Bug 1820250

Summary: Pods using internal images cannot pull the images after the migration
Product: OpenShift Container Platform Reporter: Sergio <sregidor>
Component: Migration ToolingAssignee: Scott Seago <sseago>
Status: CLOSED ERRATA QA Contact: Xin jiang <xjiang>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.4CC: chezhang, dymurray, jmatthew, pvauter, rpattath, whu, xjiang
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-28 11:09:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
logs none

Description Sergio 2020-04-02 15:23:24 UTC
Created attachment 1675803 [details]

Description of problem:
When we migrate pods that are not owned by any deployment and use internal images, the pods in the target cluster cannot pull the images after the migration.

Version-Release number of selected component (if applicable):
CAM 1.1.2 stage
Target cluster: OCP 4.3
Source cluster: OCP 3.9

How reproducible:

Steps to Reproduce:
1. Create the project
oc new-project bztest
2. Mirror a image to a imagestream in this project
$ oc process -f  https://github.com/sergiordlr/temp-testfiles/blob/master/helpers/mirror_helper_template.yml?raw=true -p NAMESPACE=bztest -p INT_REGISTRY=docker-registry.default.svc:5000 --namespace=bztest -p TGT_IMAGE=bztest/test-mirror:latest  | oc create -f -
3. Create a pod using this image
apiVersion: v1
kind: Pod
  generateName: bztest-
  namespace: bztest
    app: bztest
  - args:
    - echo 'Hello world! I can load the image. docker-registry.default.svc:5000/bztest/test-mirror:latest';
      while true; do sleep 30; done;
    - /bin/sh
    - -c
    - --
    image: docker-registry.default.svc:5000/bztest/test-mirror:latest
    imagePullPolicy: Always
    name: podtest
    resources: {}
  restartPolicy: OnFailure

4. Migrate

Actual results:
In target cluster the pod cannot pull the image (it has configured the dockercfg secret from the source cluster)
$ oc get pods
NAME           READY   STATUS         RESTARTS   AGE
bztest-2mvbg   0/1     ErrImagePull   0          100s


  Type     Reason     Age                         From                                                Message
  ----     ------     ----                        ----                                                -------
  Normal   Scheduled  <unknown>                   default-scheduler                                   Successfully assigned bztest/bztest-2mvbg to ip-10-0-76-171.us-east-2.compute.internal
  Normal   Pulling    7m3s (x4 over 8m22s)        kubelet, ip-10-0-76-171.us-east-2.compute.internal  Pulling image "image-registry.openshift-image-registry.svc:5000/bztest/test-mirror:latest"
  Warning  Failed     7m3s (x4 over 8m22s)        kubelet, ip-10-0-76-171.us-east-2.compute.internal  Failed to pull image "image-registry.openshift-image-registry.svc:5000/bztest/test-mirror:latest": rpc error: code = Unknown desc = Error reading manifest latest in image-registry.openshift-image-registry.svc:5000/bztest/test-mirror: unauthorized: authentication required
  Warning  Failed     7m3s (x4 over 8m22s)        kubelet, ip-10-0-76-171.us-east-2.compute.internal  Error: ErrImagePull
  Warning  Failed     6m48s (x6 over 8m21s)       kubelet, ip-10-0-76-171.us-east-2.compute.internal  Error: ImagePullBackOff
  Normal   BackOff    <invalid> (x42 over 8m21s)  kubelet, ip-10-0-76-171.us-east-2.compute.internal  Back-off pulling image "image-registry.openshift-image-registry.svc:5000/bztest/test-mirror:latest"

Expected results:
The pod should be able to pull the internal image after the migration

Additional info:
The dockerconfig secret configured in the pod after the migration is the secret used in the source cluster, not the secret corresponding to the target cluster.

Comment 5 Sergio 2020-05-08 15:12:02 UTC
Verified using CAM 1.2
4.2 -> 4.3

Following the steps to reproduce the issue we were able to run the migration successfully, and the pods were running without problems in the target migration after the migration.

Comment 7 errata-xmlrpc 2020-05-28 11:09:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
