu apps workload tail tanzu-java-web-app --namespace tap-java --timestamp --since 1h"

Cause

The TLS certificate served by github.com is signed by a well-known public CA, so verifying it against the default CA store on the Kubernetes cluster nodes should not be a problem. In this case, however, github.com is reachable only through an HTTP proxy server that itself speaks TLS: the proxy presents a certificate issued by its own (typically private) CA, either because it terminates and re-encrypts the session to github.com (TLS inspection) or because the proxy endpoint itself is HTTPS. The certificate that fails verification is therefore the HTTP proxy server's, and its CA is not in the default trust store.
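A quick way to confirm this diagnosis before touching the cluster is to open a CONNECT tunnel through the same proxy and see which CA signs the certificate presented for github.com. The script below is an added example (not from this article or from TAP); it uses only the Python standard library. It first verifies with the platform trust store, and if that fails it retries trusting only the proxy CA file, which is exactly the check that the CA you are about to put in the secret is the right one. The proxy address `proxy.corp.example:3128` and the file name `proxy-ca.pem` are assumptions for illustration.

```python
"""Probe which CA signs the certificate seen for github.com through an HTTP proxy.

Added example, not part of the KB article. Standard library only. The proxy
address and the proxy-ca.pem file name are assumptions for illustration.
"""
import socket
import ssl


def parse_connect_response(raw: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT.

    Only a 2xx means the tunnel is open and a TLS handshake can begin;
    407 means the proxy wants credentials, 403 that the destination is blocked.
    """
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def issuer_name(cert: dict) -> str:
    """Flatten the 'issuer' entry of ssl.SSLSocket.getpeercert() into one string."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)


def open_tunnel(proxy_host, proxy_port, target_host, target_port=443, timeout=10):
    """Connect to the proxy and request a CONNECT tunnel to target_host:target_port."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")
    sock.sendall(request)
    reply = b""
    while b"\r\n\r\n" not in reply:  # read until the end of the proxy's headers
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        reply += chunk
    status = parse_connect_response(reply)
    if status // 100 != 2:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT with HTTP {status}")
    return sock


def verified_issuer(proxy_host, proxy_port, target_host, cafile=None):
    """Do a verified TLS handshake through the tunnel and return the leaf's issuer.

    With cafile=None the platform trust store is used. With cafile set, ONLY that
    CA is trusted, so success proves it is the CA to put in the secret's caFile.
    Raises ssl.SSLCertVerificationError when no trusted root is found, which is
    what the workload reports as 'x509: certificate signed by unknown authority'.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    sock = open_tunnel(proxy_host, proxy_port, target_host)
    with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
        return issuer_name(tls.getpeercert())


def diagnose(proxy_host, proxy_port, proxy_ca, target_host="github.com"):
    """Report whether the proxy is presenting a certificate from a private CA."""
    try:
        print("platform trust store verifies the chain; issuer:",
              verified_issuer(proxy_host, proxy_port, target_host))
        print("the proxy is not the cause from this host; check the trust store the cluster uses")
        return
    except ssl.SSLCertVerificationError as exc:
        print("platform trust store rejects the chain:", exc.verify_message)
    try:
        issuer = verified_issuer(proxy_host, proxy_port, target_host, cafile=proxy_ca)
        print(f"chain verifies with {proxy_ca} alone; the proxy signs github.com traffic "
              f"with a private CA (issuer: {issuer}); use this CA as caFile")
    except ssl.SSLCertVerificationError as exc:
        print(f"{proxy_ca} does not verify the chain either: {exc.verify_message}; "
              "export the root (and any intermediate) of the certificate the proxy actually sends")


if __name__ == "__main__":
    # Assumed values for illustration; replace with your proxy and its CA file.
    diagnose("proxy.corp.example", 3128, "proxy-ca.pem")
```

Run it from a host that must use the same proxy as the cluster; a handshake that only succeeds with the proxy CA file is the positive confirmation that the workload failure is the proxy certificate and not GitHub's. A 407 from CONNECT means the proxy wants credentials, which is a separate problem from the CA.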

Resolution

Add the HTTP proxy server's CA certificate to the Kubernetes cluster as a secret and reference that secret from the workload. Refer to the TAP documentation for more details.

1) Create a secret in the developer namespace (e.g. tap-java) where the workload will be deployed. For example:

apiVersion: v1
kind: Secret
metadata:
  name: git-secret
  namespace: tap-java
  annotations:
    tekton.dev/git-0: https://github.com
type: kubernetes.io/basic-auth
stringData:
  username: YOUR-GIT-USERNAME
  password: YOUR-GIT-PASSWORD
  caFile: |
    -----BEGIN CERTIFICATE-----
    HTTP-PROXY-SERVER-CA
    -----END CERTIFICATE-----

Where:
  • YOUR-GIT-USERNAME: your username to access github.com
  • YOUR-GIT-PASSWORD: your password (or personal access token) to access github.com
  • HTTP-PROXY-SERVER-CA: the PEM-encoded CA certificate of your HTTP proxy server (the root CA, plus any intermediate the proxy does not send in the handshake); the certificate lines must be indented more deeply than the caFile key, as shown, or the manifest will not parse

2) Reference the secret (git-secret) created in the step above in the workload manifest. For example:

apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: tanzu-java-web-app
  namespace: tap-java
  labels:
    apps.tanzu.vmware.com/workload-type: web
    app.kubernetes.io/part-of: tanzu-java-web-app
    apps.tanzu.vmware.com/has-tests: "true"
spec:
  params:
    - name: source_credentials_secret
      value: git-secret
    - name: annotations
      value:
        autoscaling.knative.dev/minScale: "1"
  source:
    git:
      url: https://github.com/myrepo/tanzu-java-web-app
      ref:
        branch: main

3) Deploy the workload with the tanzu CLI:

$ tanzu apps workload create --file config/workload.yaml

4) Verify that the workload is created successfully and that the source-provider resource now reports READY True:

$ tanzu -n tap-java apps workload get tanzu-java-web-app
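The step that most often goes wrong in this procedure is the secret itself: a certificate pasted with the wrong indentation under caFile, or a truncated PEM, is accepted by kubectl but cannot be used by the source controller, so the workload keeps failing with the same error. The script below is an added example (not from this article or from TAP); it renders the step 1 manifest with the PEM correctly indented, checks that every certificate block decodes, and offers an OpenSSL parse check to run on the real CA. SAMPLE_PROXY_CA is a constructed placeholder, not a real certificate; the secret name, namespace and credentials are assumptions for illustration.

```python
"""Render the git-secret manifest with a validated, correctly indented caFile.

Added example, not part of the KB article. Standard library only. SAMPLE_PROXY_CA
is a constructed placeholder, not a real certificate; the names and credentials
are assumptions for illustration.
"""
import json
import ssl
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed placeholder with the shape of a PEM certificate (base64 body that
# decodes to zero bytes). It exercises the checks below but is not a real CA.
SAMPLE_PROXY_CA = (
    f"{PEM_BEGIN}\n"
    + "A" * 64 + "\n"
    + "A" * 64 + "\n"
    + "AAAA\n"
    + f"{PEM_END}\n"
)


def check_pem_bundle(pem: str) -> int:
    """Return the number of certificate blocks in pem.

    Raises ValueError if a block is missing its END marker or its base64 body does
    not decode, so a bad paste is caught before the secret is applied.
    """
    blocks = pem.split(PEM_BEGIN)[1:]
    if not blocks:
        raise ValueError("no certificate block found")
    for block in blocks:
        if PEM_END not in block:
            raise ValueError("certificate block is missing its END marker")
        body = PEM_BEGIN + block.split(PEM_END, 1)[0] + PEM_END
        ssl.PEM_cert_to_DER_cert(body)  # raises ValueError on bad markers/base64
    return len(blocks)


def openssl_can_load(pem: str) -> bool:
    """True if OpenSSL parses pem as one or more X.509 certificates.

    Run this on the real proxy CA before applying the secret; it is False for the
    placeholder above because its body is not a real certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem)
        return True
    except ssl.SSLError:
        return False


def render_git_secret(name, namespace, username, password, ca_pem,
                      git_host="https://github.com"):
    """Return the Secret manifest as YAML text.

    The PEM is indented four spaces under 'caFile: |' (deeper than the key), which
    YAML requires for a block scalar. Credentials are emitted as double-quoted
    scalars so a ':' or '#' inside a token cannot change the document structure.
    """
    check_pem_bundle(ca_pem)
    ca_block = textwrap.indent(ca_pem.strip() + "\n", "    ")
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "  annotations:\n"
        f"    tekton.dev/git-0: {git_host}\n"
        "type: kubernetes.io/basic-auth\n"
        "stringData:\n"
        f"  username: {json.dumps(username)}\n"
        f"  password: {json.dumps(password)}\n"
        "  caFile: |\n"
        f"{ca_block}"
    )


if __name__ == "__main__":
    # Assumed values; in practice read the real CA with open("proxy-ca.pem").read()
    # and confirm openssl_can_load() returns True before piping this to kubectl apply.
    print(render_git_secret("git-secret", "tap-java", "dev-user", "s3cret", SAMPLE_PROXY_CA))
```

Pipe the output to kubectl apply -f - and then create the workload as in step 3; if openssl_can_load() is False for your real CA file, the file is not PEM X.509 (a DER export or a PKCS#7 bundle, for example) and must be converted first.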