OpenShift Bugs / OCPBUGS-60758

OVE: Worker node addition fails with x509 error due to missing mirror registry cert


    • Bug
    • Resolution: Unresolved
    • 4.19
    • oc / node-image
    • Quality / Stability / Reliability
    • Agent Sprint 277

      Description of problem:

      As part of a Day 2 operation, when attempting to add a new worker node using an ISO generated from the OVE cluster, the process halts on the Agent TUI screen and throws an x509 certificate validation error. This occurs because the mirror registry certificate is missing from /etc/docker/certs.d/. Without the certificate, the worker node cannot establish trust with the mirror registry and fails initial validation, resulting in the node addition process being blocked.

      Version-Release number of selected component (if applicable):

      4.19.7

      How reproducible:

      Always

      Steps to Reproduce:

          1. Set up OVE cluster
          2. Run oc adm node-image create --mac-address=$MAC_ADDRESS
          3. Boot the node.iso

      Actual results:

      Failed, retrying in 1s ... (1/3). Error: initializing source docker://quay.io/openshift-release-dev/ocp-release@sha256:bd4cd954feebfe3a6b2847c20271e8f3ba21e99ac1e234db6ce4cf2207f8955a: (Mirrors also failed: [mirror-registry.ocpqe.arm.eng.rdu2.redhat.com:5000/openshift-release-dev/ocp-release@sha256:bd4cd954feebfe3a6b2847c20271e8f3ba21e99ac1e234db6ce4cf2207f8955a: pinging container registry mirror-registry.ocpqe.arm.eng.rdu2.redhat.com:5000: Get \"https://mirror-registry.ocpqe.arm.eng.rdu2.redhat.com:5000/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority]): quay.io/openshift-release-dev/ocp-release@sha256:bd4cd954feebfe3a6b2847c20271e8f3ba21e99ac1e234db6ce4cf2207f8955a: pinging container registry quay.io: Get \"https://quay.io/v2/\": dial tcp 54.205.61.35:443: i/o timeout 

      Expected results:

      Worker node addition should complete without manual intervention and successfully pass the initial mirror registry validation.

      Workaround:

      1. Quit the Agent TUI.
      2. SSH into the worker node, and add the registry certificate to /etc/docker/certs.d/.
      3. Monitor the worker node using oc adm node-image monitor --ip-addresses $IP_ADDRESS
      4. Wait for the worker node to reboot.
      5. Follow step 2 again.

              rwsu1@redhat.com Richard Su
              rhn-support-mhans Manoj Hans