OpenShift Windows Containers / WINC-1291

Use all existing CAs for TLS auth when pulling images


    • Story
    • Resolution: Done
    • Critical
    • WMCO 10.16.0
    • BU Product Work
    • 5
    • OCPSTRAT-619 - Support Windows Containers in disconnected environments
    • WINC - Sprint 255

      Description

      This story covers supporting TLS in containerd's mirror registry config. Users may use registries that require TLS verification as mirrors:

      1. We should import all user-provided certificates (through the "user-ca-bundle" configmap or the additionalTrustBundle field in the install config) onto the Windows nodes regardless of cluster settings.
        1. We are currently missing certs provided through the additionalTrustBundle field in the install config; these are not injected into the ProxyCertsConfigMap that WMCO watches.
        2. Today the import is done only when a proxy is enabled.
      2. The containerd hosts files should point mirrors to use the certificate bundle.
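
The mirror configuration described in item 2, sketched as an added example that is not taken from this ticket or from WMCO's code: a containerd `hosts.toml` for one upstream registry, with the mirror verified against a CA bundle instead of having verification skipped. The registry name, mirror hostname and bundle path are placeholders.

```toml
# Constructed example. containerd reads one hosts.toml per upstream registry
# from <config_path>/<registry host>/hosts.toml, where <config_path> is the
# registry config_path set in the node's containerd CRI configuration.
# This file would live under <config_path>/registry.example.com/.

# Upstream registry that image references name. containerd tries the
# hosts listed below first and treats this server as the default.
server = "https://registry.example.com"

# Weak variant, kept commented out for comparison: the mirror's certificate
# is not checked at all, so the pull succeeds even against an impostor.
#
# [host."https://mirror.internal.example:5000"]
#   capabilities = ["pull", "resolve"]
#   skip_verify = true

# Corrected variant: the mirror's certificate chain must validate against
# the imported user CA bundle. A pull from a mirror signed by a private CA
# fails with an x509 "unknown authority" error unless that CA is in the bundle.
[host."https://mirror.internal.example:5000"]
  capabilities = ["pull", "resolve"]
  # Placeholder path: wherever the user-provided CA bundle is written on
  # the Windows node. Single quotes keep the backslashes literal in TOML.
  ca = 'C:\placeholder\ca-bundle.pem'
  skip_verify = false
```

The `ca` key also accepts an array of paths when certificates are kept in separate files.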

      Acceptance Criteria

      • User custom certs for image registries are imported onto Windows nodes
      • containerd uses these certs when pulling from mirror repos
      • Disconnected CI job does not hit TLS error when pulling Windows images
      • Write docs calling out disconnected/image mirroring support - previous "docs"
      • Mark disconnected job as required

            rh-ee-mankulka Mansi Kulkarni
            mohashai Mohammad Shaikh