Created attachment 1692828
CAMap and ContainerImagePrepare environment file.

Description of problem:
When using a CAMap, it is not applied soon enough on the Overcloud nodes. This leads to issues pulling containers from an internal registry that uses a TLS/SSL certificate signed by a custom certificate authority.

Version-Release number of selected component (if applicable):
RHOSP 16.1
RHEL 8.2

How reproducible:
100%

Steps to Reproduce:
1. `openstack overcloud deploy -e ~/ca-map.yaml`

Actual results:
Error message during deploy:

```
2020-05-27 14:03:25,676 p=8956 u=mistral | fatal: [overcloud-controller-0]: FAILED! => {"changed": true, "cmd": "podman pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1", "delta": "0:00:05.435411", "end": "2020-05-27 18:03:25.620966", "msg": "non-zero return code", "rc": 125, "start": "2020-05-27 18:03:20.185555", "stderr": "Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1...\n Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority\n Error: error pulling image \"registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1\": unable to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: unable to pull image: Error initializing source docker://registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: error pinging docker registry registry-proxy.engineering.redhat.com: Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority", "stderr_lines": ["Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1...", " Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority", "Error: error pulling image \"registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1\": unable to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: unable to pull image: Error initializing source docker://registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: error pinging docker registry registry-proxy.engineering.redhat.com: Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority"], "stdout": "", "stdout_lines": []}
```

Expected results:
The container images should be pulled and the deployment should continue to completion.

Additional info:
The inject-trust-anchor template can be used as a workaround. However, it has the limitation of only allowing one CA trust to be created and managed.

~/templates/environments/ssl/inject-trust-anchor.yaml
Issues with upstream patch - pushed to 16.1.5