Troubleshooting and Tips
This section provides solutions and examples for common issues encountered during the Quay workshop, such as TLS problems, insecure registries, and certificate handling across tools like podman, helm, or cosign.
TLS and Insecure Registry Configuration
When using self-signed certificates or non-trusted CAs, you might need to disable TLS verification or configure trust stores.
podman examples
podman login ${QUAY_HOSTNAME} --tls-verify=false
podman push --encryption-key jwe:public-key.pem ${QUAY_HOSTNAME}/demo/mysql-80:80 --tls-verify=false
helm examples
helm registry login ${QUAY_HOSTNAME} --insecure
helm push demo-chart-0.0.3.tgz oci://${QUAY_HOSTNAME}/demo/helm
helm env
If your system uses self-signed certificates, ensure the certificate is trusted by your OS or container tools.
- Debian-based systems:
sudo cp quay.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
- Fedora-based systems:
sudo cp quay.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
cosign and Registry Trust Issues
In some cases, cosign sign fails to use the --allow-insecure-registry flag.
Workaround:
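- Download the full certificate chain from your registry:
openssl s_client -showcerts -connect "${QUAY_HOSTNAME}:443" -servername "${QUAY_HOSTNAME}" </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > quay.crt
- Add it to your system trust as shown in the previous section.
Then retry: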
cosign sign --key cosign.key ${QUAY_HOSTNAME}/demo/app:latest
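A guard for the workaround above, as an added example that is not part of the workshop material: it keeps only the PEM certificate blocks from `openssl s_client -showcerts` output and rejects a quay.crt that holds no complete certificate block, such as a saved HTTP response body. The function names and the sample input are constructed for illustration, and the check is structural only; it does not validate the chain.

```shell
# Added example: function names and the sample data below are constructed.

# Keep only the PEM certificate blocks from stdin (e.g. `openssl s_client -showcerts` output).
extract_pem_chain() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Print the number of complete certificate blocks in file $1.
# Prints 0 when markers are missing or unbalanced, or a block holds non-base64 text.
count_pem_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----$/   { if (inblk) n++; else bad = 1; inblk = 0; next }
        inblk && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
        END { if (inblk || bad) print 0; else print n + 0 }
    ' "$1"
}

# Succeed only when file $1 holds at least one well-formed certificate block.
looks_like_cert_file() {
    [ "$(count_pem_certs "$1")" -ge 1 ]
}

# Constructed stand-in for s_client output; the base64 is filler, not a real certificate.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = quay.example.test
   i:CN = Example Workshop CA
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWRTYW1wbGVMZWFm
-----END CERTIFICATE-----
 1 s:CN = Example Workshop CA
   i:CN = Example Workshop CA
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWRTYW1wbGVSb290
-----END CERTIFICATE-----
EOF
}

# Demo: filter the sample, then check the result before it goes near a trust store.
demo_file=$(mktemp)
sample_s_client_output | extract_pem_chain > "$demo_file"
looks_like_cert_file "$demo_file" && echo "certificate blocks: $(count_pem_certs "$demo_file")"
rm -f "$demo_file"
```

In real use, run `looks_like_cert_file quay.crt` before copying the file into the trust directory.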
GPG Key Cleanup
If you created temporary GPG keys for image signing, remove them after finishing the workshop.
gpg --delete-secret-and-public-key "[email protected]"