Bug 2026697

Summary: When using an ImageContentSourcePolicy, the local image pull secret is not used
Product: OpenShift Container Platform
Reporter: Simon Krenger <skrenger>
Component: Node
Assignee: Qi Wang <qiwan>
Node sub component: CRI-O
QA Contact: Sunil Choudhary <schoudha>
Status: CLOSED DEFERRED
Severity: high
Priority: medium
CC: aos-bugs, dwalsh, jokerman, mitr, tsweeney
Version: 4.9
Hardware: x86_64   
OS: Linux   
Last Closed: 2021-12-02 14:46:57 UTC
Type: Bug

Comment 1 Tom Sweeney 2021-11-30 23:02:38 UTC
Valentin, can you take a look at this please?

Comment 2 Tom Sweeney 2021-11-30 23:07:21 UTC
Valentin, ignore this, I think this is a CRIO issue and will send it to the node team to look at.

Comment 3 Peter Hunt 2021-12-01 14:30:02 UTC
I believe this is a kind of duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1975976#c4

Basically, this has to do with the interaction between ICSP and the node's policy.json. ICSP only configures the node's registries.conf (showing what registries mirror to what) but doesn't specify how one is supposed to interact with such registries (authenticated, blocked, always allowed).

I am going to reassign to Qi, as this is more in her purview, but this reads as a feature request to me.

Comment 4 Miloslav Trmač 2021-12-02 13:55:43 UTC
This is not #1975956 , which deals with the "blocked" flag and mirrors.

This is a known and, AFAIK, documented limitation of ICSP: The CRI only allows providing one set of credentials, so any Pod pull secrets for the mirrors are invisible to CRI-O.

A fix is tracked e.g. in https://issues.redhat.com/browse/RFE-1956 , which links to a few other work items. There might well be other bugs / issues referring to this.

Comment 5 Simon Krenger 2021-12-02 14:46:57 UTC
(In reply to Miloslav Trmač from comment #4)
> This is not #1975956 , which deals with the "blocked" flag and mirrors.
> 
> This is a known and, AFAIK, documented limitation of ICSP: The CRI only
> allows providing one set of credentials, so any Pod pull secrets for the
> mirrors are invisible to CRI-O.
> 
> A fix is tracked e.g. in https://issues.redhat.com/browse/RFE-1956 , which
> links to a few other work items. There might well be other bugs / issues
> referring to this.

Thanks for letting me know. In that case, I believe it makes sense to close this BZ and to track RFE-1956.
Updated the relevant Solution: https://access.redhat.com/solutions/6540591