I created a secret with the remote CA and mounted it on the registry at /etc/pki/ca-trust/source/anchor. The registry still says "certificate signed by unknown authority".

On 17 November 2017 at 23:57, Ben Parees <[email protected]> wrote:

> On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana <[email protected]>
> wrote:
>
>> Thanks Ben, that makes sense. How do I add remote CAs to the registry
>> though?
>
> Similar to what is described here to add certs to the registry:
> https://docs.openshift.org/latest/install_config/registry/securing_and_exposing_registry.html#securing-the-registry
>
> (mount the ca.crt into the system ca cert location within the pod, it
> should be picked up automatically).
>
>> On 17 November 2017 at 15:08, Ben Parees <[email protected]> wrote:
>>
>>> The registry CAs are distinct from the image import controller CA. They
>>> are two different processes running in two different environments.
>>>
>>> Ben Parees | OpenShift
>>>
>>> On Nov 16, 2017 10:58 PM, "Lionel Orellana" <[email protected]> wrote:
>>>
>>>> Looking at the registry logs, it's not happy with the remote registry
>>>> cert.
>>>>
>>>> time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"
>>>>
>>>> Given that oc import-image works I was expecting the registry to trust
>>>> the same ca's.
>>>>
>>>> On 17 November 2017 at 12:01, Ben Parees <[email protected]> wrote:
>>>>
>>>>> On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Is pullthrough enabled on your registry?
>>>>>>
>>>>>> Yes.
>>>>>>
>>>>>> "When performing pullthrough, the registry will use pull credentials
>>>>>>> found in the project associated with the image stream tag that is being
>>>>>>> referenced"
>>>>>>
>>>>>> I'm deploying in the same project where the image stream is. I have
>>>>>> a dockercfg secret in the project with credentials for the remote
>>>>>> registry. I linked that secret to the deployment as pull secret.
>>>>>> It works when remotePolicy is Source so I know the credentials are Ok.
>>>>>> But how does the registry find the pull credentials to use? I assume
>>>>>> it looks for the server name in the dockercfg secret?
>>>>>
>>>>> yes.
>>>>>
>>>>>> On 17 November 2017 at 10:01, Ben Parees <[email protected]> wrote:
>>>>>>
>>>>>>> On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I imported a remote image and set referencePolicy.type to Local in
>>>>>>>> the resulting tag. When I try to deploy a pod using this image stream
>>>>>>>> tag I get "rpc error: code = 2 desc = manifest unknown: manifest
>>>>>>>> unknown".
>>>>>>>>
>>>>>>>> If I change the referencePolicy type to Source then the pod pulls
>>>>>>>> the image fine from the remote registry. But this requires linking a
>>>>>>>> pull secret to the deployment which is an extra step I could do
>>>>>>>> without. I thought I would get around that by referencing the Local
>>>>>>>> image.
>>>>>>>>
>>>>>>>> How do I pull the remote image when referencePolicy is Local?
>>>>>>>
>>>>>>> Is pullthrough enabled on your registry?
>>>>>>> https://docs.openshift.org/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough
>>>>>>>
>>>>>>> also:
>>>>>>> "When performing pullthrough, the registry will use pull credentials
>>>>>>> found in the project associated with the image stream tag that is being
>>>>>>> referenced. "
>>>>>>>
>>>>>>> So if your imagestream is in a different project, you need to make
>>>>>>> sure the credentials are in the right place.
>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> users mailing list
>>>>>>>> [email protected]
>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>
>>>>>>> --
>>>>>>> Ben Parees | OpenShift
>>>>>
>>>>> --
>>>>> Ben Parees | OpenShift
>
> --
> Ben Parees | OpenShift
