Bug 1476038
Summary: | Can't deploy images from private registries | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Mike Barrett <mbarrett> |
Component: | Image Registry | Assignee: | Oleg Bulatov <obulatov> |
Status: | CLOSED NOTABUG | QA Contact: | ge liu <geliu> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 3.6.0 | CC: | aos-bugs, aweiteka, bparees, dyan, jokerman, maszulik, mbarrett, mfojtik, mmccomas, obulatov, pweil |
Target Milestone: | --- | ||
Target Release: | 3.6.z | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-10-03 20:54:42 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Mike Barrett
2017-07-27 22:16:50 UTC
*** Bug 1476330 has been marked as a duplicate of this bug. *** Here's the series of steps needed to do what Mike wants: 1. Import image: oc import-image hello --from=<private_pull_spec> --confirm This will fail because repo is private. 2. Create import secret: oc secrets new-dockercfg hello --docker-server=<server_address> --docker-username=<username> --docker-password=<password> --docker-email=<email> 3. Re-import image: oc import-image hello 4. Link secret to the default SA running our app: oc secrets link default hello --for=pull 5. Run the image: oc new-app hello Does that help Mike? To summarize this bug as i understand it: When referencing an external, private docker registry from an imagestreamtag, and *not* using the local reference policy, users must: 1) provide a secret to perform the import 2) provide that same secret, or another one, to the deployment service account so it can pull the image at deployment time (same would be true for a job, builder, etc). The concern is that the user must perform two steps (in reality step 1 might be performed by an admin and step 2 would have to be performed by a user). *Because* the two steps might be done by two different users, it is necessary to supply the secret separately. There is no guarantee the user in (2) should be able to see the secret used in (1). Therefore: 1) it's not a bug, at best it's an RFE 2) i don't think we can or should fix it any more so than we'd try to share secrets between builds and deployments. (A build could push an image to a registry that a deployment can't pull from, because the build has different secret configured than the deployment does). I am lowering the severity to remove this from the blocker list but my disposition is to close it entirely unless my understanding of the problem is incorrect. I don't understand, which two steps? 1. oc secrets new-dockercfg dockerhub --docker-server=index.docker.io --docker- username=dmage --docker-password=REDACTED --docker-email=unused 2. oc new-app store/couchbase/couchbase:3.1.5 It works. Closing as not a bug. As Maciej noted earlier in this thread, the way to do this is to follow: https://docs.openshift.com/container-platform/3.5/dev_guide/managing_images.html#private-registries to import the imagestream and https://docs.openshift.com/container-platform/3.5/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries to deploy. The web console experience may or may not need improvement, but there's nothing fundamentally broken about deploying images from private registries. Effectively the steps are: 1) create a docker secret that can pull the image (this will allow image imports to succeed) 2) link that secret to your default service account (this will allow pods to pull the image) 3) create the imagestream and allow it to be imported (it will use the secret from (1)) 4) create the deployment config referencing the imagestream (the pod that gets created will pull the image using the secret from (1) as long as it is run with the service account from (2). The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |