If you see the following error when you connect OpenShift to a Quay registry that uses a self-signed certificate, these are the steps to fix it.
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 38s default-scheduler Successfully assigned openshift-marketplace/my-operator-catalog-29vl8 to worker.output.xyz
Normal AddedInterface 36s multus Add eth0 [10.131.1.5/23] from openshift-sdn
Normal Pulling 23s (x2 over 36s) kubelet Pulling image "quay-demo.host.xyz:8443/repository/ocp/openshift4_12_ppc64le"
Warning Failed 22s (x2 over 35s) kubelet Failed to pull image "quay-demo.host.xyz:8443/repository/ocp/openshift4_12_ppc64le": rpc error: code = Unknown desc = pinging container registry quay-demo.host.xyz:8443: Get "https://quay-demo.host.xyz:8443/v2/": x509: certificate signed by unknown authority
Warning Failed 22s (x2 over 35s) kubelet Error: ErrImagePull
Normal BackOff 8s (x2 over 35s) kubelet Back-off pulling image "quay-demo.host.xyz:8443/repository/ocp/openshift4_12_ppc64le"
Warning Failed 8s (x2 over 35s) kubelet Error: ImagePullBackOff
Steps
- Set the hostname and port to those of your registry
export REGISTRY_HOSTNAME=quay-demo.host.xyz
export REGISTRY_PORT=8443
- Extract all the CA certs from the chain the registry presents
echo "" | openssl s_client -showcerts -prexit -connect "${REGISTRY_HOSTNAME}:${REGISTRY_PORT}" 2> /dev/null | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > tmp.crt
- Display the cert to verify that the Issuer is the one you expect
# openssl x509 -in tmp.crt -text | grep Issuer
Issuer: C = US, ST = VA, L = New York, O = Quay, OU = Division, CN = quay-demo.host.xyz
- Create the configmap in the openshift-config namespace
# oc create configmap registry-quay -n openshift-config --from-file="${REGISTRY_HOSTNAME}..${REGISTRY_PORT}=$(pwd)/tmp.crt"
configmap/registry-quay created
- Add an additionalTrustedCA to the cluster image config.
# oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-quay"}}}' --type=merge
image.config.openshift.io/cluster patched
- Verify your config is updated
# oc get image.config.openshift.io/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-10-20T15:35:08Z"
  generation: 2
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: a3df97ca-73ff-4a72-93b1-f3ef7d51e329
  resourceVersion: "6299552"
  uid: f7e56517-486d-4530-8e14-16ef0deed462
spec:
  additionalTrustedCA:
    name: registry-quay
status:
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
- Check the pod that failed to pull the image; it should now succeed.
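The procedure above as one shell function, added here as an example rather than the post's own script. It runs the same commands but adds the two checks a cluster admin wants before trusting a fetched CA cluster-wide: compare its SHA-256 fingerprint with a value obtained out-of-band from the Quay host (EXPECTED_FP, an assumed input you supply), and confirm the leaf certificate actually chains to it. Helper names and temp files are my own; openssl and oc are assumed to be on PATH.

```shell
# Added example (not the post's own script): the same procedure as a shell
# function with two checks added before the CA is trusted cluster-wide.
# Assumes openssl and oc are on PATH and that EXPECTED_FP (the CA's SHA-256
# fingerprint) was obtained out-of-band from the Quay host, not from this fetch.
set -eu

# ConfigMap keys cannot contain ':', so the additionalTrustedCA key uses '..'
# between host and port; a registry on the default port 443 is keyed by bare hostname.
registry_ca_key() {
  host="$1"; port="${2:-443}"
  if [ "$port" = "443" ]; then printf '%s\n' "$host"; else printf '%s..%s\n' "$host" "$port"; fi
}

# Number of PEM certificates in a bundle such as tmp.crt.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print the Nth certificate (1-based) of a PEM bundle. s_client prints the
# leaf first, so the last one is the topmost CA the registry sent.
nth_cert() {
  awk -v n="$2" '/BEGIN CERTIFICATE/{i++} i==n{print} /END CERTIFICATE/{if(i==n) exit}' "$1"
}

# SHA-256 fingerprint of a certificate, for comparison against the value the
# registry admin published; a fetch over TLS cannot vouch for its own CA.
ca_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Fetch the chain, check the CA's fingerprint, confirm the leaf chains to it,
# then create the ConfigMap and patch the cluster image config.
trust_registry_ca() {
  host="$1"; port="$2"; expected_fp="$3"
  bundle=$(mktemp); ca=$(mktemp); leaf=$(mktemp)
  echo "" | openssl s_client -showcerts -connect "${host}:${port}" 2>/dev/null \
    | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > "$bundle"
  nth_cert "$bundle" "$(cert_count "$bundle")" > "$ca"
  nth_cert "$bundle" 1 > "$leaf"
  if [ "$(ca_fingerprint "$ca")" != "$expected_fp" ]; then
    echo "CA fingerprint mismatch for ${host}:${port}; not trusting it" >&2; return 1
  fi
  # -partial_chain lets an intermediate act as the anchor when the root was not sent.
  openssl verify -partial_chain -CAfile "$ca" -untrusted "$bundle" "$leaf" >/dev/null
  oc create configmap registry-quay -n openshift-config \
    --from-file="$(registry_ca_key "$host" "$port")=$ca"
  oc patch image.config.openshift.io/cluster --type=merge \
    --patch '{"spec":{"additionalTrustedCA":{"name":"registry-quay"}}}'
}

# Usage: trust_registry_ca quay-demo.host.xyz 8443 "$EXPECTED_FP"
```

The expected fingerprint has the same colon-separated form that `openssl x509 -noout -fingerprint -sha256` prints when run against the CA file on the Quay host itself.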
Reference
- x509: certificate signed by unknown authority — error when working with images using docker (OpenShift 4.3) – Thanks to Madhavan for the blog post.
- IBM CloudPak docs, which show how to use an alternate port.