Bug 1889945

Summary: [DOCS] provide the prerequisite to enable ImageStream through mirror registry for must-gather IS
Product: OpenShift Container Platform
Reporter: Daein Park <dapark>
Component: Documentation
Assignee: Kathryn Alexander <kalexand>
Status: CLOSED CURRENTRELEASE
QA Contact: XiuJuan Wang <xiuwang>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: medium
Version: 4.5
CC: aos-bugs, jokerman
Target Milestone: ---
Target Release: 4.5.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-10 19:44:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Daein Park 2020-10-21 03:18:09 UTC
Document URL: 

* Gathering data about your cluster
  [ https://docs.openshift.com/container-platform/4.5/support/gathering-cluster-data.html ]

Section Number and Name: 

* Gathering data about your cluster for Red Hat Support
  [ https://docs.openshift.com/container-platform/4.5/support/gathering-cluster-data.html#support_gathering_data_gathering-cluster-data ]

Describe the issue: 

There is no mention of adding the required trusted CAs for the mirror before using ImageStream in restricted network environments.
It's going to cause the import image command to fail.

~~~
If your cluster is using a restricted network you must import the default must-gather image before running the oc adm must-gather command.

$ oc import-image is/must-gather -n openshift
~~~

Suggestions for improvement: 

Provide a procedure for adding the required trusted CAs for the mirror in the same section for must-gather.
A similar procedure is already provided in another section [0]; the procedure is also required in the section for must-gather.

[0] Using Cluster Samples Operator imagestreams with alternate or mirrored registries
    [ https://docs.openshift.com/container-platform/4.5/openshift_images/samples-operator-alt-registry.html#installation-restricted-network-samples_samples-operator-alt-registry ]
~~~
The cli, installer, must-gather, and tests imagestreams, while part of the install payload, are not managed by the Cluster Samples Operator.
These are not addressed in this procedure.
:

4. Add the required trusted CAs for the mirror in the cluster’s image configuration object:

$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
~~~

Additional information: 

This issue was reported by CU.
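
The prerequisite requested above, written out in order as an added example (not part of the bug report or the linked documentation). The mirror address `mirror.example.com:5000` and the CA path `./ca.crt` are placeholders. The ConfigMap creation step, including writing `:` as `..` in the key, is assumed from the standard `additionalTrustedCA` setup and is not quoted on this page.

```shell
#!/bin/sh
# Added example: prints the commands for review instead of running them,
# so it works without cluster access.

# ConfigMap keys cannot contain ":", so a registry address with a port
# (host:port) is written as host..port in the trusted-CA ConfigMap.
ca_configmap_key() {
    case "$1" in
        *:*) printf '%s..%s\n' "${1%:*}" "${1##*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Emit the three steps in the order they must run:
#   1. store the mirror's CA in the openshift-config namespace
#   2. point the cluster image config at that ConfigMap
#   3. import the must-gather imagestream from the mirror
must_gather_prereq_cmds() {
    mirror=$1
    ca_file=$2
    key=$(ca_configmap_key "$mirror")
    cat <<EOF
oc create configmap registry-config --from-file=${key}=${ca_file} -n openshift-config
oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
oc import-image is/must-gather -n openshift
EOF
}

# Placeholder values; replace with the real mirror address and CA bundle.
must_gather_prereq_cmds "mirror.example.com:5000" "./ca.crt"
```

If the import is attempted before the first two steps, the cluster does not trust the mirror's certificate, which is the failure this report describes.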

Comment 2 Kathryn Alexander 2020-10-28 18:17:04 UTC
Daein and I have updated the PR, and I think that all the information is in the best place possible.

Shengsheng Cheng, I think that this issue is most closely related to auth because it involves changing the trusted CA. Will you PTAL or help me find the right person to provide QE?

Comment 3 XiuJuan Wang 2020-11-02 02:29:04 UTC
The docs PR looks good to me.

Comment 4 Kathryn Alexander 2020-11-02 20:19:41 UTC
Thanks! I've merged the change and am waiting for it to go live.