Bug 1601918
| Summary: | jib maven plugin fails due to mismatching registry certificates | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Online | Reporter: | Siamak Sadeghianfar <ssadeghi> | ||||
| Component: | Image Registry | Assignee: | Ben Parees <bparees> | ||||
| Status: | CLOSED UPSTREAM | QA Contact: | Dongbo Yan <dyan> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | unspecified | CC: | aos-bugs, bparees, ssadeghi | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-08-03 14:23:53 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Siamak Sadeghianfar
2018-07-17 13:02:53 UTC
not sure who's responsible for setting up the registry cert in pro, but let's start w/ Stefanie. The registry cert itself seems fine. It matches the hostname registry.pro-us-east-1.openshift.com: [dakini@localhost ~]$ curl -v --head https://registry.pro-us-east-1.openshift.com * Server certificate: * subject: C=US; ST=North Carolina; L=Raleigh; O=Red Hat Inc.; OU=RHC Cloud Operations; CN=*.pro-us-east-1.openshift.com * start date: May 19 00:00:00 2018 GMT * expire date: May 23 12:00:00 2019 GMT * subjectAltName: host "registry.pro-us-east-1.openshift.com" matched cert's "*.pro-us-east-1.openshift.com" * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA any idea where b9ad.pro-us-east-1.openshiftapps.com would be coming from? (In reply to Ben Parees from comment #3) > any idea where b9ad.pro-us-east-1.openshiftapps.com would be coming from? The subdomain b9ad.pro-us-east-1.openshiftapps.com is what I see assigned to me on Online. All apps I create are under that domain but not sure how the registry is getting mixed up with that. Seems like a jib issue to me. Can you get some verbose output from maven so maybe we can see what it actually thinks it is doing? Created attachment 1459734 [details]
maven logs
I get a completely different error: [ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.6:build (default-cli) on project spring-petclinic: Build image failed: Tried to retrieve authentication method for registry.pro-us-east-1.openshift.com but failed because: Failed get authentication method from 'WWW-Authenticate' header | If this is a bug, please file an issue at https://github.com/GoogleContainerTools/jib/issues/new: Failed to authenticate with the registry because: 'service' was not found in the 'WWW-Authenticate' header, tried to parse: Bearer realm="https://registry.pro-us-east-1.openshift.com/openshift/token" -> [Help 1] but fundamentally i think you're more likely to get resolution to this by opening a Jib issue, it doesn't seem like our registry is configured incorrectly, so it may have something to do with how they are connecting to it/authenticating to it. (I performed a local docker login to the registry, so my docker config.json should have proper credentials, which Jib doc indicates it will use by default). I also can't get it to push to docker.io, with a different resulting error, i'm curious if you managed to get that working as a starting point? Created a jib issue: https://github.com/GoogleContainerTools/jib/issues/659 Based on the latest comments on the issue it sounds like this is resolved. https://github.com/GoogleContainerTools/jib/issues/659#issuecomment-406369597 |