- Bug
- Resolution: Done
- Major
- openshift-4.9.z
- Moderate
- Customer Facing
Description of the Issue:
1. Grafana and Kibana pods were missing after an upgrade; the issue was resolved using the KCS: https://access.redhat.com/solutions/6967523
2. Looking for the RCA: why does the `imagestream` not trust the registry, requiring the CA cert of the external image registry to be appended, when all other pulls from this registry for the various OpenShift images succeed?
3. We have checked the openshift-apiserver `image-import-ca` configmap.
4. The proxy/cluster is deployed at the node level and at some pod level, and the CA used for the image registry seems to be consumed at the pod level only.
Clarification given to the customer:
About the `image-import-ca` configmap: it is created and maintained by the openshift-apiserver operator, which assembles it from three sources:
- The internal configmap `image-registry-certificates`, which is created by the image registry operator.
- The user-provided trusted CA bundle for images, from `image.config.openshift.io/cluster`.
- The `trusted-ca-bundle` configmap, whose contents are managed by the cluster network operator (see the [docs](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html) for this one, in particular the NOTE distinguishing install-time and run-time trust bundles).
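As an added diagnostic (not from the ticket or from the operator's own code), the following script compares the certificates in the `user-ca-bundle` configmap against those actually present in the `image-import-ca` configmap by DER fingerprint, which is how a support engineer would confirm the gap the customer describes rather than eyeballing PEM text. It assumes `oc get cm <name> -n <namespace> -o json` output as input and that every data value of `image-import-ca` is a PEM bundle; the sample ConfigMaps, data keys and certificate bodies are constructed.

```python
import base64
import hashlib
import json
import re
from typing import Dict, List

# Matches each PEM certificate block in a bundle; re.S lets the body span lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(bundle: str) -> Dict[str, str]:
    """Map sha256-of-DER fingerprint -> PEM block for every cert in a PEM bundle."""
    found = {}
    for match in PEM_RE.finditer(bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        found[hashlib.sha256(der).hexdigest()] = match.group(0)
    return found


def missing_from_import_ca(user_ca_cm_json: str, image_import_ca_cm_json: str) -> List[str]:
    """Fingerprints of certs in user-ca-bundle (key ca-bundle.crt) that no data
    value of image-import-ca contains. Inputs are `oc get cm ... -o json` output;
    assumed layout: every data value of image-import-ca is a PEM bundle."""
    wanted = cert_fingerprints(json.loads(user_ca_cm_json)["data"].get("ca-bundle.crt", ""))
    present = set()
    for pem in json.loads(image_import_ca_cm_json).get("data", {}).values():
        present.update(cert_fingerprints(pem))
    return sorted(fp for fp in wanted if fp not in present)


def fake_pem(body: bytes) -> str:
    """Constructed stand-in for a certificate: the bytes are not real DER, but
    they exercise the same parsing and fingerprinting path as a real bundle."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample ConfigMaps: user-ca-bundle carries CAs "A" and "B"; image-import-ca
# carries "A" (under an assumed registry-host key) and an unrelated "C", so "B" is reported.
USER_CA_BUNDLE_CM = json.dumps({
    "metadata": {"name": "user-ca-bundle", "namespace": "openshift-config"},
    "data": {"ca-bundle.crt": fake_pem(b"constructed-cert-A") + fake_pem(b"constructed-cert-B")},
})
IMAGE_IMPORT_CA_CM = json.dumps({
    "metadata": {"name": "image-import-ca", "namespace": "openshift-apiserver"},
    "data": {"registry.example.com..5000": fake_pem(b"constructed-cert-A"),
             "other.example.com": fake_pem(b"constructed-cert-C")},
})

if __name__ == "__main__":
    for fp in missing_from_import_ca(USER_CA_BUNDLE_CM, IMAGE_IMPORT_CA_CM):
        print("in user-ca-bundle but absent from image-import-ca:", fp)
```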
Need help:
The customer expects the openshift-apiserver to use the same CA bundles as other components (e.g. the image registry) for consistency, so the customer's ask from Red Hat is to fix it by simply including the CA certificates from the `user-ca-bundle` configmap in the `openshift-config` namespace in the automatic generation of the trusted-ca-bundle for the openshift-apiserver.
We raised the customer's query in the Slack channel (#Forum-imageregistry): https://redhat-internal.slack.com/archives/C013VBYBJQH/p1672015421280469