Slightly related - there is an existing bugzilla where `oc import-image` and `oc tag` will fail if the "origin" tag references the internal registry with a similar x509 error [1]. Echoing Clayton, please file a bug and if warranted we'll link the two together.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1716835

On Tue, Nov 12, 2019 at 8:42 AM Clayton Coleman <ccole...@redhat.com> wrote:

>
>
> On Nov 12, 2019, at 3:44 AM, Joel Pearson <japear...@agiledigital.com.au>
> wrote:
>
>
>
> On Tue, 12 Nov 2019 at 15:37, Ben Parees <bpar...@redhat.com> wrote:
>
>>
>>
>> On Mon, Nov 11, 2019 at 11:26 PM Joel Pearson <
>> japear...@agiledigital.com.au> wrote:
>>
>>> I've now discovered that the cluster-samples-operator doesn't seem
>>> to honour the proxy settings, and I see lots of errors in the
>>> cluster-samples-operator-xxxx pod logs
>>>
>>> time="2019-11-12T04:15:49Z" level=warning msg="Image import for
>>> imagestream dotnet tag 2.1 generation 2 failed with detailed message
>>> Internal error occurred: Get https://I /v2/
>>> <https://registry.redhat.io/v2/>: x509: certificate signed by unknown
>>> authority"
>>>
>>> Is there a way to get that operator to use the same user-ca-bundle?
>>>
>>
>> image import should be using those CAs (it's really about the
>> openshift-apiserver, not the samples operator) automatically (sounds like
>> another potential bug, but I'll let Oleg weigh in on this one).
>>
>> However barring that, you can use the mechanism described here to
>> set up additional CAs for importing from registries:
>>
>> https://docs.openshift.com/container-platform/4.2/openshift_images/image-configuration.html#images-configuration-file_image-configuration
>>
>> you can follow the more detailed instructions here:
>>
>> https://docs.openshift.com/container-platform/4.2/builds/setting-up-trusted-ca.html#configmap-adding-ca_setting-up-trusted-ca
>>
>
> I tried this approach but it didn't work for me.
>
> I ran this command:
>
> oc create configmap registry-cas -n openshift-config \
> --from-file=registry.redhat.io..5000=/path/to/ca.crt \
> --from-file=registry.redhat.io..443=/path/to/ca.crt \
> --from-file=registry.redhat.io=/path/to/ca.crt
>
> and:
>
> oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge
>
> And that still didn't work. First I deleted the
> cluster-samples-operator-xxxx pod, then I tried forcing the masters to
> restart by touching some machine config (I don't know a better way).
> But it still didn't work. Maybe the samples operator doesn't let you
> easily override the trusted CA certs?
>
>
> No, as Ben said this should be working. Please file a bug.
>
>
>
>>
>>
>> (Brandi/Adam, we should really include the example from that second link,
>> in the general "image resource configuration" page from the first link).
>>
>> Unfortunately it does not allow you to reuse the user-ca-bundle CM since
>> the format of the CM is a bit different (needs an entry per registry
>> hostname).
>>
>> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>

--
Adam Kaplan
He/Him
Senior Software Engineer - OpenShift
Red Hat <https://www.redhat.com/>
100 E. Davie St. Raleigh, NC 27601 USA
adam.kap...@redhat.com
T: +1-919-754-4843
IM: adambkaplan
<https://www.redhat.com/>
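The ConfigMap format the thread describes (one entry per registry hostname, with a port joined by `..`), as an added example that is not part of the original thread or of OpenShift's own tooling: it validates each registry name and the CA file, then prints the manifest. The `example.com` registries, the function names and the PEM body are constructed placeholders.

```shell
#!/bin/sh
# Added example. registry-cas / openshift-config follow the thread; the
# example.com registries and the PEM body are constructed placeholders.

# Map host or host:port to a ConfigMap key. ConfigMap keys cannot contain
# ":", so a port is joined with ".." (as in registry.redhat.io..5000).
registry_key() {
  reg=$1
  case $reg in
    ''|*/*|*[!A-Za-z0-9.:-]*)
      echo "not a bare host[:port]: '$reg'" >&2; return 1 ;;
  esac
  case $reg in
    *:*)
      host=${reg%%:*}; port=${reg#*:}
      case $port in ''|*[!0-9]*) echo "bad port: '$reg'" >&2; return 1 ;; esac
      [ -n "$host" ] || { echo "empty host: '$reg'" >&2; return 1; }
      printf '%s..%s\n' "$host" "$port" ;;
    *) printf '%s\n' "$reg" ;;
  esac
}

# Print a ConfigMap manifest with one entry per registry, all carrying the
# same CA file. Every input is validated before anything is printed.
emit_configmap() {
  name=$1; ca=$2; shift 2
  [ -r "$ca" ] || { echo "cannot read $ca" >&2; return 1; }
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca" || true)
  [ "$n" -gt 0 ] || { echo "$ca holds no PEM certificate" >&2; return 1; }
  keys=
  for r in "$@"; do
    k=$(registry_key "$r") || return 1
    keys="$keys $k"
  done
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n'
  printf '  name: %s\n  namespace: openshift-config\ndata:\n' "$name"
  for k in $keys; do
    printf '  %s: |\n' "$k"
    sed 's/^/    /' "$ca"
  done
}

demo_ca=$(mktemp)            # constructed placeholder, not a real CA
trap 'rm -f "$demo_ca"' EXIT
cat > "$demo_ca" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
emit_configmap registry-cas "$demo_ca" registry.example.com registry.example.com:5000
```

Piping the output to `oc apply -f -` creates the same kind of object as the `oc create configmap` command quoted above; a name containing a scheme or path is rejected before any manifest is printed.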