Rancher 2.5.5 GIT-based chart repository config

According to the Rancher 2.5.5 documentation we see the “Apps & Marketplace” as the new approach for providing/deploying:

  • Helm v3-based container apps

Following the documentation to add a custom “Chart Repository” relying on Git using a certificate with a custom CA for authentication, TLS verification must be disabled by clicking “Edit YAML”.

The challenge: in Rancher 2.5.5 there is no “Edit YAML” entry in the context menu of a chart repository available, just the following menu items:
[Screenshot: rancher_chart_repo_config]

And “Edit Config” just shows the following options for a “Git Repository containing Helm chart definitions”:

  • Git Repo URL
  • Git Branch
  • Labels with Key/Value pairs
  • Annotations with Key/Value pairs

So, where to configure:

insecureSkipTLSVerify: true

to get rid of the “UNKNOWN” state for this custom Git-based chart repository?

Another option might be to store the public key of the private CA in Rancher’s local keystore to trust it and finally allow access.

Can the community help us?

Documentation and reality for Rancher 2.5.5 seem to differ.

IMHO the configuration needs to happen in a YAML file of kind “GitRepo” according to:
https://fleet.rancher.io/gitrepo-add/

Although the possibility via the Rancher WebUI is not offered, is there a workaround to disable the SSL verification for a Git chart repo directly on the Rancher host and its container? It would also be interesting to know where the keystore for Rancher is located.

Any hints?

Optionally, in which Rancher version is this issue fixed?

Starting with version 2.5.8 the option to edit the YAML is available. Ideally, take into account an update of the Rancher Management System to that version - better 2.6.3. This can be processed by updating the existing system or by setting up a new one and manually providing the configuration on the new system congruent to the old one. Regarding the update procedure follow the guidelines here:

In version 2.5.7, the usage of public Helm chart repositories that were not working on clusters behind a proxy has been fixed, too (#29961).

Beyond the WebUI, there is an option to inject the directive:

insecure-skip-tls-verify: true

via CLI into the corresponding chart repo of Rancher Management System running in namespace:

cattle-system

This can be done by launching a shell in the WebUI to interact with the Rancher Management system running on K8s as well. Do this on the following cluster where the Rancher Management cluster is running:

local

Just press “Launch kubectl” on the according cluster dashboard. Which commands you need to execute to adjust the chart repo config will follow next week.

Whether this step will finally help to let the chart repository work even in Rancher 2.5.5 needs to be checked. Probably, there is no other option than switching to a higher version - ideally 2.6.3. It’s the actual GA version.

A workaround in Rancher 2.5.5 might be to:

  • create a chart repository in the “Cluster Explorer” of the “local” cluster where the Rancher Management system is running

Therefore, follow these steps:

  1. Choose the “local” cluster in the “Cluster Manager” perspective
  2. Launch the “Cluster Explorer” for this cluster
  3. In the left menu click on “Chart Repositories”
  4. Create a new chart repository there via “Create” button
  5. After the creation you have the option “Edit YAML” that is missing in the Rancher imported K8s cluster, see the screenshot enclosed
  6. Inject “insecure-skip-tls-verify: true” and save
  7. In case the triggered download of Rancher via “git clone” still fails (can be verified by clicking on the chart repo name) due to authentication issues, please update the Rancher management environment to the recommended version that allows specifying authentication credentials.
  8. Check whether the newly created “chart repo” is visible in the imported cluster. Alternatively, remove the custom chart repo there, as the config on the imported K8s cluster apparently has priority over the one provided by the “local” cluster where the Rancher Management is running.

[Screenshot: rancher_chart_repo_config3]

Does the community know how to configure authentication secrets for a “Chart Repo” - either in the WebUI or via editing the YAML in Rancher 2.5.5? Background: “insecure-skip-tls-verify” only helps to skip the TLS verification for Git repo access via HTTPS, but it does not solve the missing authentication credentials.

Well, in Rancher 2.5.5 for the “local” cluster the authentication credentials can be referenced in the YAML by:

  1. creating a “secret” using “Basic Auth” in the “Secrets” entry of the “Cluster Explorer” and giving it a name (here: “chart-repo”). This name in combination with the namespace it was created in will then be used in the YAML of the chart repo.
  2. editing the YAML of the custom chart repo and adding the following:

       spec:
         clientSecret:
           name: chart-repo
           namespace: cattle-global-data

  3. Save the YAML config for the chart repo and Rancher will be able to download the repo content via “git clone”.

Hint: in Rancher 2.5.5 this approach does not work for imported clusters as the “Edit YAML” option is not available there due to a bug. Therefore, an update of the Rancher version is essential.

When using Rancher 2.6.3, authentication credentials can directly be configured when creating the repo. The above workaround is obsolete then. This can be confirmed when looking at a screenshot of a Rancher 2.6.3 cluster where:

  • multiple authentication options like “Create a HTTP Basic Auth Secret” can be chosen
  • in combination with username and password form fields

can be specified during the creation of a chart repository.
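
Added example (not part of any post in this thread): a combined manifest for the Basic Auth secret and the Git-based chart repo discussed above, showing the skip-verification setting next to the alternative of trusting only the private CA. The repo name, URL, branch and credential values are placeholders, and the availability of `caBundle` on the chart repo spec in the installed Rancher version is an assumption to confirm before use.

```yaml
# Constructed example; angle-bracket values are placeholders to replace.
apiVersion: v1
kind: Secret
metadata:
  name: chart-repo                  # secret name used in the thread
  namespace: cattle-global-data     # namespace used in the thread
type: kubernetes.io/basic-auth
stringData:
  username: <git-user>
  password: <git-token>
---
apiVersion: catalog.cattle.io/v1
kind: ClusterRepo
metadata:
  name: custom-charts               # hypothetical repo name
spec:
  gitRepo: https://git.example.internal/charts.git   # placeholder URL
  gitBranch: main                                     # placeholder branch
  clientSecret:
    name: chart-repo
    namespace: cattle-global-data
  # Setting from the original question. It disables certificate checks
  # for this repo, so the Basic Auth credentials above would be sent to
  # any host that answers for the URL.
  # insecureSkipTLSVerify: true
  #
  # Alternative (assumed to be supported by the installed version):
  # keep verification on and trust only the private CA. The value is
  # the CA certificate, DER-encoded and then base64-encoded, e.g.
  #   openssl x509 -outform der -in ca.pem | base64 -w0
  caBundle: <base64-DER-CA-cert>
```

Applied with `kubectl apply -f` from the “Launch kubectl” shell of the “local” cluster, the repo state can then be checked by clicking on the chart repo name, as described in the steps above.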