Bug 1826740
Summary: | .spec.registrySources.insecureRegistries does not work as expected | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Christian Koep <ckoep> |
Component: | Dev Console | Assignee: | Jaivardhan Kumar <jakumar> |
Status: | CLOSED ERRATA | QA Contact: | Gajanan More <gamore> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 4.4 | CC: | aballant, aos-bugs, bparees, cvogt, jakumar, jokerman, ngirard, nmukherj, sbudhwar |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | 4.6.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: UI wont allow insecure registry to be imported
Consequence: User won't be able to import images from any insecure registries.
Fix: Allowed import from insecure registries
in UI added a checkbox that will add `importPolicy: { insecure: true }` to the ImageStreamImport request.
Result: user can import images from any insecure registries.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-10-27 15:58:27 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Christian Koep
2020-04-22 13:24:23 UTC
new-app itself is trying to reach the registry to inspect the image you want to deploy. So your client machine (the one where you are running new-app) needs to be able to trust the registry also. That is where the error is coming from, not the cluster/node. you can pass --insecure-registry to new-app to get around this. Alternatively, you can add a CA to the cluster with these instructions: https://docs.openshift.com/container-platform/4.3/builds/setting-up-trusted-ca.html#configmap-adding-ca_setting-up-trusted-ca Adding a CA to the cluster won't help, this is purely a client side operation within oc new-app, it doesn't use cluster CAs. (adding the CA will help when it comes time for the cluster to actually pull the image, though, after new-app sets up all the resources). (In reply to Ryan Phillips from comment #2) > Alternatively, you can add a CA to the cluster with these instructions: > > https://docs.openshift.com/container-platform/4.3/builds/setting-up-trusted- > ca.html#configmap-adding-ca_setting-up-trusted-ca I can confirm that this works, thank you. (In reply to Ben Parees from comment #1) > new-app itself is trying to reach the registry to inspect the image you want > to deploy. So your client machine (the one where you are running new-app) > needs to be able to trust the registry also. That is where the error is > coming from, not the cluster/node. > > you can pass --insecure-registry to new-app to get around this. Thank you Ben for your update. I can see how the setting does not affect the "oc new-app" command based on the way it actually works (it does not use or care about /etc/containers/registries.conf on the nodes). However, the same behaviour applies to the developer console - in which we do not have a way to "accept insecure" registries. https://i.imgur.com/lyh41Uy.png This is a problem for customers looking to migrate workloads from Kubernetes ("non-OpenShift") or from OpenShift Container Platform 3. Hence I'll move this bug to the Dev Console team as discussed with Ben. Verified: OpenShift Version: 4.6.0-0.nightly-2020-06-16-214732 Kubernetes Version :v1.18.3+e1ba7b6 cluster URL: https://console-openshift-console.apps.ci-ln-w51vw82-d5d6b.origin-ci-int-aws.dev.rhcloud.com/ Browser: Chrome I have validated the bugzilla on: Version:4.6.0-0.nightly-2020-07-05-234845 Browser: Google Chrome Version 81.0.4044.129 Marking this as verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196 *** Bug 1902344 has been marked as a duplicate of this bug. *** |