Bug 1696113 - unable to retrieve image names for stage registry with x509 certificate error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 3.10.z
Assignee: Jack Ottofaro
QA Contact: Cuiping HUO
URL:
Whiteboard:
Duplicates: 1732433
Depends On: 1678158
Blocks:
Reported: 2019-04-04 07:47 UTC by Zihan Tang
Modified: 2019-10-14 08:49 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Under certain circumstances, e.g. testing, you may not have valid certificates for your registry and don't want to or cannot obtain valid certs.
Consequence: Unable to retrieve image names for registry due to "x509: certificate signed by unknown authority" error.
Fix: Add config option that allows user to skip SSL verification.
Result: If `skip_verify_tls` is `true`, the TLS certificate of the remote registry will not be verified and therefore no error. Defaults to `false`.
Clone Of: 1678158
Environment:
Last Closed: 2019-10-14 08:49:42 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:2987 | 0 | None | None | None | 2019-10-14 08:49:45 UTC

Comment 1 Jian Zhang 2019-07-23 11:53:40 UTC
*** Bug 1732433 has been marked as a duplicate of this bug. ***

Comment 4 Jesus M. Rodriguez 2019-08-08 14:43:54 UTC
To fix this we need to backport this PR https://github.com/automationbroker/bundle-lib/commit/276cf89bb8ce729d65e6b27ca077cb87d75c522d to bundle-lib 0.1.x release.
The bundle-lib branch is https://github.com/automationbroker/bundle-lib/tree/release-0.1

Then once that gets merged we need to update the version of bundle-lib used by the service broker in this file https://github.com/openshift/ansible-service-broker/blob/release-1.2/Gopkg.toml#L40

Comment 9 Jesus M. Rodriguez 2019-08-27 11:55:23 UTC
The PR with the fix for skip_verify_tls is https://github.com/openshift/ansible-service-broker/pull/1241

Comment 17 Cuiping HUO 2019-09-25 03:03:24 UTC
Verified.
cluster version: 3.10.174
asb version: 1.2.23

broker-config
registry:
  - type: rhcc
    name: rh
    url: https://registry.access.stage.redhat.com
    org: 
    tag: v3.10.174
    white_list: [u'.*-apb$']
    auth_type: ""
    auth_name: ""
    skip_verify_tls: true
    images:
      - openshift3/mediawiki-apb
      - openshift3/postgresql-apb
      - openshift3/mariadb-apb
      - openshift3/mysql-apb

$ oc logs -f asb-3-9x6rk -n openshift-ansible-service-broker
Using config file mounted to /etc/ansible-service-broker/config.yaml
============================================================
==           Creating Ansible Service Broker...           ==
============================================================
[2019-09-25T02:56:59.202Z] [NOTICE] - Initializing clients...
time="2019-09-25T02:56:59Z" level=info msg="OpenShift version: v3.10.174"
time="2019-09-25T02:56:59Z" level=info msg="Kubernetes version: v1.10.0+b81c8f8"
time="2019-09-25T02:56:59Z" level=info msg="== REGISTRY CX == "
time="2019-09-25T02:56:59Z" level=info msg="Name: rh"
time="2019-09-25T02:56:59Z" level=info msg="Type: rhcc"
time="2019-09-25T02:56:59Z" level=info msg="Url: https://registry.access.stage.redhat.com"
time="2019-09-25T02:56:59Z" level=warning msg="skipping verification of registry TLS certificate per adapter configuration"
============================================================
==           Starting Ansible Service Broker...           ==
============================================================
[2019-09-25T02:56:59.214Z] [INFO] - Initiating Recovery Process
[2019-09-25T02:56:59.224Z] [INFO] - Recovery complete
[2019-09-25T02:56:59.224Z] [NOTICE] - recover called
[2019-09-25T02:56:59.224Z] [INFO] - Broker configured to bootstrap on startup
[2019-09-25T02:56:59.224Z] [INFO] - Attempting bootstrap...
[2019-09-25T02:56:59.224Z] [INFO] - AnsibleBroker::Bootstrap
[2019-09-25T02:57:00.11Z] [NOTICE] - Broker successfully bootstrapped on startup
time="2019-09-25T02:57:00Z" level=info msg="Validating specs..."
time="2019-09-25T02:57:00Z" level=info msg="All specs passed validation!"
time="2019-09-25T02:57:00Z" level=info msg="APBs filtered by white/blacklist filter:-> openshift4/apb-tools-> cnv-tech-preview/kubevirt-apb-> openshift4/apb-base-> rhv4-tech-preview/ovirt-flexvolume-driver-apb-> mobile-1-tech-preview/mobile-developer-console-apb-> openshift3/apb-tools-> cnv-tech-preview/import-vm-apb-> mobile-1-tech-preview/mobile-app-metrics-apb-> mobile-1-tech-preview/mobile-identity-management-apb-> mobile-1-tech-preview/mobile-sync-app-apb-> mobile-1-tech-preview/mobile-unifiedpush-server-apb-> openshift3/mariadb-apb-> openshift3/mysql-apb-> openshift3/postgresql-apb-> openshift4/postgres-apb-> openshift4/postgresql-apb-> rhpam-7/rhpam-apb-> codeready-workspaces-beta/server-apb-> openshift3/apb-base-> openshift3/automation-broker-apb-> openshift4/mariadb-apb-> openshift4/mysql-apb-> openshift3/mediawiki-apb-> openshift4/mediawiki-apb"
[2019-09-25T02:57:00.513Z] [NOTICE] - Listening on https://[::]:1338
[2019-09-25T02:57:00.514Z] [NOTICE] - Ansible Service Broker Starting
ERROR: logging before flag.Parse: I0925 02:57:00.514419       1 serve.go:89] Serving securely on [::]:1338
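
Added example, not part of the bug report and not bundle-lib's own code: a Go sketch of what `skip_verify_tls` changes at the TLS layer, shown next to the option of keeping verification on and trusting the registry's CA instead. `registryClient`, `probe` and `demo` are hypothetical names, the CA-pool parameter is an assumption (the page only describes the skip option), and a local test server with a self-signed certificate stands in for the stage registry.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// registryClient is a hypothetical helper. skipVerifyTLS mirrors the
// skip_verify_tls option; caPool (assumed alternative) trusts one CA instead.
func registryClient(skipVerifyTLS bool, caPool *x509.CertPool) *http.Client {
	cfg := &tls.Config{
		InsecureSkipVerify: skipVerifyTLS, // true: any certificate is accepted
		RootCAs:            caPool,        // nil: fall back to the system roots
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// probe performs one GET and returns only the connection error, if any.
func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo runs the three client configurations against a local TLS server whose
// self-signed certificate is a constructed stand-in for the stage registry.
func demo() (strict, skip, pinned error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "{}") }))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust exactly this test certificate
	strict = probe(registryClient(false, nil), srv.URL)
	skip = probe(registryClient(true, nil), srv.URL)
	pinned = probe(registryClient(false, pool), srv.URL)
	return
}

func main() {
	strict, skip, pinned := demo()
	fmt.Println("verification on, system roots:", strict)
	fmt.Println("skip_verify_tls: true        :", skip)
	fmt.Println("verification on, registry CA :", pinned)
}
```

The first probe fails with the x509 error class this bug reports; the second succeeds without authenticating the server; the third succeeds while still verifying the certificate chain.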

Comment 19 errata-xmlrpc 2019-10-14 08:49:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2987

