Bug 1641657

Summary: [3.11] Registry doesn't honor openshift_additional_ca
Product: OpenShift Container Platform
Reporter: Sergio G. <sgarciam>
Component: Installer
Assignee: Scott Dodson <sdodson>
Status: CLOSED ERRATA
QA Contact: Wenjing Zheng <wzheng>
Severity: high
Docs Contact:
Priority: high
Version: 3.11.0
CC: aos-bugs, bparees, jialiu, jokerman, mmccomas, scuppett, vwalek, wzheng, xiuwang, xtian
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: In 3.10 and newer the apiserver runs as a static pod and only mounted /etc/origin/master and /var/lib/origin inside that pod.
Consequence: CAs trusted by the host were not trusted by the apiserver.
Fix: The apiserver pod definition now mounts /etc/pki into the pod.
Result: The apiserver now trusts all certificate authorities trusted by the host, including those defined by the installer variable 'openshift_additional_ca'. This can be used to import image streams from a registry verified by a private CA.
Story Points: ---
Clone Of:
: 1642052
Environment:
Last Closed: 2018-11-20 03:10:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1642052

Description Sergio G. 2018-10-22 13:13:28 UTC
Even if openshift_additional_ca is set in the inventory, in order to have an image downloaded using pullthrough (which seems to be the default since 3.10) it's still required to mount a secret/configmap as described in [1].

Is this the expected behavior? Are there any plans to get this included in some way into the OpenShift installer?

References:
 [1] https://docs.openshift.com/container-platform/3.11/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough

Comment 1 Scott Dodson 2018-10-22 15:15:59 UTC
https://github.com/openshift/openshift-ansible/pull/10471 proposed fix

This mounts /etc/pki into the apiserver pod, which ensures that the pod will trust CAs in the host's trust store.

Comment 2 Sergio G. 2018-10-22 15:20:40 UTC
Hi Scott.
API server does the job if I add the section additionalTrustedCA in /etc/origin/master/master-config.yaml but it's the registry pod which also requires a modification.

I expected the installer to do the job:
 - add additionalTrustedCA in master-config.yml so api server gets the additional CA
 - add the mount into registry pod so registry can have them trusted

But it's not that way, so I wanted to clarify whether it's correct or not.
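The two pieces listed in Comment 2 can be checked before relying on pullthrough. The following is an added example, not code from the bug report or from openshift-ansible; it assumes master-config.yaml and the docker-registry DeploymentConfig have already been loaded into dicts, uses the 3.x key path imagePolicyConfig.additionalTrustedCA, and assumes the registry picks up CA files mounted under /etc/pki/ca-trust/source/anchors (the mount path is an assumption, taken from the host trust-store layout the fix in Comment 1 relies on).

```python
from typing import Dict, List

# Assumed anchor directory for CA files mounted into the registry pod.
CA_ANCHOR_PREFIX = "/etc/pki/ca-trust/source/anchors"

# Constructed sample: master-config.yaml with the extra CA bundle configured.
MASTER_CONFIG = {
    "imagePolicyConfig": {
        "additionalTrustedCA": "/etc/origin/master/additional_ca.crt",
    },
}

# Constructed sample: registry DeploymentConfig with no CA mounted, which is
# the state the reporter observed after running the installer.
REGISTRY_DC = {
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "registry",
            "volumeMounts": [{"name": "registry-storage", "mountPath": "/registry"}],
        }],
        "volumes": [{"name": "registry-storage", "emptyDir": {}}],
    }}}
}


def apiserver_has_additional_ca(master_config: Dict) -> bool:
    """True when master-config.yaml points the API server at an extra CA bundle."""
    return bool(master_config.get("imagePolicyConfig", {}).get("additionalTrustedCA"))


def registry_ca_mounts(dc: Dict) -> List[str]:
    """Mount paths under the anchor dir that are backed by a configmap or secret."""
    pod = dc["spec"]["template"]["spec"]
    ca_volumes = {v["name"] for v in pod.get("volumes", [])
                  if "configMap" in v or "secret" in v}
    return [m["mountPath"]
            for c in pod.get("containers", [])
            for m in c.get("volumeMounts", [])
            if m["name"] in ca_volumes and m["mountPath"].startswith(CA_ANCHOR_PREFIX)]


def missing_pieces(master_config: Dict, dc: Dict) -> List[str]:
    """Report which of the two settings from Comment 2 is absent."""
    missing = []
    if not apiserver_has_additional_ca(master_config):
        missing.append("apiserver: imagePolicyConfig.additionalTrustedCA not set")
    if not registry_ca_mounts(dc):
        missing.append("registry: no configmap/secret CA mounted under " + CA_ANCHOR_PREFIX)
    return missing
```

Run against the constructed samples, the check reports only the registry side as missing, matching the behaviour described in the report.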

Comment 13 XiuJuan Wang 2018-11-06 07:46:49 UTC
Verified this bug with openshift-ansible-3.11.38-1

Install cluster with openshift-ansible-3.11.38-1 (openshift_additional_ca not set in the inventory); imagestream could be imported successfully with external registry.

After updating the docker-registry pod manually as in bug #1592936 comment 36, pulling images from the openshift registry with the pullthrough policy was resolved.

Comment 14 Scott Dodson 2018-11-08 16:09:48 UTC
*** Bug 1647800 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2018-11-20 03:10:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3537