On Nov 12, 2019, at 3:44 AM, Joel Pearson <japear...@agiledigital.com.au> wrote:
On Tue, 12 Nov 2019 at 15:37, Ben Parees <bpar...@redhat.com> wrote:
>
> On Mon, Nov 11, 2019 at 11:26 PM Joel Pearson <japear...@agiledigital.com.au> wrote:
>
>> I've now discovered that the cluster-samples-operator doesn't seem to honour
>> the proxy settings, and I see lots of errors in the
>> cluster-samples-operator-xxxx pod logs
>>
>> time="2019-11-12T04:15:49Z" level=warning msg="Image import for
>> imagestream dotnet tag 2.1 generation 2 failed with detailed message
>> Internal error occurred: Get https://I /v2/
>> <https://registry.redhat.io/v2/>: x509: certificate signed by unknown
>> authority"
>>
>> Is there a way to get that operator to use the same user-ca-bundle?
>>
>
> image import should be using those CAs (it's really about the
> openshift-apiserver, not the samples operator) automatically (sounds like
> another potential bug, but I'll let Oleg weigh in on this one).
>
> However barring that, you can use the mechanism described here to
> set up additional CAs for importing from registries:
>
> https://docs.openshift.com/container-platform/4.2/openshift_images/image-configuration.html#images-configuration-file_image-configuration
>
> you can follow the more detailed instructions here:
>
> https://docs.openshift.com/container-platform/4.2/builds/setting-up-trusted-ca.html#configmap-adding-ca_setting-up-trusted-ca
>

I tried this approach but it didn't work for me.

I ran this command:

oc create configmap registry-cas -n openshift-config \
--from-file=registry.redhat.io..5000=/path/to/ca.crt \
--from-file=registry.redhat.io..443=/path/to/ca.crt \
--from-file=registry.redhat.io=/path/to/ca.crt

and:

oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

And that still didn't work. First I deleted the cluster-samples-operator-xxxx pod, then I tried forcing the masters to restart by touching some machine config (I don't know a better way). But it still didn't work.

Maybe the samples operator doesn't let you easily override the trusted CA certs?

No, as Ben said this should be working. Please file a bug.

>
> (Brandi/Adam, we should really include the example from that second link,
> in the general "image resource configuration" page from the first link).
>
> Unfortunately it does not allow you to reuse the user-ca-bundle CM since
> the format of the CM is a bit different (needs an entry per registry
> hostname).
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
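
An added example, not part of the thread and not OpenShift code: a pre-flight check of the per-registry CA ConfigMap data discussed above, confirming each key has the `hostname` or `hostname..port` shape used in the `oc create configmap` command and each value is a complete PEM certificate. The function names and the sample DER bytes are constructed for illustration; the check covers the shape of the data only, not whether the CA actually signs what the registry or proxy presents.

```python
import base64
import re
# Key format seen in the thread's command: hostname, optionally "..port"
# (":" is not a legal ConfigMap key character, hence the double dot).
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
KEY_RE = re.compile(rf"^({LABEL}(?:\.{LABEL})*)(?:\.\.(\d{{1,5}}))?$")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def der_is_complete(der):
    """True if der is a single DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_registry_cas(data):
    """Return (covered, problems) for the data section of a registry CA ConfigMap."""
    covered, problems = [], []
    for key, value in data.items():
        m = KEY_RE.match(key)
        if not m:
            problems.append(f"{key}: key is not hostname or hostname..port")
            continue
        blocks = PEM_RE.findall(value)
        try:
            ders = [base64.b64decode("".join(b.split()), validate=True) for b in blocks]
        except ValueError:                  # binascii.Error subclasses ValueError
            ders = []
        if not ders or not all(der_is_complete(d) for d in ders):
            problems.append(f"{key}: value is not a complete PEM certificate")
            continue
        covered.append(m.group(1) + (f":{m.group(2)}" if m.group(2) else ""))
    return covered, problems


def sample_pem(der):  # constructed stand-in for the contents of a ca.crt file
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der = b"\x30\x82\x01\x00" + bytes(256)  # constructed placeholder, not a real cert
    data = {"registry.redhat.io": sample_pem(der), "registry.redhat.io..5000": sample_pem(der),
            "registry.redhat.io:443": sample_pem(der), "registry.redhat.io..443": sample_pem(der[:100])}
    print(check_registry_cas(data))
```
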