Bug 1790802 - `oc adm catalog mirror` should pass `--inesecure` option
Summary: `oc adm catalog mirror` should pass `--inesecure` option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.4.0
Assignee: Evan Cordell
QA Contact: Bruno Andrade
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-01-14 09:00 UTC by Jian Zhang
Modified: 2020-05-04 11:24 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-04 11:24:06 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift oc pull 252 None closed Bug 1790802: Pass security options for `oc adm catalog mirror` 2020-11-11 12:34:21 UTC
Red Hat Product Errata RHBA-2020:0581 None None None 2020-05-04 11:24:32 UTC

Description Jian Zhang 2020-01-14 09:00:32 UTC
Description of problem:
`oc adm catalog mirror` does not pass --inesecure to the underlying `oc extract` command, which means mirror doesn't work if mirroring from an untrusted registry (mirroring from a trusted registry or a file works).

Version-Release number of selected component (if applicable):
Cluster version is: 4.3.0-0.nightly-2020-01-14-000626 
[jzhang@dhcp-140-36 ~]$ oc version
Client Version: 4.3.0-0.nightly-2020-01-14-000626
Server Version: 4.3.0-0.nightly-2020-01-14-000626
Kubernetes Version: v1.16.2

How reproducible:
always

Steps to Reproduce:
1. Install the `oc` client.

2. Check the help info.
[jzhang@dhcp-140-36 ~]$ oc adm catalog mirror --inesecure
Error: unknown flag: --inesecure
See 'oc adm catalog mirror --help' for usage.


Actual results:
No '--inesecure' provides.

[jzhang@dhcp-140-36 ~]$ oc adm catalog mirror --help
Mirrors the contents of a catalog into a registry.

 This command will pull down an image containing a catalog database, extract it to disk, query it to find all of the
images used in the manifests, and then mirror them to a target registry.

 By default, the database is extracted to a temporary directory, but can be saved locally via flags.

 An ImageContentSourcePolicy is written to a file that can be adedd to a cluster with access to the target registry.
This will configure the cluster to pull from the mirrors instead of the locations referenced in the operator manifests.

 A mapping.txt file is also created that is compatible with "oc image mirror". This may be used to further customize the
mirroring configuration, but should not be needed in normal circumstances.

Usage:
  oc adm catalog mirror [flags]

Options:
      --dir='': The directory on disk that file:// images will be copied under.
      --dry-run=false: Print the actions that would be taken and exit without writing to the destinations.
      --from-dir='': The directory on disk that file:// images will be read from. Overrides --dir
      --manifests-only=false: Calculate the manifests required for mirroring, but do not actually mirror image content.
      --path='': Specify an in-container to local path mapping for the database.
      --to-manifests='': Local path to store manifests.

Use "oc adm options" for a list of global command-line options (applies to all commands).


Expected results:
Should pass the `--inesecure` option so that `oc adm catalog mirror` can work for the untrusted registry.

Additional info:

Comment 2 Bruno Andrade 2020-01-24 12:21:34 UTC
--insecure option is now available, marking as VERIFIED.


oc version                                                    
Client Version: 4.4.0-0.nightly-2020-01-22-221818

oc adm catalog mirror -h            
Mirrors the contents of a catalog into a registry.

 This command will pull down an image containing a catalog database, extract it to disk, query it to find all of the
images used in the manifests, and then mirror them to a target registry.

 By default, the database is extracted to a temporary directory, but can be saved locally via flags.

 An ImageContentSourcePolicy is written to a file that can be adedd to a cluster with access to the target registry.
This will configure the cluster to pull from the mirrors instead of the locations referenced in the operator manifests.

 A mapping.txt file is also created that is compatible with "oc image mirror". This may be used to further customize the
mirroring configuration, but should not be needed in normal circumstances.

Usage:
  oc adm catalog mirror SRC DEST [flags]

Examples:
  # Mirror an operator-registry image and its contents to a registry
  oc adm catalog mirror quay.io/my/image:latest myregistry.com
  
  # Configure a cluster to use a mirrored registry
  oc apply -f manifests/imageContentSourcePolicy.yaml
  
  # Edit the mirroring mappings and mirror with "oc image mirror" manually
  oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
  oc image mirror -f manifests/mapping.txt

Options:
      --dir='': The directory on disk that file:// images will be copied under.
      --dry-run=false: Print the actions that would be taken and exit without writing to the destinations.
      --filter-by-os='': A regular expression to control which images are considered when multiple variants are
available. Images will be passed as '<platform>/<architecture>[/<variant>]'.
      --from-dir='': The directory on disk that file:// images will be read from. Overrides --dir
      --insecure=false: Allow push and pull operations to registries to be made over HTTP
      --manifests-only=false: Calculate the manifests required for mirroring, but do not actually mirror image content.
      --max-per-registry=4: Number of concurrent requests allowed per registry.
      --path='': Specify an in-container to local path mapping for the database.
  -a, --registry-config='': Path to your registry credentials (defaults to ~/.docker/config.json)
      --skip-verification=false: Skip verifying the integrity of the retrieved content. This is not recommended, but may
be necessary when importing images from older image registries. Only bypass verification if the registry is known to be
trustworthy.
      --to-manifests='': Local path to store manifests.

Use "oc adm options" for a list of global command-line options (applies to all commands).

Comment 4 errata-xmlrpc 2020-05-04 11:24:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581


Note You need to log in before you can comment on or make changes to this bug.