Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-13622

Automatic generation of trusted-ca-bundle for openshift-apiserver


    • No
    • Rejected
    • False
    • Hide




      Description of the Issue: 

      1. Grafana and Kibana pods missing after an upgrade and the issue got resolved using the 
         KCS : https://access.redhat.com/solutions/6967523 

      2. Looking for the RCA to know why the `imagestream` doesn't trust the registry and appending the CA cert. of the external image registry. Why all other pulls from this registry for the various openshift images succeed.

      3. We have checked the  openshift-apiserver image-import-ca configmap. 

      4. The proxy/cluster is deployed at the nodes and some POD level, where the CA used for the image-registry seems consumed at the POD level only.

      Clarification given to customer : 

      About the `image-import-ca configmap`: It's created and maintained by the openshift apiserver operator. 

      The operator bases it from these places:

      • The internal configmap `image-registry-certificates` which is created by the image registry operator.
      • The user provided trusted CA bundle for images from the image.config.openshift.io/cluster
      • The trusted-ca-bundle. the cluster network operator manages the contents of this configmap (see the [docs](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html) for info on this one, in particular the NOTE distinguishing install time and run time trust bundles)

      Need help : 

      Customer expectation is that the openshift-apiserver should use the same CA bundles as other components (e.g. image-registry) for consistency,
      so customer ask from Red Hat is to fix it by simply including CA certificates from the user-ca-bundle configmap in openshift-config namespace in the automatic generation of trusted-ca-bundle for openshift-apiserver

      We asked the customer query in slack channel (#Forum-imageregistry) : https://redhat-internal.slack.com/archives/C013VBYBJQH/p1672015421280469

            Unassigned Unassigned
            nikijain@redhat.com Nikita Jain
            Rahul Gangwar Rahul Gangwar
            Vincent Lours, Vivek Yoganand A
            0 Vote for this issue
            3 Start watching this issue