Clouddriver unable to download artifacts from private github instance due to SSL errors
Issue
An organization may have its own private Github instance for source code management instead of using public Github instance. They may choose to use custom SSL certificates for secure access of the private Github instance. If Spinnaker is configured to fetch artifacts from private Github instance, users may notice SSL errors in Clouddriver logs when trying to fetch artifacts similar to the one below
2021-07-26 10:02:02.326 INFO 1 --- [ MvcAsync3] c.n.s.c.a.gitRepo.GitJobExecutor : Cloning git/repo https://github.wdf.xxx.com/repo/reponame into /tmp/gitrepos/72fe7405e214a959ef3c55848d91da00d90f4f13e4eb1d1dae9361cdf0c93dd5
2021-07-26 10:02:02.355 WARN 1 --- [0.0-7002-exec-3] c.n.s.k.w.e.GenericExceptionHandlers : Handled error in generic exception handlerjava.io.IOException: git clone --branch master --depth 1 https://token:$GIT_TOKEN@github.wdf.xxx.com/repo/reponame failed. Error: Cloning into 'reponame'...
fatal: unable to access 'https://github.wdf.xxx.com/repo/reponame/': SSL certificate problem: unable to get local issuer certificate
Output:
at com.netflix.spinnaker.clouddriver.artifacts.gitRepo.GitJobExecutor.cloneBranchOrTag(GitJobExecutor.java:156) ~[clouddriver-artifacts-8.0.4-20210625060028.jar:8.0.4-20210625060028]
at com.netflix.spinnaker.clouddriver.artifacts.gitRepo.GitJobExecutor.clone(GitJobExecutor.java:138) ~[clouddriver-artifacts-8.0.4-20210625060028.jar:8.0.4-20210625060028]
at com.netflix.spinnaker.clouddriver.artifacts.gitRepo.GitJobExecutor.cloneOrPull(GitJobExecutor.java:98) ~[clouddriver-artifacts-8.0.4-20210625060028.jar:8.0.4-20210625060028]
at com.netflix.spinnaker.clouddriver.artifacts.gitRepo.GitRepoArtifactCredentials.getInputStream(GitRepoArtifactCredentials.java:126) ~[clouddriver-artifacts-8.0.4-20210625060028.jar:8.0.4-20210625060028]
at com.netflix.spinnaker.clouddriver.artifacts.gitRepo.GitRepoArtifactCredentials.getLockedInputStream(GitRepoArtifactCredentials.java:93) ~[clouddriver-artifacts-8.0.4-20210625060028.jar:8.0.4-20210625060028]
at com.netflix.spinnaker.clouddriver.artifacts.gitRepo.GitRepoArtifactCredentials.download(GitRepoArtifactCredentials.java:69) ~[clouddriver-artifacts-8.0.4-20210625060028.jar:8.0.4-20210625060028]
at com.netflix.spinnaker.clouddriver.artifacts.ArtifactDownloader.download(ArtifactDownloader.java:37) ~[clouddriver-artifacts-8.0.4-20210625060028.jar:8.0.4-20210625060028]
at com.netflix.spinnaker.clouddriver.controllers.ArtifactController.lambda$fetch$0(ArtifactController.java:67) ~[clouddriver-web-8.0.4-20210625060028.jar:8.0.4-20210625060028]
at org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBodyReturnValueHandler$StreamingResponseBodyTask.call(StreamingResponseBodyReturnValueHandler.java:111) ~[spring-webmvc-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBodyReturnValueHandler$StreamingResponseBodyTask.call(StreamingResponseBodyReturnValueHandler.java:98) ~[spring-webmvc-5.2.9.RELEASE.jar:5.2.9.RELEASE]
at org.springframework.web.context.request.async.WebAsyncManager.lambda$startCallableProcessing$4(WebAsyncManager.java:337) ~[spring-web-5.2.11.RELEASE.jar:5.2.11.RELEASE]
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[na:na]
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]2021-07-26 10:02:02.355 ERROR 1 --- [0.0-7002-exec-3] c.n.s.k.w.e.GenericExceptionHandlers : Internal Server Error
Cause
Although the certificate for private github instance may be imported into the java keystore
and later mounted to Clouddriver by following the steps from the knowledge article: https://support.armory.io/support?id=kb_article_view&sysparm_article=KB0010087, it would work only for http
calls that are made by Clouddriver.
However in this particular scenario, Clouddriver pulls the artifacts through git command instead of http and the error by itself is actually from the git command. This can be replicated by running the git commands from the Clouddriver pods.