Even if openshift_additional_ca is set in the inventory, in order to have an image downloaded using pullthrough (which seems to be default since 3.10) it's still required to mount a secret/configmap as described in .
Is this the expected behavior? Are there any plans to get this included in some way into the OpenShift installer?
https://github.com/openshift/openshift-ansible/pull/10471 proposed fix
This mounts /etc/pki into the apiserver pod, which ensures that the pod will trust CAs in the host's trust store.
API server does the job if I add the section additionalTrustedCA in /etc/origin/master/master-config.yaml but it's the registry pod which also requires a modification.
I expected the installer to do the job:
- add additionalTrustedCA in master-config.yml so api server gets the additional CA
- add the mount into registry pod so registry can have them trusted
But it's not that way, so I wanted to clarify whether it's correct or not.
Verified this bug with openshift-ansible-3.11.38-1
Installed a cluster with openshift-ansible-3.11.38-1 (openshift_additional_ca not set in the inventory); imagestream could be imported successfully with external registry.
After updating the docker-registry pod manually as in bug #1592936#36, could resolve pulling an image from the openshift registry with pullthrough policy.
*** Bug 1647800 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.