Bug
Resolution: Unresolved
Major
None
4.16
Description of problem:
AdditionalTrustedCA is not wired correctly, so the configmap is not found by its operator. This feature is meant to be exposed by XCMSTRAT-590, but at the moment it seems to be broken.
Version-Release number of selected component (if applicable):
4.16.5
How reproducible:
Always
Steps to Reproduce:
1. Create a configmap containing a registry and PEM cert, like https://github.com/openshift/openshift-docs/blob/ef75d891786604e78dcc3bcb98ac6f1b3a75dad1/modules/images-configuration-cas.adoc#L17
2. Refer to it in .spec.configuration.image.additionalTrustedCA.name
3. image-registry-config-operator is not able to find the cm and the CO is degraded
Actual results:
CO is degraded
Expected results:
certs are used.
Additional info:
I think we may miss a copy of the configmap from the cluster NS to the target NS. It should also be deleted if it is deleted.

% oc get hc -n ocm-adecorte-2d525fsstsvtbv1h8qss14pkv171qhdd -o jsonpath="{.items[0].spec.configuration.image.additionalTrustedCA}" | jq
{
  "name": "registry-additional-ca-q9f6x5i4"
}

% oc get cm -n ocm-adecorte-2d525fsstsvtbv1h8qss14pkv171qhdd registry-additional-ca-q9f6x5i4
NAME                              DATA   AGE
registry-additional-ca-q9f6x5i4   1      16m

Logs of cluster-image-registry operator:
E0814 13:22:32.586416 1 imageregistrycertificates.go:141] ImageRegistryCertificatesController: unable to sync: failed to update object *v1.ConfigMap, Namespace=openshift-image-registry, Name=image-registry-certificates: image-registry-certificates: configmap "registry-additional-ca-q9f6x5i4" not found, requeuing
CO is degraded
% oc get co
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
console 4.16.5 True False False 3h58m
csi-snapshot-controller 4.16.5 True False False 4h11m
dns 4.16.5 True False False 3h58m
image-registry 4.16.5 True False True 3h58m ImageRegistryCertificatesControllerDegraded: failed to update object *v1.ConfigMap, Namespace=openshift-image-registry, Name=image-registry-certificates: image-registry-certificates: configmap "registry-additional-ca-q9f6x5i4" not found
ingress 4.16.5 True False False 3h59m
insights 4.16.5 True False False 4h
kube-apiserver 4.16.5 True False False 4h11m
kube-controller-manager 4.16.5 True False False 4h11m
kube-scheduler 4.16.5 True False False 4h11m
kube-storage-version-migrator 4.16.5 True False False 166m
monitoring 4.16.5 True False False 3h55m
- blocks: OCPBUGS-39225 [4.17] AdditionalTrustedCA in ImageConfig is not wired correctly (Closed)
- is cloned by: OCPBUGS-39225 [4.17] AdditionalTrustedCA in ImageConfig is not wired correctly (Closed)
- links to: RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update
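The copy-and-delete behaviour suggested under "Additional info", modelled as an added example (this is not the operator's or the project's code, and not the fix that shipped). The in-memory Store, the Reconciler type and the namespace and configmap names are hypothetical stand-ins for the API server and the real objects:

```go
package main

import "fmt"

// Key identifies a ConfigMap; Store is an in-memory stand-in for the API server.
type Key struct{ Namespace, Name string }
type Store map[Key]map[string]string

// Reconciler mirrors the referenced ConfigMap from SourceNS into TargetNS.
type Reconciler struct {
	SourceNS, TargetNS string
	managed            map[string]bool // copies this reconciler created
}

// Sync takes ref, the value of additionalTrustedCA.name ("" when unset), and reports what it did.
func (r *Reconciler) Sync(s Store, ref string) string {
	if r.managed == nil {
		r.managed = map[string]bool{}
	}
	action := "noop"
	src, found := s[Key{r.SourceNS, ref}]
	// Drop every managed copy that is no longer referenced or has lost its source.
	for name := range r.managed {
		if name != ref || !found {
			delete(s, Key{r.TargetNS, name})
			delete(r.managed, name)
			action = "deleted"
		}
	}
	if ref == "" {
		return action
	}
	if !found {
		return "missing-source" // the case the operator log reports as "not found"
	}
	dst := make(map[string]string, len(src))
	for k, v := range src {
		dst[k] = v
	}
	s[Key{r.TargetNS, ref}] = dst
	r.managed[ref] = true
	return "synced"
}

func main() {
	s := Store{Key{"hc-namespace", "registry-ca"}: {"registry.example.com": "<PEM>"}} // constructed
	r := &Reconciler{SourceNS: "hc-namespace", TargetNS: "target-namespace"}
	fmt.Println(r.Sync(s, "registry-ca"), r.Sync(s, ""), len(s)) // synced deleted 1
}
```

Only copies recorded in managed are ever removed, so a configmap that someone else placed in the target namespace is left alone.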