I'm creating this as a new topic, although it has partly been discussed
earlier.
Now I have a better understanding of the problem, so it's best discussed
as a new topic.
The issue is that the certificate that is generated by the ansible
installer for the docker repository is not correct, so any builder
process that tries to push to the repo fails with an error like this:

    error: build error: Failed to push image: Get
    https://docker-registry.default.svc:5000/v1/_ping:
    x509: certificate is valid for
    docker-registry-default.os.informaticsmatters.com, 172.30.148.243, not
    docker-registry.default.svc

Looking at the /etc/origin/master/registry.crt certificate that is
generated on the master node, its contents confirm this. The key part is
this:

    X509v3 Subject Alternative Name:
        DNS:docker-registry-default.os.informaticsmatters.com,
        DNS:172.30.148.243, IP Address:172.30.148.243

Indeed, docker-registry.default.svc is not included in the names.
The os.informaticsmatters.com related hostname comes from the value of
the openshift_master_cluster_public_hostname and/or the
openshift_master_default_subdomain variables in the inventory file. Is
this present to allow the registry to be exposed externally?
But I'm baffled as to why this is happening. Looking at the code it
looks like this is the key player:
https://github.com/openshift/openshift-ansible/blob/9d4a0c00b0c554a8b7bd7242438806ce901831bc/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml#L70
And if that is the case then it looks like docker-registry.default.svc
should be added.
Is this a bug? If so, presumably it should be affecting everyone?
This is using OpenShift Origin 3.6, installing using the ansible
installer from the master branch.
Thanks
Tim
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
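
The check described in the post above, as an added example that is not part of the original message or of openshift-ansible: it parses the Subject Alternative Name line that `openssl x509 -noout -text` prints and reports which names a client dials are not covered. The function names are hypothetical, and the single-label wildcard rule goes beyond the case in the post.

```python
import ipaddress

# SAN line copied from the post above (openssl text output, joined onto one line).
SAN_FROM_POST = ("DNS:docker-registry-default.os.informaticsmatters.com, "
                 "DNS:172.30.148.243, IP Address:172.30.148.243")
# Names taken from the post: internal service name, public route, service IP.
REQUIRED = ["docker-registry.default.svc",
            "docker-registry-default.os.informaticsmatters.com",
            "172.30.148.243"]

def parse_san(san_line):
    """Split an openssl SAN line into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in san_line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def dns_match(pattern, host):
    """Exact match, or a '*' standing for exactly one left-most label."""
    p = pattern.split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def covers(san_line, name):
    """True if a client connecting to `name` would find it in the SAN."""
    dns, ips = parse_san(san_line)
    try:
        # An IP target is compared with IP Address entries only (RFC 2818),
        # so a "DNS:172.30.148.243" entry does not count for it.
        return ipaddress.ip_address(name) in ips
    except ValueError:
        return any(dns_match(p, name) for p in dns)

def missing_names(san_line, required):
    """Names from `required` that the certificate does not cover."""
    return [n for n in required if not covers(san_line, n)]

if __name__ == "__main__":
    for name in missing_names(SAN_FROM_POST, REQUIRED):
        print("not covered by certificate:", name)
```

Run against the SAN from the post, it reports only `docker-registry.default.svc`, the same name the x509 error rejects.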