OpenShift Bugs / OCPBUGS-49315

OLMv1 cannot get the custom CA automatically: x509 error


    • Bug
    • Resolution: Unresolved
    • Undefined
    • None
    • 4.18.0, 4.19.0
    • OLM
    • Important
    • None
    • Eevee OLM Sprint 265, Flareon OLM Sprint 266
    • 2
    • Rejected
    • False
    • Release Note Not Required
    • In Progress

      This is a clone of issue OCPBUGS-48795. The following is the description of the original issue:

      Description of problem:

      jiazha-mac:catalogd jiazha$ oc get clustercatalog cc-redhat-operator-index-v4-17 -o yaml
      apiVersion: olm.operatorframework.io/v1
      kind: ClusterCatalog
      metadata:
        creationTimestamp: "2025-01-23T09:40:54Z"
        finalizers:
        - olm.operatorframework.io/delete-server-cache
        generation: 1
        labels:
          olm.operatorframework.io/metadata.name: cc-redhat-operator-index-v4-17
        name: cc-redhat-operator-index-v4-17
        resourceVersion: "88637"
        uid: a653fe59-b621-4a12-ae2c-ccf62c6b92fd
      spec:
        availabilityMode: Available
        priority: 0
        source:
          image:
            ref: my-route-zhouy.apps.jianl012301.qe.gcp.devcluster.openshift.com/redhat/redhat-operator-index:v4.17
          type: Image
      status:
        conditions:
        - lastTransitionTime: "2025-01-23T09:40:54Z"
          message: 'source catalog content: error resolving canonical reference: error creating
            image source: pinging container registry my-route-zhouy.apps.jianl012301.qe.gcp.devcluster.openshift.com:
            Get "https://my-route-zhouy.apps.jianl012301.qe.gcp.devcluster.openshift.com/v2/":
            tls: failed to verify certificate: x509: certificate signed by unknown authority'
          observedGeneration: 1
          reason: Retrying
          status: "True"
          type: Progressing

      Version-Release number of selected component (if applicable):

          4.18.0-0.nightly-2025-01-22-203827

      How reproducible:

          always

      Steps to Reproduce:

      1. oc new-app --image quay.io/openshifttest/registry@sha256:1106aedc1b2e386520bc2fb797d9a7af47d651db31d8e7ab472f2352da37d1b3 REGISTRY_STORAGE_DELETE_ENABLED=true --import-mode=PreserveOriginal
      2. oc create route edge my-route --service=registry
      3. oc set volume deploy registry --add -t pvc --claim-size=30G -m /var/lib/registry --overwrite
      4. oc --kubeconfig=/home/cloud-user/kubeconfig extract secret/router-ca -n openshift-ingress-operator --to=/tmp --confirm
      5. oc create -n openshift-config configmap trusted-ca-73124 --from-file=my-route-zhouy.apps.jianl012301.qe.gcp.devcluster.openshift.com=/tmp/tls.crt --from-file=updateservice-registry=/tmp/tls.crt
      6. oc patch image.config.openshift.io/cluster -p '{"spec": {"additionalTrustedCA": {"name": "trusted-ca-73124"}}}' --type=merge
      7. Create a ClusterCatalog by using the image on the internal image registry.
          

      Actual results:

      OLMv1 fails to get the custom CA.

      status:
        conditions:
        - lastTransitionTime: "2025-01-23T09:40:54Z"
          message: 'source catalog content: error resolving canonical reference: error creating
            image source: pinging container registry my-route-zhouy.apps.jianl012301.qe.gcp.devcluster.openshift.com:
            Get "https://my-route-zhouy.apps.jianl012301.qe.gcp.devcluster.openshift.com/v2/":
            tls: failed to verify certificate: x509: certificate signed by unknown authority'
          observedGeneration: 1
          reason: Retrying
          status: "True"
          type: Progressing

      Expected results:

      OLMv1 can get the user custom CA.

          

      Additional info:

          

              tshort@redhat.com Todd Short
              openshift-crt-jira-prow OpenShift Prow Bot
              Jian Zhang