-
Feature Request
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
None
-
False
-
None
-
False
-
Not Selected
-
-
-
-
1. Proposed title of this feature request
imagestream to trust CA added during the installation as a 'additionalTrustBundle' in install-config.yaml.
2. What is the nature and description of the request?
You need to add CA that was used to sign the mirror registry certificate after installation. [1]
Even after you add the CA, some operator pods fail. e.g. prometheus or jaeger from tests:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ oc get imagestream -n openshift oauth-proxy -o yaml
..
message: 'Internal error occurred: [docker.registry.example.net:5000/ocp4/openshift4@sha256:d787f47ee2a410f924ea00b2428f0cf2275eb059adac96ca1b69c71ad20ccb1d:
Get "https://docker.registry.example.net:5000/v2/": x509: certificate signed
by unknown authority, you may not have access to the container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d787f47ee2a410f924ea00b2428f0cf2275eb059adac96ca1b69c71ad20ccb1d"]'
$ oc describe pod prometheus-7f6c86fc5f-6rlpn
..
Warning Failed 24s (x4 over 53s) kubelet Error: ImagePullBackOff
Warning Failed 10s (x3 over 57s) kubelet Failed to pull image "registry.redhat.io/openshift4/ose-oauth-proxy:v4.4": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication
Warning Failed 10s (x3 over 57s) kubelet Error: ErrImagePull
Normal Pulling 10s (x3 over 57s) kubelet Pulling image "registry.redhat.io/openshift4/ose-oauth-proxy:v4.4"
$ oc describe po jaeger-69b64fb447-jbdnv
..
Normal Pulled 103s kubelet Successfully pulled image "registry.redhat.io/rhosdt/jaeger-all-in-one-rhel8@sha256:fc406efab4b0b6000443da3c795196903136ce00a1f1b73691951eb664f2db10" in 10.11004111s
Normal Created 103s kubelet Created container jaeger
Normal Started 103s kubelet Started container jaeger
Normal Pulling 64s (x3 over 103s) kubelet Pulling image "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
Warning Failed 64s (x3 over 103s) kubelet Failed to pull image "registry.redhat.io/openshift4/ose-oauth-proxy:latest": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication
Warning Failed 64s (x3 over 103s) kubelet Error: ErrImagePull
Normal BackOff 52s (x5 over 103s) kubelet Back-off pulling image "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
Warning Failed 52s (x5 over 103s) kubelet Error: ImagePullBackOff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It may need you to manually remove the imagestream and recreate resources as described in article[2].
[1]https://docs.openshift.com/container-platform/4.10/openshift_images/image-configuration.html#images-configuration-cas_image-configuration
[2]Service Mesh Jaeger and Prometheus can't start in disconnected environment.
-https://access.redhat.com/solutions/5514331
Those issues[3][4] might be related:
[3]https://issues.redhat.com/browse/OCPBUGSM-28321
[4]https://issues.redhat.com/browse/OSSM-247
3. Why does the customer need this? (List the business requirements here)
Currently, it needs a manual intervention. You may need deleting an imagestream and recreating CR.
If 'additionalTrustBundle' is trusted by imagestream, nothing above is needed.
4. List any affected packages or components.
The issue has been monitored on OCP 4.10.13, 4.10.18, 4.10.22.
OCP installation, oauth-proxy imagestream.
- blocks
-
CNV-37749 [GA] HCP/KubeVirt disconnected clusters
- Closed
- relates to
-
OCPBUGS-31446 HCP: imagesStreams on hosted-clusters pointing to image on private registries are failing due to tls verification although the registry is correctly trusted
- Closed