Bug 1526949

Summary: [ASB] The openshift registry of the ASB works fail
Product: OpenShift Container Platform
Reporter: Jian Zhang <jiazha>
Component: Service Broker
Assignee: Dylan Murray <dymurray>
Status: CLOSED ERRATA
QA Contact: Jian Zhang <jiazha>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.7.0
CC: aos-bugs, chezhang, dymurray, jmatthew, wjiang
Target Milestone: ---
Target Release: 3.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: User did not set `auth_type` in the config.
Fix: We now do not require `auth_type` to be set and default to the configuration file for credentials.
Last Closed: 2018-03-28 14:15:24 UTC
Type: Bug

Comment 1 weiwei jiang 2017-12-18 10:11:50 UTC
FYI

# curl https://jiazha:redhat@sso.redhat.com/auth/realms/rhc4tp/protocol/docker-v2/auth\?service\=docker-registry -X GET -I
HTTP/1.1 500 Internal Server Error
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 1997
Date: Mon, 18 Dec 2017 09:55:12 GMT
Connection: keep-alive
Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNWU4MmIyZmQtYzUwMC00MWExLTk1ZGMtMTFlMTkxNTY1ZjVhIn0.eyJjcyI6ImVlZjRlMWMwLTQ1YmEtNGJiMC05ZWRkLTYxZWNmZGRkMTU3ZiIsImNpZCI6ImRvY2tlci1yZWdpc3RyeSIsInB0eSI6ImRvY2tlci12MiIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNlcnZpY2UiOiJkb2NrZXItcmVnaXN0cnkiLCJzY29wZSI6bnVsbCwiZG9ja2VyLmlzcyI6Imh0dHBzOi8vc3NvLnJlZGhhdC5jb20vYXV0aC9yZWFsbXMvcmhjNHRwIiwiYWNjb3VudCI6bnVsbH19.n92AfvfIcfnZrROMiFCFlmsi8eEdI8cvRdhabLZ0WBo; Version=1; Path=/auth/realms/rhc4tp; HttpOnly
Set-Cookie: BIGipServer~prod~keycloak-webssl-https=610731274.64288.0000; path=/; Httponly; Secure
Set-Cookie: sso_origin_dc=origin-sso-phx2.redhat.com; path=/; domain=sso.redhat.com; secure; HttpOnly
Set-Cookie: sso_origin_dc=novalue; expires=Thu, 21-Dec-1990 11:59:00 GMT;  path=/; domain=sso.redhat.com; secure; HttpOnly


And no idea if the authURL is still available.

Comment 2 Dylan Murray 2017-12-18 14:37:19 UTC
Jian,

I see one problem with your registry config. You are using the URL registry.connect.redhat.com (which is correct in this instance when using the openshift registry adapter). However, the image `openshift3/postgresql-apb` does not exist on this registry. That image exists in RHCC at registry.access.redhat.com. To use that image you would use the `rhcc` registry adapter.

Weiwei,

I will investigate if the authUrl has changed.

First step should be to change the image to one that exists in the ISV registry. I would use `rocketchat/rocketchat-apb`. (https://access.redhat.com/containers/?tab=overview#/registry.connect.redhat.com/rocketchat/rocketchat-apb)

Comment 8 Dylan Murray 2018-01-10 15:54:38 UTC
Zhang & Jian,

I apologize I didn't respond sooner; this was lost in the shutdown. The host is no longer active and I am still unable to reproduce this on my local machine using your credentials. Is it possible that you are dealing with a proxy that cannot talk to registry.connect.redhat.com? I'm happy to look at another host if you can reproduce.

Thanks.

Comment 10 Dylan Murray 2018-01-11 14:34:03 UTC
Jian,

Thank you for setting up another host. I have confirmed that this issue is present in the ansible-service-broker image on the aws registry which you are using. I tested on your host with our latest upstream image and saw success using your credentials. I cannot track down what specific change to the adapter your image is built on but I can confirm it is fixed in the latest builds upstream so I will ensure this fix is in RHCC. I will move the bug to ON_QA when it is built and ready to be tested again.

Comment 12 Dylan Murray 2018-01-12 14:54:26 UTC
Jian,

Thank you for the clarification! You are right, this problem does exist in the 3.7 image. I have figured out what is causing this. We have a bug if the user does not set `auth_type` in the broker config.

To work around this, in the registry config you can set `auth_type` to `config`. This will then use your proper credentials. I am also going to post a PR to set the user/pass if auth_type isn't set.
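
The workaround from comment 12 written out as a registry entry, as an added example that is not part of the original bug report or the project's own files. It assumes the broker config keeps registries in a top-level `registry` list with `type`, `name`, `url`, `user`, `pass` and `images` keys; the entry name and the credentials are placeholders.

```yaml
# Added example (constructed): registry section of the broker config.
# Credentials are placeholders; substitute your own.
registry:
  # Entry as it fails on the 3.7 image: user/pass are present but
  # auth_type is not set, which triggers the bug described in comment 12.
  #
  # - type: openshift
  #   name: isv
  #   url: https://registry.connect.redhat.com
  #   user: <registry-user>
  #   pass: <registry-password>
  #   images:
  #     - rocketchat/rocketchat-apb

  # Same entry with the workaround applied: auth_type is set explicitly
  # so the credentials are read from this config file.
  - type: openshift
    name: isv
    url: https://registry.connect.redhat.com
    user: <registry-user>
    pass: <registry-password>
    auth_type: config
    images:
      # Image that exists in the ISV registry (suggested in comment 2).
      - rocketchat/rocketchat-apb
```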

Comment 14 Dylan Murray 2018-01-12 15:24:26 UTC
Previous PR link was invalid:
https://github.com/openshift/ansible-service-broker/pull/635


This will not be fixed in 3.7.x. I will be filing a docs bug to ensure the user is setting auth_type in the registry config.

Comment 17 Dylan Murray 2018-01-16 19:12:16 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1535026

Associated documentation bug.

Comment 21 errata-xmlrpc 2018-03-28 14:15:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489