Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-29623

Some oc cli commands don't respect --certificate-authority

XMLWordPrintable

      Description of problem:

      When using the oc cli to query information about release images it is not possible to use the --certificate-authority option to specify an alternative CA bundle for verifying connections to the target registry.

      Version-Release number of selected component (if applicable): 4.14.5

      How reproducible: 100%

      Steps to Reproduce:

          1. oc adm release info --registry-config ./auth.json --certificate-authority ./tls-ca-bundle.pem quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64

      Actual results:

      error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

      Expected results:

      Something beginning with:

Name:           4.14.9
Digest:         sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44
Created:        2024-01-12T06:48:42Z
OS/Arch:        linux/amd64
Manifests:      680
Metadata files: 1

Pull From: quay.io/openshift-release-dev/ocp-release@sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44

Release Metadata:

      Additional info:

      To fully verify that this was an issue I went through the following steps which should show that the oc command is not using the CA bundle in the provided file and that the command would have worked if oc was using the provided bundle

// show the command works with the system CA bundle

# oc adm release info --registry-config ./auth.json quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
Name:           4.14.9
Digest:         sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44
Created:        2024-01-12T06:48:42Z
OS/Arch:        linux/amd64
Manifests:      680
Metadata files: 1

Pull From: quay.io/openshift-release-dev/ocp-release@sha256:f5eaf0248779a0478cfd83f055d56dc7d755937800a68ad55f6047c503977c44

Release Metadata:

// move the system CA bundle to the local directory

# mv /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem .

// show the same command now fails without that bundle file

# oc adm release info --registry-config ./auth.json quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

// show using that same bundle file with --certificate-authority doesn't work

# oc adm release info --registry-config ./auth.json --certificate-authority ./tls-ca-bundle.pem quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64 | head
error: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-x86_64: Get "https://quay.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority


Additionally this also seems to be a problem for at least the following commands as well:
oc image info
oc adm release extract

              aguclu@redhat.com Arda Guclu
              ncarboni@redhat.com Nick Carboni
              ying zhou ying zhou
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: