The registry CAs are distinct from the image import controller CA. They are two different processes running in two different environments.
Ben Parees | OpenShift On Nov 16, 2017 10:58 PM, "Lionel Orellana" <[email protected]> wrote: > Looking at the registry logs, it's not happy with the remote registry cert. > > time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed > with error" err.code="manifest unknown" err.detail=" x509: certificate > signed by unknown authority" > > Given that oc import-image works I was expecting the registry to trust the > same ca's. > > On 17 November 2017 at 12:01, Ben Parees <[email protected]> wrote: > >> >> >> On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <[email protected]> >> wrote: >> >>> Is pullthrough enabled on your registry? >>> >>> >>> Yes. >>> >>> "When performing pullthrough, the registry will use pull credentials >>>> found in the project associated with the image stream tag that is being >>>> referenced" >>>> >>> >>> >>> I'm deploying in the same project where the image stream is. I have >>> a dockercfg secret in the project with credentials for the remote registry. >>> I linked that secret to the deployment as pull secret. It works when >>> remotePolicy is Source so I know the credentials are Ok. But how does the >>> registry find the pull credentials to use? I assume it looks for the server >>> name in the dockercfg secret? >>> >> >> yes. >> >> >>> >>> >>> On 17 November 2017 at 10:01, Ben Parees <[email protected]> wrote: >>> >>>> >>>> >>>> On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <[email protected]> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> I imported a remote image and set referencePolicy.type to Local in >>>>> the resulting tag. When I try to deploy an pod using this image stream tag >>>>> I get "rpc error: code = 2 desc = manifest unknown: manifest unknown". >>>>> >>>>> If I change the referencePolicy type to Source then the pod pulls the >>>>> image fine from the remote registry. But this requires linking a pull >>>>> secret to the deployment which is an extra step I could do without. I >>>>> thought I would get around that by referencing the Local image. >>>>> >>>>> How do I pull the remote image when referencePolicy is Local? >>>>> >>>> >>>> >>>> Is pullthrough enabled on your registry? >>>> https://docs.openshift.org/latest/install_config/registry/ex >>>> tended_registry_configuration.html#middleware-repository-pullthrough >>>> >>>> also: >>>> "When performing pullthrough, the registry will use pull credentials >>>> found in the project associated with the image stream tag that is being >>>> referenced. " >>>> >>>> So if your imagestream is in a different project, you need to make sure >>>> the credentials are in the right place. >>>> >>>> >>>>> Thanks >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> users mailing list >>>>> [email protected] >>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>>>> >>>>> >>>> >>>> >>>> -- >>>> Ben Parees | OpenShift >>>> >>>> >>> >> >> >> -- >> Ben Parees | OpenShift >> >> >
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
