Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1529867

Summary: Internal registry image no longer accessible when upgrading from 3.6 to 3.7
Product: OpenShift Container Platform
Reporter: Bruno Andrade <bandrade>
Component: Master
Assignee: Maciej Szulik <maszulik>
Status: CLOSED DUPLICATE
QA Contact: Wang Haoran <haowang>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.7.0
CC: aos-bugs, bandrade, jokerman, mfojtik, mmccomas, wmeng
Target Milestone: ---
Target Release: 3.7.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-15 11:55:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Bruno Andrade 2017-12-30 14:34:11 UTC
Description of problem:

We use an Ansible playbook to create origin and enterprise clusters. The playbook calls the origin-ansible playbook. The internal docker registry stores business docker images. All works well for us on 3.6.

We're upgrading to 3.7. We're doing minimal changes to our setup, following the release notes [1].

We expected that our deployment should still work; we expected no security-related change for the internal registry.

We see authentication issues when pods using images from the internal docker registry are created.

The issue is identical to the issue on GitHub [2], including log entries, error message and setup. We see pods entering ImagePullBackOff and logging authentication issues.

Authentication to the registry is done through a secret. The secret is created using a token from a dedicated user. We have a custom project, e.g. PROJECT. The user has the rights it needs to access PROJECT, push and pull images from the registry, and access the default project.

[1] https://docs.openshift.com/container-platform/latest/release_notes/ocp_3_7_release_notes.html
[2] https://github.com/openshift/origin/issues/17523


Version-Release number of selected component (if applicable):
3.7


How reproducible:

Update to OpenShift v3.7 with a custom service account with rights to push and pull images from the registry; see https://github.com/openshift/origin/issues/17523

Actual results:
We see pods entering ImagePullBackOff and logging authentication issues

Expected results:
Push and pull with success using custom service accounts

Additional info:


Description of problem:

Version-Release number of the following components:
rpm -q openshift-ansible
rpm -q ansible
ansible --version

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag



Comment 1 Scott Dodson 2018-01-19 21:00:56 UTC
Moving to auth component per Ben's comment that this is likely RBAC related.

https://github.com/openshift/origin/issues/17523#issuecomment-351535411

Comment 2 Simo Sorce 2018-01-22 16:27:47 UTC
Scott,
per that comment it is not an auth issue, but some issue about sourcing the right secrets to present to auth. Moving to master, hopefully that's the right team.

Comment 3 Maciej Szulik 2018-01-23 12:10:45 UTC
It looks like your problem is identical to https://bugzilla.redhat.com/show_bug.cgi?id=1531511. Can you please double check that?

Comment 4 Bruno Andrade 2018-02-15 11:55:33 UTC

*** This bug has been marked as a duplicate of bug 1531511 ***