OpenShift Bugs / OCPBUGS-17683

The CA format of the MCO-managed internal registry is not correct


    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 4.14
    • Image Registry
    • Critical
    • No
    • Rejected
    • False

      Description of problem:

      After installing a cluster using the payload image built from https://github.com/openshift/cluster-image-registry-operator/pull/867 , pulling an image from the internal registry fails with an
      "x509: certificate signed by unknown authority" error.

      Version-Release number of selected component (if applicable):

      4.14.0-0.ci.test-2023-08-14-055902-ci-ln-qg56r8b-latest

      How reproducible:

      always

      Steps to Reproduce:

      1. Install a cluster using the payload image built from https://github.com/openshift/cluster-image-registry-operator/pull/867
      2. Pull an image from the internal registry
      $ oc run nginx --image=image-registry.openshift-image-registry.svc:5000/openshift/nginx:latest --overrides='{"spec":{"securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}}}' -- sleep 300
      pod/nginx created
      
      

      Actual results:

      Check the pod
      $ oc get pods
      NAME             READY   STATUS             RESTARTS   AGE
      nginx            0/1     ImagePullBackOff   0          4s
      
      $ oc get events
      Events:
        Type     Reason          Age                From               Message
        ----     ------          ----               ----               -------
        Normal   Scheduled       20s                default-scheduler  Successfully assigned wxj/nginx to ip-10-0-39-199.us-east-2.compute.internal
        Normal   AddedInterface  18s                multus             Add eth0 [10.129.2.11/23] from openshift-sdn
        Normal   BackOff         16s (x2 over 17s)  kubelet            Back-off pulling image "image-registry.openshift-image-registry.svc:5000/openshift/nginx:latest"
        Warning  Failed          16s (x2 over 17s)  kubelet            Error: ImagePullBackOff
        Normal   Pulling         5s (x2 over 18s)   kubelet            Pulling image "image-registry.openshift-image-registry.svc:5000/openshift/nginx:latest"
        Warning  Failed          5s (x2 over 18s)   kubelet            Failed to pull image "image-registry.openshift-image-registry.svc:5000/openshift/nginx:latest": rpc error: code = Unknown desc = pinging container registry image-registry.openshift-image-registry.svc:5000: Get "https://image-registry.openshift-image-registry.svc:5000/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
        Warning  Failed          5s (x2 over 18s)   kubelet            Error: ErrImagePull

      Expected results:

      Images can be pulled from the internal registry after node-ca is removed.

      Additional info:

      Check the CA directories under /etc/docker/cert.d on the nodes:

      sh-5.1# ls
      image-registry.openshift-image-registry.svc..5000  image-registry.openshift-image-registry.svc.cluster.local..5000

      They are different from the master branch code:

      sh-5.1# ls
      image-registry.openshift-image-registry.svc..5000		 image-registry.openshift-image-registry.svc.cluster.local:5000
      image-registry.openshift-image-registry.svc.cluster.local..5000  image-registry.openshift-image-registry.svc:5000 

      It looks like

      image-registry.openshift-image-registry.svc.cluster.local:5000	image-registry.openshift-image-registry.svc:5000

      are the correct format for the internal registry.

            fmissi Flavian Missi
            xiuwang xiujuan wang
            xiujuan wang xiujuan wang
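A check for the symptom in the two listings above, as an added example that is not part of the original report or of the operator's code: it lists every `host..port` directory in a registry CA directory that has no `host:port` counterpart, the form the report identifies as correct. The function name and the sample directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original report): audit a registry CA directory
# for "host..port" entries that have no "host:port" counterpart.

# find_unmapped_registry_dirs DIR
# Prints the missing "host:port" name for each "host..port" directory in DIR.
# Exit status is 1 if anything is missing, 0 otherwise. The body runs in a
# subshell so its variables do not leak into the caller.
find_unmapped_registry_dirs() (
    dir=$1
    missing=0
    for entry in "$dir"/*; do
        [ -d "$entry" ] || continue
        name=${entry##*/}
        port=${name##*..}   # text after the last ".."
        host=${name%..*}    # text before the last ".."
        # Skip names without "..", and names whose suffix is not a port number.
        [ "$host" != "$name" ] || continue
        case $port in ''|*[!0-9]*) continue ;; esac
        if [ ! -d "$dir/$host:$port" ]; then
            printf '%s:%s\n' "$host" "$port"
            missing=1
        fi
    done
    exit "$missing"
)

# Constructed sample mirroring the first listing in the report.
demo_constructed_sample() {
    sample=$(mktemp -d) || return 1
    mkdir "$sample/image-registry.openshift-image-registry.svc..5000" \
          "$sample/image-registry.openshift-image-registry.svc.cluster.local..5000"
    echo "missing colon-form directories:"
    find_unmapped_registry_dirs "$sample"
    rm -rf "$sample"
}
demo_constructed_sample
```

On a node, pass the CA directory as the only argument; a non-zero exit status means at least one registry has only the `..` form.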