Description of problem: After importing new images from Red Hat Registry and try to using them with "oc new-app" command, the newly started build refers to the image in the Red Hat registry instead of the internal one: ~~~ ~~~ Version-Release number of selected component (if applicable): 4.2.2 How reproducible: Always Steps to Reproduce: 1. Import the new s2i JDK images with: ~~~ oc import-image redhat-openjdk-18/openjdk18-openshift --from=registry.redhat.io/redhat-openjdk-18/openjdk18-openshift --confirm -n openshift -- oc describe is openjdk18-openshift -n openshift Name: openjdk18-openshift Namespace: openshift Created: About an hour ago Labels: <none> Annotations: openshift.io/image.dockerRepositoryCheck=2019-10-30T15:08:01Z Image Repository: default-route-openshift-image-registry.apps.kogito.automation.rhmw.io/openshift/openjdk18-openshift Image Lookup: local=false Unique Images: 1 Tags: 1 latest tagged from registry.redhat.io/redhat-openjdk-18/openjdk18-openshift * registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96 About an hour ago ~~~ 2. Create a new app using this image: ~~~ oc new-app https://github.com/ricardozanini/spring-todo --image-stream=openshift/openjdk18-openshift:latest --build-env S2I_SOURCE_DEPLOYMENTS_FILTER="*.war" ~~~ 3. The newly created build will refer to the DockerImage in the Red Hat Registry instead: ~~~ strategy: type: Source sourceStrategy: from: kind: DockerImage name: >- registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96 env: - name: S2I_SOURCE_DEPLOYMENTS_FILTER value: '*.war' ~~~ 4. Then failing the build because the app's namespace doesn't have the required token to access the registry: ~~~ Cloning "https://github.com/ricardozanini/spring-todo" ... Commit: 4d6ea2c8e692031fcaef6acbd488df7eff6aa10e (Standard to openshift profile) Author: Ricardo Zanini <1538000+ricardozanini.github.com> Date: Wed Oct 30 11:55:31 2019 -0300 Caching blobs under "/var/cache/blobs". Warning: Pull failed, retrying in 5s ... Warning: Pull failed, retrying in 5s ... Warning: Pull failed, retrying in 5s ... error: build error: After retrying 2 times, Pull image still failed due to error: unable to retrieve auth token: invalid username/password ~~~ Actual results: The build fails to pull the image because has references to pull it from a protected registry. Expected results: To have the build to reference the internal registry instead, like: image-registry.openshift-image-registry.svc:5000/openshift/openjdk18-openshift Additional info: Generated BuildConfig: ~~~ apiVersion: build.openshift.io/v1 kind: BuildConfig metadata: annotations: openshift.io/generated-by: OpenShiftNewApp creationTimestamp: "2019-10-30T15:54:26Z" labels: app: spring-todo name: spring-todo namespace: cloud-operations resourceVersion: "8680820" selfLink: /apis/build.openshift.io/v1/namespaces/cloud-operations/buildconfigs/spring-todo uid: 8cb0b99a-fb2d-11e9-96f4-0a580a820097 spec: failedBuildsHistoryLimit: 5 nodeSelector: null output: to: kind: ImageStreamTag name: spring-todo:latest postCommit: {} resources: {} runPolicy: Serial source: git: uri: https://github.com/ricardozanini/spring-todo type: Git strategy: sourceStrategy: env: - name: S2I_SOURCE_DEPLOYMENTS_FILTER value: '*.war' from: kind: ImageStreamTag name: openjdk18-openshift:latest namespace: openshift type: Source successfulBuildsHistoryLimit: 5 triggers: - github: secret: gPq1g-2EywzVZXedZuEs type: GitHub - generic: secret: nOJMce-UID7fQZjWVmwx type: Generic - type: ConfigChange - imageChange: lastTriggeredImageID: registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96 type: ImageChange status: lastVersion: 1 ~~~ Build: ~~~ apiVersion: v1 items: - apiVersion: build.openshift.io/v1 kind: Build metadata: annotations: openshift.io/build-config.name: spring-todo openshift.io/build.number: "1" openshift.io/build.pod-name: spring-todo-1-build creationTimestamp: "2019-10-30T15:54:26Z" labels: app: spring-todo buildconfig: spring-todo openshift.io/build-config.name: spring-todo openshift.io/build.start-policy: Serial name: spring-todo-1 namespace: cloud-operations ownerReferences: - apiVersion: build.openshift.io/v1 controller: true kind: BuildConfig name: spring-todo uid: 8cb0b99a-fb2d-11e9-96f4-0a580a820097 resourceVersion: "8681229" selfLink: /apis/build.openshift.io/v1/namespaces/cloud-operations/builds/spring-todo-1 uid: 8cd89fad-fb2d-11e9-87e3-0a580a81007d spec: nodeSelector: null output: pushSecret: name: builder-dockercfg-t2w6q to: kind: ImageStreamTag name: spring-todo:latest postCommit: {} resources: {} revision: git: author: email: 1538000+ricardozanini.github.com name: Ricardo Zanini commit: 4d6ea2c8e692031fcaef6acbd488df7eff6aa10e committer: email: noreply name: GitHub message: Standard to openshift profile type: Git serviceAccount: builder source: git: uri: https://github.com/ricardozanini/spring-todo type: Git strategy: sourceStrategy: env: - name: S2I_SOURCE_DEPLOYMENTS_FILTER value: '*.war' from: kind: DockerImage name: registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96 type: Source triggeredBy: - imageChangeBuild: fromRef: kind: ImageStreamTag name: openjdk18-openshift:latest namespace: openshift imageID: registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96 message: Image change status: completionTimestamp: "2019-10-30T15:55:01Z" config: kind: BuildConfig name: spring-todo namespace: cloud-operations duration: 35000000000 logSnippet: |- Caching blobs under "/var/cache/blobs". Warning: Pull failed, retrying in 5s ... Warning: Pull failed, retrying in 5s ... Warning: Pull failed, retrying in 5s ... error: build error: After retrying 2 times, Pull image sti...r: unable to retrieve auth token: invalid username/password message: Generic Build failure - check logs for details. output: {} outputDockerImageReference: image-registry.openshift-image-registry.svc:5000/cloud-operations/spring-todo:latest phase: Failed reason: GenericBuildFailed stages: - durationMilliseconds: 1539 name: FetchInputs startTime: "2019-10-30T15:54:40Z" steps: - durationMilliseconds: 1539 name: FetchGitSource startTime: "2019-10-30T15:54:40Z" - durationMilliseconds: 16643 name: PullImages startTime: "2019-10-30T15:54:44Z" steps: - durationMilliseconds: 16643 name: PullBaseImage startTime: "2019-10-30T15:54:44Z" startTimestamp: "2019-10-30T15:54:26Z" kind: List metadata: resourceVersion: "" selfLink: "" ~~~ Is this the expected behavior? The application namespace must have a token to access the external Red Hat Registry instead of having it only on openshift default namespace?
Linking https://bugzilla.redhat.com/show_bug.cgi?id=1702743 since might be related.
Not a bug - the imagestream tag is not a pullthrough image tag. As a result, the build controller resolves the image to its proper "upstream" location. In this case, the upstream registry.redhat.io repo requires a pull secret. Use the `--reference-policy=local` flag in `oc import-image` or `oc tag` to use pullthrough - then the image will live on the internal registry and won't require a pull secret.
Hi @Adam! Many thanks for the information. After deleting and recreating the imagestream with the flag `--reference-policy=local` I was able to deploy the application correctly. Thanks!