
Comments (7)

gyohuangxin avatar gyohuangxin commented on July 19, 2024
$ oc edit deployment image-registry -n openshift-image-registry
spec:
  template:
    containers:
    - env:
      ...
      - name: REGISTRY_OPENSHIFT_SERVER_ADDR
        value: image-registry.openshift-image-registry.svc:5000
      - name: REGISTRY_HTTP_TLS_CERTIFICATE
        value: /etc/secrets/tls.crt
      - name: REGISTRY_HTTP_TLS_KEY
        value: /etc/secrets/tls.key
      ...
      volumeMounts:
      - mountPath: /etc/secrets
        name: registry-tls
      - mountPath: /etc/pki/ca-trust/source/anchors
        name: registry-certificates
      - mountPath: /usr/share/pki/ca-trust-source
        name: trusted-ca
      - mountPath: /var/lib/kubelet/
        name: installation-pull-secrets
    volumes:
    - name: registry-tls
      projected:
        defaultMode: 420
        sources:
        - secret:
            name: image-registry-tls
    - configMap:
        defaultMode: 420
        name: image-registry-certificates
      name: registry-certificates
    - configMap:
        defaultMode: 420
        items:
        - key: ca-bundle.crt
          path: anchors/ca-bundle.crt
        name: trusted-ca
        optional: true
      name: trusted-ca
    - name: installation-pull-secrets
      secret:
        defaultMode: 420
        items:
        - key: .dockerconfigjson
          path: config.json
        optional: true
        secretName: installation-pull-secrets

from image-registry.

bparees avatar bparees commented on July 19, 2024

I believe the registry operator allows you to provide an additional CA explicitly for communicating w/ storage providers, but I'm not finding it in the API or product docs. @dmage?

we should make sure the procedure gets documented somewhere near either:
https://docs.openshift.com/container-platform/4.5/registry/configuring-registry-operator.html#registry-operator-config-resources-storage-credentials_configuring-registry-operator

or
https://docs.openshift.com/container-platform/4.5/registry/configuring_registry_storage/configuring-registry-storage-baremetal.html#registry-configuring-storage-baremetal_configuring-registry-storage-baremetal (and equivalent pages for other platforms)


dmage avatar dmage commented on July 19, 2024

The registry operator can get the CA from the cloud-provider-config configmap in the openshift-config namespace, and so far that's the only way to provide a custom CA for the Swift driver. It will be automatically created if you have a CA in your clouds.yaml. See also openshift/installer#2932.

@bparees do you think we need a way to configure it via the image registry config?


bparees avatar bparees commented on July 19, 2024

@bparees do you think we need a way to configure it via the image registry config?

maybe someday as i can envision someone providing storage independent of the cloud provider, but i'd just put it in the backlog.


gyohuangxin avatar gyohuangxin commented on July 19, 2024

I tried to debug in the image-registry container

$ oc exec -it image-registry-658d869cb8-jrrd2 -n openshift-image-registry -- /bin/bash
bash-4.2$ curl --verbose https://xx.xx.xx.xx:5000/v3/auth/tokens
* About to connect() to xx.xx.xx.xx port 5000 (#0)
*   Trying xx.xx.xx.xx...
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 5000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=xx.xx.xx.xx
* 	start date: Jul 23 09:46:27 2020 GMT
* 	expire date: Jul 23 09:46:27 2030 GMT
* 	common name: xx.xx.xx.xx
* 	issuer: CN=xx.xx.xx.xx
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

It seems that it uses certificates in /etc/pki/tls/certs/ca-bundle.crt, but I can't find our self-signed certificate in it.


gyohuangxin avatar gyohuangxin commented on July 19, 2024

This issue is related to our certificate format, and it has been resolved, thanks.

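The curl check above (is the CA actually in /etc/pki/tls/certs/ca-bundle.crt?) and the resolution (the certificate format was the problem) are worth scripting before the next cluster. The following is an added example, not code from the image-registry project or from anyone in this thread: it classifies a CA file (DER, PEM, PEM with CRLF line endings, two PEM files glued together without a trailing newline, a PEM block whose body does not decode) and tests by SHA-256 fingerprint whether that CA is present in a generated bundle. It uses only the Python standard library; the certificate bytes at the bottom are constructed placeholders, not real X.509 certificates, and the file names mentioned in comments are assumptions about where the files sit in the pod.

```python
"""Check a CA certificate's format and whether it made it into a CA bundle.

Added example for this thread; it is not code from the image-registry
project.  Pure standard library, so it runs offline.  The certificate bytes
at the bottom are constructed placeholders, not real X.509 certificates.
"""
import base64
import hashlib
import re
from typing import List, Tuple

# One PEM block: the label on the BEGIN and END lines must match; LF or CRLF accepted.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def parse_pem_bundle(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for each PEM block whose base64 body decodes.

    Blocks with a corrupt body are skipped rather than raised on; that is the
    symptom seen in the thread: a file is mounted, but the CA never shows up
    in the bundle the TLS clients read.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(data):
        label = match.group(1).decode("ascii")
        body = b"".join(match.group(2).split())  # drop line breaks and whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blocks.append((label, der))
    return blocks


def detect_format(data: bytes) -> str:
    """Classify a certificate file before it is dropped into an anchors directory."""
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: raw DER
        return "der"
    if not data.lstrip().startswith(b"-----BEGIN"):
        return "unknown"
    if b"-----END CERTIFICATE----------BEGIN" in data:
        # What `cat a.crt b.crt` produces when a.crt lacks a trailing newline.
        return "pem-glued"
    certs = [der for label, der in parse_pem_bundle(data) if label == "CERTIFICATE"]
    if not certs:
        return "pem-malformed"
    return "pem-crlf" if b"\r\n" in data else "pem"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, in the colon form `openssl x509 -fingerprint -sha256` prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def to_pem(der: bytes) -> bytes:
    """Wrap DER as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def ca_in_bundle(ca_file: bytes, bundle: bytes) -> bool:
    """True if the CA in ca_file (DER or PEM) appears in the PEM bundle."""
    if detect_format(ca_file) == "der":
        ca_der = ca_file
    else:
        certs = [der for label, der in parse_pem_bundle(ca_file) if label == "CERTIFICATE"]
        if not certs:
            return False
        ca_der = certs[0]
    wanted = fingerprint(ca_der)
    return any(fingerprint(der) == wanted
               for label, der in parse_pem_bundle(bundle) if label == "CERTIFICATE")


# Constructed placeholders: a DER SEQUENCE header (0x30, length 256) around filler.
# Real inputs would be the mounted anchor (assumed path:
# /usr/share/pki/ca-trust-source/anchors/ca-bundle.crt) and the generated bundle
# (/etc/pki/tls/certs/ca-bundle.crt) copied out of the registry pod.
CORP_CA_DER = b"\x30\x82\x01\x00" + b"corp-ca".ljust(256, b"\x00")
OTHER_CA_DER = b"\x30\x82\x01\x00" + b"other-ca".ljust(256, b"\x00")
CORP_CA_PEM = to_pem(CORP_CA_DER)
BUNDLE_WITHOUT_CORP = to_pem(OTHER_CA_DER)
BUNDLE_WITH_CORP = BUNDLE_WITHOUT_CORP + CORP_CA_PEM
GLUED_BUNDLE = BUNDLE_WITHOUT_CORP.rstrip(b"\n") + CORP_CA_PEM

if __name__ == "__main__":
    for name, data in [("corp-ca.der", CORP_CA_DER), ("corp-ca.pem", CORP_CA_PEM),
                       ("glued.crt", GLUED_BUNDLE)]:
        print(f"{name}: {detect_format(data)}")
    print("corp CA in bundle:", ca_in_bundle(CORP_CA_PEM, BUNDLE_WITH_CORP))
    print("corp CA in bundle that lacks it:", ca_in_bundle(CORP_CA_PEM, BUNDLE_WITHOUT_CORP))
```

Feed it the anchor file that was mounted into the pod and the generated bundle from /etc/pki/tls/certs/ca-bundle.crt: a CA file that classifies as anything other than plain "pem" is the first thing to fix, and a "pem" file that still fails ca_in_bundle means the bundle was not regenerated after the anchor was mounted.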

bparees avatar bparees commented on July 19, 2024

thanks for letting us know, glad you found a resolution

