Bug 1677497
| Summary: | Cannot sync CA from AdditionalTrustedCA to registry pod | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Wenjing Zheng <wzheng> |
| Component: | Image Registry | Assignee: | Oleg Bulatov <obulatov> |
| Status: | CLOSED ERRATA | QA Contact: | Wenjing Zheng <wzheng> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.1.0 | CC: | aos-bugs, bparees |
| Target Milestone: | --- | ||
| Target Release: | 4.1.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Cause: an old version of API is used that has 2 fields in the config reference. Consequence: a wrong field is used for getting the config name. Fix: update the API package. Result: the proper field is used. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-04 10:44:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
No, that PR is unrelated.

At a minimum I think this line is wrong: https://github.com/openshift/cluster-image-registry-operator/blob/master/pkg/resource/caconfig.go#L70

it should be .Name: https://github.com/openshift/api/blob/master/config/v1/types.go#L20

the api deps in the cluster-image-registry repo probably need to be bumped to fix this.

Verify with below version:

```
]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-02-18-224151   True        False         5h43m   Cluster version is 4.0.0-0.nightly-2019-02-18-224151
[wzheng@laptop 4.0]$ oc rsh image-registry-65c774969c-vh94j
sh-4.2$ ls /etc/pki/ca-trust/source/anchors
docker-registry-default.apps.0219-21e.qe.rhcloud.com  service-ca.crt
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758
Description of problem:

After configuring AdditionalTrustedCA in image.config.openshift.io cluster, CA cannot be synced to registry pod. So it returns 509 error if using image from external secured registry.

Version-Release number of selected component (if applicable):

```
oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-02-13-204401   True        False
```

Registry image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:71e61f8419afc2adb7d81151b862d844f8dd5f0e386905e3d3439abe04e8b7aa

Operator image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d4b007bac02753e061e8c3eb34a1817ea135d46d4493c2f38926f6f35c2d3fc5

How reproducible: always

Steps to Reproduce:

1. Set a secured external registry
2. Copy CA file to local
3. Create a configmap with the CA file
4. Add below to image.config.openshift.io cluster

   ```
   $oc edit image.config.openshift.io cluster
   spec:
     AdditionalTrustedCA:
       name: registry-config
   ```

5. Check the CA can be synced into registry pod

Actual results:

```
$ oc rsh image-registry-77dc78779f-kngmp
sh-4.2$ ls /etc/pki/ca-trust/source/anchors
service-ca.crt
```

Expected results:

```
$ oc rsh image-registry-77dc78779f-kngmp
sh-4.2$ ls /etc/pki/ca-trust/source/anchors
ca.crt  service-ca.crt
```

Additional info:

Image can be imported with AdditionalTrustedCA defined
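
A check for step 5 of the reproduction steps, as an added example that is not part of the bug report: it compares the keys of the CA ConfigMap with the files in the registry pod's anchors directory and prints any CA that was not synced. The `openshift-config` and `openshift-image-registry` namespaces, the `image-registry` deployment name, and the function names are assumptions not stated in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): list CAs from the
# AdditionalTrustedCA ConfigMap that are absent from the registry pod.
# Assumed, not stated in the report: the ConfigMap lives in openshift-config
# and the registry runs as deployment/image-registry in
# openshift-image-registry.
ANCHORS_DIR=/etc/pki/ca-trust/source/anchors   # path shown in the report

# missing_anchors KEYS FILES
# KEYS and FILES are newline-separated names. Prints every key that has no
# identically named file; returns 1 if at least one CA is missing.
missing_anchors() {
    rc=0
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if ! printf '%s\n' "$2" | grep -Fxq -- "$key"; then
            printf '%s\n' "$key"
            rc=1
        fi
    done <<EOF
$1
EOF
    return "$rc"
}

# check_registry_anchors CONFIGMAP
# Live check against a cluster. Needs an oc that accepts deployment/NAME for
# exec; otherwise substitute a pod name as in the report's `oc rsh` calls.
check_registry_anchors() {
    keys=$(oc get configmap "$1" -n openshift-config \
        -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}') || return 2
    files=$(oc exec -n openshift-image-registry deployment/image-registry -- \
        ls "$ANCHORS_DIR") || return 2
    missing_anchors "$keys" "$files"
}

# Run against a cluster only when asked: ./check.sh --live registry-config
if [ "${1:-}" = "--live" ]; then
    check_registry_anchors "${2:?configmap name required}"
fi
```

An exit status of 1 with a printed key reproduces the "Actual results" state above; status 0 with no output matches the "Expected results" state.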