It works if I mount the secret on /etc/pki/tls/certs. Yeah, doco on this is non-existent. I've been struggling with this all day but now that you say it, a PV with the full ca-trust dir sounds obvious.
On 18 November 2017 at 17:52, Ben Parees <[email protected]> wrote:
>
> On Sat, Nov 18, 2017 at 1:31 AM, Lionel Orellana <[email protected]> wrote:
>
>> It doesn't look like putting the ca in /etc/pki/ca-trust/source/anchors
>> is enough without running update-ca-trust
>
> yeah that makes sense and unfortunately makes it difficult if you don't
> mount your ca-trust via a PV since you'll lose the changes whenever your
> registry restarts.
>
> Would you mind opening an issue for us to add some docs (at a minimum)
> around this since it seems like they are lacking?
>
>> On 18 November 2017 at 15:40, Lionel Orellana <[email protected]> wrote:
>>
>>> Inside the registry, curl with --cacert pointing to
>>> /etc/pki/ca-trust/source/anchors/<my registry domain>.crt works.
>>>
>>> On 18 November 2017 at 15:11, Lionel Orellana <[email protected]> wrote:
>>>
>>>> I created a secret with the remote ca, mounted it on the registry at
>>>> /etc/pki/ca-trust/source/anchor. The registry still says "certificate
>>>> signed by unknown authority".
>>>>
>>>> On 17 November 2017 at 23:57, Ben Parees <[email protected]> wrote:
>>>>
>>>>> On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana <[email protected]> wrote:
>>>>>
>>>>>> Thanks Ben, that makes sense. How do I add remote CAs to the
>>>>>> registry though?
>>>>>
>>>>> Similar to what is described here to add certs to the registry:
>>>>> https://docs.openshift.org/latest/install_config/registry/securing_and_exposing_registry.html#securing-the-registry
>>>>>
>>>>> (mount the ca.crt into the system ca cert location within the pod, it
>>>>> should be picked up automatically).
>>>>>
>>>>>> On 17 November 2017 at 15:08, Ben Parees <[email protected]> wrote:
>>>>>>
>>>>>>> The registry CAs are distinct from the image import controller CA.
>>>>>>> They are two different processes running in two different environments.
>>>>>>>
>>>>>>> Ben Parees | OpenShift
>>>>>>>
>>>>>>> On Nov 16, 2017 10:58 PM, "Lionel Orellana" <[email protected]> wrote:
>>>>>>>
>>>>>>>> Looking at the registry logs, it's not happy with the remote
>>>>>>>> registry cert.
>>>>>>>>
>>>>>>>> time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"
>>>>>>>>
>>>>>>>> Given that oc import-image works I was expecting the registry to
>>>>>>>> trust the same CAs.
>>>>>>>>
>>>>>>>> On 17 November 2017 at 12:01, Ben Parees <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Is pullthrough enabled on your registry?
>>>>>>>>>>
>>>>>>>>>> Yes.
>>>>>>>>>>
>>>>>>>>>>> "When performing pullthrough, the registry will use pull
>>>>>>>>>>> credentials found in the project associated with the image stream tag that
>>>>>>>>>>> is being referenced"
>>>>>>>>>>
>>>>>>>>>> I'm deploying in the same project where the image stream is. I
>>>>>>>>>> have a dockercfg secret in the project with credentials for the remote
>>>>>>>>>> registry. I linked that secret to the deployment as pull secret. It works
>>>>>>>>>> when remotePolicy is Source so I know the credentials are OK. But how does
>>>>>>>>>> the registry find the pull credentials to use? I assume it looks for the
>>>>>>>>>> server name in the dockercfg secret?
>>>>>>>>>
>>>>>>>>> yes.
>>>>>>>>>
>>>>>>>>>> On 17 November 2017 at 10:01, Ben Parees <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I imported a remote image and set referencePolicy.type to
>>>>>>>>>>>> Local in the resulting tag. When I try to deploy a pod using this image
>>>>>>>>>>>> stream tag I get "rpc error: code = 2 desc = manifest unknown:
>>>>>>>>>>>> manifest unknown".
>>>>>>>>>>>>
>>>>>>>>>>>> If I change the referencePolicy type to Source then the pod
>>>>>>>>>>>> pulls the image fine from the remote registry. But this requires linking a
>>>>>>>>>>>> pull secret to the deployment which is an extra step I could do without. I
>>>>>>>>>>>> thought I would get around that by referencing the Local image.
>>>>>>>>>>>>
>>>>>>>>>>>> How do I pull the remote image when referencePolicy is Local?
>>>>>>>>>>>
>>>>>>>>>>> Is pullthrough enabled on your registry?
>>>>>>>>>>> https://docs.openshift.org/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough
>>>>>>>>>>>
>>>>>>>>>>> also:
>>>>>>>>>>> "When performing pullthrough, the registry will use pull
>>>>>>>>>>> credentials found in the project associated with the image stream tag that
>>>>>>>>>>> is being referenced."
>>>>>>>>>>>
>>>>>>>>>>> So if your imagestream is in a different project, you need to
>>>>>>>>>>> make sure the credentials are in the right place.
>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> users mailing list
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
> --
> Ben Parees | OpenShift
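Added example, not from this thread and not the OpenShift registry's own code: the registry is a Go program, and the "x509: certificate signed by unknown authority" it logged is Go's x509.UnknownAuthorityError, returned when the remote server certificate cannot be chained to any root in the pool crypto/tls consults. Go's crypto/x509 fills that pool from a fixed list of bundle files and directories (on RHEL-based images that includes /etc/pki/tls/certs/ca-bundle.crt), not from /etc/pki/ca-trust/source/anchors, which is only an input to update-ca-trust; that is why a CA dropped into anchors was ignored while a mount under /etc/pki/tls/certs worked. One caveat when mounting a secret onto that directory: a secret volume replaces the directory's contents, so the image's own bundle must stay reachable (or be included in the secret) or the registry loses its public roots. The program below reproduces both outcomes offline with a constructed private CA and server certificate; the hostname registry.example.test and the CA name are made up, and the CA's PEM stands in for the mounted ca.crt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewTestPKI builds a throwaway private CA and a server certificate for host signed
// by it (constructed data); the CA is returned as PEM, the form it has in a mounted ca.crt.
func NewTestPKI(host string) (caPEM []byte, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname verification needs a SAN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), leaf, nil
}

// VerifyAgainst is the check crypto/tls runs on a server certificate: chain leaf to one
// of roots and match host. The pool is explicit; a nil Roots would use the system store.
func VerifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Scenario replays the thread: verify without the remote CA, then with ca.crt appended.
func Scenario(host string) (withoutCA, withCA error, setupErr error) {
	caPEM, leaf, err := NewTestPKI(host)
	if err != nil {
		return nil, nil, err
	}
	withoutCA = VerifyAgainst(leaf, x509.NewCertPool(), host)
	trusted := x509.NewCertPool()
	if !trusted.AppendCertsFromPEM(caPEM) { // what loading a mounted ca.crt amounts to
		return nil, nil, errors.New("could not parse CA PEM")
	}
	withCA = VerifyAgainst(leaf, trusted, host)
	return withoutCA, withCA, nil
}

func main() {
	withoutCA, withCA, err := Scenario("registry.example.test") // constructed hostname
	if err != nil {
		panic(err)
	}
	fmt.Println("without CA:", withoutCA, "| unknown authority:", IsUnknownAuthority(withoutCA))
	fmt.Println("with ca.crt:", withCA)
}
```

The first verification fails exactly as the registry log did; the second succeeds once the same PEM the secret would carry is in the pool. Note that trusting the CA does not relax hostname checking: the leaf still has to name the host being connected to.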
