Description of problem:
Cannot perform an "oc import-image" from an image that requires authentication from the Red Hat Container Catalog

Version-Release number of selected component (if applicable):
CDK 3.0.0
openshift v3.5.5.8
kubernetes v1.5.2+43a9be4

How reproducible:
Always

Steps to Reproduce:
1. Create secret containing .dockercfg

    oc secrets new-dockercfg rhcc --docker-server=registry.connect.redhat.com --docker-username=<user_name> --docker-password=<password> --docker-email=<email>

2. Link the secret to the default service account as a Pull Secret

    oc secrets link default rhcc --for=pull

3. Create the ImageStream

    oc import-image my-rocketchat/rocketchat --from=registry.connect.redhat.com/rocketchat/rocketchat --confirm

Actual results:

    oc import-image my-rocketchat/rocketchat --from=registry.connect.redhat.com/rocketchat/rocketchat --confirm
    The import completed with errors.

    Name: rocketchat
    Namespace: rocketchat
    Created: About an hour ago
    Labels: app=rocketchat-mongodb
            application=rocketchat
            template=rocketchat
    Annotations: openshift.io/image.dockerRepositoryCheck=2017-06-19T04:49:13Z
    Docker Pull Spec: 172.30.1.1:5000/rocketchat/rocketchat
    Unique Images: 0
    Tags: 1

    latest
      tagged from registry.connect.redhat.com/rocketchat/rocketchat

      ! error: Import failed (InternalError): Internal error occurred: Get https://registry.connect.redhat.com/v2/rocketchat/rocketchat/manifests/latest: unable to decode token response: invalid character '<' looking for beginning of value
          1 second ago

Expected results:
The image would be imported successfully

Additional info:
As an additional test, an application was deployed using the image directly within a DeploymentConfig and not referencing an ImageStream which resulted in the successful retrieval of the protected image and start of the container

Snippet of DeploymentConfig

    ...
    image: registry.connect.redhat.com/rocketchat/rocketchat:0.56.0
    imagePullPolicy: Always
    ...
The problem here is that the initial request to https://registry.connect.redhat.com redirects to https://sso.redhat.com/auth/realms/rhc4tp/protocol/docker-v2/auth for authentication. A similar issue was raised in https://github.com/openshift/origin/issues/9584 already. We need to improve our secret matching algorithm to match several secrets properly.
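The host mismatch described in the comment above, as an added Go example (not code from OpenShift or from the PR): a keyring keyed by the registry host has no entry for the token server, and decoding an HTML body as a token response produces the error shown in the report. It assumes the delegation arrives as a Bearer challenge; the challenge string, its `service` value, the HTML body and all function names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
)

// Constructed sample data; only the two host names and the realm URL come from the bug report.
const (
	registryURL = "https://registry.connect.redhat.com/v2/"
	challenge   = `Bearer realm="https://sso.redhat.com/auth/realms/rhc4tp/protocol/docker-v2/auth",service="docker-registry"`
	loginPage   = "<html><body>Sign in</body></html>" // constructed non-JSON response body
)

// Keyring maps a server host to credentials, like the entries of a .dockercfg secret.
type Keyring map[string]string

var paramRE = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseChallenge returns the key="value" parameters of a WWW-Authenticate header.
func ParseChallenge(h string) map[string]string {
	out := map[string]string{}
	for _, m := range paramRE.FindAllStringSubmatch(h, -1) {
		out[m[1]] = m[2]
	}
	return out
}

// Lookup returns the credentials stored for the host of rawURL, if any.
func (k Keyring) Lookup(rawURL string) (string, bool) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false
	}
	cred, ok := k[u.Host]
	return cred, ok
}

// DecodeToken parses a token endpoint response body as JSON.
func DecodeToken(body string) (string, error) {
	var t struct {
		Token string `json:"token"`
	}
	err := json.Unmarshal([]byte(body), &t)
	return t.Token, err
}

func main() {
	keys := Keyring{"registry.connect.redhat.com": "user:constructed-password"}
	_, byRealm := keys.Lookup(ParseChallenge(challenge)["realm"]) // keyed on the token server host
	_, byRegistry := keys.Lookup(registryURL)                     // keyed on the registry that issued the challenge
	_, err := DecodeToken(loginPage)
	fmt.Println(byRealm, byRegistry, err)
}
```

Matching on the registry that issued the challenge is shown only to contrast the two lookups; it is not the handler design the thread goes on to discuss.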
*** Bug 1473810 has been marked as a duplicate of this bug. ***
There's a PR in-flight: https://github.com/openshift/origin/pull/14851. I'll make sure this is addressed in 3.7 time-frame.
I've discussed the approach from the aforementioned PR with Michal Minar and we agreed that approach is not acceptable b/c of security concerns. We need appropriate authorization handler implemented that will know how to match request with a secret. I've created https://trello.com/c/o8tqoSAp/1345-support-importing-from-registries-having-delegated-authorization and I'm re-assigning this issue to Michal.
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers. Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant. This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.