Closed jordigilh closed 2 years ago
When deploying in an environment with a self-signed CA, the `composer-cli` command fails to compose when attempting to reach the ostree repository, hosted behind the route:

```
[rfe-oci-build-installer-image : build-installer-image-playbook] TASK [oci-build-installer-image : Compose Image] *******************************
[rfe-oci-build-installer-image : build-installer-image-playbook] Tuesday 11 January 2022 01:10:20 +0000 (0:00:02.759) 0:00:12.972 *******
[rfe-oci-build-installer-image : build-installer-image-playbook] fatal: [image-builder]: FAILED! => {"changed": true, "cmd": ["composer-cli", "-j", "compose", "start-ostree", "--ref", "rhel/8/x86_64/edge", "--url", "https://httpd-rfe.apps.mycluster.redhat.com/microshift/latest", "rfe-iso-blueprint", "rhel-edge-installer"], "delta": "0:00:00.119717", "end": "2022-01-10 20:10:20.722024", "msg": "non-zero return code", "rc": 1, "start": "2022-01-10 20:10:20.602307", "stderr": "", "stderr_lines": [], "stdout": "{\n \"status\": false,\n \"errors\": [\n {\n \"id\": \"OSTreeCommitError\",\n \"msg\": \"Get \\\"https://httpd-rfe.apps.mycluster.redhat.com/microshift/latest/refs/heads/rhel/8/x86_64/edge\\\": x509: certificate signed by unknown authority\"\n }\n ]\n}", "stdout_lines": ["{", " \"status\": false,", " \"errors\": [", " {", " \"id\": \"OSTreeCommitError\",", " \"msg\": \"Get \\\"https://httpd-rfe.apps.mycluster.redhat.com/microshift/latest/refs/heads/rhel/8/x86_64/edge\\\": x509: certificate signed by unknown authority\"", " }", " ]", "}"]}
```

To solve this, the ingress' CA certificate needs to be added to the image-builder VM truststore so that `composer-cli` can establish the connection.

- `tls.crt` stored in the secret `router-certs-default` in `openshift-ingress`.
- `/etc/pki/ca-trust/source/anchors/tls.crt` in the image-builder VM.
- `/bin/update-ca-trust`.
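The steps named in the issue, written out as an added shell example; it is not code from this repository or from the issue author. It assumes it runs as root on the image-builder VM with `oc` already logged in to the cluster; the function names and the `--apply` switch are hypothetical, and the check that refuses a file containing a private key is an addition.

```shell
#!/bin/sh
# Added example: trust the OpenShift ingress certificate on the image-builder VM.
# Assumptions: root on the image-builder VM, `oc` logged in to the cluster.
set -eu

SECRET=router-certs-default                       # secret named in the issue
NAMESPACE=openshift-ingress                       # namespace named in the issue
ANCHOR=/etc/pki/ca-trust/source/anchors/tls.crt   # path named in the issue
# Ref URL taken from the failing request in the log above.
REF_URL=https://httpd-rfe.apps.mycluster.redhat.com/microshift/latest/refs/heads/rhel/8/x86_64/edge

# Print the number of certificate blocks in a PEM file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Succeed only if the file holds at least one certificate and no private key,
# so tls.key material can never end up in a world-readable trust anchor.
is_safe_anchor() {
  [ "$(count_certs "$1")" -ge 1 ] && ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Write the tls.crt field of the router secret to the file given as $1.
fetch_ingress_cert() {
  oc get secret "$SECRET" -n "$NAMESPACE" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d > "$1"
}

# Install the PEM file given as $1 as a trust anchor and re-test the route.
install_anchor() {
  is_safe_anchor "$1" || { echo "refusing: $1 is not a certificate-only PEM" >&2; return 1; }
  # Show what is about to be trusted (openssl reads the first certificate in the file).
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
  install -m 0644 "$1" "$ANCHOR"
  /bin/update-ca-trust
  # curl exits non-zero if the chain still does not verify against the system store.
  curl -sS -o /dev/null -w '%{http_code}\n' "$REF_URL"
}

# Only touch the cluster and the trust store when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
  fetch_ingress_cert "$tmp"
  install_anchor "$tmp"
fi
```

Compare the printed subject, issuer and SHA-256 fingerprint with the values the cluster administrator expects before relying on the new anchor.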