Pushing a built image to the registry fails the certificate check #5177

Closed
tomassedovic opened this issue Aug 23, 2017 · 4 comments
@tomassedovic

Description

Provide a brief description of your issue here. For example:

Installing Openshift Origin with the default options for the registry and certificates, the last part of an image build (pushing the image) fails with an HTTPS certificate error.

Version

Please put the following version information in the code block
indicated below.

  • Your ansible version per ansible --version

If you're operating from a git clone:

  • The output of git describe

Place the output between the code block below:

```
$ ansible --version
ansible 2.3.1.0
  config file = /opt/stack/openshift-ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.5 (default, Nov  6 2016, 00:28:07) [GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]

$ git describe
`openshift-ansible-3.6.153-1-67-gd7d9796`
```

Steps To Reproduce

  1. Run an origin deployment with default values for the registry and certs but with a custom openshift_master_default_subdomain
  2. Create an app using the CakePHP template (oc new-app --template=cakephp-mysql-example)

Expected Results

The STI build will succeed and the app will be available through its route.

Observed Results

The build fails while trying to access the registry:

```
$ oc logs -f bc/cakephp-mysql-example
Cloning "https://github.com/openshift/cakephp-ex.git" ...
...
Pushing image docker-registry.default.svc:5000/test/cakephp-mysql-example:latest ...
Registry server Address: 
Registry server User Name: serviceaccount
Registry server Email: [email protected]
Registry server Password: <<non-empty>>
error: build error: Failed to push image: Get https://docker-registry.default.svc:5000/v1/_ping: x509: certificate is valid for docker-registry-default.apps.openshift.example.com, 172.30.7.14, not docker-registry.default.svc
```

Additional Information

This is a simple 1 master, 1 infra, 1 app node deployment. The same workflow that is broken now was working with openshift-ansible-3.7.0-0.103.0-2-g1febf0b.

As far as my testing goes, this is the commit that broke us:

00afac6

OS: CentOS Linux release 7.3.1611 (Core)

Inventory variables (in group_vars/OSEv3.yml):

```yaml
---
openshift_deployment_type: origin
openshift_master_default_subdomain: "apps.openshift.example.com"

osm_default_node_selector: 'region=primary'

openshift_master_identity_providers:
- name: 'htpasswd_auth'
  login: 'true'
  challenge: 'true'
  kind: 'HTPasswdPasswordIdentityProvider'
  filename: '/etc/origin/master/htpasswd'

openshift_master_htpasswd_users:
  tsedovic: 'REDACTED'
```

@sdodson

sdodson commented Aug 23, 2017

Thanks for pinpointing the change that broke things.

@sdodson sdodson self-assigned this Aug 23, 2017
@sdodson sdodson added kind/bug Categorizes issue or PR as related to a bug. priority/P1 labels Aug 23, 2017
@sdodson sdodson added this to the 3.7.0 milestone Aug 23, 2017
@sdodson

sdodson commented Aug 23, 2017

@dustymabe this is probably what you mentioned to me

@dustymabe

@sdodson - looks like it

bogdando pushed a commit to openshift/openshift-ansible-contrib that referenced this issue Aug 28, 2017
The issue in openshift-ansible is fixed now:

openshift/openshift-ansible#5177

So this moves the Openstack end to end CI from using known working
commit to using master again.

Fixes #686
@mtoddw

mtoddw commented Oct 24, 2017

So what is the workaround for this issue?
We have a custom cert with many sub alt names.
When we switch from the openshift signer ca to our custom cert we have the same error.
Is adding docker-registry.default.svc to our custom cert the best workaround?

jaywryan pushed a commit to jaywryan/openshift-ansible-contrib that referenced this issue Jul 3, 2018
The issue in openshift-ansible is fixed now:

openshift/openshift-ansible#5177

So this moves the Openstack end to end CI from using known working
commit to using master again.

Fixes openshift#686
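
An added example, not part of the original issue thread or the project's code: a Python check that parses the Go x509 error from the build log above and reports which required names a registry certificate's SAN list does not cover. The function names and the wildcard SAN list are assumptions made for illustration; the other values are copied from the log.

```python
import ipaddress
import re

# Error text copied from the build log on this page.
BUILD_ERROR = ("x509: certificate is valid for "
               "docker-registry-default.apps.openshift.example.com, 172.30.7.14, "
               "not docker-registry.default.svc")

# Go's hostname-mismatch format: "certificate is valid for <SANs>, not <name>".
GO_X509_RE = re.compile(
    r"x509: certificate is valid for (?P<sans>.+), not (?P<name>\S+)")

def parse_go_x509_error(text):
    """Return (san_list, rejected_name), or None if the text does not match."""
    m = GO_X509_RE.search(text)
    if not m:
        return None
    return [s.strip() for s in m.group("sans").split(",")], m.group("name")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def san_covers(san, name):
    """True if one SAN entry covers the name the client dials."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if is_ip(san) or is_ip(name):
        # IP SANs only match IP targets, compared by value.
        return (is_ip(san) and is_ip(name)
                and ipaddress.ip_address(san) == ipaddress.ip_address(name))
    if san.startswith("*."):
        # A wildcard stands for exactly one leftmost DNS label.
        head, _, rest = name.partition(".")
        return bool(head) and rest == san[2:]
    return san == name

def missing_names(sans, required):
    """Names in `required` that no SAN entry covers."""
    return [n for n in required if not any(san_covers(s, n) for s in sans)]

# Names clients use for the registry, all taken from the log above.
REQUIRED = ["docker-registry.default.svc", "172.30.7.14",
            "docker-registry-default.apps.openshift.example.com"]

if __name__ == "__main__":
    sans, rejected = parse_go_x509_error(BUILD_ERROR)
    print("rejected:", rejected, "| missing:", missing_names(sans, REQUIRED))
    # Constructed case: a custom cert with only a wildcard for the apps subdomain.
    print("wildcard-only missing:",
          missing_names(["*.apps.openshift.example.com"], REQUIRED))
```

Running the same check against the SAN list of a replacement certificate before deploying it shows whether the internal service name used for pushes is covered.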