Description of problem:

Tagging an image is throwing x509: certificate signed by unknown authority

```
oc tag image-registry.openshift-image-registry.svc:5000/development-user1/welcome-php@sha256:99fd4920719fc8e7e9d4ff1c4e9a87b22ca802fdce006901a0cdd19fb9f2e14c development-user1/welcome-php:promote-qa

oc describe is welcome-php
Name:             welcome-php
Namespace:        development-user1
Created:          6 minutes ago
Labels:           app=welcome-php
                  app.kubernetes.io/component=welcome-php
                  app.kubernetes.io/instance=welcome-php
Annotations:      openshift.io/generated-by=OpenShiftNewApp
                  openshift.io/image.dockerRepositoryCheck=2020-01-31T03:07:40Z
Image Repository: image-registry.openshift-image-registry.svc:5000/development-user1/welcome-php
Image Lookup:     local=false
Unique Images:    1
Tags:             2

latest
  no spec tag

  * image-registry.openshift-image-registry.svc:5000/development-user1/welcome-php@sha256:99fd4920719fc8e7e9d4ff1c4e9a87b22ca802fdce006901a0cdd19fb9f2e14c
      5 minutes ago

promote-qa
  tagged from image-registry.openshift-image-registry.svc:5000/development-user1/welcome-php@sha256:99fd4920719fc8e7e9d4ff1c4e9a87b22ca802fdce006901a0cdd19fb9f2e14c

  ! error: Import failed (InternalError): Internal error occurred: image-registry.openshift-image-registry.svc:5000/development-user1/welcome-php@sha256:99fd4920719fc8e7e9d4ff1c4e9a87b22ca802fdce006901a0cdd19fb9f2e14c: Get https://image-registry.openshift-image-registry.svc:5000/v2/: x509: certificate signed by unknown authority
      3 minutes ago
```

Version-Release number of selected component (if applicable):

```
$ oc version
Client Version: openshift-clients-4.3.0-201910250623-88-g6a937dfe
Kubernetes Version: v1.16.2
```

How reproducible:

Steps to Reproduce:
1. Run 4.3.x cluster
2. oc tag an application image to see the result as shown above
3.

Actual results:
Get https://image-registry.openshift-image-registry.svc:5000/v2/: x509: certificate signed by unknown authority

Expected results:
Successful tag

Additional info:
Oleg, I seem to recall we had issues w/ the apiserver not being able to import images from the internal registry via the external route because it didn't trust the router CA, but the apiserver ought to trust the internal server hostname, right?
possible dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1788235
@bparees not a duplicate. 1788235 is tech debt identified by the apiserver team - the current CA mechanics should work as-is.
I am not seeing an "image-import-ca" configmap in the apiserver namespace. So I think this logic got broken somehow: https://github.com/openshift/cluster-openshift-apiserver-operator/blob/master/pkg/operator/workloadcontroller/workload_controller_openshiftapiserver_v311_00.go#L277-L293
(when we fix this we need to add an e2e that confirms that we can import images from the internal registry... especially because there are plans to potentially refactor this CA management in the future).
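Added example (not part of the bug report and not OpenShift code): a self-contained Go program that reproduces the same `crypto/x509` failure a client sees when the CA that signed the registry's serving certificate is absent from its trust bundle, and shows verification succeeding once that CA is supplied. The CA name, the helper functions and the throwaway certificates are constructed for illustration; only the registry hostname comes from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const registryHost = "image-registry.openshift-image-registry.svc" // hostname from the report
// issue builds a constructed, throwaway cert: a self-signed CA when parent is nil, else a server leaf.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	} else {
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint("issue: ", err, perr))
	}
	return cert, key
}

// verifyRegistry validates leaf for registryHost against a pool holding only the given CAs,
// standing in for a client whose CA bundle does or does not contain the signing CA.
func verifyRegistry(leaf *x509.Certificate, cas ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: registryHost, Roots: pool})
	return err
}

func main() {
	ca, caKey := issue("constructed-service-ca", nil, nil)
	leaf, _ := issue(registryHost, ca, caKey)
	fmt.Println("no CA:", verifyRegistry(leaf), "| with CA:", verifyRegistry(leaf, ca))
}
```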
*** This bug has been marked as a duplicate of bug 1716835 ***