Bug 1302956 - LivenessProbe Fails for Secured Integrated Registry
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Michail Kargakis
QA Contact: Wei Sun
Duplicates: 1303118 1304101
Reported: 2016-01-29 01:42 EST by Andrew Block
Modified: 2016-06-13 14:46 EDT (History)

Doc Type: Bug Fix
Last Closed: 2016-06-13 14:46:05 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 1500 None None None 2016-01-29 12:36 EST

Description Andrew Block 2016-01-29 01:42:32 EST
Description of problem:
A liveness probe was reintroduced in OpenShift Enterprise 3.1.1 for the integrated registry. The default scheme for the probe is HTTP. When a secured registry is configured, the probe fails, causing the running pod to be killed repeatedly.

Version-Release number of selected component (if applicable): 
Atomic OpenShift Enterprise 3.1.1

How reproducible:
Always when the registry is secured

Steps to Reproduce:
1. Follow instructions on how to secure the registry (https://docs.openshift.com/enterprise/3.1/install_config/install/docker_registry.html#securing-the-registry)

oadm ca create-server-cert --signer-cert=/etc/origin/master/ca.crt --signer-key=/etc/origin/master/ca.key --signer-serial=/etc/origin/master/ca.serial.txt --hostnames="docker-registry.default.svc.cluster.local," --cert=/etc/origin/master/registry.crt --key=/etc/origin/master/registry.key

oc secrets new registry-secret /etc/origin/master/registry.crt /etc/origin/master/registry.key

oc secrets add serviceaccounts/default secrets/registry-secret

oc volume dc/docker-registry --add --type=secret --secret-name=registry-secret -m /etc/secrets
oc env dc/docker-registry REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt  REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key

Actual results:

Monitor pods:

oc get pods -w

Pod containing registry terminates repeatedly

Expected results:
The registry deploys and runs successfully without downtime

Additional info:
The following command can be used to correct the issue, where the deployment config name is docker-registry:

oc get dc docker-registry -o yaml | sed -e 's/scheme: HTTP/scheme: HTTPS/g' | oc replace -f -
Comment 1 Michail Kargakis 2016-01-29 08:49:55 EST
Reproduced. This feels more of a doc bug rather than a bug in the code. It's the responsibility of the user to update the probes alongside the envs in the DC. The only thing that concerns me is that the update should happen in one step (update both probes + envs) and not two (update envs, update probes) which makes `oc env` useless here. I am thinking that this should probably be a job for oadm registry.
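
The consistency Comment 1 asks for (TLS env vars and probe scheme changing together) can be checked offline against the deployment config YAML, and the scheme rewrite from the description can be anchored so it is safe to apply repeatedly. This is an added example, not part of the bug report or of OpenShift itself; the function names and the sample fragment (including its /healthz path and port 5000) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: fragment of `oc get dc docker-registry -o yaml` output
# after the TLS env vars were set but before the probes were updated.
sample_dc() {
cat <<'EOF'
        env:
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: /etc/secrets/registry.crt
        - name: REGISTRY_HTTP_TLS_KEY
          value: /etc/secrets/registry.key
        livenessProbe:
          httpGet:
            path: /healthz
            port: 5000
            scheme: HTTP
        readinessProbe:
          httpGet:
            path: /healthz
            port: 5000
            scheme: HTTP
EOF
}

# Number of probes in file $1 that still use plain HTTP. The end-of-line
# anchor keeps "scheme: HTTPS" from being counted.
plain_http_probes() {
    grep -c -E '^[[:space:]]*scheme:[[:space:]]*HTTP[[:space:]]*$' "$1" || true
}

# Exit 0 if file $1 is consistent; exit 1 if the registry has a TLS
# certificate configured while any probe is still HTTP (the failure here).
probes_match_tls() {
    grep -q 'name: REGISTRY_HTTP_TLS_CERTIFICATE' "$1" || return 0
    [ "$(plain_http_probes "$1")" -eq 0 ]
}

# stdin -> stdout: switch HTTP probes to HTTPS. Anchored, so a second run
# leaves "scheme: HTTPS" untouched.
secure_probe_scheme() {
    sed -E 's/^([[:space:]]*scheme:[[:space:]]*)HTTP[[:space:]]*$/\1HTTPS/'
}

tmp=$(mktemp)
sample_dc > "$tmp"
probes_match_tls "$tmp" || echo "mismatch: $(plain_http_probes "$tmp") probe(s) still HTTP"
sample_dc | secure_probe_scheme | secure_probe_scheme > "$tmp"
probes_match_tls "$tmp" && echo "consistent after rewrite"
rm -f "$tmp"
```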
Comment 2 Jordan Liggitt 2016-01-29 12:33:37 EST
*** Bug 1303118 has been marked as a duplicate of this bug. ***
Comment 3 Jordan Liggitt 2016-01-29 12:34:25 EST
It's either a doc bug or part of the CLI (though the CLI doesn't let you create a secured registry today)
Comment 4 Jordan Liggitt 2016-01-29 12:35:05 EST
Details for docs added in https://github.com/openshift/openshift-docs/issues/1500
Comment 6 openshift-github-bot 2016-02-01 09:01:34 EST
Commits pushed to master at https://github.com/openshift/openshift-docs

Bug 1302956: update scheme in probes when securing a registry

Merge pull request #1510 from kargakis/bug-1302956

Bug 1302956: update scheme in probes when securing a registry
Comment 7 Wei Sun 2016-02-02 01:38:27 EST
Following the doc, the bug was fixed.

# openshift version
openshift v3.1.1.6
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2
Comment 8 Scott Dodson 2016-02-04 13:23:29 EST
*** Bug 1304101 has been marked as a duplicate of this bug. ***
Comment 9 Scott Dodson 2016-06-13 14:46:05 EDT
Was fixed in
