Bug 1884566 - Tekton - x509 certificate signed by unknown authority when using OpenShift Image Registry
Alias: None
Product: Red Hat OpenShift Pipelines
Classification: Red Hat
Component: pipelines
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Assignee: Vincent Demeester
QA Contact: Ruchir Garg
Robert Krátký
Reported: 2020-10-02 10:23 UTC by rehan
Modified: 2020-12-28 05:51 UTC

Description rehan 2020-10-02 10:23:17 UTC
Description of problem:

When Tekton tries to pull an image from the internal OpenShift Image Registry, the task receives an x509 error saying the certificate is signed by an unknown authority:

Missing or invalid Task security-oc-dev/normalizer-tasks: translating
        TaskSpec to Pod: error getting image manifest: Get
        https://image-registry.openshift-image-registry.svc:5000/v2/: x509:
        certificate signed by unknown authority

To work around this problem, we followed this GitHub issue: https://github.com/tektoncd/pipeline/issues/1171.

For this we need to export the root CA from the internal OpenShift image registry and store it in an OpenShift ConfigMap inside the openshift-pipelines project/namespace.

After that, change the tekton-pipelines-controller deployment to mount the ConfigMap inside the deployment, and add the certificate path to the environment variable SSL_CERT_FILE (see YAML file in diagnostic files).

This fixed the problem, but when the root CA of our image registry is updated, all our pipelines will fail.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Pulling the image is now failing in Tekton.

Expected results:

We would like this to be automatically handled by OpenShift. Pulling the image should be successful.

Additional info:

Comment 1 Vincent Demeester 2020-10-06 15:01:07 UTC
This should be fixed in upstream tektoncd/pipeline release 0.18, which will be part of Red Hat OpenShift Pipelines 1.3.
See upstream PR: https://github.com/tektoncd/pipeline/pull/2787
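
The drawback noted in the description (a root CA copied into a ConfigMap and referenced through SSL_CERT_FILE stops validating the registry once that CA is updated) can be reproduced offline with Go's crypto/x509, the library that reads SSL_CERT_FILE. This is an added example, not part of the bug report or of Tekton's code: the CA names and all certificates are constructed in memory, and only the registry host name comes from the report.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const registryHost = "image-registry.openshift-image-registry.svc" // host from the reported error
// issue builds a constructed test certificate: a self-signed CA when parent is nil,
// otherwise a certificate for registryHost signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{registryHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyWith validates leaf against a trust bundle holding only ca, as a pinned SSL_CERT_FILE bundle would.
func verifyWith(ca, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: registryHost})
	return err
}

func main() {
	oldCA, _ := issue("old-ca", nil, nil)           // CA captured in the ConfigMap
	newCA, newKey := issue("rotated-ca", nil, nil)  // CA after the registry's root is updated
	leaf, _ := issue(registryHost, newCA, newKey)   // registry certificate after the update
	fmt.Printf("stale pinned CA: %v\ncurrent CA: %v\n", verifyWith(oldCA, leaf), verifyWith(newCA, leaf))
}
```

The first result is the same x509 error as in the report, which makes it a useful string to alert on in controller logs when a manually copied CA bundle is in use.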
