cloudfoundry-community/worlds-simplest-service-broker

missing index on chartmuseum

Opened this issue · 7 comments

Hello,
I'm trying to proxy the world's simplest broker Helm chart from https://helm.starkandwayne.com/ with JCR (JFrog Container Registry).
It seems the chartmuseum is missing an index for hosted Helm charts.

drnic commented

Sure. I'm getting a 404 from the JCR portal when testing the Helm remote.


Here is the log I get from our corporate internet proxy (seems OK, 200):

1578494002.946    635 192.168.116.205 TCP_TUNNEL/200 3635 CONNECT helm.starkandwayne.com:443 - HIER_DIRECT/104.27.162.93 -

And the log from JCR:

2020-01-03 16:08:17,571 [art-exec-2] [INFO ] (o.a.r.HttpRepo      :470) - harbor downloading https://helm.goharbor.io/index.yaml Unknown content length
2020-01-03 16:08:17,576 [art-exec-2] [INFO ] (o.a.r.HttpRepo      :483) - harbor downloaded  https://helm.goharbor.io/index.yaml 10.24 KB at 2,847.02 KB/sec
2020-01-03 16:08:17,918 [art-exec-2] [INFO ] (o.a.r.HttpRepo      :470) - helm-remote downloading https://storage.googleapis.com/kubernetes-charts/index.yaml 7.10 MB
2020-01-03 16:08:18,403 [art-exec-2] [INFO ] (o.a.r.HttpRepo      :483) - helm-remote downloaded  https://storage.googleapis.com/kubernetes-charts/index.yaml 7.10 MB at 15,123.66 KB/sec
2020-01-03 16:08:20,558 [art-exec-2] [ERROR] (o.a.a.h.r.m.HelmVirtualMerger:213) - Couldn't read index file in remote repository starkandwayne : null

drnic commented

Can you also confirm you can manually fetch the index.yaml? I don't know how to help debug this network/chartmuseum/fate of devops gods bug :/

$ curl https://helm.starkandwayne.com/index.yaml
apiVersion: v1
entries:
  cf-marketplace-servicebroker:
  - apiVersion: v1
    created: "2019-09-27T10:40:00Z"
...

Yes, curl is OK for index.yaml ...
Despite pushing the JCR log level, I can't get any more details ...
By the way, which version of chartmuseum do you use?

Hello,
It seems the HTTPS URL is now broken?

$ curl -vvv  https://helm.starkandwayne.com/index.yaml
*   Trying 192.168.116.80...
* TCP_NODELAY set
* Connected to system-internet-http-proxy.internal.paas (192.168.116.80) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to helm.starkandwayne.com:443
> CONNECT helm.starkandwayne.com:443 HTTP/1.1
> Host: helm.starkandwayne.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.run.pivotal.io
*  start date: Nov 18 00:00:00 2020 GMT
*  expire date: Dec 17 23:59:59 2021 GMT
*  subjectAltName does not match helm.starkandwayne.com
* SSL: no alternative certificate subject name matches target host name 'helm.starkandwayne.com'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'helm.starkandwayne.com'

drnic commented

I'll investigate how we might have broken SSL on this URL. We did migrate the app off PWS recently, so I'll assume it was broken during that.
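
The name check behind the `curl: (51)` failure in the trace above, as an added example that is not part of the original thread or the project's code. The SAN list is constructed from the subject shown in the trace (the page does not show the certificate's actual SAN entries), and the function names are hypothetical.

```python
from __future__ import annotations

# Added example: RFC 6125-style matching of a hostname against a
# certificate's dNSName subjectAltName entries. Simplified: no fallback to
# the subject CN and no IP-address SANs.

def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; ignore one trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(hostname: str, pattern: str) -> bool:
    """True if one dNSName pattern covers hostname.

    A wildcard is honoured only as the entire leftmost label and stands for
    exactly one label, so it never spans dots or matches the parent domain.
    """
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # Require at least two fixed labels so "*.com" is never accepted.
        return len(pat) >= 3 and host[1:] == pat[1:]
    # Partial wildcards such as "f*.example.com" are rejected outright.
    return "*" not in pattern and host == pat

def verify_hostname(hostname: str, san_dns_names: list[str]) -> tuple[bool, str]:
    """Return (ok, reason) for a hostname against the presented SAN list."""
    if not san_dns_names:
        return False, "certificate has no dNSName entries"
    for pattern in san_dns_names:
        if san_matches(hostname, pattern):
            return True, f"{hostname} is covered by {pattern}"
    return False, f"{hostname} is not covered by any of {san_dns_names}"

# Constructed SAN list, modelled on "subject: CN=*.run.pivotal.io" in the trace.
PRESENTED_SANS = ["*.run.pivotal.io"]

if __name__ == "__main__":
    for host in ("helm.starkandwayne.com", "app.run.pivotal.io",
                 "a.b.run.pivotal.io", "run.pivotal.io"):
        ok, reason = verify_hostname(host, PRESENTED_SANS)
        print("OK  " if ok else "FAIL", reason)
```

The failing case is resolved on the server side: the endpoint has to present a certificate whose SAN list includes `helm.starkandwayne.com`.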