Bug 1464562

Summary: [RFE] Support reencrypt routing on docker-registry service
Product: OpenShift Container Platform
Reporter: Josh Foots <jfoots>
Component: RFE
Assignee: Ben Parees <bparees>
Status: CLOSED CURRENTRELEASE
QA Contact: Xiaoli Tian <xtian>
Severity: low
Docs Contact:
Priority: unspecified
Version: 3.5.0
CC: aos-bugs, bparees, bpritche, dherrman, erich, jokerman, mmccomas, pweil, rbost
Target Milestone: ---
Target Release: 3.12.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-14 14:44:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Josh Foots 2017-06-23 18:36:17 UTC
What problem/issue/behavior are you having trouble with?  What do you expect to see?

Recently we upgraded to OpenShift 3.5 for our stand-alone registry service. Before the upgrade, we had a configuration working where a reencrypt route was used on top of the registry service to successfully support secured traffic to our docker-registry. However, with the new 3.5 docker-registry image, this configuration broke when pushing images. This issue seems to be the exact thing we're experiencing: https://github.com/openshift/origin/issues/14249.

I do realize that the documentation for the registry service says passthrough encryption is the only supported TLS option here: https://docs.openshift.com/container-platform/latest/install_config/registry/securing_and_exposing_registry.html#exposing-the-registry

We would like to see reencrypt supported as well (preferably through openshift-ansible code) with examples, or the change to the v3.5 registry that broke reencrypt routing reverted so we can keep our working configuration. The former option would be preferred.

When does the behavior occur? Frequently?  Repeatedly?   At certain times?

Always

Comment 1 Ben Pritchett 2017-08-04 16:55:01 UTC
We would need to figure this out before our team considers an upgrade to 3.6. Is there any suggestion for a workaround while a reencrypt configuration is looked at for the stand-alone registry?