- Bug
- Resolution: Unresolved
- Major
- None
- 4.14
- Critical
- No
- Rejected
- False
Description of problem:
Install a cluster using the payload image built from https://github.com/openshift/cluster-image-registry-operator/pull/867 ; pulling an image from the internal registry then fails with an "x509: certificate signed by unknown authority" error.
Version-Release number of selected component (if applicable):
4.14.0-0.ci.test-2023-08-14-055902-ci-ln-qg56r8b-latest
How reproducible:
always
Steps to Reproduce:
1. Install a cluster using the payload image built from https://github.com/openshift/cluster-image-registry-operator/pull/867
2. Pull the image from internal registry
$oc run nginx --image=image-registry.openshift-image-registry.svc:5000/openshift/nginx:latest --overrides='{"spec":{"securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}}}' -- sleep 300
pod/nginx created
3.
Actual results:
Check the pod
$oc get pods
NAME    READY   STATUS             RESTARTS   AGE
nginx   0/1     ImagePullBackOff   0          4s
$oc get events
Events:
  Type     Reason          Age                From               Message
  ----     ------          ----               ----               -------
  Normal   Scheduled       20s                default-scheduler  Successfully assigned wxj/nginx to ip-10-0-39-199.us-east-2.compute.internal
  Normal   AddedInterface  18s                multus             Add eth0 [10.129.2.11/23] from openshift-sdn
  Normal   BackOff         16s (x2 over 17s)  kubelet            Back-off pulling image "image-registry.openshift-image-registry.svc:5000/openshift/nginx:latest"
  Warning  Failed          16s (x2 over 17s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling         5s (x2 over 18s)   kubelet            Pulling image "image-registry.openshift-image-registry.svc:5000/openshift/nginx:latest"
  Warning  Failed          5s (x2 over 18s)   kubelet            Failed to pull image "image-registry.openshift-image-registry.svc:5000/openshift/nginx:latest": rpc error: code = Unknown desc = pinging container registry image-registry.openshift-image-registry.svc:5000: Get "https://image-registry.openshift-image-registry.svc:5000/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
  Warning  Failed          5s (x2 over 18s)   kubelet            Error: ErrImagePull
Expected results:
Images can be pulled from the internal registry after node-ca is removed.
Additional info:
Check the /etc/docker/cert.d CAs on the nodes:
sh-5.1# ls
image-registry.openshift-image-registry.svc..5000
image-registry.openshift-image-registry.svc.cluster.local..5000
They are different from the master branch code:
sh-5.1# ls
image-registry.openshift-image-registry.svc..5000
image-registry.openshift-image-registry.svc.cluster.local:5000
image-registry.openshift-image-registry.svc.cluster.local..5000
image-registry.openshift-image-registry.svc:5000
It looks like
image-registry.openshift-image-registry.svc.cluster.local:5000
image-registry.openshift-image-registry.svc:5000
are the correct method for the internal registry.
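
A check for the condition described in this report, as an added example that is not part of the original report or the operator's code: it lists every `host..port` certificate directory that has no `host:port` counterpart, assuming (as the reporter concludes) that the `host:port` name is the one used for the internal registry. The function names and the sample directory trees are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report or the operator): find per-registry CA
# directories that exist only under the "host..port" name.

# missing_colon_dirs DIR
# Prints one "host:port" line for each "host..port" directory in DIR that has
# no matching "host:port" directory beside it.
missing_colon_dirs() {
    certs_root=$1
    for entry in "$certs_root"/*..*; do
        [ -d "$entry" ] || continue        # unmatched glob or not a directory
        name=${entry##*/}
        host=${name%..*}                   # text before the last ".."
        port=${name##*..}                  # text after the last ".."
        case $port in
            ''|*[!0-9]*) continue ;;       # suffix is not a port number
        esac
        [ -d "$certs_root/$host:$port" ] || printf '%s\n' "$host:$port"
    done
}

# make_sample NAME...
# Builds a throwaway directory tree with the given entry names (constructed
# input mirroring the two listings in the report) and prints its path.
make_sample() {
    root=$(mktemp -d)
    for d in "$@"; do
        mkdir -p "$root/$d"
    done
    printf '%s\n' "$root"
}
```

On a node, pass the certificate directory inspected in the report as the argument; empty output means every `..port` entry has its `:port` counterpart.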