Building a docker image using a Dockerfile then pushing it to registry with CA error (OD-2453)

dvhandsome123 opened 7 months ago

I have add the self-signed both on server and agent. Also used curl -v https://code.sjyc.com/v2/ with successed. But when I use the CICD push the image with 'tls: failed to verify certificate: x509: certificate signed by unknown authority' error. Anywhere wrong with my config?

version: 39
jobs:
- name: deploy
  jobExecutor: dev-executor
  steps:
  - !CheckoutStep
    name: clone
    cloneCredential: !DefaultCredential {}
    withLfs: false
    withSubmodules: false
    checkoutPath: src
    condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL
  - !BuildImageStep
    name: buidImage
    buildPath: src
    output: !RegistryOutput
      tags: '@server@/@project_path@/@project_name@:@script:builtin:get-build-number@'
    registryLogins:
    - registryUrl: '@server_url@'
      userName: '@job_token@'
      passwordSecret: token
    condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL
  retryCondition: never
  maxRetries: 3
  retryDelay: 30
  timeout: 14400

I aslo and the crt both in server and agent trust-certs

Activities

Robin Shen commented 7 months ago

The self-signed certificate trust doc does not cover docker interations. For this to work, please refer to this tutorial:

https://docs.onedev.io/tutorials/cicd/insecure-docker-registry
dvhandsome123 commented 7 months ago

I have add the insecure both in agent and server still no change.
Robin Shen commented 7 months ago

Have you configured the buildx builder to also trust the insecure registries?

If so, please build and push image manually from terminal using docker buildx with configured builder to see if it works.
dvhandsome123 commented 7 months ago
dvhandsome123 commented 7 months ago

Yes, when I use ip+port got http and https error, use domain with ca error
dvhandsome123 commented 7 months ago

Anything else that I haven't seen? Wish you help soon. Thanks
Robin Shen commented 7 months ago

Do you mean that pushing image from command line also fails? If so, I think it is not a OneDev issue then, you may need to check if insecure entries are added correctly for your buildx builder.

At least, the image pushing should be working from command line.
dvhandsome123 commented 7 months ago

It works from command line. But not for ci/cd.
Robin Shen commented 7 months ago

To narrow down the issue, please install a test OneDev instance in bare metal mode, and start it from same command line where you can push image successfully by running bin/server.sh console. Then point your frontend to this test instance, and add build/push a test image to see if it works.
dvhandsome123 commented 7 months ago

You mean that I need to install OneDev without docker mode and try again?
Robin Shen commented 7 months ago

Yes. This will help to narrow down the issue.
Robin Shen commented 7 months ago

Or you can use the Kaniko image build step and specify certificate to trust directly in the step settings. Downside of this step is that it can not build multi-arch images.
dvhandsome123 commented 7 months ago

I build OneDev in local and use server docker also get same error
dvhandsome123 commented 7 months ago

I work this in local by create builder manual. add the buildkit.toml and buildx create onedev with --config /etc/buildkit/buildkitd.toml
dvhandsome123 commented 7 months ago

I also work this in dind by create buildx manual. exec into onedev docker then create buildx with config and login registry.
dvhandsome123 commented 7 months ago

For dind or local by create buildx manual and update-ca-certificates can resolve this issue
dvhandsome123 changed state to 'Closed' 7 months ago
Previous Value Current Value
Open

Closed
Login to comment

Previous Value	Current Value
Open	Closed

Type	Question
Priority	Critical
Assignee	Robin Shen
Labels	No labels

Issue Votes (0)

Watchers (4)

Reference

OD-2453