Bug 1506066

Summary: [platformmanagement_public_850]Can't import the image signature from the RedHat registry
Product: OpenShift Container Platform Reporter: zhou ying <yinzhou>
Component: Image RegistryAssignee: Michal Fojtik <mfojtik>
Status: CLOSED CURRENTRELEASE QA Contact: Dongbo Yan <dyan>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.7.0CC: aos-bugs, dyan
Target Milestone: ---   
Target Release: 3.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-21 18:38:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
import image none

Description zhou ying 2017-10-25 02:41:12 UTC 
Description of problem:
When import image from RedHat registry should import the image signature at the same time when setup the configuration about the related registry

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.176.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

How reproducible:
always

Steps to Reproduce:
1. Build env by jenkins job;
2. Login OpenShift and create project;
3. Setup configuration about the related image registry on all the master:
cat /etc/containers/registries.d/redhat.yaml
docker:
    registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore
4. Restart master service: atomic-openshift-master-api,atomic-openshift-master-controllers;
5. As normal user import image from RH registry:
  `oc tag --source=docker registry.access.redhat.com/rhel7 rhel:7`
6. Check the logs from master service: atomic-openshift-master-controllers.

Actual results:
6. No signature imported:
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.140959   14158 signature_import_controller.go:61] Adding image sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.140989   14158 signature_import_controller.go:132] Initiating download of signatures for sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.433944   14158 signature_import_controller.go:148] No signatures dowloaded for sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954



Expected results:
6. The image has signature, should import the signature succeed.


Additional info:
When the OpenShift start by `oc cluster up` could import the image signature succeed.
Comment 1 Michal Fojtik 2018-01-18 09:36:50 UTC 
Can I see the result of `oc get image sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954 -o yaml` ?
Comment 3 Dongbo Yan 2018-01-23 11:47:21 UTC 
Created attachment 1384807 [details]
import image
Comment 4 Dongbo Yan 2018-01-23 11:48:37 UTC 
I can see signature after tagging image

# oc describe istag rhel:7
Image Name:		sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Docker Image:		registry.access.redhat.com/rhel7@sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Name:			sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Created:		44 seconds ago
Annotations:		image.openshift.io/dockerLayersOrder=ascending
Image Size:		74.88MB (first layer 74.88MB, last binary layer 1.239kB)
Image Signatures:	 
			Name:	sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679@22272cad1f902a4f1e378c0d0626a61a912ab3a91d837039e80e5c9562185e9f
			Type:	AtomicImageV1
			Status:	Unverified
Image Created:		2 months ago
Author:			Red Hat, Inc.

oc v3.9.0-0.22.0
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://:8443
openshift v3.9.0-0.22.0
kubernetes v1.9.1+a0ce1bc657