Bug 1526949 - [ASB] The openshift registry of the ASB works fail
Summary: [ASB] The openshift registry of the ASB works fail
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.9.0
Assignee: Dylan Murray
QA Contact: Jian Zhang
Depends On:
TreeView+ depends on / blocked
Reported: 2017-12-18 09:29 UTC by Jian Zhang
Modified: 2018-03-28 14:15 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: User did not set `auth_type` in the config Fix: We now do not require `auth_type` to be set and default to the configuration file for credentials.
Clone Of:
Last Closed: 2018-03-28 14:15:24 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0489 0 None None None 2018-03-28 14:15:53 UTC

Comment 1 weiwei jiang 2017-12-18 10:11:50 UTC

# curl https://jiazha:redhat@sso.redhat.com/auth/realms/rhc4tp/protocol/docker-v2/auth\?service\=docker-registry -X GET -I
HTTP/1.1 500 Internal Server Error
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 1997
Date: Mon, 18 Dec 2017 09:55:12 GMT
Connection: keep-alive
Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNWU4MmIyZmQtYzUwMC00MWExLTk1ZGMtMTFlMTkxNTY1ZjVhIn0.eyJjcyI6ImVlZjRlMWMwLTQ1YmEtNGJiMC05ZWRkLTYxZWNmZGRkMTU3ZiIsImNpZCI6ImRvY2tlci1yZWdpc3RyeSIsInB0eSI6ImRvY2tlci12MiIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNlcnZpY2UiOiJkb2NrZXItcmVnaXN0cnkiLCJzY29wZSI6bnVsbCwiZG9ja2VyLmlzcyI6Imh0dHBzOi8vc3NvLnJlZGhhdC5jb20vYXV0aC9yZWFsbXMvcmhjNHRwIiwiYWNjb3VudCI6bnVsbH19.n92AfvfIcfnZrROMiFCFlmsi8eEdI8cvRdhabLZ0WBo; Version=1; Path=/auth/realms/rhc4tp; HttpOnly
Set-Cookie: BIGipServer~prod~keycloak-webssl-https=610731274.64288.0000; path=/; Httponly; Secure
Set-Cookie: sso_origin_dc=origin-sso-phx2.redhat.com; path=/; domain=sso.redhat.com; secure; HttpOnly
Set-Cookie: sso_origin_dc=novalue; expires=Thu, 21-Dec-1990 11:59:00 GMT;  path=/; domain=sso.redhat.com; secure; HttpOnly

And no idea if the authURL still available.

Comment 2 Dylan Murray 2017-12-18 14:37:19 UTC

I see one problem with your registry config. You are using the URL registry.connect.redhat.com (which is correct in this instance when using the openshift registry adapter. However, the image `openshift3/postgresql-apb` does not exist on this registry. That image exists in RHCC at registry.access.redhat.com. To use that image you would use the `rhcc` registry adapter.


I will investigate if the authUrl has changed.

First step should be to change the image to one that exists in the ISV registry. I would use `rocketchat/rocketchat-apb`. (https://access.redhat.com/containers/?tab=overview#/registry.connect.redhat.com/rocketchat/rocketchat-apb)

Comment 8 Dylan Murray 2018-01-10 15:54:38 UTC
Zhang & Jian,

I apologize I didn't respond sooner this was lost in the shutdown. The host is no longer active and I am still unable to reproduce this on my local machine using your credentials. Is it possible that you are dealing with a proxy that cannot talk to registry.connect.redhat.com? I'm happy to look at another host if you can reproduce.


Comment 10 Dylan Murray 2018-01-11 14:34:03 UTC

Thank you for setting up another host. I have confirmed that this issue is present in the ansible-service-broker image on the aws registry which you are using. I tested on your host with our latest upstream image and saw success using your credentials. I cannot track down what specific change to the adapter your image is built on but I can confirm it is fixed in the latest builds upstream so I will ensure this fix is in RHCC. I will move the bug to ON_QA when it is built and ready to be tested again.

Comment 12 Dylan Murray 2018-01-12 14:54:26 UTC

Thank you for the clarification! You are right this problem does exist in the 3.7 image. I have figured out what it is causing this. We have a bug if the user does not set `auth_type` in the broker config.

To workaround this, in the registry config you can set `auth_type` to `config`. This will then use your proper credentials. I am also going to post a PR to set the user/pass if auth_type isn't set.

Comment 14 Dylan Murray 2018-01-12 15:24:26 UTC
Previous PR link was invalid:

This will not be fixed in 3.7.x I will be filing a docs bug to ensure the user is setting auth_type in the registry config.

Comment 17 Dylan Murray 2018-01-16 19:12:16 UTC

Associated documentation bug.

Comment 21 errata-xmlrpc 2018-03-28 14:15:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.