Description of problem:
After securing and exposing registry, running "docker pull" against the registry ip and port works fine, however running "docker pull" against the registry route fails with "unauthorized".

# oc get pods -w
NAME                   READY     STATUS         RESTARTS   AGE
test-apache-1-jr0hd    1/1       Running        0          1d
test-apache-2-deploy   1/1       Running        0          8s
test-apache-2-vu9fc    0/1       ErrImagePull   0          5s

# oc get events -w
. . .
2017-05-04 14:25:13 -0400 EDT 2017-05-04 14:24:56 -0400 EDT 2 test-apache-2-vu9fc Pod spec.containers{test-apache} Warning Failed {kubelet node01.example.com} Failed to pull image "docker-registry.example.company.com/test/test-apache@sha256:559a3ea19c63a8f69085e355baeed58e5b98bc90e0443da40c9e83aa021b25ed": image pull failed for docker-registry.example.company.com/test/test-apache@sha256:559a3ea19c63a8f69085e355baeed58e5b98bc90e0443da40c9e83aa021b25ed, this may be because there are no credentials on this request. details: (unauthorized: authentication required)

However if using registry ip and port, pods run fine (test-apache-1-jr0hd is an example). Also, docker pull against route works:

# docker pull docker-registry.example.company.com/openshift/metrics-hawkular-metrics:3.3.0
Trying to pull repository docker-registry.example.company.com/openshift/metrics-hawkular-metrics ...
3.3.0: Pulling from docker-registry.example.company.com/openshift/metrics-hawkular-metrics
99de704d97c2: Already exists
f89a2abdf250: Already exists
542424590006: Already exists
494ef1d512a0: Already exists
2b64ecc1bef5: Already exists
5a28e228ee91: Already exists
Digest: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Version-Release number of selected component (if applicable):
3.4.0

How reproducible:
Unreproduced

Uploading more info in priv comments
Are you running the manual pull from the same node that failed to deploy? And did the IP pull work from the same node that the route-based pull failed on? However, I don't think this is a route problem... reassigning to the Kubernetes team.
It appears the root cause was identified. Steven, if the solution described by Solly does not work for your customer, feel free to re-open. You may also want your customer to open an RFE for the following: "In the future, it might not be a bad idea for us to auto-generate pull secrets for referring to the registry by route or service DNS name, since these are more human-readable."
Opened RFE here if anyone is interested: https://bugzilla.redhat.com/show_bug.cgi?id=1459698
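
An added diagnostic example, not part of the bug thread: it checks whether a dockercfg pull secret has an entry for the registry name used in an image reference, which is the gap the RFE quote above points at. The secret contents, the 172.30.0.10:5000 address and the exact-host matching rule (a simplification of how the kubelet matches credentials) are assumptions made for illustration.

```python
import base64
import json


def load_dockercfg(secret):
    """Decode the .dockercfg payload of a kubernetes.io/dockercfg secret object."""
    return json.loads(base64.b64decode(secret["data"][".dockercfg"]))


def registry_host(image_ref):
    """Return host[:port] of an image reference, or None if it names no registry."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return None


def normalize_key(key):
    """Reduce a dockercfg key (bare host or URL) to host[:port]."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()


def matching_entry(image_ref, dockercfg):
    """Return the dockercfg key whose host equals the image's registry, else None."""
    host = registry_host(image_ref)
    for key in dockercfg:
        if host is not None and normalize_key(key) == host:
            return key
    return None


def make_secret(entries):
    """Build a constructed dockercfg secret, shaped like `oc get secret -o json`."""
    raw = json.dumps(entries).encode()
    return {"type": "kubernetes.io/dockercfg",
            "data": {".dockercfg": base64.b64encode(raw).decode()}}


# Constructed sample: credentials exist only for the registry IP and port.
# 172.30.0.10:5000 and the password are placeholders, not values from the report.
SAMPLE_SECRET = make_secret({
    "172.30.0.10:5000": {"username": "serviceaccount", "password": "PLACEHOLDER",
                          "email": "serviceaccount@example.org"},
})
BY_IP = "172.30.0.10:5000/test/test-apache:latest"
BY_ROUTE = "docker-registry.example.company.com/test/test-apache@sha256:PLACEHOLDER"

if __name__ == "__main__":
    cfg = load_dockercfg(SAMPLE_SECRET)
    for ref in (BY_IP, BY_ROUTE):
        print(ref, "->", matching_entry(ref, cfg) or "no credentials for this registry name")
```

To run it against a real cluster, replace SAMPLE_SECRET with the JSON of the service account's dockercfg secret and pass the image reference from the failing pod spec.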