
[4.17] AdditionalTrustedCA in ImageConfig is not wired correctly


    • Important
    • None
    • Hypershift Sprint 258, Hypershift Sprint 259
    • 2
    • False
    • Previously, the `AdditionalTrustedCA` that was specified in the hosted cluster image configuration was not reconciled into the `openshift-config` namespace, as expected by the `image-registry-operator`, and the component did not become available. With this release, the issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-39225[*OCPBUGS-39225*])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-38474. The following is the description of the original issue:

      Description of problem:

          AdditionalTrustedCA is not wired correctly, so the configmap is not found by its operator. This feature is meant to be exposed by XCMSTRAT-590, but at the moment it seems to be broken.

      Version-Release number of selected component (if applicable):

          4.16.5

      How reproducible:

          Always

      Steps to Reproduce:

      1. Create a configmap containing a registry and PEM cert, like https://github.com/openshift/openshift-docs/blob/ef75d891786604e78dcc3bcb98ac6f1b3a75dad1/modules/images-configuration-cas.adoc#L17  
      2. Refer to it in .spec.configuration.image.additionalTrustedCA.name     
      3. image-registry-config-operator is not able to find the cm and the CO is degraded
          

      Actual results:

         CO is degraded

      Expected results:

          certs are used.

      Additional info:

      I think we may miss a copy of the configmap from the cluster NS to the target ns. It should be also deleted if it is deleted.

       

       % oc get hc -n ocm-adecorte-2d525fsstsvtbv1h8qss14pkv171qhdd -o jsonpath="{.items[0].spec.configuration.image.additionalTrustedCA}" | jq
      {
        "name": "registry-additional-ca-q9f6x5i4"
      }

       

       

      % oc get cm -n ocm-adecorte-2d525fsstsvtbv1h8qss14pkv171qhdd registry-additional-ca-q9f6x5i4
      NAME                              DATA   AGE
      registry-additional-ca-q9f6x5i4   1      16m

       

       

      logs of cluster-image-registry operator

       

      E0814 13:22:32.586416       1 imageregistrycertificates.go:141] ImageRegistryCertificatesController: unable to sync: failed to update object *v1.ConfigMap, Namespace=openshift-image-registry, Name=image-registry-certificates: image-registry-certificates: configmap "registry-additional-ca-q9f6x5i4" not found, requeuing

       

       

      CO is degraded

       

      % oc get co
      NAME                                       VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
      console                                    4.16.5    True        False         False      3h58m
      csi-snapshot-controller                    4.16.5    True        False         False      4h11m
      dns                                        4.16.5    True        False         False      3h58m
      image-registry                             4.16.5    True        False         True       3h58m   ImageRegistryCertificatesControllerDegraded: failed to update object *v1.ConfigMap, Namespace=openshift-image-registry, Name=image-registry-certificates: image-registry-certificates: configmap "registry-additional-ca-q9f6x5i4" not found
      ingress                                    4.16.5    True        False         False      3h59m
      insights                                   4.16.5    True        False         False      4h
      kube-apiserver                             4.16.5    True        False         False      4h11m
      kube-controller-manager                    4.16.5    True        False         False      4h11m
      kube-scheduler                             4.16.5    True        False         False      4h11m
      kube-storage-version-migrator              4.16.5    True        False         False      166m
      monitoring                                 4.16.5    True        False         False      3h55m
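
The behaviour suggested under "Additional info" (copy the configmap into the target namespace, and remove the copy when the source or the reference goes away), sketched as an added example that is not code from this issue or from the HyperShift fix. `Store`, `ConfigMap.Managed` and `SyncAdditionalTrustedCA` are hypothetical names, an in-memory map stands in for the Kubernetes API, and the target namespace `openshift-config` is taken from the release note above.

```go
package main

import (
	"fmt"
	"strings"
)

// ConfigMap and Store are stand-ins for corev1.ConfigMap and the API servers
// (assumptions: keys are "namespace/name"; Managed marks copies made here).
type ConfigMap struct {
	Data    map[string]string // registry hostname -> PEM bundle
	Managed bool
}
type Store map[string]*ConfigMap

const targetNS = "openshift-config" // where image-registry-operator looks

// SyncAdditionalTrustedCA mirrors the ConfigMap named by
// spec.configuration.image.additionalTrustedCA.name from hcNS into targetNS
// and prunes managed copies whose reference or source has gone away.
func SyncAdditionalTrustedCA(s Store, hcNS, refName string) error {
	for key, cm := range s {
		ns, name, _ := strings.Cut(key, "/")
		_, srcOK := s[hcNS+"/"+name]
		if ns == targetNS && cm.Managed && (name != refName || !srcOK) {
			delete(s, key) // a CA nobody references must not stay trusted
		}
	}
	if refName == "" {
		return nil
	}
	src, ok := s[hcNS+"/"+refName]
	if !ok {
		return fmt.Errorf("configmap %q not found in %s", refName, hcNS)
	}
	if dst, exists := s[targetNS+"/"+refName]; exists && !dst.Managed {
		return fmt.Errorf("unmanaged configmap %q already in %s", refName, targetNS)
	}
	data := make(map[string]string, len(src.Data))
	for k, v := range src.Data {
		data[k] = v
	}
	s[targetNS+"/"+refName] = &ConfigMap{Data: data, Managed: true}
	return nil
}

func main() {
	s := Store{"clusters/registry-ca": {Data: map[string]string{"registry.example.com": "PEM (constructed)"}}}
	fmt.Println(SyncAdditionalTrustedCA(s, "clusters", "registry-ca"), len(s))
}
```

Pruning runs before the copy, so a removed reference or a deleted source withdraws trust from the target namespace even when the sync itself then returns a "not found" error.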

       

       

              sjenning Seth Jennings
              openshift-crt-jira-prow OpenShift Prow Bot
              He Liu He Liu
              Brendan Daly Brendan Daly