Re: Trusting certificate in oc import-image on own Docker registry

The masters should be pulling from the system certs, which would be the OS-level trusted CAs. We don't support an additional flag for that today (IIRC).

We have been struggling with getting oc import-image commands to work against our own external Docker registry, as the certificate that we are using on our Docker registry is not trusted.

So the commands we are issuing look like this:

oc import-image --all=true --confirm=true --from=our.repo.domain:5000/repository/someimage someimage --namespace=openshift


and the logs from the master-api performing the import commands look like this:

importer.go:376] importing remote Docker repository registry=https://our.repo.domain:5000 repository=repository/someimage insecure=false
round_trippers.go:318] GET https://our.repo.domain:5000/v2/ in 30 milliseconds
importer.go:380] unable to access repository &importer.importRepository{Ref:api.DockerImageReference{Registry:"our.repo.domain:5000", Namespace:"openshift", Name:"openjdk18-openshift", Tag:"", ID:""}, Registry:(*url.URL)(0xc426172ea0), Name:"repository/someimage", Insecure:false, Tags:[]importer.importTag(nil), Digests:[]importer.importDigest(nil), MaximumTags:5, AdditionalTags:[]string(nil), Err:error(nil)}: &url.Error{Op:"Get", URL:"https://our.repo.domain:5000/v2/", Err:x509.UnknownAuthorityError{cert:(*x509.Certificate)(0xc422419b00), hintErr:error(nil), hintCert:(*x509.Certificate)(nil)}}
rest.go:243] create new stream: &api.ImageStream{TypeMeta:unversioned.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:api.ObjectMeta{Name:"someimage", GenerateName:"", Namespace:"openshift", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:unversioned.Time{Time:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*unversioned.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string{"openshift.io/image.dockerRepositoryCheck":"2017-05-05T13:51:20Z"}, OwnerReferences:[]api.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:""}, Spec:api.ImageStreamSpec{DockerImageRepository:"", Tags:map[string]api.TagReference(nil)}, Status:api.ImageStreamStatus{DockerImageRepository:"", Tags:map[string]api.TagEventList(nil)}}


We can of course add "--insecure=true" to the command, but we would also like to find where we would add the public key from the Certificate Authority that we would like to trust.

This has been discussed a number of times, in different fora and issues, but I have yet to find a working solution. We have fully understood how the Docker pull process works with its certificates to trust placed in /etc/docker/certs.d/, so that is not our problem.

I would expect this to go to something like the /etc/origin/master/ca-bundle.crt file, followed by a restart of the master-api service ("systemctl restart origin-master-api"), but that doesn't look to be the case.

So if anyone here can answer/help it would be much appreciated.


We are running OpenShift Origin 1.4.1 on RHEL 7.3. 

Best regards, Lars Milland
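The x509.UnknownAuthorityError in the log above is Go's chain-building check failing because the registry's issuing CA is not among the roots the client loaded. As an added example that is not part of this thread, the Go program below mints a constructed private CA and a server certificate for our.repo.domain signed by it, then runs the same check against the OS trust store (which the reply says the masters use) with and without that CA added; the function names constructedChain, systemRootsPlus and classifyTrust are my own, and the certificates are throwaway test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// constructedChain mints a throwaway private CA and a server cert for our.repo.domain (test material only).
func constructedChain() (ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"our.repo.domain"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey) // issued by the CA
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// systemRootsPlus is what a Go HTTP client with nil RootCAs effectively uses: the OS trust store plus any CA the operator added.
func systemRootsPlus(extra ...*x509.Certificate) *x509.CertPool {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool()
	}
	for _, c := range extra {
		pool.AddCert(c)
	}
	return pool
}

// classifyTrust runs the chain check a Go TLS client performs during the registry handshake and names the outcome.
func classifyTrust(leaf *x509.Certificate, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "our.repo.domain"})
	if err == nil {
		return "trusted"
	}
	if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "unknown-authority" // the error class seen in the master-api log
	}
	return "other"
}
```

On RHEL 7 the equivalent of systemRootsPlus(ca) is placing the CA certificate in /etc/pki/ca-trust/source/anchors/ and running update-ca-trust, after which the master-api needs a restart to pick up the new bundle.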
