OpenShift Request For Enhancement: RFE-3093

imagestream to trust CA added during the installation


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • Component: Installer

      1. Proposed title of this feature request

      imagestream to trust the CA added during the installation as an 'additionalTrustBundle' in install-config.yaml.

      2. What is the nature and description of the request?

      After installation, you need to add the CA that was used to sign the mirror registry certificate, even though it was already supplied as 'additionalTrustBundle' in install-config.yaml. [1]

      Even after you add the CA, some operator pods still fail, e.g. prometheus or jaeger as seen in tests:
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      $ oc get imagestream -n openshift oauth-proxy -o yaml
      ..
      message: 'Internal error occurred: [docker.registry.example.net:5000/ocp4/openshift4@sha256:d787f47ee2a410f924ea00b2428f0cf2275eb059adac96ca1b69c71ad20ccb1d:
      Get "https://docker.registry.example.net:5000/v2/": x509: certificate signed
      by unknown authority, you may not have access to the container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d787f47ee2a410f924ea00b2428f0cf2275eb059adac96ca1b69c71ad20ccb1d"]'

      $ oc describe pod prometheus-7f6c86fc5f-6rlpn
      ..
      Warning Failed 24s (x4 over 53s) kubelet Error: ImagePullBackOff
      Warning Failed 10s (x3 over 57s) kubelet Failed to pull image "registry.redhat.io/openshift4/ose-oauth-proxy:v4.4": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication
      Warning Failed 10s (x3 over 57s) kubelet Error: ErrImagePull
      Normal Pulling 10s (x3 over 57s) kubelet Pulling image "registry.redhat.io/openshift4/ose-oauth-proxy:v4.4"

      $ oc describe po jaeger-69b64fb447-jbdnv
      ..
      Normal Pulled 103s kubelet Successfully pulled image "registry.redhat.io/rhosdt/jaeger-all-in-one-rhel8@sha256:fc406efab4b0b6000443da3c795196903136ce00a1f1b73691951eb664f2db10" in 10.11004111s
      Normal Created 103s kubelet Created container jaeger
      Normal Started 103s kubelet Started container jaeger
      Normal Pulling 64s (x3 over 103s) kubelet Pulling image "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
      Warning Failed 64s (x3 over 103s) kubelet Failed to pull image "registry.redhat.io/openshift4/ose-oauth-proxy:latest": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication
      Warning Failed 64s (x3 over 103s) kubelet Error: ErrImagePull
      Normal BackOff 52s (x5 over 103s) kubelet Back-off pulling image "registry.redhat.io/openshift4/ose-oauth-proxy:latest"
      Warning Failed 52s (x5 over 103s) kubelet Error: ImagePullBackOff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      You may need to manually remove the imagestream and recreate the resources as described in article [2].

      [1] https://docs.openshift.com/container-platform/4.10/openshift_images/image-configuration.html#images-configuration-cas_image-configuration
      [2] Service Mesh Jaeger and Prometheus can't start in disconnected environment. https://access.redhat.com/solutions/5514331

      These issues [3][4] might be related:

      [3] https://issues.redhat.com/browse/OCPBUGSM-28321
      [4] https://issues.redhat.com/browse/OSSM-247
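      The check and fix described above, as an added example that is not part of the RFE or of any OpenShift tooling: it reads `oc get imagestream -A -o json` output (a constructed sample is embedded), lists the tags whose ImportSuccess condition failed with the x509 "unknown authority" error, and builds the two `oc` commands from the image-configuration doc cited as [1]. The configmap name `registry-config` and the CA file path are placeholders taken from that doc's example.

```python
import json
import re

X509_MARKER = "x509: certificate signed by unknown authority"
REGISTRY_RE = re.compile(r'Get "https://([^/"]+)/v2/"')

# Constructed sample shaped like `oc get imagestream -A -o json`; the failing
# condition mirrors the message quoted in the RFE (digest shortened).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "oauth-proxy", "namespace": "openshift"},
     "status": {"tags": [{"tag": "v4.4", "conditions": [{
         "type": "ImportSuccess", "status": "False", "reason": "InternalError",
         "message": "Internal error occurred: [docker.registry.example.net:5000/ocp4/"
                    "openshift4@sha256:d787f47e...: Get \"https://docker.registry.example.net:5000/v2/\": "
                    + X509_MARKER + ", you may not have access to the container image ...]"}]}]}},
    {"metadata": {"name": "cli", "namespace": "openshift"},  # healthy stream, no conditions
     "status": {"tags": [{"tag": "latest", "items": [{"dockerImageReference": "..."}]}]}},
]})

def failed_ca_imports(oc_json):
    """Return (namespace, imagestream, tag, registry) for every tag whose
    ImportSuccess condition is False because of an unknown CA."""
    found = []
    for item in json.loads(oc_json).get("items", []):
        md = item["metadata"]
        for tag in item.get("status", {}).get("tags", []):
            for cond in tag.get("conditions", []):
                msg = cond.get("message", "")
                if (cond.get("type") == "ImportSuccess" and cond.get("status") == "False"
                        and X509_MARKER in msg):
                    m = REGISTRY_RE.search(msg)  # registry host[:port] from the error text
                    found.append((md["namespace"], md["name"], tag["tag"], m.group(1) if m else None))
    return found

def configmap_key(registry):
    """ConfigMap keys may not contain ':'; doc [1] writes the port after '..' instead."""
    return registry.replace(":", "..")

def remediation(failed, ca_path="/path/to/mirror-ca.crt"):
    """The two oc commands from doc [1]: one configmap with a CA entry per registry,
    then the image.config patch that makes image imports trust it (ca_path is a placeholder)."""
    registries = sorted({f[3] for f in failed if f[3]})
    if not registries:
        return []
    files = " ".join(f"--from-file={configmap_key(r)}={ca_path}" for r in registries)
    return [f"oc create configmap registry-config -n openshift-config {files}",
            "oc patch image.config.openshift.io/cluster --type merge "
            "-p '{\"spec\":{\"additionalTrustedCA\":{\"name\":\"registry-config\"}}}'"]
```

      After the patch, the failed imagestreams still have to be re-imported (or deleted and recreated as article [2] describes); this script only reports them and prints the trust configuration, it does not run `oc`.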

      3. Why does the customer need this? (List the business requirements here)

      Currently, this needs manual intervention: you may have to delete an imagestream and recreate the CR.
      If the 'additionalTrustBundle' were trusted by imagestreams, none of the above would be needed.

      4. List any affected packages or components.

      The issue has been observed on OCP 4.10.13, 4.10.18 and 4.10.22.
      Affected: OCP installation, oauth-proxy imagestream.

      People: Daniel Messer; Hwanii Seung Hwan Jung