This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1475868 - [RFE] Provide an easier way to add a CA to the default trust in OpenShift images.
[RFE] Provide an easier way to add a CA to the default trust in OpenShift ima...
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE (Show other bugs)
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Paul Weil
Xiaoli Tian
Depends On:
  Show dependency treegraph
Reported: 2017-07-27 09:47 EDT by Ryan Howe
Modified: 2017-07-27 09:47 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ryan Howe 2017-07-27 09:47:33 EDT
Description of problem:
At this time if one needs to add a CA to the default trust store of an image, they would need to build the image running. 

For example if a user needs to add a Trusted CA to the docker registry for proxy pulls they would need to rebuild the image to add the ca to the image. 

$ cp ca.cert your_internalCA.crt
$ cat > /tmp/dockerfile << EOF 
FROM openshift3/ose-docker-registry
USER root
ADD your_internalCA.crt /etc/pki/ca-trust/source/anchors
RUN /bin/update-ca-trust
USER 1001
$ cd /tmp
$ sudo docker build ./ -t ExternalRegistryURL:openshift3/ose-docker-registry-custom:latest
$ sudo docker push ExternalRegistryURL:openshift3/ose-docker-registry-custom:latest

Then change the DC of the registry, changing the image to point to the image that was created: 
# oc edit dc docker-registry

Looking for a way to provide a secret to an image that would automatically add the CA data to the catrust for OpenShift image.

Note You need to log in before you can comment on or make changes to this bug.