The masters should be pulling from the system certs, which would be the OS
level trusted CAs.  We don't support an additional flag for that today
(IIRC)

On May 5, 2017, at 10:15 AM, lmi <[email protected]> wrote:

Hi



We have been struggling to get oc import-image commands to work against our
own external Docker registry, as the certificate that we are using on our
Docker registry is not trusted.

So the commands we are issuing look like this:

oc import-image --all=true --confirm=true --from=our.repo.domain:5000/repository/someimage someimage --namespace=openshift



and the logs from the master-api performing the import commands look like this:



importer.go:376] importing remote Docker repository registry=
https://our.repo.domain:5000 repository=repository/someimage insecure=false

round_trippers.go:318] GET https://our.repo.domain:5000/v2/ in 30
milliseconds

importer.go:380] unable to access repository
&importer.importRepository{Ref:api.DockerImageReference{Registry:"our.repo.domain:5000",
Namespace:"openshift", Name:"openjdk18-openshift", Tag:"", ID:""},
Registry:(*url.URL)(0xc426172ea0), Name:"repository/someimage",
Insecure:false, Tags:[]importer.importTag(nil),
Digests:[]importer.importDigest(nil), MaximumTags:5,
AdditionalTags:[]string(nil), Err:error(nil)}: &url.Error{Op:"Get", URL:"https://our.repo.domain:5000/v2/",
Err:x509.UnknownAuthorityError{cert:(*x509.Certificate)(0xc422419b00),
hintErr:error(nil), hintCert:(*x509.Certificate)(nil)}}

rest.go:243] create new stream:
&api.ImageStream{TypeMeta:unversioned.TypeMeta{Kind:"", APIVersion:""},
ObjectMeta:api.ObjectMeta{Name:"someimage", GenerateName:"",
Namespace:"openshift", SelfLink:"", UID:"", ResourceVersion:"",
Generation:0, CreationTimestamp:unversioned.Time{Time:time.Time{sec:0,
nsec:0, loc:(*time.Location)(nil)}},
DeletionTimestamp:(*unversioned.Time)(nil),
DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil),
Annotations:map[string]string{"openshift.io/image.dockerRepositoryCheck":"2017-05-05T13:51:20Z"},
OwnerReferences:[]api.OwnerReference(nil), Finalizers:[]string(nil),
ClusterName:""}, Spec:api.ImageStreamSpec{DockerImageRepository:"",
Tags:map[string]api.TagReference(nil)},
Status:api.ImageStreamStatus{DockerImageRepository:"",
Tags:map[string]api.TagEventList(nil)}}



We can of course add "--insecure=true" to the command, but would also like
to find where we would add the public key from the Certificate Authority
that we would like to trust.

This has been discussed a number of times, in different fora and issues,
but I have yet to find a working solution. We have fully understood how
the Docker pull process works with the certificates to trust placed
in /etc/docker/certs.d/, so that is not our problem.

I would expect this to go into something like the
/etc/origin/master/ca-bundle.crt file, followed by a restart of the
master-api service ("systemctl restart origin-master-api"), but that
doesn't seem to be the case.

So if anyone here can answer/help it would be much appreciated.



We are running OpenShift Origin 1.4.1 on RHEL 7.3.


Best regards
Lars Milland

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Reply via email to
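The following Go program is an added example and is not code from this thread or from OpenShift. It reproduces the check behind the x509.UnknownAuthorityError in the master log above: it constructs a throwaway private CA and a registry server certificate in memory, verifies that certificate against an empty trust store (the master's situation when the CA is not in the OS store), then against a PEM bundle that contains the CA, and finally with a hostname that the certificate does not cover. The CA name, the key material and the hostnames are constructed; nothing here contacts a registry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MakeCAAndLeaf builds a private CA and a registry server certificate signed
// by it, entirely in memory. Names and keys are constructed test material.
func MakeCAAndLeaf(host string) (ca, leaf *x509.Certificate, err error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("keygen failed: %v / %v", err1, err2)
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Registry CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN must match the registry hostname
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// CAToPEM renders the CA certificate the way it is dropped into an OS trust store.
func CAToPEM(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// PoolFromPEM loads a CA bundle the way a Go TLS client loads its roots.
func PoolFromPEM(bundle []byte) (*x509.CertPool, bool) {
	pool := x509.NewCertPool()
	return pool, pool.AppendCertsFromPEM(bundle)
}

// VerifyAgainst is the check the master's HTTP client makes on the registry cert.
func VerifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Classify names the outcomes an operator needs to tell apart.
func Classify(err error) string {
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError: // the error type in the master log above
		return "unknown-authority"
	case x509.HostnameError:
		return "hostname-mismatch"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	const host = "our.repo.domain" // constructed, taken from the thread's placeholder
	ca, leaf, err := MakeCAAndLeaf(host)
	if err != nil {
		panic(err)
	}
	pool, ok := PoolFromPEM(CAToPEM(ca))
	if !ok {
		panic("bundle contained no certificates")
	}
	fmt.Println("CA not in store:", Classify(VerifyAgainst(leaf, x509.NewCertPool(), host)))
	fmt.Println("CA in store    :", Classify(VerifyAgainst(leaf, pool, host)))
	fmt.Println("wrong hostname :", Classify(VerifyAgainst(leaf, pool, "other.repo.domain")))
}
```

The operational equivalent on a RHEL 7 master, which the thread does not spell out, is the standard system-trust mechanism: copy the CA's PEM (what CAToPEM produces) to a .crt file under /etc/pki/ca-trust/source/anchors/, run `update-ca-trust extract`, and restart the master service; Go's crypto/x509 picks up the regenerated /etc/pki/tls/certs/ca-bundle.crt among the system locations it searches when no roots are configured explicitly. Two checks worth doing before restarting anything: `openssl s_client -connect our.repo.domain:5000 -servername our.repo.domain` should report "Verify return code: 0 (ok)" once the anchor is installed, and the registry certificate's SAN must contain the exact hostname used in --from, since the third case above shows a trusted CA still fails on a name mismatch.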