If you see the following error when you link OpenShift and self-signed Quay registry… I’ve got the steps for you…

Events:
  Type     Reason          Age                From               Message
  ----     ------          ----               ----               -------
  Normal   Scheduled       38s                default-scheduler  Successfully assigned openshift-marketplace/my-operator-catalog-29vl8 to worker.output.xyz
  Normal   AddedInterface  36s                multus             Add eth0 [10.131.1.5/23] from openshift-sdn
  Normal   Pulling         23s (x2 over 36s)  kubelet            Pulling image "quay-demo.host.xyz:8443/repository/ocp/openshift4_12_ppc64le"
  Warning  Failed          22s (x2 over 35s)  kubelet            Failed to pull image "quay-demo.host.xyz:8443/repository/ocp/openshift4_12_ppc64le": rpc error: code = Unknown desc = pinging container registry quay-demo.host.xyz:8443: Get "https://quay-demo.host.xyz:8443/v2/": x509: certificate signed by unknown authority
  Warning  Failed          22s (x2 over 35s)  kubelet            Error: ErrImagePull
  Normal   BackOff         8s (x2 over 35s)   kubelet            Back-off pulling image "quay-demo.host.xyz:8443/repository/ocp/openshift4_12_ppc64le"
  Warning  Failed          8s (x2 over 35s)   kubelet            Error: ImagePullBackOff

Steps

Set the hostname to your registry hostname

export REGISTRY_HOSTNAME=quay-demo.host.xyz
export REGISTRY_PORT=8443

Extract all the ca certs

echo "" | openssl s_client -showcerts -prexit -connect "${REGISTRY_HOSTNAME}:${REGISTRY_PORT}" 2> /dev/null | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > tmp.crt

Display the cert to verify you see the Issuer

# openssl x509 -in tmp.crt -text | grep Issuer
        Issuer: C = US, ST = VA, L = New York, O = Quay, OU = Division, CN = quay-demo.host.xyz

Create the configmap in the openshift-config namespace

# oc create configmap registry-quay -n openshift-config --from-file="${REGISTRY_HOSTNAME}..${REGISTRY_PORT}=$(pwd)/tmp.crt"
configmap/registry-quay created

Add anadditionalTrustedCA to the the cluster image config.

# oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-quay"}}}' --type=merge
image.config.openshift.io/cluster patched

Verify you config is updated

# oc get image.config.openshift.io/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-10-20T15:35:08Z"
  generation: 2
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: a3df97ca-73ff-4a72-93b1-f3ef7d51e329
  resourceVersion: "6299552"
  uid: f7e56517-486d-4530-8e14-16ef0deed462
spec:
  additionalTrustedCA:
    name: registry-quay
status:
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000

Check your pod that failed to connect, and you should see that it now succeeds.

Reference

x509: certificate signed by unknown authority — error when working with images using docker (OpenShift 4.3) – Thanks to Madhavan for the blog post.
IBM CloudPak docs which shows how to use an alternate port.

Linking Quay to OpenShift and you hit `x509: certificate signed by unknown authority`

Steps

Reference

More posts

Red Hat OpenShift Container Platform 4.18 Now Available on IBM Power

Nest Accelerator and Urandom… I think

Kernel Stack Trace

Nice article on name,version and references from Red Hat