
Openshift: TLS Errors pulling Docker Image from its own registry


We are trying to set up a build pipeline for one of our apps, running in Openshift, and are having some TLS issues.

We are using Jenkins to build the docker image for this app, then to push the image to the Openshift Registry. Here is what we have done so far:

Copied the Openshift master certs over to Jenkins:

mkdir -p /etc/docker/certs.d/docker-registry-default.router.default.svc.cluster.local
cd /etc/docker/certs.d/docker-registry-default.router.default.svc.cluster.local
scp root@<OPENSHIFT_MASTER_IP>:/etc/origin/master/ca.crt ca.crt

Successfully logged into the Registry from Jenkins:

bash-4.2$ docker login -u <USER> -p <OC_TOKEN> docker-registry-default.router.default.svc.cluster.local
Login Succeeded

Pushed the image to the Registry from Jenkins (also works):

docker push docker-registry-default.router.default.svc.cluster.local/project/app:latest

Deploying the image through the Openshift UI works as well, since I was able to select the Namespace, ImageStream and Tag for my app when deploying the image.

However, the following error occurs when the pod starts up:

Failed to pull image "docker-registry.default.svc:5000/project/app@sha256:8fd9759XXXXXXXXXXXXXXXf7fXXXXXXXXXXXXXXXXXXXXX": rpc error: code = Unknown desc = Get https://docker-registry.default.svc:5000/v2/: net/http: TLS handshake timeout

Any idea why I'm seeing TLS related errors, when Openshift can see the image, but can't pull the image at deploy time?

Any help would be appreciated.


Solution

  • The issue here was that the Openshift Application node resides on a different subnet than the Master and Infra nodes.

    The fix was to move the Application node into the same subnet as the Master and Infra nodes, then rebuild the cluster.

    Everything worked after doing this, although this can be configured in the openshift-ansible inventory file, if you need to have nodes in different subnets.

    https://docs.okd.io/latest/install/configuring_inventory_file.html
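
A staged probe that separates the "TLS handshake timeout" in the question (TCP connects, the handshake never completes, which points at the network path between node and registry) from a certificate trust failure. This is an added example, not part of the original question or answer; `probe_registry` and its stage labels are hypothetical names, and the CA path in the comment is a placeholder.

```python
import socket
import ssl


def probe_registry(host, port, cafile=None, timeout=5.0):
    """Return (stage, detail) naming the first step that fails.

    stage is one of: dns, tcp, tls-timeout, tls-verify, tls-error, ok.
    """
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        sock = socket.create_connection(addr[:2], timeout=timeout)
    except OSError as exc:
        # Refused, unreachable or timed out before any TLS bytes were sent.
        return "tcp", str(exc)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached the certificate check: a trust problem (CA, name).
        return "tls-verify", exc.verify_message
    except socket.timeout:
        # Same condition as the pull error: connected, but no handshake reply.
        return "tls-timeout", "TCP connected, handshake did not complete"
    except (ssl.SSLError, OSError) as exc:
        return "tls-error", str(exc)


if __name__ == "__main__":
    # Constructed stand-in for a registry behind a broken path: a local
    # listener that accepts the TCP connection but never answers ClientHello.
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    print(probe_registry("127.0.0.1", silent.getsockname()[1], timeout=1.0))
    # On an application node, host and port come from the pull error, e.g.
    # probe_registry("docker-registry.default.svc", 5000, cafile="<CA_FILE>")
```

Run it from the node that fails to pull: a `tls-timeout` result means the `ca.crt` copied to Jenkins is not the issue, while `tls-verify` would point back at certificate trust.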