Bug 1309195

Summary: Cannot import image tag to imagestream
Product: OpenShift Container Platform Reporter: Wenjing Zheng <wzheng>
Component: Image Registry Assignee: Maciej Szulik <maszulik>
Status: CLOSED CURRENTRELEASE QA Contact: Wang Haoran <haowang>
Severity: low Docs Contact:
Priority: medium    
Version: 3.2.0 CC: aos-bugs, bleanhar, haowang, maszulik, sdodson, sgraf, tdawson, twaugh, wsun, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: When pinging the remote registry through https first, we returned the wrong error message to the caller.
Consequence: When importing images from certain registries, the import would fail due to not falling back properly to http.
Fix: The image importer code currently returns the appropriate code when it fails pinging the remote registry.
Result: When importing images, the fallback path to http works as expected.
Last Closed: 2016-11-22 22:37:34 UTC Type: Bug

Comment 7 Maciej Szulik 2016-02-19 17:45:36 UTC
I've created https://github.com/openshift/origin/pull/7469 to address the problem with insecure v1 registries.

Comment 9 openshift-github-bot 2016-02-20 05:39:43 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/18f055cbd4771cdbfa332bb13a8803c01d36d5c7
Bug 1309195 - Return ErrNotV2Registry when falling back to http backend

Comment 17 Maciej Szulik 2016-02-23 15:02:52 UTC
Here are the steps needed to work with the repository Brenton mentioned. Since this is a secured repository with authentication, we need to mark the registry as insecure (this will bypass checking the certificate) and provide secrets to satisfy the authentication. Here are the steps to do so:

1. create the secret:
   a) oc login following instructions at https://api.qe.openshift.com/oauth/token/request
   b) get token with oc whoami -t
   c) docker login -u username -e email -p token registry.qe.openshift.com
     (in my case both username and email were my rh email, if in doubt check
      oc whoami)
   d) oc secrets new mysecret .dockerconfigjson=$HOME/.docker/config.json

2. create the image stream:

apiVersion: v1
kind: ImageStream
metadata:
  name: myis 
  annotations:
    openshift.io/image.insecureRepository: "true"
spec:
  dockerImageRepository: registry.qe.openshift.com/openshift3/php-55-rhel7

This should do the trick of importing images.

Comment 18 Brenton Leanhardt 2016-02-23 15:25:25 UTC
Maciej,

Is there no way to specify a CA file today?  It seems like we should create a card for that if that's the case.

Comment 19 Maciej Szulik 2016-02-23 16:05:44 UTC
Brenton, 

I'm not sure this is the right way to go. I'd rather admins deal with repos with self-signed certs at the operating system level by importing the appropriate company-wide CA used for issuing those certs. Importing metadata will only allow seeing the image; for docker push/pull operations the CA still needs to be on a node.
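
Added example, not part of the comments above and not code from openshift/origin: the registry v2 ping (GET /v2/) against a server whose certificate is signed by a private CA, once with only the default trust store and once with that CA trusted, so the certificate is verified rather than bypassed as the insecure annotation does. The server is a constructed local test server, and the names newFakeRegistry, pingV2 and trustOnly are hypothetical; the explicit pool stands in for whichever trust store holds the company CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newFakeRegistry starts a constructed local TLS server that answers the
// registry v2 ping with a certificate the system trust store does not know.
func newFakeRegistry() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
		w.WriteHeader(http.StatusOK)
	}))
}

// pingV2 sends GET /v2/ using the given TLS settings (nil means defaults,
// i.e. the system trust store) and reports whether the endpoint identified
// itself as a v2 registry. A certificate failure is returned as an error.
func pingV2(baseURL string, cfg *tls.Config) (bool, error) {
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.Header.Get("Docker-Distribution-API-Version") == "registry/2.0", nil
}

// trustOnly builds a TLS config that verifies the server chain against the
// single CA certificate passed in; verification stays enabled.
func trustOnly(ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

func main() {
	srv := newFakeRegistry()
	defer srv.Close()
	_, errDefault := pingV2(srv.URL, nil)
	okCA, errCA := pingV2(srv.URL, trustOnly(srv.Certificate()))
	fmt.Println("default trust store:", errDefault)
	fmt.Println("CA trusted:", okCA, errCA)
}
```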

Comment 22 Maciej Szulik 2016-09-08 07:30:26 UTC
Based on the previous comment and the fact that I was able to access all the repos mentioned in this issue, I'm moving this to QA.