1642052 – [3.10] Registry doesn't honors openshift_additional_ca

Bug 1642052 - [3.10] Registry doesn't honors openshift_additional_ca

Summary: [3.10] Registry doesn't honors openshift_additional_ca

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.10.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	3.10.z
Assignee:	Scott Dodson
QA Contact:	Johnny Liu
Docs Contact:
URL:
Whiteboard:
Depends On:	1641657
Blocks:
TreeView+	depends on / blocked

Reported:	2018-10-23 13:32 UTC by Brenton Leanhardt
Modified:	2018-11-11 16:40 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: In 3.10 and newer the apiserver runs as a static pod and only mounted /etc/origin/master and /var/lib/origin inside that pod. Consequence: CAs trusted by the host were not trusted by the apiserver. Fix: The apiserver pod definition now mounts /etc/pki into the pod. Result: The apiserver now trusted all certificate authorities trusted by the host including those defined by the installer variable 'openshift_additional_ca'. This can be used to import image streams from a registry verified by a private CA.
Clone Of:	1641657
Environment:
Last Closed:	2018-11-11 16:40:13 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2709	0	None	None	None	2018-11-11 16:40:15 UTC

Comment 1 Scott Dodson 2018-10-23 13:37:04 UTC

https://github.com/openshift/openshift-ansible/pull/10486 release-3.10 backport

Comment 3 Johnny Liu 2018-10-24 10:48:20 UTC

Verified this bug with openshift-ansible-3.10.62-1.git.0.563a1ec.el7.noarch, and PASS.

In this testing, no need to set openshfit_additional_ca.

After install, checking:
# oc get po master-api-qe-jialiu10-master-etcd-nfs-1 -o yaml -n kube-system
<--snip-->
    - mountPath: /etc/pki
      name: master-pki
<--snip-->
  - hostPath:
      path: /etc/pki
      type: ""
    name: master-pki
<--snip-->

# oc -n kube-system rsh  master-api-qe-jialiu10-master-etcd-nfs-1
sh-4.2# ls /etc/pki
CA  ca-trust  consumer	entitlement  java  nss-legacy  nssdb  product  product-default	rpm-gpg  rsyslog  tls

Once pki is mounted to api static pod, imagestream could be retrieved succesfully.

# oc get is nodejs -o yaml -n openshift
<--snip-->
  - items:
    - created: 2018-10-24T10:08:37Z
      dockerImageReference: registry.access.stage.redhat.com/rhscl/nodejs-4-rhel7@sha256:6bdbb943fd3401752cc11b07e574c418558205ffa9105435238f74dba1c1f328
      generation: 2
      image: sha256:6bdbb943fd3401752cc11b07e574c418558205ffa9105435238f74dba1c1f328
    tag: "4"
  - items:
    - created: 2018-10-24T10:08:37Z
      dockerImageReference: registry.access.stage.redhat.com/rhscl/nodejs-6-rhel7@sha256:7346279b0e853f4b8b1ef7eb81462093e264222f503311a07a5f78193960847f
      generation: 2
      image: sha256:7346279b0e853f4b8b1ef7eb81462093e264222f503311a07a5f78193960847f
    tag: "6"
  - items:
    - created: 2018-10-24T10:08:37Z
      dockerImageReference: registry.access.stage.redhat.com/rhscl/nodejs-8-rhel7@sha256:04ee2876638fd4f010ef712b53538f0b58b29f3582e8785e1188bc1183e83f81
      generation: 2
      image: sha256:04ee2876638fd4f010ef712b53538f0b58b29f3582e8785e1188bc1183e83f81
    tag: "8"
  - items:
    - created: 2018-10-24T10:08:37Z
      dockerImageReference: registry.access.stage.redhat.com/rhoar-nodejs/nodejs-8@sha256:e1ab94574a1c008d717e967f69574f93af3bcd63036ee13b102502eea6bfd91c
      generation: 2
      image: sha256:e1ab94574a1c008d717e967f69574f93af3bcd63036ee13b102502eea6bfd91c
    tag: 8-RHOAR
  - items:
    - created: 2018-10-24T10:08:37Z
      dockerImageReference: registry.access.stage.redhat.com/rhscl/nodejs-8-rhel7@sha256:04ee2876638fd4f010ef712b53538f0b58b29f3582e8785e1188bc1183e83f81
      generation: 2
      image: sha256:04ee2876638fd4f010ef712b53538f0b58b29f3582e8785e1188bc1183e83f81
    tag: latest

BTW, this PR fix do not help docker pullthrough issue, user have to mount it in docker-registry pod manually just like what was discussed in initial report.

Comment 5 errata-xmlrpc 2018-11-11 16:40:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2709

Note You need to log in before you can comment on or make changes to this bug.