OpenShift deployment unable to pull image from internal registry: certificate signed by unknown authority

I apologize if this seems like a fairly trivial question, but I am not very familiar with OpenShift deployment. I am trying to build a Docker image, push it to an OpenShift internal registry deployed on-premise, and then deploy an app that pulls said image. However, when I run oc apply -f myapp.yaml, the created pod fails with an ImagePullBackOff error, which is due to an ErrImagePull error with the message:

Failed to pull image "myregistry.openshift.mycompany.com/myproject/myapp:mytag": rpc error: code = Unknown desc = pinging container registry myregistry.openshift.mycompany.com: Get "https://myregistry.openshift.mycompany.com/myproject/v2/": x509: certificate signed by unknown authority

Contents of myapp.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myapp
  labels:
    app: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myregistry.openshift.mycompany.com/myproject/myapp:mytag
          ports:
            - containerPort: 8080
              protocol: TCP
          volumeMounts:
            - mountPath: path/to/logs
              name: deploymentlogs
            - mountPath: path/to/reports
              name: reports
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests:
              cpu: 100m
      imagePullSecrets:
        - name: dockerconfigjson
        # I tried two values for imagePullSecrets, details below.
      volumes:
        - name: deploymentlogs
          persistentVolumeClaim:
            claimName: deploymentlogs
        - name: reports
          persistentVolumeClaim:
            claimName: reports

I tried out two values for imagePullSecrets but neither worked, both resulting in the same error.

The previous value of imagePullSecrets is registry-cert and this is the output of oc get secret registry-cert -o yaml:

apiVersion: v1
data:
  myregistry.openshift.mycompany.com.crt: <long PEM encode in the exported cert>
kind: Secret
metadata:
  creationTimestamp: "2023-05-22T07:28:52Z"
  name: registry-cert
  namespace: myapp
  resourceVersion: "148422557"
  uid: 17f26b35-c5b4-4280-80d4-d66317f3f9f5
type: Opaque

I have already copied this certificate to both /etc/docker/certs.d/myregistry.openshift.mycompany.com and /usr/local/share/ca-certificates/.

The current value of imagePullSecrets is dockerconfigjson and this is the output of oc get secret dockerconfigjson -o yaml:

apiVersion: v1
data:
  .dockerconfigjson: <long base64 string>
kind: Secret
metadata:
  creationTimestamp: "2023-05-23T05:39:09Z"
  name: dockerconfigjson
  namespace: myapp
  resourceVersion: "150532046"
  uid: be79c7d1-112e-4c24-905d-669a83505deb
type: kubernetes.io/dockerconfigjson

Output of oc get secret dockerconfigjson -o "jsonpath={.data.\.dockerconfigjson}" | base64 --decode (which is the contents of my ~/.docker/config.json):

{
        "auths": {
                "myregistry.openshift.mycompany.com": {
                        "auth": "base64-encode of '$(oc whoami):$(oc whoami -t)'"
                },
                "https://index.docker.io/v1/": {
                        "auth": "short base64 string"
                }
        }
}

Contents of /etc/docker/daemon.json:

{"insecure-registries": ["myregistry.openshift.mycompany.com"]}

I doubt that my Docker build/push process is the problem but nevertheless, these are the steps that I go through to build and push my image:

  1. Login to OpenShift by running oc login --token=... --server=.... To obtain the token, I authenticate as a non-admin user using Azure AD.
  2. Login to Docker by running docker login -u $(oc whoami) -p $(oc whoami -t) myregistry.openshift.mycompany.com
  3. Build the Docker image by running docker build -f Dockerfile -t myapp:mytag .
  4. Tag the image to the registry by running docker image tag myapp:mytag myregistry.openshift.mycompany.com/myproject/myapp:mytag
  5. Push the image by running docker push myregistry.openshift.mycompany.com/myproject/myapp:mytag
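The error in the pod event is produced on the cluster node, not on the workstation: when kubelet asks the node's container runtime to pull, the runtime opens a TLS connection to the registry and the chain must validate against the node's trust store. An `imagePullSecrets` entry only transports credentials (the `auths` map above), so neither `registry-cert` nor `dockerconfigjson` can satisfy that check, and copying the certificate into `/etc/docker/certs.d` or listing the host under `insecure-registries` only changes what the local `docker push` trusts (the latter by disabling verification altogether). On OpenShift the node-side trust is configured by a ConfigMap in `openshift-config`, keyed by registry hostname (a port is written as `host..port`), referenced from `image.config.openshift.io/cluster` under `spec.additionalTrustedCA`. The Go program below is an added example, not code from the question or from OpenShift: it builds a constructed CA and registry certificate in memory, reproduces the verification the runtime performs (the message is Go's own `x509.UnknownAuthorityError`, which is why the event reads exactly as it does), renders a pull secret payload in the format shown above to make clear it carries no trust, and renders the ConfigMap that does. The hostname, the CA name `registry-cas` and the user/token values are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed hostname for the demo (the question's own is a placeholder too).
const registryHost = "myregistry.openshift.mycompany.com"

// newCert issues a self-signed CA (isCA) or a server certificate for cn signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAsRuntime is the check the node's container runtime makes when it pings the
// registry: the server cert must chain to a root the node trusts and match the hostname.
// An empty pool yields x509.UnknownAuthorityError, the exact message in the pod event.
func verifyAsRuntime(leaf *x509.Certificate, nodeRoots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: registryHost, Roots: nodeRoots})
	return err
}

// dockerConfigJSON renders the payload of a kubernetes.io/dockerconfigjson pull secret.
// It transports credentials only and adds no CA trust, so it cannot clear the error above.
func dockerConfigJSON(host, user, token string) ([]byte, error) {
	auth := base64.StdEncoding.EncodeToString([]byte(user + ":" + token))
	cfg := map[string]interface{}{"auths": map[string]interface{}{host: map[string]string{"auth": auth}}}
	return json.MarshalIndent(cfg, "", "  ")
}

// trustedCAKey is the data key image.config.openshift.io additionalTrustedCA expects:
// the registry hostname, with ".." in place of the ":" before a port. Assumes host[:port].
func trustedCAKey(hostPort string) string {
	return strings.Replace(hostPort, ":", "..", 1)
}

// trustedCAConfigMap renders the ConfigMap to create in openshift-config and reference
// from image.config.openshift.io/cluster under spec.additionalTrustedCA.name.
func trustedCAConfigMap(name, hostPort string, ca *x509.Certificate) string {
	pemCA := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: openshift-config\ndata:\n  %s: |\n", name, trustedCAKey(hostPort))
	for _, line := range strings.Split(strings.TrimSpace(string(pemCA)), "\n") {
		fmt.Fprintf(&b, "    %s\n", line)
	}
	return b.String()
}

func main() {
	ca, caKey, err := newCert("Internal Registry CA", true, nil, nil)
	if err != nil {
		panic(err)
	}
	leaf, _, err := newCert(registryHost, false, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("node without the CA:", verifyAsRuntime(leaf, x509.NewCertPool()))
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("node with the CA:", verifyAsRuntime(leaf, trusted))
	fmt.Print(trustedCAConfigMap("registry-cas", registryHost, ca))
}
```

Once the real CA is in such a ConfigMap (`oc create configmap registry-cas -n openshift-config --from-file=<hostname>=ca.crt`) and the cluster image config points at it (`oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}'`), the nodes pick up the trust without any change to the Deployment; the pull secret is still needed for authentication, which is the separate "unauthorized" failure rather than the "unknown authority" one. Keep `insecure-registries` out of `daemon.json` on the workstation as well, since it makes the push trust whatever certificate answers for the hostname.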