Bug 1576157 - Image stream generated during installation for containerized OCP install on OpenStack lack suitable pull secret
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.11.0
Assignee: Michael Gugino
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-09 02:51 UTC by Priyanka Kanthale
Modified: 2018-10-11 07:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-11 07:19:10 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2652 0 None None None 2018-10-11 07:19:39 UTC

Description Priyanka Kanthale 2018-05-09 02:51:40 UTC
Description of problem:

The image streams / pull secrets that are generated during the cluster provisioning by openshift-ansible don't work for a containerized OCP install on OpenStack using image pull-through.

It fails to read image meta information from the registry-mirror, apparently due to lack of a suitable pull secret.

e.g. the IS "registry-console" in the default NS also shows the authorization error of  Unable to find a secret to match 


How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
Shows the authorization error of  Unable to find a secret to match 


Expected results: 
Should not show such error

Additional info:
Please refer to Bug 1571079 for more information.



Comment 3 Scott Dodson 2018-05-09 13:03:45 UTC
Workaround: provision a pull secret for the relevant namespaces.

https://docs.openshift.org/latest/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries

Comment 4 Scott Dodson 2018-07-17 13:39:32 UTC
This should already be done now that we're provisioning a pull secret to the openshift namespace in 3.11.

Comment 5 Scott Dodson 2018-08-14 21:24:42 UTC
Should be in openshift-ansible-3.11.0-0.15.0

Comment 6 Johnny Liu 2018-08-15 09:33:42 UTC
Verified this bug with openshift-ansible-3.11.0-0.15.0.git.0.842d3d1None.noarch, and PASS.

Run an install against an authenticated registry with oreg_auth_user + oreg_auth_password; a pull secret is created in the openshift namespace.

TASK [openshift_examples : Create imagestream import secret] *******************
Wednesday 15 August 2018  16:18:25 +0800 (0:00:00.183)       0:11:05.989 ****** 
ok: [host-8-252-102.host.centralci.eng.rdu2.redhat.com] => (item=/usr/share/openshift/examples/image-streams/image-streams-rhel7.json) => {"changed": false, "cmd": ["oc", "create", "secret", "docker-registry", "imagestreamsecret", "--docker-server=registry.dev.redhat.io", "--docker-username=****", "--docker-email=openshift", "--docker-password=****", "--config=/etc/origin/master/admin.kubeconfig", "-n", "openshift"], "delta": "0:00:00.196055", "end": "2018-08-15 04:18:26.368587", "failed_when_result": false, "item": "/usr/share/openshift/examples/image-streams/image-streams-rhel7.json", "rc": 0, "start": "2018-08-15 04:18:26.172532", "stderr": "", "stderr_lines": [], "stdout": "secret/imagestreamsecret created", "stdout_lines": ["secret/imagestreamsecret created"]}
ok: [host-8-252-102.host.centralci.eng.rdu2.redhat.com] => (item=/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json) => {"changed": false, "cmd": ["oc", "create", "secret", "docker-registry", "imagestreamsecret", "--docker-server=registry.dev.redhat.io", "--docker-username=****", "--docker-email=openshift", "--docker-password=****", "--config=/etc/origin/master/admin.kubeconfig", "-n", "openshift"], "delta": "0:00:00.185415", "end": "2018-08-15 04:18:26.702816", "failed_when_result": false, "item": "/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json", "msg": "non-zero return code", "rc": 1, "start": "2018-08-15 04:18:26.517401", "stderr": "Error from server (AlreadyExists): secrets \"imagestreamsecret\" already exists", "stderr_lines": ["Error from server (AlreadyExists): secrets \"imagestreamsecret\" already exists"], "stdout": "", "stdout_lines": []}

# oc describe secret imagestreamsecret -n openshift
Name:         imagestreamsecret
Namespace:    openshift
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  1929 byte

For 3.11, there is no registry-console IS any more.
# oc get is
No resources found.
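
The workaround from Comment 3, written out as an added example (not code from openshift-ansible or from anyone on this bug): it builds the kubernetes.io/dockerconfigjson secret shown in Comment 6 with the password read from stdin, and applies it with oc apply so a repeat run does not hit the AlreadyExists error seen in the task log. REG_SERVER, REG_USER, REG_PASS and registry.example.test are assumed names.

```shell
#!/bin/sh
# Added example. REG_SERVER, REG_USER, REG_PASS and registry.example.test are
# assumptions for illustration, not values from the bug report.

# Escape backslash and double quote so a value is safe inside a JSON string.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# base64 on a single line (GNU base64 wraps at 76 columns by default).
b64() { base64 | tr -d '\n'; }

# dockercfg SERVER USER: print the .dockerconfigjson document.
# The password is read from stdin so it never appears in argv or in task logs.
dockercfg() {
    IFS= read -r d_pass || :
    d_auth=$(printf '%s:%s' "$2" "$d_pass" | b64)
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" \
        "$(json_escape "$d_pass")" "$d_auth"
}

# pull_secret_manifest NAME NAMESPACE SERVER USER: print a Secret manifest of
# type kubernetes.io/dockerconfigjson (password on stdin). NAME and NAMESPACE
# are Kubernetes object names, so they need no JSON escaping.
pull_secret_manifest() {
    m_cfg=$(dockercfg "$3" "$4" | b64)
    cat <<EOF
{"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/dockerconfigjson",
 "metadata":{"name":"$1","namespace":"$2"},
 "data":{".dockerconfigjson":"$m_cfg"}}
EOF
}

# provision NAMESPACE...: create or update the secret in each namespace, then
# let the default service account use it for pulls. "oc apply" succeeds when
# the secret already exists, where "oc create secret" returns AlreadyExists.
provision() {
    for p_ns in "$@"; do
        printf '%s\n' "$REG_PASS" |
            pull_secret_manifest imagestreamsecret "$p_ns" "$REG_SERVER" "$REG_USER" |
            oc apply -f -
        oc secrets link default imagestreamsecret --for=pull -n "$p_ns"
    done
}

# Usage, on a host with a logged-in oc client:
#   REG_SERVER=registry.example.test REG_USER=puller REG_PASS=... provision openshift default
```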

Comment 8 errata-xmlrpc 2018-10-11 07:19:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652

