+++ This bug was initially created as a clone of Bug #2057990 +++ OpenShift-on-OpenStack 4.9 Proxy tests are permafailing[1]. The test consistently failing is: "[sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow can push a signed image to openshift registry and verify it [Suite:openshift/conformance/serial]". The same test is consistently succeeding on OCP v4.10. This possibly is a follow-up to Bug 2041358 [1]: https://prow.ci.openshift.org/job-history/gs/origin-ci-test/logs/periodic-ci-shiftstack-shiftstack-ci-main-periodic-4.9-e2e-openstack-proxy
Depends on https://bugzilla.redhat.com/show_bug.cgi?id=2063284 actually (the 4.9 backport), for which https://github.com/openshift/origin/pull/26903 adds the necessary debugging info.
It looks like the pull request which adds the debug information has merged and the extra debug info is showing in the latest runs: https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-shiftstack-shiftstack-ci-main-periodic-4.9-e2e-openstack-proxy/1510698555369590784
Moving this to the Image Registry team. There seem to be a few issues going on here: 1. The image signature workflow test appears to run in 4.9, but is skipped or does not exist at all in 4.10 and above. See https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-shiftstack-shiftstack-ci-main-periodic-4.10-e2e-openstack-proxy/1510698551959621632 2. The build that starts the whole process installs skopeo from the ubi8 repos. The content is served through the cluster's proxy, and we get the following error: ``` Errors during downloading metadata for repository 'cdn-ubi.redhat.com_content_public_ubi_dist_ubi8_8_basearch_appstream_os_': - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/appstream/os/repodata/repomd.xml [SSL certificate problem: self signed certificate] Error: Failed to download metadata for repo 'cdn-ubi.redhat.com_content_public_ubi_dist_ubi8_8_basearch_appstream_os_': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried error: build error: error building at STEP "RUN yum install -y skopeo && yum clean all && mkdir -p gnupg && chmod -R 0777 /var/lib/origin": error while running runtime: exit status 1 ``` It is possible that the test is not applying proxy's CA bundle to the cluster, and thus builds can't trust anything that goes through the proxy.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.9.40 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5180