Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-29623

Some oc cli commands don't respect --certificate-authority

XMLWordPrintable

    • Important
    • No
    • False
    • Hide

      None

      Show
      None
    • Release Note Not Required
    • In Progress

      Description of problem:

      When using the oc cli to query information about release images it is not possible to use the --certificate-authority option to specify an alternative CA bundle for verifying connections to the target registry.
      

      Version-Release number of selected component (if applicable): 4.14.5

      How reproducible: 100%

      Steps to Reproduce:

          1. oc adm release info --registry-config ./auth.json --certificate-authority ./tls-ca-bundle.pem quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64
      

      Actual results:

      error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
      

      Expected results:

      Something beginning with:
      
      Name:           4.14.9
      Digest:         sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44
      Created:        2024-01-12T06:48:42Z
      OS/Arch:        linux/amd64
      Manifests:      680
      Metadata files: 1
      
      Pull From: quay.io/openshift-release-dev/ocp-release@sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44
      
      Release Metadata:
      

      Additional info:

      To fully verify that this was an issue I went through the following steps which should show that the oc command is not using the CA bundle in the provided file and that the command would have worked if oc was using the provided bundle
      
      // show the command works with the system CA bundle
      
      # oc adm release info --registry-config ./auth.json quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
      Name:           4.14.9
      Digest:         sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44
      Created:        2024-01-12T06:48:42Z
      OS/Arch:        linux/amd64
      Manifests:      680
      Metadata files: 1
      
      Pull From: quay.io/openshift-release-dev/ocp-release@sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44
      
      Release Metadata:
      
      // move the system CA bundle to the local directory
      
      # mv /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem .
      
      // show the same command now fails without that bundle file
      
      # oc adm release info --registry-config ./auth.json quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
      error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
      
      // show using that same bundle file with --certificate-authority doesn't work
      
      # oc adm release info --registry-config ./auth.json --certificate-authority ./tls-ca-bundle.pem quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
      error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
      
      
      Additionally this also seems to be a problem for at least the following commands as well:
      oc image info
      oc adm release extract

            aguclu@redhat.com Arda Guclu
            ncarboni@redhat.com Nick Carboni
            ying zhou ying zhou
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: