Bug 1494231
| Summary: | oc import-image generates x509 error when trying to import an image | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Rob Cernich <rcernich> |
| Component: | ImageStreams | Assignee: | Oleg Bulatov <obulatov> |
| Status: | CLOSED ERRATA | QA Contact: | Dongbo Yan <dyan> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.6.1 | CC: | aos-bugs, bparees, jokerman, mmccomas, rcernich |
| Target Milestone: | --- | ||
| Target Release: | 3.7.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: importPolicy.insecure is ignored in `oc import-image <imagestream:tag>`
Consequence: re-import from an insecure registry fails because it expects a valid SSL certificate.
Fix: when the image stream tag exists, use its importPolicy.insecure
Result: re-import succeed
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-11-28 22:12:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Forgot to add, the import succeeds if you also add openshift.io/image.insecureRepository: true to the annotations on the image stream. Alexey has a few blockers already, Oleg can you take a look at this one? > setting generation back to 0 sometimes allows the import to succeed.
Can you provide the exact path to the generation field? .metadata.generation or .spec.tags.generation?
.metadata.generation Verified # oc version oc v3.7.0-0.159.0 kubernetes v1.7.6+a08f5eeb62 features: Basic-Auth GSSAPI Kerberos SPNEGO Server https://:8443 openshift v3.7.0-0.153.0 kubernetes v1.7.6+a08f5eeb62 cannot reproduce this issue Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188 |
Description of problem: Version-Release number of selected component (if applicable): OCP 3.6.1. How reproducible: Steps to Reproduce: 1. Create an image in an insecure registry 2. Create an image stream, with a tag definition pointing to the image (i.e. tag: from: ...) and importPolicy: { insecure: true }. 3. import the image tag, e.g. oc import-image image:tag. notice the x509 error. also notice that the import may have succeeded. 4. Successive imports appear to fail, but setting generation back to 0 sometimes allows the import to succeed. Actual results: import fails Expected results: import updates the tag Additional info: