Bug 2064800
Summary: | OpenStack proxy job permafailing with: Image signature workflow can push a signed image to openshift registry and verify it | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Adam Kaplan <adam.kaplan> |
Component: | Image Registry | Assignee: | Flavian <fmissi> |
Status: | CLOSED ERRATA | QA Contact: | XiuJuan Wang <xiuwang> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | 4.9 | CC: | jitsingh, m.andre, obulatov, pbhattac, pprinett, spandura |
Target Milestone: | --- | | |
Target Release: | 4.9.z | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 2057990 | Environment: | |
Last Closed: | 2022-06-30 05:31:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 2061554 | | |
Bug Blocks: | | | |

Description
Adam Kaplan
2022-03-16 15:06:35 UTC
Depends on https://bugzilla.redhat.com/show_bug.cgi?id=2063284 actually (the 4.9 backport), for which https://github.com/openshift/origin/pull/26903 adds the necessary debugging info.

It looks like the pull request which adds the debug information has merged and the extra debug info is showing in the latest runs: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-shiftstack-shiftstack-ci-main-periodic-4.9-e2e-openstack-proxy/1510698555369590784

Moving this to the Image Registry team.

There seem to be a few issues going on here:

1. The image signature workflow test appears to run in 4.9, but is skipped or does not exist at all in 4.10 and above. See https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-shiftstack-shiftstack-ci-main-periodic-4.10-e2e-openstack-proxy/1510698551959621632
2. The build that starts the whole process installs skopeo from the ubi8 repos. The content is served through the cluster's proxy, and we get the following error:

```
Errors during downloading metadata for repository 'cdn-ubi.redhat.com_content_public_ubi_dist_ubi8_8_basearch_appstream_os_':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/appstream/os/repodata/repomd.xml [SSL certificate problem: self signed certificate]
Error: Failed to download metadata for repo 'cdn-ubi.redhat.com_content_public_ubi_dist_ubi8_8_basearch_appstream_os_': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
error: build error: error building at STEP "RUN yum install -y skopeo && yum clean all && mkdir -p gnupg && chmod -R 0777 /var/lib/origin": error while running runtime: exit status 1
```

It is possible that the test is not applying proxy's CA bundle to the cluster, and thus builds can't trust anything that goes through the proxy.

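The "self signed certificate" failure in the error output above can be reproduced offline; this is an added example, not code from the bug report or from OpenShift. It generates two constructed self-signed certificates (`constructed-proxy` as a stand-in for what the proxy presents, `constructed-other-ca` as a stand-in for a bundle that lacks it) and uses a hypothetical helper, `bundle_trusts`, to show verification failing until the proxy's certificate is appended to the bundle.

```shell
#!/bin/sh
# Added example. All certificates are constructed locally as stand-ins;
# nothing here comes from the cluster in the bug report.

# bundle_trusts BUNDLE CERT
# Exit 0 if CERT verifies with BUNDLE as the supplied trust anchors.
# (openssl may also consult the system CA directory; the constructed
# certificates are not in it, so the result depends on BUNDLE.)
bundle_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_selfsigned NAME DIR
# Create a short-lived self-signed certificate, the same kind of
# certificate that triggers curl error 60 in the build log.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2/$1.key" -out "$2/$1.crt" >/dev/null 2>&1
}

# demo
# Prints "<before> <after>": the verification result with a bundle that
# lacks the proxy certificate, then with the certificate appended.
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned constructed-proxy "$d"
    make_selfsigned constructed-other-ca "$d"

    # Bundle the build would use if the proxy's CA was never applied.
    cp "$d/constructed-other-ca.crt" "$d/bundle.pem"
    if bundle_trusts "$d/bundle.pem" "$d/constructed-proxy.crt"; then
        before=trusted
    else
        before=untrusted
    fi

    # Same bundle after the proxy's certificate is added to it.
    cat "$d/constructed-proxy.crt" >> "$d/bundle.pem"
    if bundle_trusts "$d/bundle.pem" "$d/constructed-proxy.crt"; then
        after=trusted
    else
        after=untrusted
    fi

    rm -rf "$d"
    echo "$before $after"
}

demo
```

Against a real environment, `bundle_trusts` can be pointed at the CA bundle file the build container actually sees and at the certificate captured from the proxy.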
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.40 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5180