Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1576157

Summary: Image stream generated during installation for containerized OCP install on OpenStack lack suitable pull secret
Product: OpenShift Container Platform Reporter: Priyanka Kanthale <pkanthal>
Component: InstallerAssignee: Michael Gugino <mgugino>
Status: CLOSED ERRATA QA Contact: Johnny Liu <jialiu>
Severity: high Docs Contact:
Priority: high    
Version: 3.9.0CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---   
Target Release: 3.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-11 07:19:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Priyanka Kanthale 2018-05-09 02:51:40 UTC 
Description of problem:

The image streams / pull secrets that are generated during the cluster provisioning by openshift-ansible don't work in for containerized OCP install on OpenStack
 using image pull-through.

It fails to read image meta information from the registry-mirror, apparently due to lack of a suitable pull secret.

e.g. the IS "registry-console" in the default NS also shows the authorization error of  Unable to find a secret to match 


How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
Shows the authorization error of  Unable to find a secret to match 


Expected results: 
Should not show such error

Additional info:
Please refer Bug 1571079 for more information 


Description of problem:

Version-Release number of the following components:
rpm -q openshift-ansible
rpm -q ansible
ansible --version

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
Comment 3 Scott Dodson 2018-05-09 13:03:45 UTC 
Workaround, provision a pull secret for the relevant namespaces.

https://docs.openshift.org/latest/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries
Comment 4 Scott Dodson 2018-07-17 13:39:32 UTC 
This should already be done now that we're provisioning a pull secret to the openshift namespace in 3.11.
Comment 5 Scott Dodson 2018-08-14 21:24:42 UTC 
Should be in openshift-ansible-3.11.0-0.15.0
Comment 6 Johnny Liu 2018-08-15 09:33:42 UTC 
Verified this bug with openshift-ansible-3.11.0-0.15.0.git.0.842d3d1None.noarch, and PASS.

Run an install against an authenticated registry with oreg_auth_user + oreg_auth_password, a pull secret is created in openshift namespace.

TASK [openshift_examples : Create imagestream import secret] *******************
Wednesday 15 August 2018  16:18:25 +0800 (0:00:00.183)       0:11:05.989 ****** 
ok: [host-8-252-102.host.centralci.eng.rdu2.redhat.com] => (item=/usr/share/openshift/examples/image-streams/image-streams-rhel7.json) => {"changed": false, "cmd": ["oc", "create", "secret", "docker-registry", "imagestreamsecret", "--docker-server=registry.dev.redhat.io", "--docker-username=****", "--docker-email=openshift", "--docker-password=****", "--config=/etc/origin/master/admin.kubeconfig", "-n", "openshift"], "delta": "0:00:00.196055", "end": "2018-08-15 04:18:26.368587", "failed_when_result": false, "item": "/usr/share/openshift/examples/image-streams/image-streams-rhel7.json", "rc": 0, "start": "2018-08-15 04:18:26.172532", "stderr": "", "stderr_lines": [], "stdout": "secret/imagestreamsecret created", "stdout_lines": ["secret/imagestreamsecret created"]}
ok: [host-8-252-102.host.centralci.eng.rdu2.redhat.com] => (item=/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json) => {"changed": false, "cmd": ["oc", "create", "secret", "docker-registry", "imagestreamsecret", "--docker-server=registry.dev.redhat.io", "--docker-username=****", "--docker-email=openshift", "--docker-password=****", "--config=/etc/origin/master/admin.kubeconfig", "-n", "openshift"], "delta": "0:00:00.185415", "end": "2018-08-15 04:18:26.702816", "failed_when_result": false, "item": "/usr/share/openshift/examples/image-streams/dotnet_imagestreams.json", "msg": "non-zero return code", "rc": 1, "start": "2018-08-15 04:18:26.517401", "stderr": "Error from server (AlreadyExists): secrets \"imagestreamsecret\" already exists", "stderr_lines": ["Error from server (AlreadyExists): secrets \"imagestreamsecret\" already exists"], "stdout": "", "stdout_lines": []}

# oc describe secret imagestreamsecret -n openshift
Name:         imagestreamsecret
Namespace:    openshift
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  1929 byte

For 3.11, there is no registry-console IS any more.
# oc get is
No resources found.
Comment 8 errata-xmlrpc 2018-10-11 07:19:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652