Bug 2064800 - OpenStack proxy job permafailing with: Image signature workflow can push a signed image to openshift registry and verify it
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.9
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.9.z
Assignee: Flavian
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On: 2061554
Blocks:
Reported: 2022-03-16 15:06 UTC by Adam Kaplan
Modified: 2022-06-30 05:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2057990
Environment:
Last Closed: 2022-06-30 05:31:20 UTC
Target Upstream Version:
Embargoed:


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift origin pull 27189 | 0 | None | open | Bug 2064800: skip imageregistry serial test on disconnected environments | 2022-05-30 09:33:03 UTC |
| Red Hat Product Errata | RHBA-2022:5180 | 0 | None | None | None | 2022-06-30 05:31:54 UTC |

Description Adam Kaplan 2022-03-16 15:06:35 UTC
+++ This bug was initially created as a clone of Bug #2057990 +++

OpenShift-on-OpenStack 4.9 Proxy tests are permafailing[1]. The test consistently failing is: "[sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow can push a signed image to openshift registry and verify it [Suite:openshift/conformance/serial]".

The same test is consistently succeeding on OCP v4.10.

This possibly is a follow-up to Bug 2041358.

[1]: https://prow.ci.openshift.org/job-history/gs/origin-ci-test/logs/periodic-ci-shiftstack-shiftstack-ci-main-periodic-4.9-e2e-openstack-proxy

Comment 1 Martin André 2022-03-23 13:55:21 UTC
Depends on https://bugzilla.redhat.com/show_bug.cgi?id=2063284 actually (the 4.9 backport), for which https://github.com/openshift/origin/pull/26903 adds the necessary debugging info.

Comment 2 Corey Daley 2022-04-06 13:33:53 UTC
It looks like the pull request which adds the debug information has merged and the extra debug info is showing in the latest runs: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-shiftstack-shiftstack-ci-main-periodic-4.9-e2e-openstack-proxy/1510698555369590784

Comment 3 Adam Kaplan 2022-04-06 19:12:29 UTC
Moving this to the Image Registry team.

There seem to be a few issues going on here:

1. The image signature workflow test appears to run in 4.9, but is skipped or does not exist at all in 4.10 and above. See https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-shiftstack-shiftstack-ci-main-periodic-4.10-e2e-openstack-proxy/1510698551959621632

2. The build that starts the whole process installs skopeo from the ubi8 repos. The content is served through the cluster's proxy, and we get the following error:

```
Errors during downloading metadata for repository 'cdn-ubi.redhat.com_content_public_ubi_dist_ubi8_8_basearch_appstream_os_':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/appstream/os/repodata/repomd.xml [SSL certificate problem: self signed certificate]
Error: Failed to download metadata for repo 'cdn-ubi.redhat.com_content_public_ubi_dist_ubi8_8_basearch_appstream_os_': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
error: build error: error building at STEP "RUN yum install -y skopeo &&     yum clean all && mkdir -p gnupg && chmod -R 0777 /var/lib/origin": error while running runtime: exit status 1
```

It is possible that the test is not applying the proxy's CA bundle to the cluster, and thus builds can't trust anything that goes through the proxy.
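
A triage helper for the build-log error quoted in comment 3, added here as an example and not taken from the bug or from openshift/origin: it pulls curl's error code, the target host and the OpenSSL detail out of dnf/yum output and flags untrusted-issuer failures, the symptom that fits the missing proxy CA bundle suggested in that comment. The function names, verdict labels and the second sample line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the curl line quoted in comment 3, plus one made-up
# timeout line (hypothetical host) so the parser has a non-TLS failure to skip.
SAMPLE_LOG = """\
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/appstream/os/repodata/repomd.xml [SSL certificate problem: self signed certificate]
  - Curl error (28): Timeout was reached for https://mirror.example.invalid/repodata/repomd.xml [Connection timed out after 30000 milliseconds]
"""

# dnf/yum prints librepo errors as:
#   Curl error (<code>): <message> for <url> [<library detail>]
CURL_LINE = re.compile(
    r"Curl error \((?P<code>\d+)\): (?P<msg>.*?) "
    r"for (?P<url>https?://\S+) \[(?P<detail>[^\]]*)\]"
)

# OpenSSL verification messages meaning "the issuer is not in the trust store".
# OpenSSL 3 spells it "self-signed"; older releases use "self signed".
UNTRUSTED_ISSUER = re.compile(
    r"self[- ]signed certificate|unable to get local issuer certificate",
    re.IGNORECASE,
)


def triage(log):
    """Return one finding per curl error line in a build log."""
    findings = []
    for m in CURL_LINE.finditer(log):
        code = int(m["code"])
        if code != 60:  # 60 is curl's certificate verification failure
            verdict = "not-a-trust-failure"
        elif UNTRUSTED_ISSUER.search(m["detail"]):
            verdict = "untrusted-issuer"  # e.g. CA of an intercepting proxy is missing
        else:
            verdict = "other-verification-failure"  # expired certificate, etc.
        findings.append({
            "host": urlsplit(m["url"]).hostname,
            "curl_code": code,
            "detail": m["detail"],
            "verdict": verdict,
        })
    return findings


def hosts_needing_ca(log):
    """Hosts whose certificate chain the build container could not anchor."""
    return sorted({f["host"] for f in triage(log) if f["verdict"] == "untrusted-issuer"})
```

An `untrusted-issuer` verdict only says the presented chain did not lead to a trusted root inside the build container; whether the proxy's CA is the missing one still has to be confirmed against the cluster's trust configuration.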

Comment 11 errata-xmlrpc 2022-06-30 05:31:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.40 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5180

