Bug | Resolution: Done | Major | None | 4.12.z | None | Moderate | None | 2 | OTA 232 | 1 | Rejected | False
Description of problem:
Installing OSUS 5.0.1 on a CA-cert-enabled proxy cluster, graph-builder failed to scrape release images. Seems like the cluster-wide cert is not well injected into graph-builder.

$ oc get pod
NAME                                      READY   STATUS    RESTARTS      AGE
sample-75d49bdb84-xldt6                   1/2     Running   5 (29s ago)   5m32s
updateservice-operator-8569497f56-p5g5l   1/1     Running   0             4h15m

$ oc rsh sample-75d49bdb84-xldt6
Defaulted container "graph-builder" out of: graph-builder, policy-engine, graph-data (init)
sh-4.4$ ls /etc/pki/ca-trust/extracted/pem/cluster-ca-bundle.crt
sh-4.4$
sh-4.4$ exit

$ oc logs sample-75d49bdb84-xldt6
[2023-02-07T12:27:12Z DEBUG graph_builder::graph] graph update triggered
[2023-02-07T12:27:12Z TRACE cincinnati::plugins] Running next plugin 'release-scrape-dockerv2'
[2023-02-07T12:27:12Z ERROR graph_builder::graph] failed to fetch all release metadata from quay.io/openshifttest/ocp4/openshift4-release-images
[2023-02-07T12:27:12Z ERROR graph_builder::graph] http transport error: error sending request for url (https://quay.io/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (self signed certificate in certificate chain)
[2023-02-07T12:27:12Z ERROR graph_builder::graph] error sending request for url (https://quay.io/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (self signed certificate in certificate chain)
[2023-02-07T12:27:12Z ERROR graph_builder::graph] error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (self signed certificate in certificate chain)
[2023-02-07T12:27:12Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (self signed certificate in certificate chain)
[2023-02-07T12:27:12Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
Version-Release number of selected component (if applicable):
cincinnati-container-v5.0.1-3
cincinnati-operator-container-v5.0.1-3
cincinnati-operator-bundle-container-v5.0.1-1
How reproducible:
Always
Steps to Reproduce:
1. Install a 4.12 https_proxy cluster with CA cert
2. Install OSUS 5.0.1 on the cluster
3.
Actual results:
Graph builder failed to scrape release images

# oc get pod
NAME                                      READY   STATUS    RESTARTS      AGE
sample-75d49bdb84-xldt6                   1/2     Running   5 (29s ago)   5m32s
updateservice-operator-8569497f56-p5g5l   1/1     Running   0             4h15m

# oc get pod
NAME                                      READY   STATUS             RESTARTS      AGE
sample-75d49bdb84-xldt6                   0/2     CrashLoopBackOff   6 (37s ago)   9m10s
updateservice-operator-8569497f56-p5g5l   1/1     Running            0             4h19m
Expected results:
OSUS is installed successfully
Additional info:

# oc get proxy/cluster -oyaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2023-02-07T03:50:55Z"
  generation: 1
  name: cluster
  resourceVersion: "523"
  uid: fb2fd121-0f8b-40fe-8b02-deab70ca0017
spec:
  httpProxy: xxx
  httpsProxy: xxx
  noProxy: test.no-proxy.com
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: xxx
  httpsProxy: xxx
  noProxy: xxx,test.no-proxy.com

# oc get cm -n openshift-config
NAME                               DATA   AGE
admin-acks                         0      9h
admin-kubeconfig-client-ca         1      9h
etcd-ca-bundle                     1      9h
etcd-metric-serving-ca             1      9h
etcd-serving-ca                    1      9h
initial-kube-apiserver-server-ca   1      9h
kube-root-ca.crt                   1      9h
openshift-install-manifests        2      9h
openshift-service-ca.crt           1      9h
user-ca-bundle                     1      9h

# oc get cm -n openshift-update-service
NAME                       DATA   AGE
cluster-trusted-ca         1      25m
kube-root-ca.crt           1      4h36m
openshift-service-ca.crt   1      4h36m
sample-config              1      25m
sample-env                 7      25m

# oc get cm cluster-trusted-ca -oyaml -n openshift-update-service
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIFqTCCA5GgAwIBAgICEAAwDQYJKoZIh
    ......
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2023-02-07T12:27:08Z"
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
  name: cluster-trusted-ca
  namespace: openshift-update-service
  ownerReferences:
  - apiVersion: updateservice.operator.openshift.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: UpdateService
    name: sample
    uid: 5614fb00-58dc-46fc-ab78-4fd109eb3e3e
  resourceVersion: "194355"
  uid: 0a29477d-3347-47e6-a644-ef85fc49c06c

# oc get pod sample-75d49bdb84-xldt6 -oyaml -n openshift-update-service | grep cluster-trusted-ca -a6
    - mountPath: /var/lib/cincinnati/graph-data
      name: cincinnati-graph-data
    - mountPath: /var/lib/cincinnati/registry-credentials
      name: pull-secret
      readOnly: true
    - mountPath: /etc/pki/ca-trust/extracted/pem/cluster-ca-bundle.crt
      name: cluster-trusted-ca
      readOnly: true
      subPath: ca-bundle.crt
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-pmdzh
      readOnly: true
  - args:
--
      secretName: sample-pull-secret
  - configMap:
      defaultMode: 420
      items:
      - key: ca-bundle.crt
        path: cluster-ca-bundle.crt
      name: cluster-trusted-ca
    name: cluster-trusted-ca
.....
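As an added diagnostic (not code from this report or from the OSUS operator), the following Python check walks the injection chain shown above: the ConfigMap carries the inject-trusted-cabundle label and holds at least one PEM certificate, the container mounts it from a configMap volume, and the mount path is one a default-configured OpenSSL client would actually read (its cafile, a hash-named entry in its capath, or a path set through SSL_CERT_FILE/SSL_CERT_DIR in the pod env). The sample ConfigMap and pod are constructed to mirror the objects above, and the RHEL default paths passed to `audit` are assumptions; read the real ones inside the container with `openssl version -d`.

```python
import os
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
HASHED = re.compile(r"[0-9a-f]{8}\.\d+")  # c_rehash-style names OpenSSL looks up in capath

def bundle_is_consulted(mount_path, cafile, capath):
    """OpenSSL's default trust is exactly `cafile` plus hash-named entries under
    `capath`; a file with any other name or in any other directory is never read."""
    if os.path.normpath(mount_path) == os.path.normpath(cafile):
        return True
    d, name = os.path.split(mount_path)
    return os.path.normpath(d) == os.path.normpath(capath) and HASHED.fullmatch(name) is not None

def audit(configmap, pod, container="graph-builder", cafile=None, capath=None):
    """Findings about the trusted-CA injection chain (an empty list means it should work)."""
    findings, meta = [], configmap["metadata"]
    if meta.get("labels", {}).get("config.openshift.io/inject-trusted-cabundle") != "true":
        findings.append("ConfigMap lacks the inject-trusted-cabundle=true label")
    if not PEM_BLOCK.search(configmap.get("data", {}).get("ca-bundle.crt", "")):
        findings.append("ca-bundle.crt holds no certificate: nothing was injected")
    cm_vols = {v["name"]: v["configMap"]["name"] for v in pod["spec"].get("volumes", []) if "configMap" in v}
    c = next(c for c in pod["spec"]["containers"] if c["name"] == container)
    env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
    mount = next((m["mountPath"] for m in c.get("volumeMounts", [])
                  if cm_vols.get(m["name"]) == meta["name"]), None)
    if mount is None:
        findings.append(f"{container} does not mount ConfigMap {meta['name']}")
        return findings
    # SSL_CERT_FILE / SSL_CERT_DIR in the pod env override OpenSSL's compiled-in paths.
    dflt = ssl.get_default_verify_paths()
    cafile = env.get("SSL_CERT_FILE") or cafile or dflt.openssl_cafile
    capath = env.get("SSL_CERT_DIR") or capath or dflt.openssl_capath
    if not bundle_is_consulted(mount, cafile, capath):
        findings.append(f"bundle at {mount} is neither {cafile} nor a hashed entry in {capath}")
    return findings

# Constructed sample mirroring the report: label set, one cert injected, mounted via subPath.
SAMPLE_CM = {"metadata": {"name": "cluster-trusted-ca",
                          "labels": {"config.openshift.io/inject-trusted-cabundle": "true"}},
             "data": {"ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nMIIF...\n-----END CERTIFICATE-----\n"}}
SAMPLE_POD = {"spec": {"containers": [{"name": "graph-builder", "volumeMounts": [
                  {"mountPath": "/etc/pki/ca-trust/extracted/pem/cluster-ca-bundle.crt",
                   "name": "cluster-trusted-ca", "readOnly": True, "subPath": "ca-bundle.crt"}]}],
              "volumes": [{"name": "cluster-trusted-ca", "configMap": {"name": "cluster-trusted-ca"}}]}}

if __name__ == "__main__":
    # RHEL/UBI defaults are assumed here; confirm them with `openssl version -d` in the container.
    for f in audit(SAMPLE_CM, SAMPLE_POD, cafile="/etc/pki/tls/cert.pem", capath="/etc/pki/tls/certs"):
        print("FINDING:", f)
```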