As part of a Day 2 operation, when attempting to add a new worker node using an ISO generated from the OVE cluster, the process halts on the Agent TUI screen and throws an x509 certificate validation error.This occurs because the mirror registry certificate is missing from /etc/docker/certs.d/. Without the certificate, the worker node cannot establish trust with the mirror registry and fails to initial validation, resulting in the node addition process being blocked.

4.19.7

Always

    1. Setup OVE cluster
    2. Run oc adm node-image create --mac-address=$MAC_ADDRESS
    3. Boot the node.iso      

Failed, retrying in 1s ... (1/3). Error: initializing source docker://quay.io/openshift-release-dev/ocp-release@sha256:bd4cd954feebfe3a6b2847c20271e8f3ba21e99ac1e234db6ce4cf2207f8955a: (Mirrors also failed: [mirror-registry.ocpqe.arm.eng.rdu2.redhat.com:5000/openshift-release-dev/ocp-release@sha256:bd4cd954feebfe3a6b2847c20271e8f3ba21e99ac1e234db6ce4cf2207f8955a: pinging container registry mirror-registry.ocpqe.arm.eng.rdu2.redhat.com:5000: Get \"https://mirror-registry.ocpqe.arm.eng.rdu2.redhat.com:5000/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority]): quay.io/openshift-release-dev/ocp-release@sha256:bd4cd954feebfe3a6b2847c20271e8f3ba21e99ac1e234db6ce4cf2207f8955a: pinging container registry quay.io: Get \"https://quay.io/v2/\": dial tcp 54.205.61.35:443: i/o timeout 

Worker node addition should complete without manual intervention and successfully pass the initial mirror registry validation.

1. Quit the Agent TUI. 
2. SSH into the worker node, and add the registry certificate to /etc/docker/certs.d/.
3. Monitor the worker node using oc adm node-image monitor --ip-addresses $IP_ADDRESS
4. Wait for worker node to reboot
5. Follow the step 2 again.