Bug 1767076 - BuildConfig refers to wrong DockerImage in new builds for newly created ImageStreams on 'openshift' namespace
Summary: BuildConfig refers to wrong DockerImage in new builds for newly created Image...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.2.z
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Adam Kaplan
QA Contact: wewang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-30 16:02 UTC by Ricardo Zanini
Modified: 2019-11-01 14:22 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-30 20:01:28 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1702743 0 unspecified CLOSED Pull image still failed due to error: while pulling "docker://registry.redhat.io/rhoar-nodejs/nodejs-10... 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker KOGITO-504 0 Major Closed Investigate why Kogito s2i builds take too much time on OpenShift 4.x 2020-09-03 07:41:47 UTC

Description Ricardo Zanini 2019-10-30 16:02:53 UTC
Description of problem:

After importing new images from Red Hat Registry and try to using them with "oc new-app" command, the newly started build refers to the image in the Red Hat registry instead of the internal one:

~~~

~~~


Version-Release number of selected component (if applicable):
4.2.2

How reproducible:
Always

Steps to Reproduce:
1. Import the new s2i JDK images with:
~~~
oc import-image redhat-openjdk-18/openjdk18-openshift --from=registry.redhat.io/redhat-openjdk-18/openjdk18-openshift --confirm -n openshift

--
oc describe is openjdk18-openshift -n openshift

Name:			openjdk18-openshift
Namespace:		openshift
Created:		About an hour ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2019-10-30T15:08:01Z
Image Repository:	default-route-openshift-image-registry.apps.kogito.automation.rhmw.io/openshift/openjdk18-openshift
Image Lookup:		local=false
Unique Images:		1
Tags:			1

latest
  tagged from registry.redhat.io/redhat-openjdk-18/openjdk18-openshift

  * registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96
      About an hour ago
~~~

2. Create a new app using this image:

~~~
oc new-app https://github.com/ricardozanini/spring-todo --image-stream=openshift/openjdk18-openshift:latest --build-env S2I_SOURCE_DEPLOYMENTS_FILTER="*.war"
~~~

3. The newly created build will refer to the DockerImage in the Red Hat Registry instead:

~~~
 strategy:
    type: Source
    sourceStrategy:
      from:
        kind: DockerImage
        name: >-
          registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96
      env:
        - name: S2I_SOURCE_DEPLOYMENTS_FILTER
          value: '*.war'
~~~

4. Then failing the build because the app's namespace doesn't have the required token to access the registry:

~~~
Cloning "https://github.com/ricardozanini/spring-todo" ...
	Commit:	4d6ea2c8e692031fcaef6acbd488df7eff6aa10e (Standard to openshift profile)
	Author:	Ricardo Zanini <1538000+ricardozanini.github.com>
	Date:	Wed Oct 30 11:55:31 2019 -0300
Caching blobs under "/var/cache/blobs".
Warning: Pull failed, retrying in 5s ...
Warning: Pull failed, retrying in 5s ...
Warning: Pull failed, retrying in 5s ...
error: build error: After retrying 2 times, Pull image still failed due to error: unable to retrieve auth token: invalid username/password
~~~

Actual results:

The build fails to pull the image because has references to pull it from a protected registry.

Expected results:

To have the build to reference the internal registry instead, like:

image-registry.openshift-image-registry.svc:5000/openshift/openjdk18-openshift


Additional info:

Generated BuildConfig:

~~~
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewApp
  creationTimestamp: "2019-10-30T15:54:26Z"
  labels:
    app: spring-todo
  name: spring-todo
  namespace: cloud-operations
  resourceVersion: "8680820"
  selfLink: /apis/build.openshift.io/v1/namespaces/cloud-operations/buildconfigs/spring-todo
  uid: 8cb0b99a-fb2d-11e9-96f4-0a580a820097
spec:
  failedBuildsHistoryLimit: 5
  nodeSelector: null
  output:
    to:
      kind: ImageStreamTag
      name: spring-todo:latest
  postCommit: {}
  resources: {}
  runPolicy: Serial
  source:
    git:
      uri: https://github.com/ricardozanini/spring-todo
    type: Git
  strategy:
    sourceStrategy:
      env:
      - name: S2I_SOURCE_DEPLOYMENTS_FILTER
        value: '*.war'
      from:
        kind: ImageStreamTag
        name: openjdk18-openshift:latest
        namespace: openshift
    type: Source
  successfulBuildsHistoryLimit: 5
  triggers:
  - github:
      secret: gPq1g-2EywzVZXedZuEs
    type: GitHub
  - generic:
      secret: nOJMce-UID7fQZjWVmwx
    type: Generic
  - type: ConfigChange
  - imageChange:
      lastTriggeredImageID: registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96
    type: ImageChange
status:
  lastVersion: 1
~~~

Build:

~~~
apiVersion: v1
items:
- apiVersion: build.openshift.io/v1
  kind: Build
  metadata:
    annotations:
      openshift.io/build-config.name: spring-todo
      openshift.io/build.number: "1"
      openshift.io/build.pod-name: spring-todo-1-build
    creationTimestamp: "2019-10-30T15:54:26Z"
    labels:
      app: spring-todo
      buildconfig: spring-todo
      openshift.io/build-config.name: spring-todo
      openshift.io/build.start-policy: Serial
    name: spring-todo-1
    namespace: cloud-operations
    ownerReferences:
    - apiVersion: build.openshift.io/v1
      controller: true
      kind: BuildConfig
      name: spring-todo
      uid: 8cb0b99a-fb2d-11e9-96f4-0a580a820097
    resourceVersion: "8681229"
    selfLink: /apis/build.openshift.io/v1/namespaces/cloud-operations/builds/spring-todo-1
    uid: 8cd89fad-fb2d-11e9-87e3-0a580a81007d
  spec:
    nodeSelector: null
    output:
      pushSecret:
        name: builder-dockercfg-t2w6q
      to:
        kind: ImageStreamTag
        name: spring-todo:latest
    postCommit: {}
    resources: {}
    revision:
      git:
        author:
          email: 1538000+ricardozanini.github.com
          name: Ricardo Zanini
        commit: 4d6ea2c8e692031fcaef6acbd488df7eff6aa10e
        committer:
          email: noreply
          name: GitHub
        message: Standard to openshift profile
      type: Git
    serviceAccount: builder
    source:
      git:
        uri: https://github.com/ricardozanini/spring-todo
      type: Git
    strategy:
      sourceStrategy:
        env:
        - name: S2I_SOURCE_DEPLOYMENTS_FILTER
          value: '*.war'
        from:
          kind: DockerImage
          name: registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96
      type: Source
    triggeredBy:
    - imageChangeBuild:
        fromRef:
          kind: ImageStreamTag
          name: openjdk18-openshift:latest
          namespace: openshift
        imageID: registry.redhat.io/redhat-openjdk-18/openjdk18-openshift@sha256:308c64dd37bcaad23fd73fd5c12877529b25887c41c136118fcb49c60f20ed96
      message: Image change
  status:
    completionTimestamp: "2019-10-30T15:55:01Z"
    config:
      kind: BuildConfig
      name: spring-todo
      namespace: cloud-operations
    duration: 35000000000
    logSnippet: |-
      Caching blobs under "/var/cache/blobs".
      Warning: Pull failed, retrying in 5s ...
      Warning: Pull failed, retrying in 5s ...
      Warning: Pull failed, retrying in 5s ...
      error: build error: After retrying 2 times, Pull image sti...r: unable to retrieve auth token: invalid username/password
    message: Generic Build failure - check logs for details.
    output: {}
    outputDockerImageReference: image-registry.openshift-image-registry.svc:5000/cloud-operations/spring-todo:latest
    phase: Failed
    reason: GenericBuildFailed
    stages:
    - durationMilliseconds: 1539
      name: FetchInputs
      startTime: "2019-10-30T15:54:40Z"
      steps:
      - durationMilliseconds: 1539
        name: FetchGitSource
        startTime: "2019-10-30T15:54:40Z"
    - durationMilliseconds: 16643
      name: PullImages
      startTime: "2019-10-30T15:54:44Z"
      steps:
      - durationMilliseconds: 16643
        name: PullBaseImage
        startTime: "2019-10-30T15:54:44Z"
    startTimestamp: "2019-10-30T15:54:26Z"
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
~~~

Is this the expected behavior? The application namespace must have a token to access the external Red Hat Registry instead of having it only on openshift default namespace?

Comment 1 Ricardo Zanini 2019-10-30 18:49:09 UTC
Linking https://bugzilla.redhat.com/show_bug.cgi?id=1702743 since might be related.

Comment 2 Adam Kaplan 2019-10-30 20:01:28 UTC
Not a bug - the imagestream tag is not a pullthrough image tag. As a result, the build controller resolves the image to its proper "upstream" location. In this case, the upstream registry.redhat.io repo requires a pull secret.

Use the `--reference-policy=local` flag in `oc import-image` or `oc tag` to use pullthrough - then the image will live on the internal registry and won't require a pull secret.

Comment 3 Ricardo Zanini 2019-11-01 14:22:55 UTC
Hi @Adam! Many thanks for the information. After deleting and recreating the imagestream with the flag `--reference-policy=local` I was able to deploy the application correctly. Thanks!


Note You need to log in before you can comment on or make changes to this bug.