Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1462606

Summary: Cannot import image from Red Hat Container Catalog which requires authentication
Product: OpenShift Container Platform Reporter: Andrew Block <andrew.block>
Component: RFEAssignee: Ben Parees <bparees>
Status: CLOSED WONTFIX QA Contact: Xiaoli Tian <xtian>
Severity: high Docs Contact:
Priority: high    
Version: 3.5.0CC: aos-bugs, aweiteka, bparees, jokerman, mmccomas, peasters, pweil
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Mac OS   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-12 11:54:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrew Block 2017-06-19 05:00:20 UTC 
Description of problem:

Cannot perform an "oc import-image" from an image that requires authentication from the Red Hat Container Catalog


Version-Release number of selected component (if applicable):

CDK 3.0.0
openshift v3.5.5.8
kubernetes v1.5.2+43a9be4

How reproducible:

Always

Steps to Reproduce:
1. Create secret containing .dockercfg

oc secrets new-dockercfg rhcc --docker-server=registry.connect.redhat.com --docker-username=<user_name> --docker-password=<password> --docker-email=<email>

2. Link the secret to the default service account as a Pull Secret

oc secrets link default rhcc --for=pull

3. Create the ImageStream

oc import-image my-rocketchat/rocketchat --from=registry.connect.redhat.com/rocketchat/rocketchat --confirm


Actual results:

oc import-image my-rocketchat/rocketchat --from=registry.connect.redhat.com/rocketchat/rocketchat --confirm
The import completed with errors.

Name:			rocketchat
Namespace:		rocketchat
Created:		About an hour ago
Labels:			app=rocketchat-mongodb
			application=rocketchat
			template=rocketchat
Annotations:		openshift.io/image.dockerRepositoryCheck=2017-06-19T04:49:13Z
Docker Pull Spec:	172.30.1.1:5000/rocketchat/rocketchat
Unique Images:		0
Tags:			1

latest
  tagged from registry.connect.redhat.com/rocketchat/rocketchat

  ! error: Import failed (InternalError): Internal error occurred: Get https://registry.connect.redhat.com/v2/rocketchat/rocketchat/manifests/latest: unable to decode token response: invalid character '<' looking for beginning of value
      1 second ago


Expected results:

The image would be imported successfully


Additional info:

As an additional test, an application was deployed using the image directly within a DeploymentConfig and not referencing an ImageStream which resulted in the successful retrieval of the protected image and start of the container

Snippet of DeploymentConfig

...
        image: registry.connect.redhat.com/rocketchat/rocketchat:0.56.0
        imagePullPolicy: Always
...
Comment 1 Maciej Szulik 2017-06-21 15:51:25 UTC 
The problem here is that the initial request to https://registry.connect.redhat.com redirects to https://sso.redhat.com/auth/realms/rhc4tp/protocol/docker-v2/auth for authentication. A similar issue was raised in https://github.com/openshift/origin/issues/9584 already. We need to improve our secret matching algorithm to match several secrets properly.
Comment 3 Aaron Weitekamp 2017-07-28 14:23:17 UTC 
*** Bug 1473810 has been marked as a duplicate of this bug. ***
Comment 5 Maciej Szulik 2017-08-10 10:43:41 UTC 
There's a PR in-flight: https://github.com/openshift/origin/pull/14851. I'll make sure this is addressed in 3.7 time-frame.
Comment 6 Maciej Szulik 2017-09-14 09:49:05 UTC 
I've discussed the approach from the aforementioned PR with Michal Minar and we agreed that approach is not acceptable b/c of security concerns. We need appropriate authorization handler implemented that will know how to match request with a secret. I've created https://trello.com/c/o8tqoSAp/1345-support-importing-from-registries-having-delegated-authorization and I'm re-assiging this issue to Michal.
Comment 11 Kirsten Newcomer 2019-06-12 11:54:38 UTC 
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progress within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new 

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.