Bug 1506066 - [platformmanagement_public_850]Can't import the image signature from the RedHat registry
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.8.0
Assignee: Michal Fojtik
QA Contact: Dongbo Yan
Reported: 2017-10-25 02:41 UTC by zhou ying
Modified: 2019-11-21 18:38 UTC (History)

Doc Type: Bug Fix
Last Closed: 2019-11-21 18:38:11 UTC


Attachments:
import image (8.77 KB, text/plain), 2018-01-23 11:47 UTC, Dongbo Yan

Description zhou ying 2017-10-25 02:41:12 UTC
Description of problem:
When importing an image from the Red Hat registry, the image signature should be imported at the same time once the configuration for the related registry has been set up.

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.176.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

How reproducible:
always

Steps to Reproduce:
1. Build the env with a jenkins job;
2. Log in to OpenShift and create a project;
3. Set up the configuration for the related image registry on all the masters:
cat /etc/containers/registries.d/redhat.yaml
docker:
    registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore
4. Restart the master services: atomic-openshift-master-api, atomic-openshift-master-controllers;
5. As a normal user, import the image from the RH registry:
  `oc tag --source=docker registry.access.redhat.com/rhel7 rhel:7`
6. Check the logs of the master service atomic-openshift-master-controllers.

Actual results:
6. No signature imported:
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.140959   14158 signature_import_controller.go:61] Adding image sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.140989   14158 signature_import_controller.go:132] Initiating download of signatures for sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.433944   14158 signature_import_controller.go:148] No signatures dowloaded for sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954



Expected results:
6. The image has a signature, so the signature should be imported successfully.


Additional info:
When OpenShift is started by `oc cluster up`, the image signature can be imported successfully.
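
The log check from step 6, as an added example that is not part of the original report or of OpenShift's code: it parses the controller messages quoted above and lists the image digests whose signature import ended with no signatures. The function names are hypothetical, and accepting a corrected "downloaded" spelling is an assumption.

```python
import re

# Log lines copied from the bug description above
# (atomic-openshift-master-controllers, openshift v3.7.0-0.176.0).
SAMPLE_LOG = """\
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.140959   14158 signature_import_controller.go:61] Adding image sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.140989   14158 signature_import_controller.go:132] Initiating download of signatures for sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.433944   14158 signature_import_controller.go:148] No signatures dowloaded for sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
"""

# klog payload after the journald prefix: level+date, time, pid, file:line] message
KLOG = re.compile(
    r"[IWEF]\d{4} [\d:.]+\s+\d+ signature_import_controller\.go:\d+\] (?P<msg>.*)$"
)
DIGEST = r"(?P<digest>sha256:[0-9a-f]{64})"
# The controller in this report spells the message "dowloaded"; a search for
# "downloaded" alone would miss it. Accepting both spellings is an assumption.
EVENTS = [
    ("queued", re.compile(r"^Adding image " + DIGEST)),
    ("downloading", re.compile(r"^Initiating download of signatures for " + DIGEST)),
    ("no-signatures", re.compile(r"^No signatures down?loaded for " + DIGEST)),
]

def signature_import_states(log_text):
    """Return {digest: last state seen} for signature import controller lines."""
    states = {}
    for line in log_text.splitlines():
        m = KLOG.search(line)
        if not m:
            continue  # not a signature_import_controller.go message
        for state, pattern in EVENTS:
            hit = pattern.match(m.group("msg"))
            if hit:
                states[hit.group("digest")] = state
                break
    return states

def images_without_signatures(log_text):
    """Digests whose most recent import attempt found no signatures."""
    states = signature_import_states(log_text)
    return sorted(d for d, s in states.items() if s == "no-signatures")

if __name__ == "__main__":
    for digest in images_without_signatures(SAMPLE_LOG):
        print("no signature imported:", digest)
```
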

Comment 1 Michal Fojtik 2018-01-18 09:36:50 UTC
Can I see the result of `oc get image sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954 -o yaml`?

Comment 3 Dongbo Yan 2018-01-23 11:47:21 UTC
Created attachment 1384807
import image

Comment 4 Dongbo Yan 2018-01-23 11:48:37 UTC
I can see the signature after tagging the image

# oc describe istag rhel:7
Image Name:		sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Docker Image:		registry.access.redhat.com/rhel7@sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Name:			sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Created:		44 seconds ago
Annotations:		image.openshift.io/dockerLayersOrder=ascending
Image Size:		74.88MB (first layer 74.88MB, last binary layer 1.239kB)
Image Signatures:	 
			Name:	sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679@22272cad1f902a4f1e378c0d0626a61a912ab3a91d837039e80e5c9562185e9f
			Type:	AtomicImageV1
			Status:	Unverified
Image Created:		2 months ago
Author:			Red Hat, Inc.

oc v3.9.0-0.22.0
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://:8443
openshift v3.9.0-0.22.0
kubernetes v1.9.1+a0ce1bc657

