Bug 1795272
| Summary: | [CLI] oc adm catalog build neither supports "-a, --registry-config=" flag, nor uses podman registry credentials file | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | rdomnu | |
| Component: | oc | Assignee: | Bowen Song <bsong> | |
| Status: | CLOSED ERRATA | QA Contact: | Jian Zhang <jiazha> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 4.3.z | CC: | aos-bugs, bsong, ecordell, jokerman, maszulik, mfojtik, mharri, susuresh, tjungbau | |
| Target Release: | 4.4.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| : | 1797026 (view as bug list) | Environment: | ||
| Last Closed: | 2020-05-04 11:27:22 UTC | Type: | Bug | |
| Bug Blocks: | 1797026 | |||
1. Create a docker registry server with basic auth:

```
[jzhang@dhcp-140-36 ~]$ docker run --entrypoint htpasswd registry:2 -Bbn test redhat > auth/htpasswd
[jzhang@dhcp-140-36 ~]$ docker run -it --rm -p 5000:5000 --name=registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /home/jzhang/goproject/src/github.com/operator-framework/operator-lifecycle-manager/pkg/lib/filemonitor/testdata/:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server-new.crt -e REGISTRY_HTTP_TLS_KEY=/certs/server-new.key registry
```

2. Log in to this registry with podman.

```
[jzhang@dhcp-140-36 ~]$ podman login localhost:5000 --log-level=debug
INFO[0000] running as rootless
Authenticating with existing credentials...
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/localhost:5000
DEBU[0000] GET https://localhost:5000/v2/
DEBU[0000] Ping https://localhost:5000/v2/ status 401
DEBU[0000] GET https://localhost:5000/v2/
Existing credentials are invalid, please enter valid username and password
Username (jiazha): test
Password:
DEBU[0009] Looking for TLS certificates and private keys in /etc/docker/certs.d/localhost:5000
DEBU[0009] GET https://localhost:5000/v2/
DEBU[0009] Ping https://localhost:5000/v2/ status 401
DEBU[0009] GET https://localhost:5000/v2/
Login Succeeded!
```

3. Check the auth info in the config of podman:

```
[jzhang@dhcp-140-36 ~]$ cat /run/user/1000/containers/auth.json
{
    "auths": {
        "localhost:5000": {
            "auth": "dGVzdDpyZWRoYXQ="
        }
    }
}
```

4. Check the config of docker and confirm there is no auth info for this local registry.

```
[jzhang@dhcp-140-36 ~]$ cat ~/.docker/config.json |grep localhost
```

5. Run `oc adm catalog build` without specifying the auth file. It failed to upload, see below:

```
[jzhang@dhcp-140-36 ~]$ oc adm catalog build --appregistry-endpoint=https://quay.io/cnr --appregistry-org=redhat-operators --to=localhost:5000/olm/redhat-operators:v1
INFO[0020] loading Bundles ...
...
INFO[0022] directory dir=/tmp/cache-263988027/manifests-652025920 file=4.3 load=package
Uploading ... failed
Unable to connect to the server: no basic auth credentials
```

6. Run `oc adm catalog build` with the `-a` flag to set the auth info. It worked well, see below:

```
[jzhang@dhcp-140-36 ~]$ oc adm catalog build -a /run/user/1000/containers/auth.json --appregistry-endpoint=https://quay.io/cnr --appregistry-org=redhat-operators --to=localhost:5000/olm/redhat-operators:v1
INFO[0027] loading Bundles dir=/tmp/cache-841580676/manifests-848629693 ...
...
INFO[0028] directory dir=/tmp/cache-841580676/manifests-848629693 file=4.2-s390x load=package
INFO[0028] directory dir=/tmp/cache-841580676/manifests-848629693 file=4.3 load=package
Uploading ... 14.42MB/s
Uploading 9.484MB ...
Uploading 3.405MB ...
Pushed sha256:947a50b0eef81c594077d0b1444d9bcad0e7ab3f7bea50280989cc08a2f95890 to localhost:5000/olm/redhat-operators:v1

[jzhang@dhcp-140-36 ~]$ oc version
Client Version: 4.4.0-0.nightly-2020-02-04-032141
Server Version: 4.4.0-0.nightly-2020-02-02-201619
Kubernetes Version: v1.17.1
```

LGTM, verify it.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581
Description of problem:

"oc adm catalog build" command doesn't support "-a, --registry-config=" flag for specifying the location of the pull secrets file. If one authenticates to the mirror registry using podman, "oc adm catalog build" doesn't use the credentials file created by podman ("/run/containers/0/auth.json") when trying to authenticate to the mirror registry. However, "oc adm catalog build" reads the authentication file where Docker stores its credentials ("~/.docker/config.json").

Version-Release number of selected component (if applicable):

4.3.0

How reproducible:

Steps to Reproduce:

1. podman login registry.local.domain:5000

```
Authenticating with existing credentials...
Existing credentials are valid. Already logged in to registry.local.domain:5000
```

2. cat /run/containers/0/auth.json

```
{
    "auths": {
        "registry.local.domain:5000": {
            "auth": "xxx"
        }
    }
}
```

3. oc adm catalog build --appregistry-endpoint https://quay.io/cnr --appregistry-org redhat-operators --to=registry.local.domain:5000/olm/redhat-operators:v1

```
.....
INFO[0029] directory dir=/tmp/manifests-688476959 file=4.2-s390x load=package
INFO[0029] directory dir=/tmp/manifests-688476959 file=4.3 load=package
Uploading ... failed
Unable to connect to the server: no basic auth credentials
```

Actual results:

Fail to authenticate to mirror registry

Expected results:

Successful authentication and push to mirror registry

Workaround:

- if using podman, copy your pull secrets file or the default podman authentication file to ~/.docker/config.json before running "oc adm catalog build" command:

```
cp /run/containers/0/auth.json ~/.docker/config.json
```
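Added example, not part of the bug report and not code from `oc` or podman: a Python sketch that shows which credentials file holds a login for a registry (the check done in steps 3 and 4 of the verification above) and then copies only that registry's entry into the Docker-style file with mode 0600, since the `cp` in the workaround replaces `~/.docker/config.json` and any other logins stored in it. The function names and the temporary sample files are constructed for illustration; on a real host you would pass the podman `auth.json` and `~/.docker/config.json` paths named in the report.

```python
import base64
import json
import os
import tempfile
from pathlib import Path

def load_auths(path):
    """Return the "auths" map of a podman/docker credentials file, or {} if absent."""
    try:
        return json.loads(Path(path).read_text()).get("auths", {})
    except FileNotFoundError:
        return {}

def locate_credentials(registry, paths):
    """Map each candidate file to the username it stores for `registry` (None if none)."""
    found = {}
    for path in paths:
        entry = load_auths(path).get(registry)
        user = None
        if entry and entry.get("auth"):
            # "auth" is base64("user:password"); report the user only, never the secret.
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        found[str(path)] = user
    return found

def merge_registry_auth(src, dst, registry):
    """Copy one registry entry from src into dst, keeping dst's other entries, mode 0600."""
    entry = load_auths(src)[registry]          # KeyError if src has no login for it
    dst = Path(dst)
    config = json.loads(dst.read_text()) if dst.exists() else {}
    config.setdefault("auths", {})[registry] = entry
    dst.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(dst, 0o600)                        # tighten a pre-existing file too

def demo():
    """Constructed sample files standing in for auth.json and ~/.docker/config.json."""
    tmp = Path(tempfile.mkdtemp())
    podman, docker = tmp / "auth.json", tmp / ".docker" / "config.json"
    podman.write_text(json.dumps({"auths": {"localhost:5000": {"auth": "dGVzdDpyZWRoYXQ="}}}))
    docker.parent.mkdir()
    docker.write_text(json.dumps({"auths": {"quay.io": {"auth": "ZGVtbzpkZW1v"}}}))
    before = locate_credentials("localhost:5000", [podman, docker])
    merge_registry_auth(podman, docker, "localhost:5000")
    after = locate_credentials("localhost:5000", [podman, docker])
    return before, after, sorted(load_auths(docker)), oct(docker.stat().st_mode & 0o777)
```

`demo()` returns the lookup result before and after the merge, the registries present in the Docker-style file afterwards, and that file's permission bits.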