I've now discovered that the cluster-samples-operator doesn't seem honour the proxy settings, and I see lots of errors in the cluster-samples-operator-xxxx pod logs
time="2019-11-12T04:15:49Z" level=warning msg="Image import for imagestream dotnet tag 2.1 generation 2 failed with detailed message Internal error occurred: Get https://registry.redhat.io/v2/
: x509: certificate signed by unknown authority"
Is there a way to get that operator to use the same user-ca-bundle?
image import should be using those CAs (it's really about the openshift-apiserver, not the samples operator) automatically (sounds like another potential bug, but i'll let Oleg weigh in on this one).
However barring that, you can use the mechanism described here to setup additional CAs for importing from registries:
you can follow the more detailed instructions here:
(Brandi/Adam, we should really include the example from that second link, in the general "image resource configuration" page from the first link).
Unfortunately it does not allow you to reuse the user-ca-bundle CM since the format of the CM is a bit different (needs an entry per registry hostname).
Can I use the “trustedCA” part of the proxy configuration without actually specifying an explicit proxy?
you should be able to. Daneyon can you confirm? (if you can't i'd consider it a bug).
It does work! Thanks for that. user-ca-bundle already existed and had my certificate in there, I just needed to reference user-ca-bundle in the proxy config.