
I am trying to deploy apps into an Openshift cluster (using oc apply -f <deployment-file-name>.yaml), which involves pulling an image from a privately-hosted registry, and I'm running into the problem in the title. I am logged into the cluster and using oc command line tools on a bastion host, which is the only host in the cluster that is not air-gapped.

A few attempted fixes that haven't worked:

  1. Getting a certificate (call it ca.crt) signed by the company I work for using an internal tool, generating a file in the format .pem (call it perm.pem) via the command openssl x509 -in ca.crt -out perm.pem, putting ca.crt into /etc/docker/certs.d/<address-of-registry-hosting-machine>:<port>/ on the bastion host, and running the private registry with the command that matches the certificate (ca.crt) and its key to the REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY env. variables respectively (as demo'ed in the docker docs).
  2. Placing "insecure-registries":["<address-of-registry-hosting-machine>:<port>"] into the file /etc/docker/daemon.json file on the bastion host
  3. Creating a configuration map, as instructed here on section 2.5, and modifying the deployment YAML file to contain certificate contents (I tried all possible permutations of certificate contents, i.e. with and without root and intermediate certificates).

Does anyone know what else I could do to have deployments from the bastion host overcome the error?

  • have you tried installing the CA on the bastion host like any regular Linux host trying to get familiar with a self-signed CA, then restarting the docker daemon and the registry container? – Noam Yizraeli Mar 16 '22 at 21:47

1 Answer


If you are using OpenShift, everything is pulled by the internal cluster registry. What you need to do is add your company CA, which issued the certificate of your private registry, to the OpenShift-internal registry. An article on how to do that can be found here: https://docs.openshift.com/container-platform/4.7/cicd/builds/setting-up-trusted-ca.html#configmap-adding-ca_setting-up-trusted-ca
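To make the answer concrete, here is an added example (not code from the original answer or from the OpenShift docs) that renders the ConfigMap OpenShift expects for a registry CA and shows the follow-up command that makes the cluster reference it; the registry address registry.example.com:5000, the file ca.crt and the ConfigMap name registry-cas are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): render the ConfigMap that gives
# the OpenShift cluster the CA of a private registry, then reference it from
# the cluster image config. Assumed placeholders: registry.example.com:5000,
# ./ca.crt, ConfigMap name registry-cas.

# OpenShift names the ConfigMap key after the registry host. A port is joined
# with ".." because ":" is not allowed in a ConfigMap key; a host without a
# port is used unchanged. The key must match the host in the image reference.
registry_key() {
    printf '%s\n' "$1" | sed 's/:/../'
}

# Emit the manifest for the openshift-config namespace. The PEM file is
# indented under the key, so the certificate text is never hand-pasted into
# the Deployment, which is the wrong object for a registry CA.
render_registry_ca_configmap() {
    registry="$1"; ca_file="$2"; name="${3:-registry-cas}"
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n'
    printf '  name: %s\n  namespace: openshift-config\ndata:\n' "$name"
    printf '  %s: |\n' "$(registry_key "$registry")"
    sed 's/^/    /' "$ca_file"
}

# After `oc apply -f` of the manifest, point the cluster at it; the nodes'
# container runtime (CRI-O, not the bastion's Docker daemon) then trusts the CA.
patch_cluster_image_config() {
    oc patch image.config.openshift.io/cluster --type=merge \
        -p "{\"spec\":{\"additionalTrustedCA\":{\"name\":\"${1:-registry-cas}\"}}}"
}

# Constructed placeholder CA so the script runs offline; use the real ca.crt.
demo_ca=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'PLACEHOLDER-NOT-A-REAL-CERTIFICATE' \
    '-----END CERTIFICATE-----' > "$demo_ca"
render_registry_ca_configmap registry.example.com:5000 "$demo_ca"
rm -f "$demo_ca"
```

Pipe the rendered manifest into `oc apply -f -`, then run `patch_cluster_image_config registry-cas`; the `/etc/docker/certs.d` and `insecure-registries` changes on the bastion only affect the bastion's own Docker daemon, not the cluster nodes that perform the pull.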