Description of problem: openshift-samples-operator is reporting degraded=true and progressing=true after a cluster installation with proxy enabled. Version-Release number of selected component (if applicable): 4.2.0-0.okd-2019-08-29-220902 How reproducible: Always Steps to Reproduce: 1. Install a cluster on aws with proxy enabled 2. oc get clusteroperator/openshift-samples Actual results: $ oc get clusteroperator/openshift-samples NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE openshift-samples 4.2.0-0.okd-2019-08-29-220902 True True True 16h Expected results: $ oc get clusteroperator/openshift-samples NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE openshift-samples 4.2.0-0.okd-2019-08-29-220902 True False False 16h Additional info: coperator pod is making external https calls to https://registry.redhat.io/v2 and failing due to: certificate signed by unknown authority<imagestream/fuse7-java-openshift><imagestream/jboss-webserver31-tomcat7-openshift>Internal Since this is considered an external call, the operator should be consuming proxy env vars and mounting the trust bundle.
I submitted https://github.com/openshift/cluster-samples-operator/pull/181 to fix this issue. With the PR I can see the proxy env vars and mounted trust bundle in the operator container, but I'm still hitting the x509 cert error: $ oc exec -it cluster-samples-operator-7d88d5867f-g9ccr -n openshift-cluster-samples-operator env | grep PROX HTTP_PROXY=http://jcallen:6cpbEH6uCepwEhNr2iB05ixP@52.73.102.120:3129 HTTPS_PROXY=http://jcallen:6cpbEH6uCepwEhNr2iB05ixP@52.73.102.120:3129 NO_PROXY=.cluster.local,.svc,.us-west-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.latest-proxy.devcluster.openshift.com,api.latest-proxy.devcluster.openshift.com,etcd-0.latest-proxy.devcluster.openshift.com,etcd-1.latest-proxy.devcluster.openshift.com,etcd-2.latest-proxy.devcluster.openshift.com,localhost $ oc get cm/trusted-ca -n openshift-cluster-samples-operator -o yaml apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- <SNIP> $ oc exec -it cluster-samples-operator-7d88d5867f-g9ccr -n openshift-cluster-samples-operator cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -----BEGIN CERTIFICATE----- <SNIP> $ oc logs cluster-samples-operator-7d88d5867f-g9ccr -n openshift-cluster-samples-operator <SNIP> time="2019-08-30T19:44:32Z" level=warning msg="Image import for imagestream redhat-sso70-openshift tag 1.3 generation 2 failed with detailed message Internal error occurred: Get https://registry.redhat.io/v2/: x509: certificate signed by unknown authority" time="2019-08-30T19:44:32Z" level=warning msg="Image import for imagestream fuse7-java-openshift tag 1.0 generation 2 failed with detailed message Internal error occurred: Get https://registry.redhat.io/v2/: x509: certificate signed by unknown authority" time="2019-08-30T19:44:32Z" level=warning msg="Image import for imagestream redhat-openjdk18-openshift tag 1.0 generation 2 failed with detailed message Internal error occurred: Get https://registry.redhat.io/v2/: x509: certificate signed by unknown authority"
@Daneyon The imagestream import is run by the openshift-apiserver, not by the samples operator. The log is echoing the error message from the imagestream. The operator today reports itself degraded if imagestreams fail to import.
Might be fixed by https://github.com/openshift/cluster-openshift-apiserver-operator/pull/231
*** Bug 1748633 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 1747260 ***