When deploying a TAP workload, cloning the source from GitHub might fail with a "certificate signed by unknown authority" error. For example,
$ tanzu -n tap-java apps workload get tanzu-java-web-app
📡 Overview
name: tanzu-java-web-app
type: web
namespace: tap-java
💾 Source
type: git
url: https://github.com/myrepo/tanzu-java-web-app
branch: main
📦 Supply Chain
name: source-test-to-url
NAME READY HEALTHY UPDATED RESOURCE
source-provider False False 4s gitrepositories.source.toolkit.fluxcd.io/tanzu-java-web-app
source-tester False Unknown 7s not found
image-provider False Unknown 7s not found
config-provider False Unknown 7s not found
app-config False Unknown 7s not found
service-bindings False Unknown 7s not found
api-descriptors False Unknown 7s not found
config-writer False Unknown 7s not found
🚚 Delivery
name: delivery-basic
NAME READY HEALTHY UPDATED RESOURCE
source-provider Unknown Unknown 4s imagerepositories.source.apps.tanzu.vmware.com/tanzu-java-web-app-delivery
deployer False Unknown 4s not found
💬 Messages
Workload [HealthyConditionRule]: failed to checkout and determine revision: unable to clone 'https://github.com/myrepo/tanzu-java-web-app': Get "https://github.com/myrepo/tanzu-java-web-app/info/refs?service=git-upload-pack": tls: failed to verify certificate: x509: certificate signed by unknown authority
Deliverable [MissingValueAtPath]: waiting to read value [.status.artifact.url] from object [imagerepositories.source.apps.tanzu.vmware.com/tanzu-java-web-app-delivery] in namespace [tap-java]
Deliverable [HealthyConditionRule]: condition with type [Ready] not found on resource status
No pods found for workload.
To see logs: "tanzu apps workload tail tanzu-java-web-app --namespace tap-java --timestamp --since 1h"
GitHub's TLS certificate is issued by a well-known public CA, so verifying it against the default CA store on the Kubernetes cluster nodes should not be a problem. In this environment, however, github.com is reached through an HTTP proxy server that itself requires TLS, so the certificate that the clone (performed through the gitrepositories.source.toolkit.fluxcd.io resource shown above) actually has to verify is the one presented by the proxy server, and it is that certificate's CA that is unknown.
The fix is to add the HTTP proxy server's CA certificate to the Kubernetes cluster as a secret that the workload's source can reference. Refer to the TAP documentation for more details.
1) Create a Secret in the developer namespace (e.g. tap-java) where the workload will be deployed. For example,
apiVersion: v1
kind: Secret
metadata:
  name: git-secret
  namespace: tap-java
  annotations:
    tekton.dev/git-0: https://github.com
type: kubernetes.io/basic-auth
stringData:
  username: YOUR-GIT-USERNAME
  password: YOUR-GIT-PASSWORD
  caFile: |
    -----BEGIN CERTIFICATE-----
    HTTP-PROXY-SERVER-CA
    -----END CERTIFICATE-----
2) Reference the secret (git-secret) created in the previous step from the workload manifest through the source_credentials_secret param. For example,
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: tanzu-java-web-app
  namespace: tap-java
  labels:
    apps.tanzu.vmware.com/workload-type: web
    app.kubernetes.io/part-of: tanzu-java-web-app
    apps.tanzu.vmware.com/has-tests: "true"
spec:
  params:
  - name: source_credentials_secret
    value: git-secret
  - name: annotations
    value:
      autoscaling.knative.dev/minScale: "1"
  source:
    git:
      url: https://github.com/myrepo/tanzu-java-web-app
      ref:
        branch: main
3) Deploy the workload with the tanzu CLI
$ tanzu apps workload create --file config/workload.yaml
4) Verify that the workload was created successfully
$ tanzu -n tap-java apps workload get tanzu-java-web-app
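The caFile value in step 1 is the part most often broken when the proxy CA is copied into the secret by hand (a truncated block, lost lines, or the wrong PEM block pasted in), and any of those reproduces the same clone error. The following Python script is an added example, not part of the original post or of TAP: it checks a PEM bundle for exactly those problems and renders the git-secret manifest from step 1 with the caFile block scalar correctly indented. It uses only the standard library; SAMPLE_PROXY_CA is a constructed placeholder, and the function names are hypothetical.

```python
import base64
import json
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

# Constructed placeholder standing in for the exported proxy CA: a minimal DER SEQUENCE
# wrapped as PEM. It is not a real certificate; use the proxy's actual CA in practice.
SAMPLE_PROXY_CA = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def der_is_complete(der: bytes) -> bool:
    """True when the outer ASN.1 SEQUENCE length matches the data (catches truncated PEM)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_ca_bundle(pem: str) -> list:
    """Return the problems found in caFile content; an empty list means it is usable."""
    blocks = PEM_BLOCK.findall(pem.replace("\r\n", "\n").strip())
    errors = [] if blocks else ["no PEM blocks found in caFile"]
    for label, body in blocks:
        if label != "CERTIFICATE":        # e.g. a PRIVATE KEY pasted by mistake
            errors.append(f"unexpected PEM block '{label}' in caFile")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            errors.append("certificate body is not valid base64")
            continue
        if not der_is_complete(der):
            errors.append("certificate DER is truncated or malformed")
    return errors

def render_git_secret(name, namespace, username, password, ca_pem,
                      git_host="https://github.com") -> str:
    """Render the kubernetes.io/basic-auth Secret from step 1 as YAML text."""
    errors = check_ca_bundle(ca_pem)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}",
             f"  namespace: {namespace}", "  annotations:",
             f"    tekton.dev/git-0: {git_host}", "type: kubernetes.io/basic-auth",
             "stringData:", f"  username: {json.dumps(username)}",
             f"  password: {json.dumps(password)}", "  caFile: |"]
    lines += ["    " + line for line in ca_pem.strip().splitlines()]  # indent under caFile
    return "\n".join(lines) + "\n"
```

Run check_ca_bundle on the real proxy CA file before creating the secret; a non-empty list explains why the clone would still fail.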