Bug 1888936

Summary: Cannot update Encrypt flag from image-registry config operator
Product: OpenShift Container Platform
Component: Image Registry
Version: 4.5
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Reporter: Martin Ouimet <mouimet>
Assignee: Oleg Bulatov <obulatov>
QA Contact: Wenjing Zheng <wzheng>
CC: aos-bugs, scuppett
Target Milestone: ---
Target Release: 4.7.0
Hardware: All
OS: Linux
Last Closed: 2020-10-19 11:28:28 UTC
Type: Bug

Description Martin Ouimet 2020-10-16 12:26:06 UTC
Description of problem:

I configured Image Registry to use S3 provided by Noobaa (from OCS installation). 

The operator succeeds, but I am unable to push an image to the registry. I get error 500.

I realized this is caused by the switch "encrypt" from the s3 configuration in configs.imageregistry.operator.openshift.io cluster. When trying to set encrypt to false, the configuration always goes back to true. 

The only way I found to set the encrypt flag to false is to configure the image registry to use a PVC claim and then, once the image registry is back, update the configuration with s3 with the flag encrypt explicitly set to false.

The documentation states that the default for encrypt is false.


Version-Release number of selected component (if applicable):
4.5.14

I know this was working fine in 4.4. I cannot say if this encrypt feature appeared in 4.5 or in a sub-version of 4.5.


Steps to Reproduce:

Install OCP 4.5.14
Install OCS 4.5
Create an object bucket claim (or a bucket directly in Noobaa)
Configure image registry to use the new bucket
 - Create secret image-registry-private-configuration-user with bucket creds.
 - edit configs.imageregistry.operator.openshift.io cluster
 - example:

  storage:
    s3:
      bucket: image-registry-395028b0-141b-4242-84a1-1f4a9099aa7c
      encrypt: false
      region: noobaa
      regionEndpoint: https://s3-openshift-storage.apps.ocp-east.mouimetlab.com
      virtualHostedStyle: false

Actual results:

 - Image registry status will be OK, since access to the bucket works.
 - Create an image stream in a project.
 - Try to podman push to the image stream (should get 500).

 - Try to update configs.imageregistry.operator.openshift.io cluster and change the flag encrypt to false.

 - Check the output of
   oc get configs.imageregistry.operator.openshift.io cluster -o yaml

   The flag encrypt will be true.

 

Expected results:

- Expected to be able to set encrypt flag to false. 


Additional info:

Looks like Noobaa does not support the encrypt feature. It only works when encrypt flag is false. 

I expect that a customer could face this issue using any local S3-compatible devices for the image registry backend.

Same behaviour on AWS, bare metal and UPI VMware.

Comment 1 Stephen Cuppett 2020-10-19 11:23:50 UTC
Setting target release to the active development branch (4.7.0). For any fixes, where required and requested, cloned BZs will be created for those release maintenance streams where appropriate once they are identified.

Comment 2 Oleg Bulatov 2020-10-19 11:28:28 UTC

*** This bug has been marked as a duplicate of bug 1814709 ***