On Sat, Nov 18, 2017 at 1:31 AM, Lionel Orellana <lione...@gmail.com> wrote:

> It doesn't look like putting the ca in /etc/pki/ca-trust/source/anchors
> is enough without running update-ca-trust

yeah that makes sense and unfortunately makes it difficult if you don't mount your ca-trust via a PV since you'll lose the changes whenever your registry restarts. Would you mind opening an issue for us to add some docs (at a minimum) around this since it seems like they are lacking?

> On 18 November 2017 at 15:40, Lionel Orellana <lione...@gmail.com> wrote:
>
>> Inside the registry, curl with --cacert pointing to
>> /etc/pki/ca-trust/source/anchors/<my registry domain>.crt works.
>>
>> On 18 November 2017 at 15:11, Lionel Orellana <lione...@gmail.com> wrote:
>>
>>> I created a secret with the remote ca, mounted it on the registry at
>>> /etc/pki/ca-trust/source/anchor. The registry still says "certificate
>>> signed by unknown authority".
>>>
>>> On 17 November 2017 at 23:57, Ben Parees <bpar...@redhat.com> wrote:
>>>
>>>> On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana <lione...@gmail.com> wrote:
>>>>
>>>>> Thanks Ben, that makes sense. How do I add remote CAs to the registry
>>>>> though?
>>>>
>>>> Similar to what is described here to add certs to the registry:
>>>> https://docs.openshift.org/latest/install_config/registry/securing_and_exposing_registry.html#securing-the-registry
>>>>
>>>> (mount the ca.crt into the system ca cert location within the pod, it
>>>> should be picked up automatically).
>>>>
>>>>> On 17 November 2017 at 15:08, Ben Parees <bpar...@redhat.com> wrote:
>>>>>
>>>>>> The registry CAs are distinct from the image import controller CA.
>>>>>> They are two different processes running in two different environments.
>>>>>>
>>>>>> Ben Parees | OpenShift
>>>>>>
>>>>>> On Nov 16, 2017 10:58 PM, "Lionel Orellana" <lione...@gmail.com> wrote:
>>>>>>
>>>>>>> Looking at the registry logs, it's not happy with the remote
>>>>>>> registry cert.
>>>>>>>
>>>>>>> time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"
>>>>>>>
>>>>>>> Given that oc import-image works I was expecting the registry to
>>>>>>> trust the same CAs.
>>>>>>>
>>>>>>> On 17 November 2017 at 12:01, Ben Parees <bpar...@redhat.com> wrote:
>>>>>>>
>>>>>>>> On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <lione...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Is pullthrough enabled on your registry?
>>>>>>>>>
>>>>>>>>> Yes.
>>>>>>>>>
>>>>>>>>>> "When performing pullthrough, the registry will use pull
>>>>>>>>>> credentials found in the project associated with the image stream
>>>>>>>>>> tag that is being referenced"
>>>>>>>>>
>>>>>>>>> I'm deploying in the same project where the image stream is. I
>>>>>>>>> have a dockercfg secret in the project with credentials for the remote
>>>>>>>>> registry. I linked that secret to the deployment as pull secret. It works
>>>>>>>>> when remotePolicy is Source so I know the credentials are Ok. But how does
>>>>>>>>> the registry find the pull credentials to use? I assume it looks for the
>>>>>>>>> server name in the dockercfg secret?
>>>>>>>>
>>>>>>>> yes.
>>>>>>>>
>>>>>>>>> On 17 November 2017 at 10:01, Ben Parees <bpar...@redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <lione...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I imported a remote image and set referencePolicy.type to Local
>>>>>>>>>>> in the resulting tag. When I try to deploy a pod using this image stream
>>>>>>>>>>> tag I get "rpc error: code = 2 desc = manifest unknown: manifest unknown".
>>>>>>>>>>>
>>>>>>>>>>> If I change the referencePolicy type to Source then the pod
>>>>>>>>>>> pulls the image fine from the remote registry. But this requires linking a
>>>>>>>>>>> pull secret to the deployment which is an extra step I could do without. I
>>>>>>>>>>> thought I would get around that by referencing the Local image.
>>>>>>>>>>>
>>>>>>>>>>> How do I pull the remote image when referencePolicy is Local?
>>>>>>>>>>
>>>>>>>>>> Is pullthrough enabled on your registry?
>>>>>>>>>> https://docs.openshift.org/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough
>>>>>>>>>>
>>>>>>>>>> also:
>>>>>>>>>> "When performing pullthrough, the registry will use pull
>>>>>>>>>> credentials found in the project associated with the image stream
>>>>>>>>>> tag that is being referenced."
>>>>>>>>>>
>>>>>>>>>> So if your imagestream is in a different project, you need to
>>>>>>>>>> make sure the credentials are in the right place.
>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> users mailing list
>>>>>>>>>>> users@lists.openshift.redhat.com
>>>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Ben Parees | OpenShift
>>>>>>>>
>>>>>>>> --
>>>>>>>> Ben Parees | OpenShift
>>>>
>>>> --
>>>> Ben Parees | OpenShift

--
Ben Parees | OpenShift
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
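The failure mode in the thread is a CA file that is present under /etc/pki/ca-trust/source/anchors but absent from the consolidated bundle because update-ca-trust never ran after the mount. The script below is an added check, not code from the thread or from OpenShift: it fingerprints every certificate in the anchors directory and reports the ones missing from the active bundle. The paths ANCHOR_DIR and ACTIVE_BUNDLE are assumed RHEL/CentOS defaults, and make_pem plus the REMOTE_CA/BUNDLE_* values are constructed sample data.

```python
import base64
import hashlib
import os
import re

# Default locations on a RHEL/CentOS-based registry image (assumed, not from the thread).
ANCHOR_DIR = "/etc/pki/ca-trust/source/anchors"
ACTIVE_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate block in a PEM text."""
    fps = set()
    for body in PEM_BLOCK.findall(pem_text):
        fps.add(hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest())
    return fps


def missing_anchors(anchors, bundle_pem):
    """Names of anchors whose certificates are not in the active bundle.

    Non-empty means update-ca-trust has not run since the anchor was dropped in,
    which is the state the registry was in: file present, CA still untrusted."""
    active = pem_fingerprints(bundle_pem)
    return sorted(name for name, pem in anchors.items() if not pem_fingerprints(pem) <= active)


def check_host(anchor_dir=ANCHOR_DIR, bundle_path=ACTIVE_BUNDLE):
    """Run the comparison against the real filesystem, e.g. inside the registry pod."""
    anchors = {}
    for name in sorted(os.listdir(anchor_dir)):
        path = os.path.join(anchor_dir, name)
        if os.path.isfile(path):
            with open(path) as f:
                anchors[name] = f.read()
    with open(bundle_path) as f:
        return missing_anchors(anchors, f.read())


def make_pem(raw):
    """PEM-armor constructed bytes; the fingerprint check never parses X.509."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(raw).decode()


# Constructed sample: the remote registry CA is in anchors, the bundle predates it.
REMOTE_CA = make_pem(b"constructed placeholder: remote registry CA")
BUNDLE_BEFORE_UPDATE = make_pem(b"constructed placeholder: a distro CA")
BUNDLE_AFTER_UPDATE = BUNDLE_BEFORE_UPDATE + REMOTE_CA  # what the regenerated bundle contains

if __name__ == "__main__":
    print(missing_anchors({"registry.crt": REMOTE_CA}, BUNDLE_BEFORE_UPDATE))  # ['registry.crt']
    print(missing_anchors({"registry.crt": REMOTE_CA}, BUNDLE_AFTER_UPDATE))  # []
```

Running check_host() inside the registry pod after the secret is mounted tells you whether the trust store the registry reads actually contains the mounted CA; a non-empty result is the signal to rebuild the bundle in the image or via a PV rather than relying on the mount alone.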