Description of problem: The image streams / pull secrets that are generated during the cluster provisioning by openshift-ansible don't work in for containerized OCP install on OpenStack using image pull-through. It fails to read image meta information from the registry-mirror, apparently due to lack of a suitable pull secret. e.g. the IS "registry-console" in the default NS also shows the authorization error of Unable to find a secret to match How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Shows the authorization error of Unable to find a secret to match Expected results: Should not show such error Additional info: Please refer Bug 1571079 for more information Description of problem: Version-Release number of the following components: rpm -q openshift-ansible rpm -q ansible ansible --version How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Please include the entire output from the last TASK line through the end of output if an error is generated Expected results: Additional info: Please attach logs from ansible-playbook with the -vvv flag
Workaround, provision a pull secret for the relevant namespaces. https://docs.openshift.org/latest/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries
This should already be done now that we're provisioning a pull secret to the openshift namespace in 3.11.
Should be in openshift-ansible-3.11.0-0.15.0
Verified this bug with openshift-ansible-3.11.0-0.15.0.git.0.842d3d1None.noarch, and PASS. Run an install against an authenticated registry with oreg_auth_user + oreg_auth_password, a pull secret is created in openshift namespace. TASK [openshift_examples : Create imagestream import secret] ******************* Wednesday 15 August 2018 16:18:25 +0800 (0:00:00.183) 0:11:05.989 ****** ok: [host-8-252-102.host.centralci.eng.rdu2.redhat.com] => (item=/usr/share/openshift/examples/image-streams/image-streams-rhel7.json) => {"changed": false, "cmd": ["oc", "create", "secret", "docker-registry", "imagestreamsecret", "--docker-server=registry.dev.redhat.io", "--docker-username=****", "--docker-email=openshift", "--docker-password=****", "--config=/etc/origin/master/admin.kubeconfig", "-n", "openshift"], "delta": "0:00:00.196055", "end": "2018-08-15 04:18:26.368587", "failed_when_result": false, "item": "/usr/share/openshift/examples/image-streams/image-streams-rhel7.json", "rc": 0, "start": "2018-08-15 04:18:26.172532", "stderr": "", "stderr_lines": [], "stdout": "secret/imagestreamsecret created", "stdout_lines": ["secret/imagestreamsecret created"]} ok: [host-8-252-102.host.centralci.eng.rdu2.redhat.com] => (item=/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json) => {"changed": false, "cmd": ["oc", "create", "secret", "docker-registry", "imagestreamsecret", "--docker-server=registry.dev.redhat.io", "--docker-username=****", "--docker-email=openshift", "--docker-password=****", "--config=/etc/origin/master/admin.kubeconfig", "-n", "openshift"], "delta": "0:00:00.185415", "end": "2018-08-15 04:18:26.702816", "failed_when_result": false, "item": "/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json", "msg": "non-zero return code", "rc": 1, "start": "2018-08-15 04:18:26.517401", "stderr": "Error from server (AlreadyExists): secrets \"imagestreamsecret\" already exists", "stderr_lines": ["Error from server (AlreadyExists): secrets \"imagestreamsecret\" already exists"], "stdout": "", "stdout_lines": []} # oc describe secret imagestreamsecret -n openshift Name: imagestreamsecret Namespace: openshift Labels: <none> Annotations: <none> Type: kubernetes.io/dockerconfigjson Data ==== .dockerconfigjson: 1929 byte For 3.11, there is no registry-console IS any more. # oc get is No resources found.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2652