Bug 1475868

Summary: [RFE] Provide an easier way to add a CA to the default trust in OpenShift images.
Product: OpenShift Container Platform
Reporter: Ryan Howe <rhowe>
Component: RFE
Assignee: Matt Rogers <mrogers>
Status: CLOSED DEFERRED
QA Contact: Xiaoli Tian <xtian>
Severity: medium
Priority: high
Version: 3.5.0
CC: aivaras.laimikis, ansverma, aos-bugs, awestbro, bbennett, clichybi, decarr, dmoessne, egolov, eminguez, erich, fcami, fshaikh, itewksbu, jmalde, jokerman, jrosenta, knewcome, knewcomer, mbarrett, mchappel, mjahangi, mmccomas, mmckinst, mrogers, mtaru, myllynen, sgaikwad, sjr
Last Closed: 2019-05-30 13:29:57 UTC
Type: Bug

Description Ryan Howe 2017-07-27 13:47:33 UTC
Description of problem:
At this time if one needs to add a CA to the default trust store of an image, they would need to build the image running. 

For example, if a user needs to add a trusted CA to the docker registry for proxy pulls, they would need to rebuild the image to add the CA to the image.

```
$ cp ca.cert /tmp/your_internalCA.crt
$ cat > /tmp/Dockerfile << EOF
FROM openshift3/ose-docker-registry
# Switch to root so the trust store can be modified
USER root
ADD your_internalCA.crt /etc/pki/ca-trust/source/anchors/
# Regenerate the consolidated trust bundles from the anchors directory
RUN /bin/update-ca-trust
# Drop back to a non-root user (UID 1001)
USER 1001
EOF
$ cd /tmp
$ sudo docker build ./ -t ExternalRegistryURL/openshift3/ose-docker-registry-custom:latest
$ sudo docker push ExternalRegistryURL/openshift3/ose-docker-registry-custom:latest
```

Then change the DC of the registry, changing the image to point to the image that was created:

```
# oc edit dc docker-registry
```

Looking for a way to provide a secret to an image that would automatically add the CA data to the CA trust for OpenShift images.
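
A check one might run after the rebuild described above, to confirm the CA actually landed in the image's extracted trust bundle; this is an added example, not part of the original report or of OpenShift. The function names are hypothetical, and it assumes the bundle written by `update-ca-trust` (on RHEL-based images, `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`) has been copied out of the image.

```python
"""Check that a CA certificate made it into a PEM trust bundle (added example).

Certificates are compared by SHA-256 of their DER bytes, so line wrapping
and CRLF endings do not cause false mismatches.
"""
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """Return the SHA-256 hex digests of every certificate in pem_text."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_CERT.findall(pem_text)}


def missing_from_bundle(ca_pem, bundle_pem):
    """Return fingerprints of certificates in ca_pem that bundle_pem lacks."""
    wanted = fingerprints(ca_pem)
    if not wanted:
        raise ValueError("no PEM certificate found in CA input")
    return wanted - fingerprints(bundle_pem)


def fake_pem(der, width=64, newline="\n"):
    """Constructed sample data: wrap arbitrary bytes as a PEM block."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines,
                         "-----END CERTIFICATE-----", ""])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. your_internalCA.crt and the bundle copied out of the image
        with open(sys.argv[1]) as ca, open(sys.argv[2]) as bundle:
            missing = missing_from_bundle(ca.read(), bundle.read())
    else:
        # Constructed demo: the same bytes, re-wrapped with CRLF, still match.
        ca = fake_pem(b"constructed internal CA " * 8)
        missing = missing_from_bundle(
            ca, fake_pem(b"constructed internal CA " * 8, 76, "\r\n"))
    for fp in sorted(missing):
        print("NOT IN BUNDLE sha256:" + fp)
    sys.exit(1 if missing else 0)
```

A non-zero exit status means at least one certificate from the CA file is absent from the bundle, which makes the script usable as a gate before pushing the custom image.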

Comment 1 Eduardo Minguez 2017-11-08 13:32:09 UTC
Related? https://github.com/openshift/origin/issues/1753

Comment 2 Ryan Howe 2017-11-14 21:54:25 UTC
This is also wanted for S2I builds when a proxy requires all traffic leaving to trust its CA.

Comment 22 Ian Tewksbury 2019-05-28 21:27:16 UTC
YIPPY. Excited to see movement here.

Comment 23 Kirsten Newcomer 2019-05-30 13:27:29 UTC
This issue has been moved to https://jira.coreos.com/browse/RFE-144