Description of problem:
Red Hat partner registry registry.connect.redhat.com requires authenticated SSO user/pass credentials to pull images. When a dockercfg secret is provided for the registry, import-image and pulling onto a node fail as if no secret was provided.

Version-Release number of selected component (if applicable):
oc v3.6.0-alpha.2+3c221d5
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://127.0.0.1:8443
openshift v3.6.0-alpha.2+3c221d5
kubernetes v1.6.1+5115d708d7

How reproducible:
always

Steps to Reproduce:
1. oc secret new-dockercfg --docker-server=registry.connect.redhat.com --docker-username=aweiteka --docker-password=PORTAL_SSO_PASS --docker-email=foobar
2. oc import-image crunchy --from registry.connect.redhat.com/crunchydata/crunchy-postgres --confirm

Actual results:
import-image: Internal error occurred: Get https://registry.connect.redhat.com/v2/crunchydata/crunchy-postgres/manifests/latest: unable to decode token response: invalid character '<' looking for beginning of value
oc run: Error from server (BadRequest): container "crunchy" in pod "crunchy-1-79hmd" is waiting to start: trying and failing to pull image

Expected results:
image imported

Additional info:
https://paste.fedoraproject.org/paste/r1GSKpSCZbCKVkscj~ikUw

Workaround to land image on a node: create a secret using a .docker/config.json file.

$ cat /root/.docker/config.json
{
  "auths": {
    "registry.connect.redhat.com": {
      "auth": "YXdlaXRla2FA...b3JlZGhhdA=="
    }
  }
}
$ oc secret new rhconnectauths .dockerconfigjson=/root/.docker/config.json
$ oc secrets link default rhconnectauths --for=pull
$ oc run haproxy --image registry.connect.redhat.com/haproxytech/haproxy

It appears there's something with import-image that still does not work with this config.

It looks like this is related to a GitHub issue on OpenShift Origin as well: https://github.com/openshift/origin/issues/9584 (there's a PR linked to it as well).

Because authentication is handled at sso.redhat.com, OpenShift isn't matching the registry.connect.redhat.com secret.

The simplest workaround appears to be creating 2 image pull secrets: one for registry.connect.redhat.com and another for sso.redhat.com.

$ oc secret new-dockercfg --docker-server=registry.connect.redhat.com --docker-username=peasters --docker-password=SSO_PASSWORD --docker-email=whatev connect
secret/connect
$ oc secret new-dockercfg --docker-server=sso.redhat.com --docker-username=peasters --docker-password=SSO_PASSWORD --docker-email=whatev connect-sso
secret/connect-sso
$ oc import-image crunchy --from registry.connect.redhat.com/crunchydata/crunchy-postgres --confirm
The import completed successfully.

Name: crunchy
Namespace: myproject
Created: Less than a second ago
Labels: <none>
Annotations: openshift.io/image.dockerRepositoryCheck=2017-07-28T12:50:46Z
Docker Pull Spec: 172.30.1.1:5000/myproject/crunchy
Unique Images: 1
Tags: 1

latest
  tagged from registry.connect.redhat.com/crunchydata/crunchy-postgres

  * registry.connect.redhat.com/crunchydata/crunchy-postgres@sha256:21d826baa73fc09bda9e86f617e1c6d18ddf201db8468ccb13934f59f83aead5
      Less than a second ago

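A diagnostic sketch of the mismatch described in the comment above, added here as an example and not part of the original report or of OpenShift's code: it reads the token realm from a registry's Bearer challenge and lists the hosts that have no entry in a docker config. The challenge string, realm path and credentials are constructed samples, and the function names are hypothetical; only the two host names come from the report.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Constructed sample challenge; the realm path is a placeholder, only the
# host sso.redhat.com comes from the report above.
SAMPLE_CHALLENGE = ('Bearer realm="https://sso.redhat.com/placeholder/token",'
                    'service="registry.connect.redhat.com",'
                    'scope="repository:crunchydata/crunchy-postgres:pull"')

# Constructed sample config holding a secret for the registry host only.
SAMPLE_CONFIG = json.dumps({"auths": {"registry.connect.redhat.com": {
    "auth": base64.b64encode(b"user:constructed-password").decode()}}})


def parse_bearer_challenge(header):
    """Return the key="value" parameters of a Bearer WWW-Authenticate header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def credential_hosts(config_json):
    """Hosts with an entry in a .docker/config.json or legacy .dockercfg."""
    data = json.loads(config_json)
    entries = data.get("auths", data)  # legacy .dockercfg has no "auths" key
    hosts = set()
    for key in entries:
        # Keys may be bare hosts or full URLs such as https://host/v1/
        parsed = urlparse(key if "://" in key else "//" + key)
        hosts.add(parsed.hostname)
    return hosts


def missing_secret_hosts(registry, challenge, config_json):
    """Hosts contacted during a pull that have no matching credential entry."""
    realm_host = urlparse(parse_bearer_challenge(challenge)["realm"]).hostname
    needed = {registry, realm_host}
    return sorted(needed - credential_hosts(config_json))


if __name__ == "__main__":
    print(missing_secret_hosts("registry.connect.redhat.com",
                               SAMPLE_CHALLENGE, SAMPLE_CONFIG))
```
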
*** This bug has been marked as a duplicate of bug 1462606 ***