[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to use extra trusted CA certs when pulling images for a builder





On Mon, Nov 11, 2019 at 11:26 PM Joel Pearson <japearson agiledigital com au> wrote:
I've now discovered that the cluster-samples-operator doesn't seem honour the proxy settings, and I see lots of errors in the cluster-samples-operator-xxxx pod logs

time="2019-11-12T04:15:49Z" level=warning msg="Image import for imagestream dotnet tag 2.1 generation 2 failed with detailed message Internal error occurred: Get https://registry.redhat.io/v2/: x509: certificate signed by unknown authority"

Is there a way to get that operator to use the same user-ca-bundle?

image import should be using those CAs (it's really about the openshift-apiserver, not the samples operator) automatically (sounds like another potential bug, but i'll let Oleg weigh in on this one).  

However barring that, you can use the mechanism described here to setup additional CAs for importing from registries:
https://docs.openshift.com/container-platform/4.2/openshift_images/image-configuration.html#images-configuration-file_image-configuration

you can follow the more detailed instructions here:
https://docs.openshift.com/container-platform/4.2/builds/setting-up-trusted-ca.html#configmap-adding-ca_setting-up-trusted-ca

(Brandi/Adam, we should really include the example from that second link, in the general "image resource configuration" page from the first link).

Unfortunately it does not allow you to reuse the user-ca-bundle CM since the format of the CM is a bit different (needs an entry per registry hostname).

 

On Tue, 12 Nov 2019 at 14:46, Joel Pearson <japearson agiledigital com au> wrote:


On Tue, 12 Nov 2019 at 06:56, Ben Parees <bparees redhat com> wrote:
 

Can I use the “trustedCA” part of the proxy configuration without actually specifying an explicit proxy?

you should be able to.  Daneyon can you confirm?  (if you can't i'd consider it a bug).

It does work! Thanks for that. user-ca-bundle already existed and had my certificate in there, I just needed to reference user-ca-bundle in the proxy config.

apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  trustedCA:
    name: user-ca-bundle




--
Ben Parees | OpenShift


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]