Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verify-image-signature cannot talk to secured registry #15809

Closed
miminar opened this issue Aug 17, 2017 · 3 comments
Closed

verify-image-signature cannot talk to secured registry #15809

miminar opened this issue Aug 17, 2017 · 3 comments
Assignees
@miminar
Labels
component/image kind/bug Categorizes issue or PR as related to a bug. kind/test-flake Categorizes issue or PR as related to test flakes. priority/P2

Comments

@miminar
Copy link

miminar commented Aug 17, 2017

The oadm verify-image-signature uses insecure connection to the integrated registry. For this reason, the following extended test fails:


• Failure [121.196 seconds]
[imageapis][registry] image signature workflow
/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/registry/signature.go:113
  can push a signed image to openshift registry and verify it [It]
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/registry/signature.go:112

  Expected
      <string>: error verifying signature sha256:bd25771c79b53946ab1f92970f6a08907e07b9acb8f3a359494a037be2f09f57@e52846c9ec597d9b905862e16cc946d7 for image sha256:bd25771c79b53946ab1f92970f6a08907e07b9acb8f3a359494a037be2f09f57 (verification status will be removed): failed to get image "sha256:bd25771c79b53946ab1f92970f6a08907e07b9acb8f3a359494a037be2f09f57" manifest: Get http://docker-registry.default.svc:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
  to contain substring
      <string>: identity is now confirmed

  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/registry/signature.go:106

The command needs to try https first and fall-back to http if not possible. The insecure connection should be enabled based on insecure flags of corresponding imagestream (e.g. insecure repository annotation or insecure import policy.
@miminar miminar added component/image kind/bug Categorizes issue or PR as related to a bug. kind/test-flake Categorizes issue or PR as related to test flakes. priority/P1 labels Aug 17, 2017
@miminar
Copy link
Author

miminar commented Aug 17, 2017

/cc @dmage @mfojtik @legionus

@mfojtik
Copy link
Contributor

mfojtik commented Aug 17, 2017

yes. good catch.

@mfojtik
Copy link
Contributor

mfojtik commented Oct 27, 2017

I don't think this is a blocker, that test deserves to be fixed for sure. I thought we already have --insecure-registry flag for verify image signature. I will check.

@miminar miminar mentioned this issue Nov 6, 2017
Merged
@bparees bparees assigned miminar and unassigned mfojtik Nov 6, 2017
openshift-merge-robot added a commit that referenced this issue Nov 7, 2017
@openshift-merge-robot
Merge pull request #17202 from miminar/signature-workflow-reenabled-1…
985a79b 
…5809

Automatic merge from submit-queue.

verify-signature: fixed (in)secure transport

And reenabled image signature workflow extended test.

Resolves #15809
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@miminar miminar

Labels
component/image kind/bug Categorizes issue or PR as related to a bug. kind/test-flake Categorizes issue or PR as related to test flakes. priority/P2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mfojtik @miminar