Bug 1641657
| Field | Value |
|---|---|
| Summary | [3.11] Registry doesn't honor openshift_additional_ca |
| Product | OpenShift Container Platform |
| Component | Installer |
| Version | 3.11.0 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Sergio G. <sgarciam> |
| Assignee | Scott Dodson <sdodson> |
| QA Contact | Wenjing Zheng <wzheng> |
| CC | aos-bugs, bparees, jialiu, jokerman, mmccomas, scuppett, vwalek, wzheng, xiuwang, xtian |
| Target Release | 3.11.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Clones | 1642052 |
| Bug Blocks | 1642052 |
| Last Closed | 2018-11-20 03:10:46 UTC |

Doc Text:

Cause: In 3.10 and newer the apiserver runs as a static pod and only mounted /etc/origin/master and /var/lib/origin inside that pod.

Consequence: CAs trusted by the host were not trusted by the apiserver.

Fix: The apiserver pod definition now mounts /etc/pki into the pod.

Result: The apiserver now trusts all certificate authorities trusted by the host, including those defined by the installer variable `openshift_additional_ca`. This can be used to import image streams from a registry verified by a private CA.
Description
Sergio G.
2018-10-22 13:13:28 UTC
https://github.com/openshift/openshift-ansible/pull/10471 proposed fix

This mounts /etc/pki into the apiserver pod which ensures that the pod will trust CAs in the host's trust store.

Hi Scott. API server does the job if I add the section additionalTrustedCA in /etc/origin/master/master-config.yaml but it's the registry pod which also requires a modification. I expected the installer to do the job:

- add additionalTrustedCA in master-config.yml so api server gets the additional CA
- add the mount into registry pod so registry can have them trusted

But it's not that way, so I wanted to clarify whether it's correct or not.

Verified this bug with openshift-ansible-3.11.38-1. Install cluster with openshift-ansible-3.11.38-1 (not set openshift_additional_ca in the inventory), imagestream could be imported successfully with external registry. After updating docker-registry pod manually as bug #1592936#36, could resolve pull image from openshift registry with pullthrough policy.

*** Bug 1647800 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3537
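The Doc Text above states the fix only in words: the apiserver static pod, which previously mounted just /etc/origin/master and /var/lib/origin, now also mounts /etc/pki so that the host's trust store (and therefore anything installed through `openshift_additional_ca`) is visible inside the pod. The fragment below is an added illustration of that mount, written here for this page; it is not the openshift-ansible template from PR 10471 and reproduces none of it. The pod name, container name, image and the `kube-system` namespace are placeholders or assumptions, and `readOnly: true` is a choice made here rather than something the bug states.

```yaml
# Illustrative static-pod fragment (added example, not the openshift-ansible
# template). Only the volumes relevant to this bug are shown; everything
# else the real apiserver pod needs is omitted.
apiVersion: v1
kind: Pod
metadata:
  name: master-api            # placeholder name
  namespace: kube-system      # assumption: namespace of the control-plane static pods
spec:
  containers:
  - name: api                 # placeholder name
    image: example.invalid/origin-control-plane:v3.11   # placeholder image
    volumeMounts:
    - name: master-config     # mounted before the fix
      mountPath: /etc/origin/master
    - name: master-data       # mounted before the fix
      mountPath: /var/lib/origin
    - name: host-pki          # the fix: expose the host's trust store to the pod
      mountPath: /etc/pki
      readOnly: true          # the apiserver only needs to read the CA bundle
  volumes:
  - name: master-config
    hostPath:
      path: /etc/origin/master
  - name: master-data
    hostPath:
      path: /var/lib/origin
  - name: host-pki
    hostPath:
      path: /etc/pki          # host directory that openshift_additional_ca feeds into
```

Two practitioner notes on this shape. First, the check after applying such a change is to confirm from inside the running apiserver pod that the host's /etc/pki tree is present (for example with `oc exec` into the pod and a directory listing), and then to re-run the image stream import that previously failed against the privately signed registry. Second, a hostPath mount of the whole /etc/pki tree exposes everything under it, not only the CA anchors, so keep the mount read-only and keep private key material out of that tree on master hosts; the same consideration applies to the registry pod mount that the reporter asks about above.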