Bug
Resolution: Done
On an OpenShift 4.12.46 cluster with container image signature validation enabled, the following error occurs when attempting to pull container images from the `registry.redhat.io/amq-streams/` repository:
13s Warning Failed pod/strimzi-rhel8-operator-7fb4599449-qf6fk Failed to pull image "registry.redhat.io/amq-streams/strimzi-rhel8-operator@sha256:fda39fc02a6677a9e3ca870a77e0665d06301f9b34200a6d04bd5837a0bcf9ea": rpc error: code = Unknown desc = Source image rejected: None of the signatures were accepted, reasons: Signature for identity registry.access.redhat.com/amq-streams/strimzi-rhel8-operator:2.5.1-3 is not accepted; Signature for identity registry.access.redhat.com/amq-streams/strimzi-rhel8-operator:2.5.1-3 is not accepted
This occurs on clusters where the image is pulled directly from registry.redhat.io, as well as clusters that have the image deployed via OLM.
Quickest steps to replicate the issue:
- Enable Signature Verification for a cluster as per the documentation, for example the 4.12 docs: https://docs.openshift.com/container-platform/4.12/security/container_security/security-container-signature.html
- butane 51-worker-rh-registry-trust.bu -o 51-worker-rh-registry-trust.yaml
- oc apply -f 51-worker-rh-registry-trust.yaml
- oc new-project signature-tester && oc new-app registry.redhat.io/amq-streams/strimzi-rhel8-operator@sha256:464b04e622e0b3472e8a1e1ce8a2efd32cf27fc2056d3d589bfe6b5f9ac0bf4e -n signature-tester
For reference, the signature validation `51-worker-rh-registry-trust.bu` butane config has the same contents as the one in the documentation:

    variant: openshift
    version: 4.12.0
    metadata:
      name: 51-worker-rh-registry-trust
      labels:
        machineconfiguration.openshift.io/role: worker
    storage:
      files:
      - path: /etc/containers/policy.json
        mode: 0644
        overwrite: true
        contents:
          inline: |
            {
              "default": [
                {
                  "type": "insecureAcceptAnything"
                }
              ],
              "transports": {
                "docker": {
                  "registry.access.redhat.com": [
                    {
                      "type": "signedBy",
                      "keyType": "GPGKeys",
                      "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                    }
                  ],
                  "registry.redhat.io": [
                    {
                      "type": "signedBy",
                      "keyType": "GPGKeys",
                      "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                    }
                  ]
                },
                "docker-daemon": {
                  "": [
                    {
                      "type": "insecureAcceptAnything"
                    }
                  ]
                }
              }
            }
The master nodes are configured in the same manner.
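The error above says the signature's identity (registry.access.redhat.com/...:2.5.1-3) is not accepted for an image pulled from registry.redhat.io. A `signedBy` requirement in policy.json defaults to the `matchRepoDigestOrExact` signed-identity rule, which requires the signature's repository to equal the pulled repository, so a signature naming a different registry host is rejected even though the key is trusted. The following added example (not code from containers/image, OpenShift, or this bug's resolution) models the `matchRepoDigestOrExact`, `matchRepository` and `remapIdentity` rules documented in containers-policy.json(5) and runs the pull reference and signed identity from the event above through them; the matching is simplified (no port or name normalisation) and the remap prefixes are assumed values.

```python
# Added illustration (not code from containers/image, OpenShift, or this bug's
# fix): models the signedIdentity rules of containers-policy.json(5) to show why
# the pull above is rejected. Simplified: no port or name normalisation handling.

def parse(ref):
    """Split [registry/]repo[:tag][@digest]; a ':' after the last '/' is a tag."""
    repo, _, digest = ref.partition("@")
    tag = None
    colon = repo.rfind(":")
    if colon > repo.rfind("/"):
        repo, tag = repo[:colon], repo[colon + 1:]
    return repo, tag, digest or None


def accepted(pulled, signed, rule=None):
    """True if the signed identity satisfies the rule for the pulled reference.
    rule=None means the default for a 'signedBy' requirement: matchRepoDigestOrExact."""
    rule = rule or {"type": "matchRepoDigestOrExact"}
    kind = rule["type"]
    if kind == "remapIdentity":
        # Rewrite a matching prefix of the pulled reference (whole path components
        # only), then compare as matchRepoDigestOrExact.
        prefix = rule["prefix"]
        if pulled != prefix and not pulled.startswith(prefix + "/"):
            return False
        pulled, kind = rule["signedPrefix"] + pulled[len(prefix):], "matchRepoDigestOrExact"
    p_repo, p_tag, p_digest = parse(pulled)
    s_repo, s_tag, _ = parse(signed)
    if kind == "matchRepository":
        return p_repo == s_repo
    if kind == "matchRepoDigestOrExact":
        if p_digest:  # pulled by digest: only the repository has to match
            return p_repo == s_repo
        return (p_repo, p_tag) == (s_repo, s_tag)  # pulled by tag: exact match
    raise ValueError(f"unsupported signedIdentity type: {kind}")


# The pull reference and signed identity quoted in the event above.
PULLED = ("registry.redhat.io/amq-streams/strimzi-rhel8-operator"
          "@sha256:fda39fc02a6677a9e3ca870a77e0665d06301f9b34200a6d04bd5837a0bcf9ea")
SIGNED = "registry.access.redhat.com/amq-streams/strimzi-rhel8-operator:2.5.1-3"


def evaluate():
    """Page's pull under the default rule, matchRepository, and a remapIdentity."""
    remap = {"type": "remapIdentity", "prefix": "registry.redhat.io",
             "signedPrefix": "registry.access.redhat.com"}
    return {"default": accepted(PULLED, SIGNED),
            "matchRepository": accepted(PULLED, SIGNED, {"type": "matchRepository"}),
            "remapIdentity": accepted(PULLED, SIGNED, remap)}
```

Calling `evaluate()` returns False for the default rule and for matchRepository (the registry hosts differ) and True only once the pulled identity is remapped onto the host named in the signature.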
Relates to:
- OCPBUGS-25865 community-operators container image fails signature verification (Closed)