1641657 – [3.11] Registry doesn't honors openshift_additional_ca

Bug 1641657 - [3.11] Registry doesn't honors openshift_additional_ca

Summary: [3.11] Registry doesn't honors openshift_additional_ca

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Scott Dodson
QA Contact:	Wenjing Zheng
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1647800 (view as bug list)
Depends On:
Blocks:	1642052
TreeView+	depends on / blocked

Reported:	2018-10-22 13:13 UTC by Sergio G.
Modified:	2018-11-20 03:11 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: In 3.10 and newer the apiserver runs as a static pod and only mounted /etc/origin/master and /var/lib/origin inside that pod. Consequence: CAs trusted by the host were not trusted by the apiserver. Fix: The apiserver pod definition now mounts /etc/pki into the pod. Result: The apiserver now trusted all certificate authorities trusted by the host including those defined by the installer variable 'openshift_additional_ca'. This can be used to import image streams from a registry verified by a private CA.
Clone Of:
Clones:	1642052 (view as bug list)
Environment:
Last Closed:	2018-11-20 03:10:46 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3537	0	None	None	None	2018-11-20 03:11:30 UTC

Description Sergio G. 2018-10-22 13:13:28 UTC

Even if openshift_additional_ca is set in the inventory, in order to have a image downloaded using pullthrough (which seems to be defauld since 3.10) it's still required to mount a secret/configmap as described in [1].

Is this the expected behavior? Are there any plans to get this included in someway into OpenShift installer? 

References:
 [1] https://docs.openshift.com/container-platform/3.11/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough

Comment 1 Scott Dodson 2018-10-22 15:15:59 UTC

https://github.com/openshift/openshift-ansible/pull/10471 proposed fix

This mounts /etc/pki into the apiserver pod which insures that the pod will trust CAs in the host's trust store.

Comment 2 Sergio G. 2018-10-22 15:20:40 UTC

Hi Scott.
API server does the job if I add the section additionalTrustedCA in /etc/origin/master/master-config.yaml but it's the registry pod which also requires a modification.

I expected the installer to do the job:
 - add additionalTrustedCA in master-config.yml so api server gets the additional CA
 - add the mount into registry pod so registry can have them trusted

But it's not that way, so I wanted to clarify it's correct or not.

Comment 13 XiuJuan Wang 2018-11-06 07:46:49 UTC

Verified this bug with openshift-ansible-3.11.38-1

Install cluster with openshift-ansible-3.11.38-1(not set  penshift_additional_ca in the inventory), imagestream could be imported successfully with external registry.

After update docker-registry pod manually as bug #1592936#36, could resolve pull image from openshift registry with pullthrough policy.

Comment 14 Scott Dodson 2018-11-08 16:09:48 UTC

*** Bug 1647800 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2018-11-20 03:10:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3537

Note You need to log in before you can comment on or make changes to this bug.