Bug 1679900 - Cli imagestreams under openshift should be installed after samples-registry-credentials secret create
Summary: Cli imagestreams under openshift should be installed after samples-registry-c...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Gabe Montero
QA Contact: XiuJuan Wang
Depends On:
TreeView+ depends on / blocked
Reported: 2019-02-22 08:10 UTC by XiuJuan Wang
Modified: 2019-06-04 10:44 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:44:19 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:44:27 UTC

Description XiuJuan Wang 2019-02-22 08:10:38 UTC
Description of problem:
After install cluster, the cli, tests, installer imagestreams which are not managed by samples operator need import manually due to 'Import failed (Unauthorized)'.

Since the three imagestreams installed earlier than samples-operator did, then the samples-registry-credentials secret creates later than those imagestreams.


Version-Release number of selected component (if applicable):
$oc  get clusterversion 
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE     STATUS
version   4.0.0-0.nightly-2019-02-21-215247   True        False         3h28m     4.0.0-0.nightly-2019-02-21-215247


How reproducible:

Steps to Reproduce:
1.Check cli, tests,installer imagestreams under openshift project

Actual results:

$ oc get is  -n openshift
NAME        IMAGE REPOSITORY                                                       TAGS      UPDATED
cli         image-registry.openshift-image-registry.svc:5000/openshift/cli         latest    
installer   image-registry.openshift-image-registry.svc:5000/openshift/installer   latest    
tests       image-registry.openshift-image-registry.svc:5000/openshift/tests       latest   

$ oc describe is cli   -n openshift
Name:			cli
Namespace:		openshift
Created:		4 hours ago
Labels:			<none>
Annotations:		<none>
Image Repository:	image-registry.openshift-image-registry.svc:5000/openshift/cli
Image Lookup:		local=false
Unique Images:		0
Tags:			1

  tagged from quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3ad0df04f953c4f8ceedea0986ca4f47091389783c5764f9178c27360783c1ef

  ! error: Import failed (Unauthorized): you may not have access to the Docker image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3ad0df04f953c4f8ceedea0986ca4f47091389783c5764f9178c27360783c1ef"
      4 hours ago

Expected results:

cli, tests,installer imagestreams should be imported successfully after install cluster.

Additional info:

Comment 1 Ben Parees 2019-02-22 12:42:06 UTC
Gabe, in theory i think moving those imagestreams later in the manifest than the clusteroperator object itself might make this work (assuming the samples operator's clusteroperator status does not report available=true until the secret has been copied over).

In practice, I think this means we ought to make these additional imagestreams a first class part of the samples operator managed bits at some point, but that means treating them like jenkins (ie all the special casing we do for jenkins to substitute the pullspec and not let the registry hostname be overwritten).

So probably go w/ the short term fix if you agree it should work.

Comment 2 Gabe Montero 2019-02-22 15:18:11 UTC

1) Yes, we will not attempt to create the samples until the secret is copied over.  So available==false until we finish creating all the samples

2) Moving those imagestreams later in the manifest .... I could not find where those imagestreams are defined, so don't know how to move them.
I guessed it was buried in https://github.com/openshift/release somewhere but could not find it.
Plus, I looked at a release-payload, and the clusteroperator object is listed way way early (20th in that big long list).

On long term making them first class citizens wrt samples operator ... yeah, even though the jenkins* are in the payload, they are also 
defined in openshift/library, so that makes the special casing fairly limited.

The Clayton specials like "cli" are of course not defined there.  Nor should be I would think.  The special casing for those will have 
additional hits.

I'm more inclined to just have whatever early installer code that places the pull secret in kube-system also place it in the openshift
namespace, and keep the samples operator out of it, assuming these Clayton specials need to be healthy out of the gate.  

We would still monitor kube-system (or whatever the final landing spot might be) for changes and recreates in the openshift namespace.


Comment 3 Ben Parees 2019-02-22 15:35:13 UTC
Having the installer put the pullsecret into the openshift namespace is a reasonable solution to me, definitely worth talking to them about, but there may be pushback so i'd reorder the manifests in the short term.

Comment 4 Gabe Montero 2019-02-22 15:56:05 UTC
OK Ben showed me that those imagestreams were being defined under my own nose in the cluster-samples-operator manifests :-)

Still have the same opinion against the "long term fix / first class citizenship"

But nix the notion of having the installer direcly store the coreos pull secret into the openshift namespace

Comment 5 Gabe Montero 2019-02-22 16:06:58 UTC
PR https://github.com/openshift/cluster-samples-operator/pull/112 is up

Comment 6 Gabe Montero 2019-02-23 03:39:10 UTC
PR has merged

Comment 7 XiuJuan Wang 2019-02-26 08:28:39 UTC
Thanks gabe,
The cli, installer, tests imagestreams could be imported automaticlly after install cluster.

$ oc get is cli tests installer -n openshift  
NAME        IMAGE REPOSITORY                                                       TAGS     UPDATED
cli         image-registry.openshift-image-registry.svc:5000/openshift/cli         latest   7 hours ago
NAME        IMAGE REPOSITORY                                                       TAGS     UPDATED
tests       image-registry.openshift-image-registry.svc:5000/openshift/tests       latest   7 hours ago
NAME        IMAGE REPOSITORY                                                       TAGS     UPDATED
installer   image-registry.openshift-image-registry.svc:5000/openshift/installer   latest   7 hours ago

$oc get clusterversion 
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-02-25-194625   True        False         7h9m    Cluster version is 4.0.0-0.nightly-2019-02-25-194625

Comment 10 errata-xmlrpc 2019-06-04 10:44:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.