Bug 1641657 - [3.11] Registry doesn't honors openshift_additional_ca
Summary: [3.11] Registry doesn't honors openshift_additional_ca
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.11.z
Assignee: Scott Dodson
QA Contact: Wenjing Zheng
: 1647800 (view as bug list)
Depends On:
Blocks: 1642052
TreeView+ depends on / blocked
Reported: 2018-10-22 13:13 UTC by Sergio G.
Modified: 2018-11-20 03:11 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: In 3.10 and newer the apiserver runs as a static pod and only mounted /etc/origin/master and /var/lib/origin inside that pod. Consequence: CAs trusted by the host were not trusted by the apiserver. Fix: The apiserver pod definition now mounts /etc/pki into the pod. Result: The apiserver now trusted all certificate authorities trusted by the host including those defined by the installer variable 'openshift_additional_ca'. This can be used to import image streams from a registry verified by a private CA.
Clone Of:
: 1642052 (view as bug list)
Last Closed: 2018-11-20 03:10:46 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3537 0 None None None 2018-11-20 03:11:30 UTC

Description Sergio G. 2018-10-22 13:13:28 UTC
Even if openshift_additional_ca is set in the inventory, in order to have a image downloaded using pullthrough (which seems to be defauld since 3.10) it's still required to mount a secret/configmap as described in [1].

Is this the expected behavior? Are there any plans to get this included in someway into OpenShift installer? 

 [1] https://docs.openshift.com/container-platform/3.11/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough

Comment 1 Scott Dodson 2018-10-22 15:15:59 UTC
https://github.com/openshift/openshift-ansible/pull/10471 proposed fix

This mounts /etc/pki into the apiserver pod which insures that the pod will trust CAs in the host's trust store.

Comment 2 Sergio G. 2018-10-22 15:20:40 UTC
Hi Scott.
API server does the job if I add the section additionalTrustedCA in /etc/origin/master/master-config.yaml but it's the registry pod which also requires a modification.

I expected the installer to do the job:
 - add additionalTrustedCA in master-config.yml so api server gets the additional CA
 - add the mount into registry pod so registry can have them trusted

But it's not that way, so I wanted to clarify it's correct or not.

Comment 13 XiuJuan Wang 2018-11-06 07:46:49 UTC
Verified this bug with openshift-ansible-3.11.38-1

Install cluster with openshift-ansible-3.11.38-1(not set  penshift_additional_ca in the inventory), imagestream could be imported successfully with external registry.

After update docker-registry pod manually as bug #1592936#36, could resolve pull image from openshift registry with pullthrough policy.

Comment 14 Scott Dodson 2018-11-08 16:09:48 UTC
*** Bug 1647800 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2018-11-20 03:10:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.