Inside the registry, curl with --cacert pointing to /etc/pki/ca-trust/source/anchors/<my registry domain>.crt works.
On 18 November 2017 at 15:11, Lionel Orellana <[email protected]> wrote:
> I created a secret with the remote ca, mounted it on the registry at
> /etc/pki/ca-trust/source/anchor. The registry still says "certificate
> signed by unknown authority".
>
> On 17 November 2017 at 23:57, Ben Parees <[email protected]> wrote:
>>
>> On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana <[email protected]> wrote:
>>
>>> Thanks Ben, that makes sense. How do I add remote CAs to the registry
>>> though?
>>
>> Similar to what is described here to add certs to the registry:
>> https://docs.openshift.org/latest/install_config/registry/securing_and_exposing_registry.html#securing-the-registry
>>
>> (mount the ca.crt into the system ca cert location within the pod, it
>> should be picked up automatically).
>>
>>> On 17 November 2017 at 15:08, Ben Parees <[email protected]> wrote:
>>>
>>>> The registry CAs are distinct from the image import controller CA. They
>>>> are two different processes running in two different environments.
>>>>
>>>> Ben Parees | OpenShift
>>>>
>>>> On Nov 16, 2017 10:58 PM, "Lionel Orellana" <[email protected]> wrote:
>>>>
>>>>> Looking at the registry logs, it's not happy with the remote registry
>>>>> cert.
>>>>>
>>>>> time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"
>>>>>
>>>>> Given that oc import-image works I was expecting the registry to trust
>>>>> the same CAs.
>>>>>
>>>>> On 17 November 2017 at 12:01, Ben Parees <[email protected]> wrote:
>>>>>>
>>>>>> On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <[email protected]> wrote:
>>>>>>
>>>>>>> Is pullthrough enabled on your registry?
>>>>>>>
>>>>>>> Yes.
>>>>>>>
>>>>>>>> "When performing pullthrough, the registry will use pull credentials
>>>>>>>> found in the project associated with the image stream tag that is being
>>>>>>>> referenced"
>>>>>>>
>>>>>>> I'm deploying in the same project where the image stream is. I have
>>>>>>> a dockercfg secret in the project with credentials for the remote
>>>>>>> registry. I linked that secret to the deployment as pull secret. It
>>>>>>> works when remotePolicy is Source so I know the credentials are Ok.
>>>>>>> But how does the registry find the pull credentials to use? I assume
>>>>>>> it looks for the server name in the dockercfg secret?
>>>>>>
>>>>>> yes.
>>>>>>
>>>>>>> On 17 November 2017 at 10:01, Ben Parees <[email protected]> wrote:
>>>>>>>>
>>>>>>>> On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I imported a remote image and set referencePolicy.type to Local
>>>>>>>>> in the resulting tag. When I try to deploy a pod using this image
>>>>>>>>> stream tag I get "rpc error: code = 2 desc = manifest unknown:
>>>>>>>>> manifest unknown".
>>>>>>>>>
>>>>>>>>> If I change the referencePolicy type to Source then the pod pulls
>>>>>>>>> the image fine from the remote registry. But this requires linking
>>>>>>>>> a pull secret to the deployment which is an extra step I could do
>>>>>>>>> without. I thought I would get around that by referencing the
>>>>>>>>> Local image.
>>>>>>>>>
>>>>>>>>> How do I pull the remote image when referencePolicy is Local?
>>>>>>>>
>>>>>>>> Is pullthrough enabled on your registry?
>>>>>>>> https://docs.openshift.org/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough
>>>>>>>>
>>>>>>>> also:
>>>>>>>> "When performing pullthrough, the registry will use pull
>>>>>>>> credentials found in the project associated with the image stream
>>>>>>>> tag that is being referenced. "
>>>>>>>>
>>>>>>>> So if your imagestream is in a different project, you need to make
>>>>>>>> sure the credentials are in the right place.
>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> users mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>>
>>>>>>>> --
>>>>>>>> Ben Parees | OpenShift
>>>>>>
>>>>>> --
>>>>>> Ben Parees | OpenShift
>>
>> --
>> Ben Parees | OpenShift
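The thread's open question is how the registry, during pullthrough, picks pull credentials out of the project's dockercfg secrets ("it looks for the server name in the dockercfg secret" / "yes."). The following check is an added example, not code from the thread or from OpenShift: it works out which registry host an image reference resolves to and whether any secret in the project carries an entry for that host, so a missing or mis-keyed entry can be spotted before deploying with referencePolicy Local. It assumes an exact hostname match (as the thread describes) and uses constructed secrets with the placeholder host registry.example.invalid.

```python
import base64
import json

# Constructed sample secrets, shaped like "oc get secret -o json" output.
# One uses the legacy .dockercfg layout, the other the config.json "auths" layout
# with a URL-style key, which real secrets often contain.
SAMPLE_DOCKERCFG_SECRET = {
    "type": "kubernetes.io/dockercfg",
    "data": {".dockercfg": base64.b64encode(json.dumps({
        "registry.example.invalid": {"auth": base64.b64encode(b"user:placeholder-token").decode()}
    }).encode()).decode()},
}
SAMPLE_CONFIGJSON_SECRET = {
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": base64.b64encode(json.dumps({"auths": {
        "https://other.example.invalid/v1/": {"auth": base64.b64encode(b"user:placeholder-token").decode()}
    }}).encode()).decode()},
}


def registry_host(image_ref):
    """Registry host of a docker reference such as 'host/repo:tag'.
    The first path component counts as a host only if it contains '.' or ':'
    or is 'localhost'; otherwise the reference implicitly points at docker.io."""
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def secret_hosts(secret):
    """Set of registry hosts that have credentials in a pull secret."""
    data = secret.get("data", {})
    if ".dockercfg" in data:
        cfg = json.loads(base64.b64decode(data[".dockercfg"]))
    elif ".dockerconfigjson" in data:
        cfg = json.loads(base64.b64decode(data[".dockerconfigjson"])).get("auths", {})
    else:
        return set()
    # Keys may be written as URLs ("https://host/v1/"); reduce them to the bare host.
    return {k.split("://", 1)[-1].split("/", 1)[0] for k in cfg}


def pullthrough_credentials_present(image_ref, secrets):
    """True when some secret in the project has an entry keyed by the host
    the registry would contact for pullthrough (assumed: exact host match)."""
    host = registry_host(image_ref)
    return any(host in secret_hosts(s) for s in secrets)
```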
