Cannot access CASE packages when using a proxy server

If you use a proxy server to mirror images or to download CASE packages, the cpd-cli manage mirror-images command fails.

Symptoms

The cpd-cli returns an error with the following format:

"stderr": "[ERROR]: unable to obtain root index for '<proxy-server-URL>/repository/github/IBM/cloud-pak/raw/master/repo/case': 
\"**A HTTP processing related error occurred while accessing CASE repo: 
Get \\\"<proxy-server-URL>/repository/github/IBM/cloud-pak/raw/master/repo/case/index.yaml\\\": 
x509: certificate signed by unknown authority\"\nerror: Unable to obtain a valid CASE for the CASE name of \"ibm-cp-datacore\"** at repository 
\<proxy-server-URL>/repository/github/IBM/cloud-pak/raw/master/repo/case\
Mirroring images
If you are attempting to mirror images, this typically occurs when you run the cpd-cli manage mirror-images with the --source_registry option pointing to a proxy server.
For example, your command might have the following format:
cpd-cli manage mirror-images \
--release=${VERSION} \
--components=${COMPONENTS} \
--source_registry=<registry-on-proxy-server>
--target_registry=PRIVATE_REGISTRY_LOCATION
Downloading CASE packages
If you are attempting to download CASE packages, this error typically occurs when you run one of the following commands with --case_download=true:
  • cpd-cli manage apply-olm
  • cpd-cli manage list-images
  • cpd-cli manage mirror-images

Causes

The olm-utils container, which provides the cpd-cli manage functionality, connects to different endpoints, such as:
  • The CASE package repository on github.com
  • The IBM Entitled Registry
  • Your OpenShift® Container Platform cluster
  • Your private container registry

If you use a proxy server to access these endpoints, you might need to add CA certificates to enable the olm-utils container to trust connections through the proxy server.

Resolving the problem

User response: To resolve the problem:
  1. Ensure that any required CA certificates are available on the client workstation.
    Tip: Typically the CA certificates are in the /etc/pki/ca-trust directory on the workstation.
    If you need additional information on adding certificates to a workstation, run:
    man update-ca-trust
  2. Add the OLM_UTILS_LAUNCH_ARGS environment variable to your environment variable script.
    • If the certificates on the client workstation are in the /etc/pki/ca-trust directory, add:
      export OLM_UTILS_LAUNCH_ARGS=" -v /etc/pki/ca-trust:/etc/pki/ca-trust"
    • If the CA certificates are in a different location, replace <client-workstation-location> with the appropriate location:
      export OLM_UTILS_LAUNCH_ARGS=" -v <client-workstation-location>:/etc/pki/ca-trust"
  3. Source the environment variables. For example, if you named the environment variables script cpd_vars.sh, run:
    source ./cpd_vars.sh
  4. Restart the container where the olm-utils image is running:
    cpd-cli manage restart-container