Bug 1790802

Summary: `oc adm catalog mirror` should pass `--inesecure` option
Product: OpenShift Container Platform Reporter: Jian Zhang <jiazha>
Component: OLMAssignee: Evan Cordell <ecordell>
OLM sub component: OLM QA Contact: Bruno Andrade <bandrade>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high    
Version: 4.3.0   
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-04 11:24:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jian Zhang 2020-01-14 09:00:32 UTC
Description of problem:
`oc adm catalog mirror` does not pass --inesecure to the underlying `oc extract` command, which means mirror doesn't work if mirroring from an untrusted registry (mirroring from a trusted registry or a file works).

Version-Release number of selected component (if applicable):
Cluster version is: 4.3.0-0.nightly-2020-01-14-000626 
[jzhang@dhcp-140-36 ~]$ oc version
Client Version: 4.3.0-0.nightly-2020-01-14-000626
Server Version: 4.3.0-0.nightly-2020-01-14-000626
Kubernetes Version: v1.16.2

How reproducible:
always

Steps to Reproduce:
1. Install the `oc` client.

2. Check the help info.
[jzhang@dhcp-140-36 ~]$ oc adm catalog mirror --inesecure
Error: unknown flag: --inesecure
See 'oc adm catalog mirror --help' for usage.


Actual results:
No '--inesecure' provides.

[jzhang@dhcp-140-36 ~]$ oc adm catalog mirror --help
Mirrors the contents of a catalog into a registry.

 This command will pull down an image containing a catalog database, extract it to disk, query it to find all of the
images used in the manifests, and then mirror them to a target registry.

 By default, the database is extracted to a temporary directory, but can be saved locally via flags.

 An ImageContentSourcePolicy is written to a file that can be adedd to a cluster with access to the target registry.
This will configure the cluster to pull from the mirrors instead of the locations referenced in the operator manifests.

 A mapping.txt file is also created that is compatible with "oc image mirror". This may be used to further customize the
mirroring configuration, but should not be needed in normal circumstances.

Usage:
  oc adm catalog mirror [flags]

Options:
      --dir='': The directory on disk that file:// images will be copied under.
      --dry-run=false: Print the actions that would be taken and exit without writing to the destinations.
      --from-dir='': The directory on disk that file:// images will be read from. Overrides --dir
      --manifests-only=false: Calculate the manifests required for mirroring, but do not actually mirror image content.
      --path='': Specify an in-container to local path mapping for the database.
      --to-manifests='': Local path to store manifests.

Use "oc adm options" for a list of global command-line options (applies to all commands).


Expected results:
Should pass the `--inesecure` option so that `oc adm catalog mirror` can work for the untrusted registry.

Additional info:

Comment 2 Bruno Andrade 2020-01-24 12:21:34 UTC
--insecure option is now available, marking as VERIFIED.


oc version                                                    
Client Version: 4.4.0-0.nightly-2020-01-22-221818

oc adm catalog mirror -h            
Mirrors the contents of a catalog into a registry.

 This command will pull down an image containing a catalog database, extract it to disk, query it to find all of the
images used in the manifests, and then mirror them to a target registry.

 By default, the database is extracted to a temporary directory, but can be saved locally via flags.

 An ImageContentSourcePolicy is written to a file that can be adedd to a cluster with access to the target registry.
This will configure the cluster to pull from the mirrors instead of the locations referenced in the operator manifests.

 A mapping.txt file is also created that is compatible with "oc image mirror". This may be used to further customize the
mirroring configuration, but should not be needed in normal circumstances.

Usage:
  oc adm catalog mirror SRC DEST [flags]

Examples:
  # Mirror an operator-registry image and its contents to a registry
  oc adm catalog mirror quay.io/my/image:latest myregistry.com
  
  # Configure a cluster to use a mirrored registry
  oc apply -f manifests/imageContentSourcePolicy.yaml
  
  # Edit the mirroring mappings and mirror with "oc image mirror" manually
  oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
  oc image mirror -f manifests/mapping.txt

Options:
      --dir='': The directory on disk that file:// images will be copied under.
      --dry-run=false: Print the actions that would be taken and exit without writing to the destinations.
      --filter-by-os='': A regular expression to control which images are considered when multiple variants are
available. Images will be passed as '<platform>/<architecture>[/<variant>]'.
      --from-dir='': The directory on disk that file:// images will be read from. Overrides --dir
      --insecure=false: Allow push and pull operations to registries to be made over HTTP
      --manifests-only=false: Calculate the manifests required for mirroring, but do not actually mirror image content.
      --max-per-registry=4: Number of concurrent requests allowed per registry.
      --path='': Specify an in-container to local path mapping for the database.
  -a, --registry-config='': Path to your registry credentials (defaults to ~/.docker/config.json)
      --skip-verification=false: Skip verifying the integrity of the retrieved content. This is not recommended, but may
be necessary when importing images from older image registries. Only bypass verification if the registry is known to be
trustworthy.
      --to-manifests='': Local path to store manifests.

Use "oc adm options" for a list of global command-line options (applies to all commands).

Comment 4 errata-xmlrpc 2020-05-04 11:24:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581