AMQ Streams / ENTMQST-5672

amq-streams/strimzi-rhel8-operator signature verification error


    • Type: Bug
    • Resolution: Done

      On an OpenShift 4.12.46 cluster with container image signature validation enabled, the following error occurs when attempting to pull container images from the `registry.redhat.io/amq-streams/` repository:

      13s         Warning   Failed              pod/strimzi-rhel8-operator-7fb4599449-qf6fk    Failed to pull image "registry.redhat.io/amq-streams/strimzi-rhel8-operator@sha256:fda39fc02a6677a9e3ca870a77e0665d06301f9b34200a6d04bd5837a0bcf9ea": rpc error: code = Unknown desc = Source image rejected: None of the signatures were accepted, reasons: Signature for identity registry.access.redhat.com/amq-streams/strimzi-rhel8-operator:2.5.1-3 is not accepted; Signature for identity registry.access.redhat.com/amq-streams/strimzi-rhel8-operator:2.5.1-3 is not accepted

      This occurs on clusters where the image is pulled directly from registry.redhat.io, as well as clusters that have the image deployed via OLM.

      Quickest steps to replicate the issue:

      1. Enable Signature Verification for a cluster as per documentation. For example, 4.12 docs: https://docs.openshift.com/container-platform/4.12/security/container_security/security-container-signature.html
         a. butane 51-worker-rh-registry-trust.bu -o 51-worker-rh-registry-trust.yaml
         b. oc apply -f 51-worker-rh-registry-trust.yaml
      2. oc new-project signature-tester && oc new-app registry.redhat.io/amq-streams/strimzi-rhel8-operator@sha256:464b04e622e0b3472e8a1e1ce8a2efd32cf27fc2056d3d589bfe6b5f9ac0bf4e -n signature-tester


      For reference, the signature validation `51-worker-rh-registry-trust.bu` butane config has the same contents as that of the provided documentation:


      variant: openshift
      version: 4.12.0
      metadata:
        name: 51-worker-rh-registry-trust
        labels:
          machineconfiguration.openshift.io/role: worker
      storage:
        files:
        - path: /etc/containers/policy.json
          mode: 0644
          overwrite: true
          contents:
            inline: |
              {
                "default": [
                  {
                    "type": "insecureAcceptAnything"
                  }
                ],
                "transports": {
                  "docker": {
                    "registry.access.redhat.com": [
                      {
                        "type": "signedBy",
                        "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                      }
                    ],
                    "registry.redhat.io": [
                      {
                        "type": "signedBy",
                        "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                      }
                    ]
                  },
                  "docker-daemon": {
                    "": [
                      {
                        "type": "insecureAcceptAnything"
                      }
                    ]
                  }
                }
              }


      The master nodes are configured in the same manner.
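To see why the policy above rejects this pull, here is an added example (not from the ticket, and not Red Hat's or containers/image's code) that models the signedIdentity matching rules documented in containers-policy.json(5) and runs them against the ticket's own policy.json scopes, the pulled reference and the signature identity from the error message. GPG verification is left out; only identity matching is modelled. The `remapped_policy()` variant is constructed here to show the documented `remapIdentity` rule type for signatures whose identity names a different registry than the one being pulled from; the ticket does not record what resolved the issue.

```python
"""Toy evaluator for the signedBy identity rules of containers-policy.json(5).

Added example, not code from the ticket, Red Hat or containers/image. It models
only the documented signedIdentity matching (no GPG verification), so the
rejection reported in the ticket can be reproduced offline.
"""
import json

# Values copied from the ticket's error message.
PULLED_REF = ("registry.redhat.io/amq-streams/strimzi-rhel8-operator"
              "@sha256:fda39fc02a6677a9e3ca870a77e0665d06301f9b34200a6d04bd5837a0bcf9ea")
SIGNED_IDENTITY = "registry.access.redhat.com/amq-streams/strimzi-rhel8-operator:2.5.1-3"

# The 'docker' transport scopes from the ticket's policy.json. No signedIdentity
# is given, so the default matchRepoDigestOrExact applies to each signedBy rule.
TICKET_POLICY = json.loads("""{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {"docker": {
    "registry.access.redhat.com": [{"type": "signedBy", "keyType": "GPGKeys",
        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
    "registry.redhat.io": [{"type": "signedBy", "keyType": "GPGKeys",
        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]
  }}
}""")


def parse_ref(ref):
    """Split an image reference into repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' after the last '/' is a tag; before it, it would be a registry port.
    head, _, last = ref.rpartition("/")
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    return {"repo": f"{head}/{last}" if head else last, "tag": tag, "digest": digest}


def identity_matches(rule, pulled_ref, signed_identity):
    """Apply the rule's signedIdentity; an absent one means matchRepoDigestOrExact."""
    ident = rule.get("signedIdentity", {"type": "matchRepoDigestOrExact"})
    kind = ident["type"]
    if kind == "matchExact":
        return pulled_ref == signed_identity
    if kind == "remapIdentity":
        # If the pulled reference starts with prefix (on a path boundary), swap it
        # for signedPrefix; either way, then compare as matchRepoDigestOrExact.
        prefix = ident["prefix"].rstrip("/")
        if pulled_ref == prefix or pulled_ref.startswith(prefix + "/"):
            pulled_ref = ident["signedPrefix"].rstrip("/") + pulled_ref[len(prefix):]
        return identity_matches({}, pulled_ref, signed_identity)
    pulled, signed = parse_ref(pulled_ref), parse_ref(signed_identity)
    if kind == "matchRepository":
        return pulled["repo"] == signed["repo"]
    if kind == "matchRepoDigestOrExact":
        # Exact match, or a pull by digest from the repository the signature names.
        if pulled_ref == signed_identity:
            return True
        return pulled["digest"] is not None and pulled["repo"] == signed["repo"]
    raise ValueError(f"unsupported signedIdentity type: {kind}")


def select_requirements(policy, pulled_ref):
    """Pick the most specific docker scope: full repo, then each namespace, then host."""
    scopes = policy.get("transports", {}).get("docker", {})
    parts = parse_ref(pulled_ref)["repo"].split("/")
    for n in range(len(parts), 0, -1):
        key = "/".join(parts[:n])
        if key in scopes:
            return scopes[key]
    return scopes.get("", policy.get("default", []))


def evaluate(policy, pulled_ref, signed_identity):
    """Return (accepted, reason); every requirement in the chosen scope must pass."""
    for req in select_requirements(policy, pulled_ref):
        if req["type"] == "reject":
            return False, "rejected by policy"
        if req["type"] == "signedBy" and not identity_matches(req, pulled_ref, signed_identity):
            return False, f"Signature for identity {signed_identity} is not accepted"
    return True, "accepted"


def remapped_policy():
    """Constructed variant (assumption, not the ticket's fix): the documented
    remapIdentity rule lets a signature naming registry.access.redhat.com cover
    a pull of the same repository from registry.redhat.io."""
    policy = json.loads(json.dumps(TICKET_POLICY))
    policy["transports"]["docker"]["registry.redhat.io"][0]["signedIdentity"] = {
        "type": "remapIdentity",
        "prefix": "registry.redhat.io",
        "signedPrefix": "registry.access.redhat.com",
    }
    return policy


if __name__ == "__main__":
    print(evaluate(TICKET_POLICY, PULLED_REF, SIGNED_IDENTITY))
    print(evaluate(remapped_policy(), PULLED_REF, SIGNED_IDENTITY))
```

Run as-is, the first call reproduces the ticket's reason string: with the default `matchRepoDigestOrExact`, a pull by digest only matches a signature whose identity names the same repository, and the repository includes the registry host, so an identity on `registry.access.redhat.com` never matches a pull from `registry.redhat.io`. The second call shows that the rejection is an identity-matching decision of the policy, not a bad signature: once the pulled prefix is remapped, the same identity is accepted.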


            Assignee: Unassigned
            Reporter: Douglas Edgar (rhn-support-dedgar)