
Re: How to use extra trusted CA certs when pulling images for a builder

Slightly related - there is an existing bugzilla where `oc import-image` and `oc tag` will fail if the "origin" tag references the internal registry with a similar x509 error [1].
Echoing Clayton, please file a bug and if warranted we'll link the two together.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1716835

On Tue, Nov 12, 2019 at 8:42 AM Clayton Coleman <ccoleman redhat com> wrote:

On Nov 12, 2019, at 3:44 AM, Joel Pearson <japearson agiledigital com au> wrote:

On Tue, 12 Nov 2019 at 15:37, Ben Parees <bparees redhat com> wrote:

On Mon, Nov 11, 2019 at 11:26 PM Joel Pearson <japearson agiledigital com au> wrote:
I've now discovered that the cluster-samples-operator doesn't seem to honour the proxy settings, and I see lots of errors in the cluster-samples-operator-xxxx pod logs

time="2019-11-12T04:15:49Z" level=warning msg="Image import for imagestream dotnet tag 2.1 generation 2 failed with detailed message Internal error occurred: Get https://I /v2/: x509: certificate signed by unknown authority"

Is there a way to get that operator to use the same user-ca-bundle?

image import should be using those CAs (it's really about the openshift-apiserver, not the samples operator) automatically (sounds like another potential bug, but I'll let Oleg weigh in on this one).

However, barring that, you can use the mechanism described here to set up additional CAs for importing from registries:

you can follow the more detailed instructions here:

I tried this approach but it didn't work for me.

I ran this command:

oc create configmap registry-cas -n openshift-config \
--from-file=registry.redhat.io..5000=/path/to/ca.crt \
--from-file=registry.redhat.io..443=/path/to/ca.crt


oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

And that still didn't work. First I deleted the cluster-samples-operator-xxxx pod, then I tried forcing the masters to restart by touching some machine config (I don't know a better way).
But it still didn't work.  Maybe the samples operator doesn't let you easily override the trusted CA certs?

No, as Ben said this should be working.  Please file a bug.


(Brandi/Adam, we should really include the example from that second link, in the general "image resource configuration" page from the first link).

Unfortunately it does not allow you to reuse the user-ca-bundle CM since the format of the CM is a bit different (needs an entry per registry hostname).

users mailing list
users lists openshift redhat com


Adam Kaplan


Senior Software Engineer - OpenShift

Red Hat

100 E. Davie St. Raleigh, NC 27601 USA

adam kaplan redhat com    T: +1-919-754-4843     IM: adambkaplan
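As an added illustration of the ConfigMap format Ben describes in the thread (one key per registry host, port separated by ".." because ":" is not a legal ConfigMap key character), the following Python builds the additionalTrustedCA ConfigMap and the merge patch for image.config.openshift.io/cluster from a single PEM bundle such as the user-ca-bundle content. This is example code written for this page, not part of OpenShift or the thread; the function names, the key validation regex and the placeholder certificate are assumptions.

```python
"""Build an additionalTrustedCA ConfigMap for image.config.openshift.io."""
import json
import re

# Kubernetes ConfigMap data keys must match this character set, which is
# why a registry port is written as 'host..port' rather than 'host:port'.
CONFIGMAP_KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def registry_ca_key(registry: str) -> str:
    """Map 'host[:port]' to the ConfigMap key form 'host[..port]'."""
    host, sep, port = registry.partition(":")
    if not host:
        raise ValueError(f"empty registry host in {registry!r}")
    if sep:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port in {registry!r}")
        key = f"{host}..{port}"
    else:
        key = host
    if not CONFIGMAP_KEY_RE.match(key):
        raise ValueError(f"{key!r} is not a valid ConfigMap key")
    return key


def build_registry_cas(registries, ca_bundle_pem, name="registry-cas"):
    """Fan one PEM bundle out to one key per registry; this is why the
    user-ca-bundle ConfigMap (a single ca-bundle.crt key) cannot be reused."""
    if "-----BEGIN CERTIFICATE-----" not in ca_bundle_pem:
        raise ValueError("ca_bundle_pem contains no PEM certificate")
    data = {registry_ca_key(r): ca_bundle_pem for r in registries}
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": "openshift-config"},
        "data": data,
    }


def image_config_patch(name="registry-cas"):
    """Body for: oc patch image.config.openshift.io/cluster --type=merge."""
    return json.dumps({"spec": {"additionalTrustedCA": {"name": name}}})


if __name__ == "__main__":
    # Constructed placeholder, not a real certificate.
    pem = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    cm = build_registry_cas(["registry.redhat.io:5000", "registry.redhat.io:443"], pem)
    print(json.dumps(cm, indent=2))
    print(image_config_patch())
```

Apply the printed manifest with `oc apply -f -` and the patch with the `oc patch` command from the thread; the keys must match the registry host exactly as it appears in the image reference.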
