1494231 – oc import-image generates x509 error when trying to import an image

Bug 1494231 - oc import-image generates x509 error when trying to import an image

Summary: oc import-image generates x509 error when trying to import an image

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	ImageStreams
Sub Component:
Version:	3.6.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	3.7.0
Assignee:	Oleg Bulatov
QA Contact:	Dongbo Yan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-09-21 18:47 UTC by Rob Cernich
Modified:	2017-11-28 22:12 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: importPolicy.insecure is ignored in `oc import-image <imagestream:tag>` Consequence: re-import from an insecure registry fails because it expects a valid SSL certificate. Fix: when the image stream tag exists, use its importPolicy.insecure Result: re-import succeed
Clone Of:
Environment:
Last Closed:	2017-11-28 22:12:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description Rob Cernich 2017-09-21 18:47:42 UTC

Description of problem:


Version-Release number of selected component (if applicable):
OCP 3.6.1.

How reproducible:


Steps to Reproduce:
1. Create an image in an insecure registry
2. Create an image stream, with a tag definition pointing to the image (i.e. tag: from: ...) and importPolicy: { insecure: true }.
3. import the image tag, e.g. oc import-image image:tag.  notice the x509 error.  also notice that the import may have succeeded.
4. Successive imports appear to fail, but setting generation back to 0 sometimes allows the import to succeed.

Actual results:
import fails


Expected results:
import updates the tag


Additional info:

Comment 1 Rob Cernich 2017-09-21 18:49:05 UTC

Forgot to add, the import succeeds if you also add openshift.io/image.insecureRepository: true to the annotations on the image stream.

Comment 4 Ben Parees 2017-10-05 04:02:16 UTC

Alexey has a few blockers already, Oleg can you take a look at this one?

Comment 5 Oleg Bulatov 2017-10-09 12:16:53 UTC

> setting generation back to 0 sometimes allows the import to succeed.

Can you provide the exact path to the generation field? .metadata.generation or .spec.tags.generation?

Comment 6 Rob Cernich 2017-10-09 14:29:02 UTC

.metadata.generation

Comment 8 Oleg Bulatov 2017-10-10 15:29:19 UTC

https://github.com/openshift/origin/pull/16756

Comment 10 Dongbo Yan 2017-10-18 10:15:59 UTC

Verified
# oc version
oc v3.7.0-0.159.0
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://:8443
openshift v3.7.0-0.153.0
kubernetes v1.7.6+a08f5eeb62

cannot reproduce this issue

Comment 14 errata-xmlrpc 2017-11-28 22:12:03 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.