Bug 1716627
| Summary: | Undercloud deployment using containers from authenticated remote registry fails with unable to retrieve auth token: invalid username/password | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Marius Cornea <mcornea> |
| Component: | openstack-tripleo-heat-templates | Assignee: | RHOS Maint <rhos-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Sasha Smolyak <ssmolyak> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 15.0 (Stein) | CC: | dbecker, emacchi, jhajyahy, mburns, morazi, rhos-maint, sbaker |
| Target Milestone: | z2 | Keywords: | TestOnly, Triaged, ZStream |
| Target Release: | 15.0 (Stein) | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-tripleo-heat-templates-10.5.1-0.20190619160415.eff8376.el8ost | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-05 11:59:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1726567 | ||
For now it is required that push_destination:true is set for every entry when the registry needs authentication. We have lots of different tooling calling podman pull on the nodes (paunch, container-puppet.py, pacemaker, etc) so it will be a bit of work to ensure that "podman login" is called in every case.
The following should work, and I'd strongly encourage push_destination:true to be used whenever possible.
containers-prepare-parameter.yaml:
parameter_defaults:
ContainerImagePrepare:
- push_destination: true
set:
ceph_image: default_organization-ceph_containers-rhceph-4_0-rhel8
ceph_namespace: $namespace
ceph_tag: latest
name_prefix: default_organization-osp15_containers-
name_suffix: ''
namespace: $namespace
neutron_driver: ovn
tag: 15.0
tag_from_label: '{version}-{release}'
excludes: [ceph]
- push_destination: true
set:
ceph_image: default_organization-ceph_containers-rhceph-4_0-rhel8
ceph_namespace: $namespace
ceph_tag: latest
includes: [ceph]
ContainerImageRegistryCredentials:
$namespace:
admin: changeme
This one is still work in progress. We had to revert a backport in THT, https://review.opendev.org/#/c/669575/, because of a bug with the task: https://bugs.launchpad.net/tripleo/+bug/1835657. Deployed UC using:
parameter_defaults:
NeutronMechanismDrivers: ovn
ContainerImagePrepare:
- set:
name_prefix: openstack-
namespace: registry.redhat.io/rhosp15-rhel8
tag: latest
ContainerImageRegistryLogin: true
ContainerImageRegistryCredentials:
registry.redhat.io:
user : 'pass'
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text. If this bug does not require doc text, please set the 'requires_doc_text' flag to '-'. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0643 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |
Description of problem: Undercloud deployment with containers from authenticated remote registry fails with unable to retrieve auth token: invalid username/password . containers-prepare-parameter.yaml: parameter_defaults: ContainerImagePrepare: - set: ceph_image: default_organization-ceph_containers-rhceph-4_0-rhel8 ceph_namespace: $namespace ceph_tag: latest name_prefix: default_organization-osp15_containers- name_suffix: '' namespace: $namespace neutron_driver: ovn tag: 15.0 tag_from_label: '{version}-{release}' excludes: [ceph] - push_destination: true set: ceph_image: default_organization-ceph_containers-rhceph-4_0-rhel8 ceph_namespace: $namespace ceph_tag: latest includes: [ceph] ContainerImageRegistryCredentials: $namespace: admin: changeme Version-Release number of selected component (if applicable): openstack-tripleo-common-10.7.1-0.20190525000410.71c099f.el8ost.noarch python3-tripleo-common-10.7.1-0.20190525000410.71c099f.el8ost.noarch openstack-tripleo-common-containers-10.7.1-0.20190525000410.71c099f.el8ost.noarch How reproducible: 100% Steps to Reproduce: 1. Deploy undercloud with container images pulled from a remote authenticated registry(without using --local-push-destination option) Actual results: Deployment fails with invalid username/password errors. Expected results: Credentials specified in containers-prepare-parameter.yaml are used and deployment succeeds. Additional info: Attaching full log.