Description of problem:
When Tekton tries to pull an image from the internal OpenShift Image Registry, the task receives an x509 error saying the certificate is signed by an unknown authority:
Missing or invalid Task security-oc-dev/normalizer-tasks: translating
TaskSpec to Pod: error getting image manifest: Get
certificate signed by unknown authority
To work around this problem, followed this GitHub issue https://github.com/tektoncd/pipeline/issues/1171.
For this we need to export the root ca from the internal OpenShift image registry and store it in a OpenShift ConfigMap inside the openshift-pipelines project/namespace.
After that changing the tekton-pipelines-controller deployment to mount the configmap inside the deployment. And add the certificate path the the environment variable SSL_CERT_FILE (See yaml file in diagnostic files).
This fixed the problem but when the root-ca of our image registry is updated all our pipelines will fail.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
pulling image is now failing in tekton
We would like this to be automatically handled by OpenShift. pulling the image should be successfull.
This should be fixed in upstream tektoncd/pipeline release 0.18, which will be part of Red Hat OpenShift Pipelines 1.3.
See upstream PR : https://github.com/tektoncd/pipeline/pull/2787