Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1745493

Summary: Imagestream cannot be imported in cluster which enables trusted CA for cluster proxy
Product: OpenShift Container Platform
Reporter: Wenjing Zheng <wzheng>
Component: Image Registry
Assignee: Adam Kaplan <adam.kaplan>
Status: CLOSED ERRATA
QA Contact: Wenjing Zheng <wzheng>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.2.0
CC: adam.kaplan, aos-bugs, gpei, wewang, xiuwang, xtian
Target Milestone: ---
Target Release: 4.2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-10-16 06:37:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1747260
Bug Blocks:

Description Wenjing Zheng 2019-08-26 08:54:09 UTC
Description of problem:
user-ca-bundle under openshift-config is mounted to trusted-ca under openshift-image-registry, but the imagestream returns a 509 error:
$ oc describe is ruby -n openshift

  ! error: Import failed (InternalError): Internal error occurred: Get https://registry.redhat.io/v2/: proxyconnect tcp: x509: certificate signed by unknown authority
      4 hours ago


Version-Release number of selected component (if applicable):
4.2.0-0.nightly-2019-08-24-002347

How reproducible:
always

Steps to Reproduce:
1. Enable trusted CA for proxy cluster
Trusted CA:
    Name:  user-ca-bundle
2. Check "trusted-ca" under "openshift-image-registry"
3. Describe openshift imagestream

Actual results:
A 509 error is returned.

Expected results:
Should be imported.

Additional info:
It seems there is no trusted CA of cluster proxy mounted inside openshift-apiserver pod.

Comment 2 Oleg Bulatov 2019-08-26 13:23:56 UTC
I believe the PR [1] is intended to fix it.

[1]: https://github.com/openshift/cluster-openshift-apiserver-operator/pull/226

Comment 17 Wenjing Zheng 2019-09-09 03:17:08 UTC
Verified on 4.2.0-0.nightly-2019-09-08-180038:
Imagestream can be imported successfully in https_proxy enabled cluster.

Comment 18 errata-xmlrpc 2019-10-16 06:37:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922