Description of problem:
`oc adm catalog mirror` does not pass --insecure to the underlying `oc extract` command, which means mirror doesn't work if mirroring from an untrusted registry (mirroring from a trusted registry or a file works).

Version-Release number of selected component (if applicable):
Cluster version is: 4.3.0-0.nightly-2020-01-14-000626
[jzhang@dhcp-140-36 ~]$ oc version
Client Version: 4.3.0-0.nightly-2020-01-14-000626
Server Version: 4.3.0-0.nightly-2020-01-14-000626
Kubernetes Version: v1.16.2

How reproducible:
always

Steps to Reproduce:
1. Install the `oc` client.
2. Check the help info.
[jzhang@dhcp-140-36 ~]$ oc adm catalog mirror --inesecure
Error: unknown flag: --inesecure
See 'oc adm catalog mirror --help' for usage.

Actual results:
No '--insecure' option is provided.
[jzhang@dhcp-140-36 ~]$ oc adm catalog mirror --help
Mirrors the contents of a catalog into a registry.

This command will pull down an image containing a catalog database, extract it to disk, query it to find all of the images used in the manifests, and then mirror them to a target registry.

By default, the database is extracted to a temporary directory, but can be saved locally via flags.

An ImageContentSourcePolicy is written to a file that can be adedd to a cluster with access to the target registry. This will configure the cluster to pull from the mirrors instead of the locations referenced in the operator manifests.

A mapping.txt file is also created that is compatible with "oc image mirror". This may be used to further customize the mirroring configuration, but should not be needed in normal circumstances.

Usage:
  oc adm catalog mirror [flags]

Options:
      --dir='': The directory on disk that file:// images will be copied under.
      --dry-run=false: Print the actions that would be taken and exit without writing to the destinations.
      --from-dir='': The directory on disk that file:// images will be read from. Overrides --dir
      --manifests-only=false: Calculate the manifests required for mirroring, but do not actually mirror image content.
      --path='': Specify an in-container to local path mapping for the database.
      --to-manifests='': Local path to store manifests.

Use "oc adm options" for a list of global command-line options (applies to all commands).

Expected results:
Should pass the `--insecure` option so that `oc adm catalog mirror` can work for the untrusted registry.

Additional info:

--insecure option is now available, marking as VERIFIED.

oc version
Client Version: 4.4.0-0.nightly-2020-01-22-221818

oc adm catalog mirror -h
Mirrors the contents of a catalog into a registry.

This command will pull down an image containing a catalog database, extract it to disk, query it to find all of the images used in the manifests, and then mirror them to a target registry.

By default, the database is extracted to a temporary directory, but can be saved locally via flags.

An ImageContentSourcePolicy is written to a file that can be adedd to a cluster with access to the target registry. This will configure the cluster to pull from the mirrors instead of the locations referenced in the operator manifests.

A mapping.txt file is also created that is compatible with "oc image mirror". This may be used to further customize the mirroring configuration, but should not be needed in normal circumstances.

Usage:
  oc adm catalog mirror SRC DEST [flags]

Examples:
  # Mirror an operator-registry image and its contents to a registry
  oc adm catalog mirror quay.io/my/image:latest myregistry.com

  # Configure a cluster to use a mirrored registry
  oc apply -f manifests/imageContentSourcePolicy.yaml

  # Edit the mirroring mappings and mirror with "oc image mirror" manually
  oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
  oc image mirror -f manifests/mapping.txt

Options:
      --dir='': The directory on disk that file:// images will be copied under.
      --dry-run=false: Print the actions that would be taken and exit without writing to the destinations.
      --filter-by-os='': A regular expression to control which images are considered when multiple variants are available. Images will be passed as '<platform>/<architecture>[/<variant>]'.
      --from-dir='': The directory on disk that file:// images will be read from. Overrides --dir
      --insecure=false: Allow push and pull operations to registries to be made over HTTP
      --manifests-only=false: Calculate the manifests required for mirroring, but do not actually mirror image content.
      --max-per-registry=4: Number of concurrent requests allowed per registry.
      --path='': Specify an in-container to local path mapping for the database.
  -a, --registry-config='': Path to your registry credentials (defaults to ~/.docker/config.json)
      --skip-verification=false: Skip verifying the integrity of the retrieved content. This is not recommended, but may be necessary when importing images from older image registries. Only bypass verification if the registry is known to be trustworthy.
      --to-manifests='': Local path to store manifests.

Use "oc adm options" for a list of global command-line options (applies to all commands).

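Because --insecure and --skip-verification relax transport and integrity checks for the whole mirror run, mirroring scripts can gate them behind an allow-list. The following is an added example, not part of this bug report or of the oc code base: a shell pre-check over the arguments of an `oc adm catalog mirror` invocation. The function names, the `ALLOWED_RELAXED_HOSTS` variable and the lab host names are hypothetical, and the policy (both SRC and DEST must be approved) is an assumption.

```shell
#!/bin/sh
# Constructed allow-list (hypothetical hosts): registries for which relaxed
# transport or verification has been explicitly approved. Space-separated.
ALLOWED_RELAXED_HOSTS="${ALLOWED_RELAXED_HOSTS:-mirror.lab.example:5000}"

# check_mirror_args ARGS...
# ARGS are the arguments that would follow "oc adm catalog mirror".
# Returns 0 if the invocation keeps the strict defaults, or if every
# endpoint (SRC and DEST) is approved for relaxed handling; 1 otherwise.
check_mirror_args() {
    relaxed="" src="" dest=""
    while [ $# -gt 0 ]; do
        case $1 in
            --insecure|--insecure=true)
                relaxed="$relaxed --insecure" ;;
            --skip-verification|--skip-verification=true)
                relaxed="$relaxed --skip-verification" ;;
            # Flags from the help text whose value may be a separate argument.
            --dir|--from-dir|--path|--to-manifests|--filter-by-os|\
            --max-per-registry|--registry-config|-a)
                if [ $# -gt 1 ]; then shift; fi ;;
            -*) ;;   # any other flag, including --flag=value forms
            *)  if [ -z "$src" ]; then src=$1; else dest=$1; fi ;;
        esac
        shift
    done

    # Strict defaults in use: nothing to review.
    if [ -z "$relaxed" ]; then return 0; fi

    for ref in "$src" "$dest"; do
        host=${ref%%/*}          # registry host is everything before the first "/"
        case " $ALLOWED_RELAXED_HOSTS " in
            *" $host "*) ;;      # approved endpoint
            *)  echo "refused:$relaxed not approved for '$host'" >&2
                return 1 ;;
        esac
    done
    return 0
}
```

A wrapper can call `check_mirror_args "$@"` and run the real `oc adm catalog mirror "$@"` only when it returns 0.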
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581