Docker login fails with your own certificate after rollback

After you roll back to a previous version of IBM Cloud Private, you cannot use the Docker login command to log in to your IBM Cloud Private private registry.

Symptoms

You are using a BYO (Bring Your Own) certificate on IBM Cloud Private and then roll back to a previous version. After you roll back, you attempt to use the Docker login command to log in to your private registry. The login fails with an error message that resembles the following message:

# docker login mycluster.icp:8500 -u admin -p 012345abcdefghijklmnopqrstuvwxyz012345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://mycluster.icp:8500/v2/: x509: certificate signed by unknown authority

The pod for the image-manager-init-certs DaemonSet is also not restarted after you roll back.

Causes

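The update strategy for the image-manager-init-certs DaemonSet is set to OnDelete instead of RollingUpdate. With OnDelete, Kubernetes replaces existing DaemonSet pods only after they are deleted manually, so the rollback does not restart them.

For more information, see Perform a Rolling Update on a DaemonSet.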

Resolving the problem

Delete all pods for the image-manager-init-certs DaemonSet. Run the following command to delete the pods:

kubectl -n kube-system delete pods -l app=image-manager-init-certs

The DaemonSet controller then re-creates the pods, and the correct certificate is populated for the Docker client.
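
To confirm that a cluster is in the state described under Causes before deleting anything, the following added example (not part of the IBM documentation) reads the DaemonSet's update strategy and counts the pods that have not picked up the current pod template. It assumes the rollback changed the DaemonSet's pod template; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect an OnDelete DaemonSet whose pods are still running
# the old pod template. Namespace, DaemonSet name and label come from the page.
NS=kube-system
DS=image-manager-init-certs

# Prints "<strategy> <stale>", where <stale> is the number of scheduled pods
# that do not yet run the current DaemonSet template.
ds_rollout_state() {
    out=$(kubectl -n "$NS" get daemonset "$DS" -o \
        jsonpath='{.spec.updateStrategy.type}|{.status.updatedNumberScheduled}|{.status.desiredNumberScheduled}') || return 2
    IFS='|' read -r strategy updated desired <<EOF
$out
EOF
    # updatedNumberScheduled is omitted from the status when it is 0,
    # so an empty field means "no pod has been updated".
    updated=${updated:-0}
    desired=${desired:-0}
    echo "$strategy $((desired - updated))"
}

# Exit status: 0 = pods must be deleted by hand (OnDelete and stale pods),
#              1 = nothing to do, 2 = the DaemonSet could not be read.
needs_manual_delete() {
    state=$(ds_rollout_state) || return 2
    strategy=${state% *}
    stale=${state#* }
    [ "$strategy" = "OnDelete" ] && [ "$stale" -gt 0 ]
}
```

Run `needs_manual_delete && kubectl -n kube-system delete pods -l app=image-manager-init-certs`, then call `ds_rollout_state` again; a stale count of 0 shows that every pod was re-created from the current template.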