Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: 4.16.0
Affects Version/s: 4.14.z, 4.15.z, 4.16.0
Component/s: oc
Labels:

Severity:
Important
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.16.0
Target Backport Versions:

4.14.z, 4.15.z

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

When using the oc cli to query information about release images it is not possible to use the --certificate-authority option to specify an alternative CA bundle for verifying connections to the target registry.

Version-Release number of selected component (if applicable): 4.14.5

How reproducible: 100%

Steps to Reproduce:

    1. oc adm release info --registry-config ./auth.json --certificate-authority ./tls-ca-bundle.pem quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64

Actual results:

error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

Expected results:

Something beginning with:

Name:           4.14.9
Digest:         sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44
Created:        2024-01-12T06:48:42Z
OS/Arch:        linux/amd64
Manifests:      680
Metadata files: 1

Pull From: quay.io/openshift-release-dev/ocp-release@sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44

Release Metadata:

Additional info:

To fully verify that this was an issue I went through the following steps which should show that the oc command is not using the CA bundle in the provided file and that the command would have worked if oc was using the provided bundle

// show the command works with the system CA bundle

# oc adm release info --registry-config ./auth.json quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
Name:           4.14.9
Digest:         sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44
Created:        2024-01-12T06:48:42Z
OS/Arch:        linux/amd64
Manifests:      680
Metadata files: 1

Pull From: quay.io/openshift-release-dev/ocp-release@sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44

Release Metadata:

// move the system CA bundle to the local directory

# mv /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem .

// show the same command now fails without that bundle file

# oc adm release info --registry-config ./auth.json quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

// show using that same bundle file with --certificate-authority doesn't work

# oc adm release info --registry-config ./auth.json --certificate-authority ./tls-ca-bundle.pem quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority


Additionally this also seems to be a problem for at least the following commands as well:
oc image info
oc adm release extract

Attachments

Issue Links

blocks

OCPBUGS-27238 Ironic agent inspection fails

links to

openshift/oc#1693: OCPBUGS-29623: Introduce certificate-authority flag for image related commands

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

Activity

People

Assignee:: Arda Guclu

Reporter:: Nick Carboni

QA Contact:: ying zhou

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2024/02/16 4:42 PM

Updated:: 2024/03/12 8:10 PM