[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to use extra trusted CA certs when pulling images for a builder





On Tue, 12 Nov 2019 at 15:37, Ben Parees <bparees redhat com> wrote:


On Mon, Nov 11, 2019 at 11:26 PM Joel Pearson <japearson agiledigital com au> wrote:
I've now discovered that the cluster-samples-operator doesn't seem honour the proxy settings, and I see lots of errors in the cluster-samples-operator-xxxx pod logs

time="2019-11-12T04:15:49Z" level=warning msg="Image import for imagestream dotnet tag 2.1 generation 2 failed with detailed message Internal error occurred: Get https://I /v2/: x509: certificate signed by unknown authority"

Is there a way to get that operator to use the same user-ca-bundle?

image import should be using those CAs (it's really about the openshift-apiserver, not the samples operator) automatically (sounds like another potential bug, but i'll let Oleg weigh in on this one).  

However barring that, you can use the mechanism described here to setup additional CAs for importing from registries:

you can follow the more detailed instructions here:

I tried this approach but it didn't work for me.

I ran this command:

oc create configmap registry-cas -n openshift-config \
--from-file=registry.redhat.io..5000=/path/to/ca.crt \
--from-file=registry.redhat.io..443=/path/to/ca.crt \
--from-file=registry.redhat.io=/path/to/ca.crt

and: 

oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

And that still didn't work. First I deleted the cluster-samples-operator-xxxx pod, then I tried forcing the masters to restart by touching some machine config (I don't know a better way).
But it still didn't work.  Maybe the samples operator doesn't let you easily override the trusted CA certs?
 


(Brandi/Adam, we should really include the example from that second link, in the general "image resource configuration" page from the first link).

Unfortunately it does not allow you to reuse the user-ca-bundle CM since the format of the CM is a bit different (needs an entry per registry hostname).


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]