Bug 1677497 - Cannot sync CA from AdditionalTrustedCA to registry pod
Summary: Cannot sync CA from AdditionalTrustedCA to registry pod
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.1.0
Assignee: Oleg Bulatov
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-15 05:49 UTC by Wenjing Zheng
Modified: 2019-06-04 10:44 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: an old version of API is used that has 2 fields in the config reference Consequence: a wrong field is used for getting the config name Fix: update the API package Result: the proper field is used
Clone Of:
Environment:
Last Closed: 2019-06-04 10:44:00 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:44:07 UTC

Description Wenjing Zheng 2019-02-15 05:49:45 UTC 
Description of problem:
After config AdditionalTrustedCA in image.config.openshift.io cluster, CA cannot be synced to registry pod. So it returns 509 error if using image from external secured registry.

Version-Release number of selected component (if applicable):
oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-02-13-204401   True        False 

Registry image:
quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:71e61f8419afc2adb7d81151b862d844f8dd5f0e386905e3d3439abe04e8b7aa

Operator image:
quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d4b007bac02753e061e8c3eb34a1817ea135d46d4493c2f38926f6f35c2d3fc5

How reproducible:
always

Steps to Reproduce:
1.Set an secured external registry
2.Copy CA file to local
3.Create a configmap with the CA file
4.Add below to image.config.openshift.io cluster
$oc edit image.config.openshift.io cluster
spec:
  AdditionalTrustedCA:
    name: registry-config
5. Check the CA can be synced into registry pod

Actual results:
$ oc rsh image-registry-77dc78779f-kngmp
sh-4.2$ ls /etc/pki/ca-trust/source/anchors
service-ca.crt


Expected results:
$ oc rsh image-registry-77dc78779f-kngmp
sh-4.2$ ls /etc/pki/ca-trust/source/anchors
ca.crt service-ca.crt


Additional info:
Image can be imported with AdditionalTrustedCA defined
Comment 2 Ben Parees 2019-02-15 05:58:10 UTC 
No, that PR is unrelated.

At a minimum I think this line is wrong:
https://github.com/openshift/cluster-image-registry-operator/blob/master/pkg/resource/caconfig.go#L70

it should be .Name:
https://github.com/openshift/api/blob/master/config/v1/types.go#L20

the api deps in the cluster-image-registry repo probably need to be bumped to fix this.
Comment 3 Oleg Bulatov 2019-02-15 14:57:53 UTC 
https://github.com/openshift/cluster-image-registry-operator/pull/205
Comment 5 Wenjing Zheng 2019-02-19 09:13:32 UTC 
Verify with below version:
]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-02-18-224151   True        False         5h43m   Cluster version is 4.0.0-0.nightly-2019-02-18-224151

[wzheng@laptop 4.0]$ oc rsh image-registry-65c774969c-vh94j
sh-4.2$ ls /etc/pki/ca-trust/source/anchors  
docker-registry-default.apps.0219-21e.qe.rhcloud.com  service-ca.crt
Comment 8 errata-xmlrpc 2019-06-04 10:44:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758
Note You need to log in before you can comment on or make changes to this bug.