Description of problem:
Docker registry is exposed with tls passthrough route. All is working fine.
However, client is getting openshift's self-signed certificate when connected to the service.
Attempts to change route to anything else other than tls-passthrough brick authentication. Even though login is successful, push fails. Here is an example:
# docker login -u test -p 5ah1OnexCWZA-OVi1I1aqP3QGRwurfdodx6qZYmfD4A docker-registry-default.apps.lex.lab
# docker push docker-registry-default.apps.lex.lab/test1/alpine
The push refers to a repository [docker-registry-default.apps.lex.lab/test1/alpine]
5bef08742407: Pushing [==================================================>] 3.962 MB/3.962 MB
unauthorized: authentication required
Version-Release number of selected component (if applicable):
Steps to Reproduce:
I smell a promising bugfix candidate: https://github.com/openshift/origin/pull/14866
I'll confirm this soon.
Unfortunately, https://github.com/openshift/origin/pull/14866 doesn't fix the issue. I'm debugging further.
Fixed in upstream, rebase merged into 3.7.
Added doc text.
This needs to be double-checked.
@tomckay found out that with the fix in question, :443 suffix added to registry names causes timeouts.
We need to make sure that our registry can be addressed both with and without the :443 suffix because many customers added it to their external registries as a work-around for the broken port forwarding.
This needs to be further investigated.
I've successfully pushed with and without the :443 to the recent docker registry with the fix applied.
Therefore, I'm switching this to QA for confirmation. And I'll start with the back-porting effort.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.