kabanero-io / kabanero-pipelines

Default Kabanero Pipelines. This repo will be archived soon.
Apache License 2.0

scan task fails with internal registry, x509: certificate signed by unknown authority #119

Closed dacleyra closed 4 years ago

dacleyra commented 4 years ago
      java-microprofile-manual-pipeline-run-image-scan-task-cdvbs:
        pipelineTaskName: image-scan-task
        status:
          completionTime: "2019-11-05T13:51:06Z"
          conditions:
          - lastTransitionTime: "2019-11-05T13:51:06Z"
            message: '"step-mount-image" exited with code 2 (image: "docker.io/appsody/appsody-buildah@sha256:4a9941d67464af5594eddf0b3e816fbb6ac6164fa2d27d269cbaa6ab6f3f3eb1");
              for logs run: kubectl -n kabanero logs java-microprofile-manual-pipeline-run-image-scan-task-cdvbs-pod-b135f6
              -c step-mount-image'
            reason: Failed
            status: "False"
            type: Succeeded
          podName: java-microprofile-manual-pipeline-run-image-scan-task-cdvbs-pod-b135f6
          startTime: "2019-11-05T13:50:31Z"
          steps:
          - container: step-mount-image
            imageID: docker.io/appsody/appsody-buildah@sha256:4a9941d67464af5594eddf0b3e816fbb6ac6164fa2d27d269cbaa6ab6f3f3eb1
            name: mount-image
            terminated:
              containerID: cri-o://87d28346e93bd53f3ce2b0384318218fa3ca424c858b371639ce7e7822012fe9
              exitCode: 2
              finishedAt: "2019-11-05T13:51:05Z"
              reason: Error
              startedAt: "2019-11-05T13:50:46Z"
          - container: step-scan-image
            imageID: docker.io/kabanero/scanner@sha256:57910b551275b26dfd8e77150b1287836ad0ef1662568cca1c6c32ce4fb3c1b3
            name: scan-image
            terminated:
              containerID: cri-o://fe1db54a70bcb79eeb5c1de0cd561b454b41dcc4c56188c5d77cf742a9d15f55
              exitCode: 0
              finishedAt: "2019-11-05T13:51:05Z"
              reason: Completed
              startedAt: "2019-11-05T13:51:01Z"
          - container: step-git-source-git-source-8h2v9
            imageID: quay.io/openshift-pipeline/tektoncd-pipeline-git-init@sha256:b9beb1d9e41e08923f6683467dae01bb1657fdbae2e19f08c4c866f26eef3e0d
            name: git-source-git-source-8h2v9
            terminated:
              containerID: cri-o://642fb7cde1f86e9eb70104636cd894724f225c378ac76fe4ef7896c7c6530e0f
              exitCode: 0
              finishedAt: "2019-11-05T13:51:05Z"
              reason: Completed
              startedAt: "2019-11-05T13:50:43Z"

oc logs java-microprofile-manual-pipeline-run-image-scan-task-cdvbs-pod-b135f6 --all-containers=true

{"level":"warn","ts":1572961841.9309406,"logger":"fallback-logger","caller":"logging/config.go:69","msg":"Fetch GitHub commit ID from kodata failed: \"KO_DATA_PATH\" does not exist or is empty"}
{"level":"info","ts":1572961841.9319112,"logger":"fallback-logger","caller":"creds-init/main.go:40","msg":"Credentials initialized."}
{"level":"warn","ts":1572961863.871822,"logger":"fallback-logger","caller":"logging/config.go:69","msg":"Fetch GitHub commit ID from kodata failed: \"KO_DATA_PATH\" does not exist or is empty"}
{"level":"info","ts":1572961865.2931924,"logger":"fallback-logger","caller":"git/git.go:102","msg":"Successfully cloned https://github.com/dacleyra/appsody-hello-world/ @ master in path /workspace/git-source"}
Error initializing source docker://image-registry.openshift-image-registry.svc:5000/kabanero/java-microprofile:latest: pinging docker registry returned: Get https://image-registry.openshift-image-registry.svc:5000/v2/: x509: certificate signed by unknown authority
total 4
drwxrwxrwx. 5 root root 87 Nov  5 13:51 .
drwxr-xr-x. 4 root root 31 Nov  5 13:50 ..
drwxr-xr-x. 2 root root 25 Nov  5 13:50 .docker
-rw-------. 1 root root  0 Nov  5 13:50 .git-credentials
-rw-------. 1 root root 29 Nov  5 13:50 .gitconfig
drwxr-----. 3 root root 19 Nov  5 13:51 .pki
drwxr-xr-x. 2 root root 39 Nov  5 13:50 .ssh
cp: missing destination file operand after '/var/lib/containers'
Try 'cp --help' for more information.
ls: cannot access '/var/lib/containers/merged': No such file or directory

marikaj123 commented 4 years ago

@dacleyra - Hi Dan is this bug related to release 0.3.0?

dacleyra commented 4 years ago

yes, adding tag

stephenkinder commented 4 years ago

@aadeshpa can you fill out your GitHub profile so that I can find your id when assigning defects please? :) Since your ID is aadeshpa typing ashish does not bring up your id. :) . Same for @kvijai82 ... please add your name to your profile.

stephenkinder commented 4 years ago

I've assigned @teddyjtorres to diagnose but may need help from the pipeline team.

kvijai82 commented 4 years ago

For now we added tls-verify=false like we do in other places to get us past this issue. We have another issue to deal with documenting cert setup for users who would prefer doing that. The fix for this is part of the larger scan task fix I will be creating a PR for shortly.
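
The cert-setup alternative to `tls-verify=false` mentioned in the comment above, as an added example that is not part of the original thread or the kabanero-pipelines code. It assumes the containers/image convention that buildah, skopeo and podman trust extra CAs placed in `/etc/containers/certs.d/<host:port>/`, and that the pod has the OpenShift service CA mounted at the path shown in the usage comment; both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the kabanero-pipelines repository.
# Assumption: buildah/skopeo/podman read per-registry CAs from
#   <certs_root>/<registry host:port>/*.crt  (default /etc/containers/certs.d)

# Copy a PEM CA bundle into the trust directory for one registry.
# Prints the installed path; returns non-zero on bad arguments or non-PEM input.
install_registry_ca() {
    registry=$1
    ca_file=$2
    certs_root=${3:-/etc/containers/certs.d}
    [ -n "$registry" ] && [ -r "$ca_file" ] || {
        echo "usage: install_registry_ca HOST:PORT CA_FILE [CERTS_ROOT]" >&2
        return 2
    }
    # Refuse input without a PEM certificate header (e.g. an empty mount).
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "not a PEM certificate: $ca_file" >&2
        return 1
    }
    dest="$certs_root/$registry"
    mkdir -p "$dest" && cp "$ca_file" "$dest/ca.crt" \
        && chmod 0644 "$dest/ca.crt" || return 1
    printf '%s\n' "$dest/ca.crt"
}

# List files under a directory of task/pipeline definitions that still turn
# registry certificate verification off, so each one can be reviewed.
list_tls_verify_disabled() {
    grep -rlE -- 'tls-verify[= ]+"?false' "$1" 2>/dev/null | sort
}

# Usage inside a step, before the image is pulled (CA path is an assumption
# about the OpenShift service CA mount):
#   install_registry_ca image-registry.openshift-image-registry.svc:5000 \
#       /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
# Audit a checkout of the pipeline definitions:
#   list_tls_verify_disabled ./pipelines
```

With the CA in place the pull can run with verification left on, and the audit function shows where the workaround is still in use.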

mtamboli commented 4 years ago

@kvijai82 Where would the fix go? In collections? Do we expect new collections release?

aadeshpa commented 4 years ago

> @aadeshpa can you fill out your GitHub profile so that I can find your id when assigning defects please? :) Since your ID is aadeshpa typing ashish does not bring up your id. :) . Same for @kvijai82 ... please add your name to your profile.

@stephenkinder: Updated the name in the profile. Now I think you would be able to search for us by name.

kvijai82 commented 4 years ago

@mtamboli Yes, I am in the process of pushing the fix to collections right now. We will need a respin of the collections to pick it up.

groeges commented 4 years ago

@kvijai82 @marikaj123 Please let me know when the PR needs review and I can review it; then I can cut a 0.3.0.-rc.3 release (if that is what is required).

kvijai82 commented 4 years ago

Fix should be in the new collections release. @mtamboli / @dacleyra could you please verify & close this issue when you get a chance? Thanks!

mtamboli commented 4 years ago

@kvijai82 It seems to be working fine. Do you expect image scanning to happen after deployment?

kvijai82 commented 4 years ago

@mtamboli In this pipeline, the deploy task & scan task run in parallel. The thinking right now is that the scan results would be reviewed by a human as there are some false positive results that can happen.

When run via the eventing framework, this task is called in a pipeline that is driven only when a PR is merged. The results can then be reviewed by the team and when they create a release in the git repo, the deploy pipeline will run.

kvijai82 commented 4 years ago

Closing this issue as @mtamboli validated the task passes now.