It doesn't look like putting the CA in /etc/pki/ca-trust/source/anchors is enough without running update-ca-trust.
On 18 November 2017 at 15:40, Lionel Orellana <[email protected]> wrote:

> Inside the registry, curl with --cacert pointing to
> /etc/pki/ca-trust/source/anchors/<my registry domain>.crt works.
>
> On 18 November 2017 at 15:11, Lionel Orellana <[email protected]> wrote:
>
>> I created a secret with the remote CA, mounted it on the registry at
>> /etc/pki/ca-trust/source/anchor. The registry still says "certificate
>> signed by unknown authority".
>>
>> On 17 November 2017 at 23:57, Ben Parees <[email protected]> wrote:
>>
>>> On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana <[email protected]> wrote:
>>>
>>>> Thanks Ben, that makes sense. How do I add remote CAs to the registry
>>>> though?
>>>
>>> Similar to what is described here to add certs to the registry:
>>> https://docs.openshift.org/latest/install_config/registry/securing_and_exposing_registry.html#securing-the-registry
>>>
>>> (mount the ca.crt into the system CA cert location within the pod, it
>>> should be picked up automatically).
>>>
>>>> On 17 November 2017 at 15:08, Ben Parees <[email protected]> wrote:
>>>>
>>>>> The registry CAs are distinct from the image import controller CA.
>>>>> They are two different processes running in two different environments.
>>>>>
>>>>> Ben Parees | OpenShift
>>>>>
>>>>> On Nov 16, 2017 10:58 PM, "Lionel Orellana" <[email protected]> wrote:
>>>>>
>>>>>> Looking at the registry logs, it's not happy with the remote registry
>>>>>> cert.
>>>>>>
>>>>>> time="2017-11-17T03:53:46.591715267Z" level=error msg="response
>>>>>> completed with error" err.code="manifest unknown" err.detail=" x509:
>>>>>> certificate signed by unknown authority"
>>>>>>
>>>>>> Given that oc import-image works I was expecting the registry to
>>>>>> trust the same CAs.
>>>>>>
>>>>>> On 17 November 2017 at 12:01, Ben Parees <[email protected]> wrote:
>>>>>>
>>>>>>> On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <[email protected]> wrote:
>>>>>>>
>>>>>>>> Is pullthrough enabled on your registry?
>>>>>>>>
>>>>>>>> Yes.
>>>>>>>>
>>>>>>>>> "When performing pullthrough, the registry will use pull
>>>>>>>>> credentials found in the project associated with the image stream tag
>>>>>>>>> that is being referenced"
>>>>>>>>
>>>>>>>> I'm deploying in the same project where the image stream is. I have
>>>>>>>> a dockercfg secret in the project with credentials for the remote
>>>>>>>> registry. I linked that secret to the deployment as pull secret. It
>>>>>>>> works when remotePolicy is Source so I know the credentials are OK.
>>>>>>>> But how does the registry find the pull credentials to use? I assume
>>>>>>>> it looks for the server name in the dockercfg secret?
>>>>>>>
>>>>>>> yes.
>>>>>>>
>>>>>>>> On 17 November 2017 at 10:01, Ben Parees <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I imported a remote image and set referencePolicy.type to Local
>>>>>>>>>> in the resulting tag. When I try to deploy a pod using this image
>>>>>>>>>> stream tag I get "rpc error: code = 2 desc = manifest unknown:
>>>>>>>>>> manifest unknown".
>>>>>>>>>>
>>>>>>>>>> If I change the referencePolicy type to Source then the pod pulls
>>>>>>>>>> the image fine from the remote registry. But this requires linking
>>>>>>>>>> a pull secret to the deployment which is an extra step I could do
>>>>>>>>>> without. I thought I would get around that by referencing the
>>>>>>>>>> Local image.
>>>>>>>>>>
>>>>>>>>>> How do I pull the remote image when referencePolicy is Local?
>>>>>>>>>
>>>>>>>>> Is pullthrough enabled on your registry?
>>>>>>>>> https://docs.openshift.org/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough
>>>>>>>>>
>>>>>>>>> also:
>>>>>>>>> "When performing pullthrough, the registry will use pull
>>>>>>>>> credentials found in the project associated with the image stream tag
>>>>>>>>> that is being referenced."
>>>>>>>>>
>>>>>>>>> So if your imagestream is in a different project, you need to make
>>>>>>>>> sure the credentials are in the right place.
>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> users mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Ben Parees | OpenShift
>>>>>>>
>>>>>>> --
>>>>>>> Ben Parees | OpenShift
>>>
>>> --
>>> Ben Parees | OpenShift
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
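The other question in the thread, how the registry finds pull credentials during pullthrough, is answered with "yes, by server name". The Go program below is an example added to this page (not OpenShift's implementation) of that Docker-style lookup: derive the registry host from the image reference, normalise the keys of the secret's auth map (which may carry a scheme, a port or the legacy /v1/ suffix), and decode the base64 user:password pair. It accepts both the legacy .dockercfg layout and the config.json layout with an "auths" wrapper, since OpenShift secrets come in both forms. The secret contents are constructed sample data; the host names and function names are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// authEntry is one entry of a Docker auth map: "auth" is base64("user:password").
type authEntry struct {
	Auth string `json:"auth"`
}

// Credentials is the decoded user/password pair for one registry.
type Credentials struct {
	Username string
	Password string
}

// SampleDockercfg is constructed sample data in the legacy .dockercfg layout
// (the content of a kubernetes.io/dockercfg secret). The auth values decode to
// "deployer:s3cr3t" and "hubuser:hubpass"; they are not real credentials.
const SampleDockercfg = `{
  "https://registry.example.com:5000": {"auth": "ZGVwbG95ZXI6czNjcjN0"},
  "https://index.docker.io/v1/": {"auth": "aHVidXNlcjpodWJwYXNz"}
}`

// SampleDockerConfigJSON is the same data in the config.json layout
// (the content of a kubernetes.io/dockerconfigjson secret): the map sits under "auths".
const SampleDockerConfigJSON = `{"auths": ` + SampleDockercfg + `}`

// parseAuthMap accepts either layout and returns the server -> entry map.
func parseAuthMap(data []byte) (map[string]authEntry, error) {
	var wrapped struct {
		Auths map[string]authEntry `json:"auths"`
	}
	if err := json.Unmarshal(data, &wrapped); err == nil && len(wrapped.Auths) > 0 {
		return wrapped.Auths, nil
	}
	var flat map[string]authEntry
	if err := json.Unmarshal(data, &flat); err != nil {
		return nil, fmt.Errorf("not a dockercfg or config.json document: %w", err)
	}
	return flat, nil
}

// registryHost applies the Docker reference rule: the first path component is a
// registry only if it contains '.' or ':' or is "localhost"; otherwise the image
// lives on docker.io.
func registryHost(ref string) string {
	i := strings.Index(ref, "/")
	if i < 0 {
		return "docker.io"
	}
	first := ref[:i]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return strings.ToLower(first)
	}
	return "docker.io"
}

// normalizeKey reduces an auth-map key to a bare host[:port], so that
// "https://registry.example.com:5000", "registry.example.com:5000/" and
// "https://index.docker.io/v1/" compare the way a client would use them.
func normalizeKey(key string) string {
	host := key
	if strings.Contains(host, "://") {
		if u, err := url.Parse(host); err == nil && u.Host != "" {
			host = u.Host
		}
	} else if i := strings.Index(host, "/"); i >= 0 {
		host = host[:i]
	}
	host = strings.ToLower(host)
	if host == "index.docker.io" {
		host = "docker.io"
	}
	return host
}

// LookupPullCredentials returns the credentials whose key names the registry that ref
// points at. The boolean is false when no key matches, which is the situation that
// makes a pullthrough fail even though the secret exists.
func LookupPullCredentials(secret []byte, ref string) (Credentials, bool, error) {
	auths, err := parseAuthMap(secret)
	if err != nil {
		return Credentials{}, false, err
	}
	want := registryHost(ref)
	for key, entry := range auths {
		if normalizeKey(key) != want {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return Credentials{}, false, fmt.Errorf("auth for %q is not base64: %w", key, err)
		}
		parts := strings.SplitN(string(raw), ":", 2)
		if len(parts) != 2 {
			return Credentials{}, false, fmt.Errorf("auth for %q is not user:password", key)
		}
		return Credentials{Username: parts[0], Password: parts[1]}, true, nil
	}
	return Credentials{}, false, nil
}

func main() {
	for _, ref := range []string{"registry.example.com:5000/team/app:1.0", "nginx:1.15", "other.example.org/app"} {
		c, ok, err := LookupPullCredentials([]byte(SampleDockercfg), ref)
		fmt.Printf("%-40s found=%t user=%q err=%v\n", ref, ok, c.Username, err)
	}
}
```

When a pullthrough fails with the credentials known to be good, the first thing to compare is the key form in the secret against the host as it appears in the image reference, port included.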
