OpenShift API Server
API-1548

Automatic generation of trusted-ca-bundle for openshift-apiserver

    • Moderate
    • Customer Facing

      Description of the Issue:

      1. Grafana and Kibana pods were missing after an upgrade; the issue was resolved using the
         KCS: https://access.redhat.com/solutions/6967523

      2. Looking for the RCA: why does the `imagestream` import not trust the registry unless the CA certificate of the external image registry is appended, when all other pulls from this registry for the various OpenShift images succeed?

      3. We have checked the openshift-apiserver image-import-ca configmap.

      4. The proxy/cluster configuration is applied at the node level and, for some workloads, at the pod level; the CA used for the image registry appears to be consumed at the pod level only.

      Clarification given to customer:

      About the `image-import-ca` configmap: it is created and maintained by the openshift-apiserver operator.

      The operator builds it from these sources:

      • The internal configmap `image-registry-certificates`, which is created by the image registry operator.
      • The user-provided trusted CA bundle for images from `image.config.openshift.io/cluster`.
      • The `trusted-ca-bundle` configmap, whose contents are managed by the cluster network operator (see the [docs](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html), in particular the NOTE distinguishing install-time and run-time trust bundles).

      Need help:

      The customer expects openshift-apiserver to use the same CA bundles as other components (e.g. the image registry) for consistency.
      The customer's ask of Red Hat is therefore to fix this by including the CA certificates from the `user-ca-bundle` configmap in the `openshift-config` namespace in the automatic generation of the trusted-ca-bundle for openshift-apiserver.
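      One way to confirm the mismatch the customer describes is to diff the two bundles by certificate fingerprint rather than by eye. The script below is an added example, not part of this issue or of any OpenShift operator code: it assumes you have already saved the PEM contents of `user-ca-bundle` (namespace `openshift-config`) and of the openshift-apiserver `image-import-ca` configmap to two files (for example with `oc get configmap ... -o jsonpath` on the relevant data key; the key names are not given here and must be checked on the cluster), and it reports which CAs in the first bundle are absent from the second. The sample bundles embedded in it are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Matches each certificate in a PEM bundle and captures its base64 body.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def certificates(pem_bundle: str) -> dict:
    """Map SHA-256 fingerprint -> PEM block for every certificate in a bundle.

    Whitespace inside the base64 body is ignored, so the same certificate is
    recognised even when the two bundles wrap lines differently. Duplicate
    entries collapse to a single fingerprint.
    """
    found = {}
    for match in PEM_CERT_RE.finditer(pem_bundle):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)
        found[fingerprint(der)] = match.group(0)
    return found


def missing_from(expected_bundle: str, actual_bundle: str) -> list:
    """Fingerprints of certificates present in expected_bundle but not in actual_bundle."""
    expected = certificates(expected_bundle)
    actual = certificates(actual_bundle)
    return sorted(fp for fp in expected if fp not in actual)


def pem_block(der: bytes) -> str:
    """Wrap raw bytes as a PEM CERTIFICATE block (used only to build the samples)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: the payloads are arbitrary bytes, not real
# certificates. A real run reads the two files extracted from the cluster.
USER_CA_BUNDLE = pem_block(b"constructed proxy CA") + pem_block(b"constructed registry CA")
IMAGE_IMPORT_CA = pem_block(b"constructed registry CA") + pem_block(b"constructed cluster CA")


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        with open(sys.argv[1]) as user_f, open(sys.argv[2]) as apiserver_f:
            expected, actual = user_f.read(), apiserver_f.read()
    else:
        expected, actual = USER_CA_BUNDLE, IMAGE_IMPORT_CA

    gap = missing_from(expected, actual)
    print(f"{len(gap)} certificate(s) from the user bundle are missing from image-import-ca")
    for fp in gap:
        print("  sha256:" + fp)
```

      Run as `python3 ca_gap.py user-ca-bundle.pem image-import-ca.pem`; with no arguments it runs against the constructed samples, where exactly one CA (the "proxy" one) is reported missing. Comparing by DER fingerprint avoids false differences from line wrapping or duplicated entries, and a non-empty result is the concrete evidence to attach to the RCA that the registry CA the customer added is not reaching the apiserver's import trust store.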

      We raised the customer's query in the Slack channel (#Forum-imageregistry): https://redhat-internal.slack.com/archives/C013VBYBJQH/p1672015421280469

      mfojtik@redhat.com Michal Fojtik (Inactive)
      nikijain@redhat.com Nikita Jain
      Vincent Lours, Vivek Yoganand A