# harvester
b
I'm running Harvester 1.5.1 in an air-gapped environment and want to create a VirtualMachineImage on a 3rd-party CSI. The image is located on a local HTTPS source with a private CA certificate. The image importer fails with a TLS error (surprise!!!!):
```text
I1006 10:52:07.169314       1 importer.go:107] Starting importer
I1006 10:52:07.170726       1 importer.go:182] begin import process
E1006 10:52:07.210328       1 importer.go:347] Get "https://user1:***@host/vm-image/6.1/slemicro6.1.qcow2": tls: failed to verify certificate: x509: certificate signed by unknown authority
HTTP request errored
kubevirt.io/containerized-data-importer/pkg/importer.createHTTPReader
        /home/abuild/rpmbuild/BUILD/go/src/kubevirt.io/containerized-data-importer/pkg/importer/http-datasource.go:350
kubevirt.io/containerized-data-importer/pkg/importer.NewHTTPDataSource
        /home/abuild/rpmbuild/BUILD/go/src/kubevirt.io/containerized-data-importer/pkg/importer/http-datasource.go:102
main.newDataSource
        /home/abuild/rpmbuild/BUILD/go/src/kubevirt.io/containerized-data-importer/cmd/cdi-importer/importer.go:272
main.handleImport
        /home/abuild/rpmbuild/BUILD/go/src/kubevirt.io/containerized-data-importer/cmd/cdi-importer/importer.go:184
main.main
        /home/abuild/rpmbuild/BUILD/go/src/kubevirt.io/containerized-data-importer/cmd/cdi-importer/importer.go:148
runtime.main
        /usr/lib64/go/1.23/src/runtime/proc.go:272
runtime.goexit
        /usr/lib64/go/1.23/src/runtime/asm_amd64.s:1700
```
In the KubeVirt docs I found that there is an option `certConfigMap`... but it's only available in the VirtualMachine object, not in the VirtualMachineImage object. I also didn't find any option to bypass the certificate check. Do you have any idea how to get this working (besides, e.g., temporarily downloading from an insecure HTTP source)?
m
@salmon-city-57654 afaict, there isn't a way to change the cdi importer prime pod's spec atm, right?
it looks like the pod can take an `IMPORTER_CERT_DIR` env var, which can reference a TLS secret within the same namespace
b
Hm... my Go skills are really bad, but there seems to be an `insecuretls` option. But it looks like I cannot specify it in the VirtualMachineImage spec. If there's really no way, I can create a GitHub issue to make it an RFE...
m
yes, you are right - there is also an `INSECURE_TLS` env var
we are not able to change them (as in the importer pod's spec) directly atm
yes, a GH issue will be helpful - thanks
another bit of detail is that I was hoping we could use the existing `additional-ca` setting to upload the CA certs to the cluster, which automatically creates a TLS secret in the control plane
but the importer pod runs in the user's namespace, not the system namespace... so that plan won't work
b
`additional-ca` is Rancher-specific afaik, but maybe it can be used together with `certConfigMap`? In the end, I don't care about the details, it should "just work" ;-)
m
harvester has the same setting too
but yeah, you will still need a way to bring your CA certs into the cluster as k8s secrets
b
I created a GitHub issue
@millions-microphone-3535 While we're talking: I tried to create that image from the Rancher UI. But I could not select the storage backend. It was always set to "BackingImage", regardless of the fact that I chose a 3rd-party storage class. I cannot check whether or not this is already fixed in a newer Harvester version. Are you able to test that? I'd create another issue if it's still present in "latest"...