Bug 1375455

Summary: Users cannot choose to import ImageStream and template which requires extra subscription
Product: OpenShift Container Platform
Component: Installer
Version: 3.2.1
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: low
Priority: low
Reporter: Kenjiro Nakayama <knakayam>
Assignee: Scott Dodson <sdodson>
QA Contact: Johnny Liu <jialiu>
CC: aos-bugs, bleanhar, erich, jokerman, jolamb, knakayam, mmccomas, sdodson, tkimura, trogers
Keywords: Reopened
Type: Bug
Last Closed: 2019-01-31 15:39:17 UTC

Description Kenjiro Nakayama 2016-09-13 07:57:04 UTC
Description of problem:

  The OpenShift installer imports EAP, AMQ, DataGrid ... imageStreams and templates regardless of whether the users have the subscription or not.
  Some of the xPaaS images need the entitlement, so this bug leads users to abuse the images.

Version-Release number of selected component (if applicable):

  - OSE 3.2

Steps to Reproduce:

  Install OSE

Actual results:

  `oc get is,template -n openshift` shows the EAP imageStream and template

Expected results:

  Users can select if they import the imageStream and template which need xPaaS subscription

Additional info:

  The list of images which need extra entitlement - https://access.redhat.com/solutions/1495513
  These values work as xPaaS images. So, it doesn't work for some images like JWS https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_examples/tasks/main.yml#L115-L129

Comment 1 Brenton Leanhardt 2016-09-13 14:08:32 UTC
Hi Kenjiro,

Right now there is no entitlement checking on these images.  I agree we need to have a way to help guide the user to a supportable configuration for the entitlements they have.

Comment 3 Travis Rogers 2016-12-08 23:45:35 UTC
Currently the installation of xPaaS templates and imagestreams is an optional task.  The actual json files will reside on an OpenShift node's filesystem, but importing the templates and imagestreams into the OpenShift environment is optional.  [1]

Currently, the ansible examples [2] are set to install the xPaaS templates and imagestreams.  This can be set to false, if desired.

Is the request to block access to the registry and require entitlements?


[1]
https://docs.openshift.com/container-platform/3.3/install_config/imagestreams_templates.html#creating-image-streams-for-xpaas-middleware-images

[2]
https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_examples/defaults/main.yml#L6

Comment 4 Diógenes Rettori 2016-12-09 20:02:18 UTC
Blocking access to the images is not a priority.

Comment 5 Scott Dodson 2017-06-09 02:26:26 UTC
What is the suggested implementation here? We could make xpaas content opt-in rather than opt-out as it is now for enterprise installs. Moving to low severity.

Comment 9 Scott Dodson 2017-10-02 12:41:56 UTC
Kenjiro,

Setting openshift_examples_load_xpaas=false should disable this, can you try that?

--
Scott

Comment 10 Kenjiro Nakayama 2017-10-30 12:39:31 UTC
Scott, thank you for the suggestion. But the option stops importing templates under `/usr/share/openshift/examples/xpaas-templates` [1]. So, it will exclude the jws3*- (tomcat) and sso7*- templates. These are "xPaaS" images, but they do NOT need an xPaaS subscription. So, the users want to include them. The customer's expectation is to distinguish whether an image/template requires an extra subscription or not.

ref: https://docs.openshift.com/container-platform/3.6/install_config/imagestreams_templates.html#is-templates-core-sub

Comment 11 Takayoshi Kimura 2018-03-07 08:05:41 UTC
*** Bug 1552453 has been marked as a duplicate of this bug. ***

Comment 12 Scott Dodson 2019-01-31 15:39:17 UTC
I'm sorry, but we don't have capacity to provide this fine-grained level of control over image streams. Our recommendation is to disable image stream management and curate the content as they see fit.
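
One way to curate the content by hand once `openshift_examples_load_xpaas=false` is set, as an added example that is not part of the original thread or of openshift-ansible: select only the template files whose name prefixes comment 10 lists as not needing an xPaaS subscription, and print or run the import commands. The function names, the `XPAAS_DIR`, `ALLOWED_PREFIXES` and `DRY_RUN` variables, and the assumption that templates are `*.json` files directly in that directory are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread or openshift-ansible).
# Assumption: templates are *.json files directly inside XPAAS_DIR.
XPAAS_DIR="${XPAAS_DIR:-/usr/share/openshift/examples/xpaas-templates}"
# Prefixes taken from comment 10 (jws3*, sso7*); extend after checking entitlements.
ALLOWED_PREFIXES="${ALLOWED_PREFIXES:-jws3 sso7}"

# Print the path of every template in directory $1 whose file name
# starts with one of the allowed prefixes.
select_templates() {
    dir=$1
    for f in "$dir"/*.json; do
        [ -e "$f" ] || continue            # empty directory: glob did not match
        name=${f##*/}
        for p in $ALLOWED_PREFIXES; do
            case "$name" in
                "$p"*) printf '%s\n' "$f"; break ;;
            esac
        done
    done
}

# Print the import commands (DRY_RUN=1, the default) or run them (DRY_RUN=0).
import_templates() {
    select_templates "$1" | while IFS= read -r f; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'oc create -f %s -n openshift\n' "$f"
        else
            oc create -f "$f" -n openshift
        fi
    done
}
```

Run `import_templates "$XPAAS_DIR"` to review the commands first, then repeat with `DRY_RUN=0` to apply them.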