Bug 1846127 - Restricted OLM - the ICSP is generated with digests.
Keywords:
Status: CLOSED DUPLICATE of bug 1842655
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Evan Cordell
QA Contact: Jian Zhang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-06-10 20:42 UTC by Alexander Chuzhoy
Modified: 2020-06-10 20:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-10 20:50:10 UTC
Target Upstream Version:
Embargoed:



Description Alexander Chuzhoy 2020-06-10 20:42:53 UTC
[kni@provisionhost-0-0 ~]$ oc version
Client Version: 4.5.0-0.nightly-2020-06-05-214616
Server Version: 4.5.0-0.nightly-2020-06-08-192500
Kubernetes Version: v1.18.3+a637491


Followed the procedure documented in https://access.redhat.com/documentation/en-us/openshift_container_platform/4.4/html-single/operators/index#olm-restricted-networks-operatorhub_olm-restricted-networks

oc adm catalog build --appregistry-org redhat-operators --from=quay.io/openshift/origin-operator-registry:4.5 --to=registry.ocp-sasha-0.qe.lab.redhat.com:5000/localoperators/redhat-operators:v4.5 --registry-config=./combined.json --filter-by-os="linux/amd64"


oc adm catalog mirror registry.ocp-sasha-0.qe.lab.redhat.com:5000/localoperators/redhat-operators:v4.5 registry.ocp-sasha-0.qe.lab.redhat.com:5000 -a ./combined.json


The ICSP YAML is generated with digests in the source:
[kni@provisionhost-0-0 ~]$ head -n 30 redhat-operators-manifests/imageContentSourcePolicy.yaml 
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: redhat-operators
spec:
  repositoryDigestMirrors:
  - mirrors:
    - registry.ocp-sasha-0.qe.lab.redhat.com:5000/amq7/amq-streams-rhel7-operator
    source: registry.redhat.io/amq7/amq-streams-rhel7-operator@sha256:4079eadd9a806adfbf3222f071c0498b17a6c54f9b8d199cf5af4961bcbdd83a
  - mirrors:
    - registry.ocp-sasha-0.qe.lab.redhat.com:5000/openshift-service-mesh/prometheus-rhel8
    source: registry.redhat.io/openshift-service-mesh/prometheus-rhel8@sha256:70960efc418688d96d6e9b1ee8a35905ce221cb08d9e5aefff9616e44b95cd9f
  - mirrors:
    - registry.ocp-sasha-0.qe.lab.redhat.com:5000/ocs4/mcg-rhel8-operator
    source: registry.redhat.io/ocs4/mcg-rhel8-operator@sha256:9b2df211528394938e4e4df648e746f54bf377962968d364febcfcec432074a0
  - mirrors:
    - registry.ocp-sasha-0.qe.lab.redhat.com:5000/openshift4/ose-sriov-dp-admission-controller
    source: registry.redhat.io/openshift4/ose-sriov-dp-admission-controller@sha256:053967be0524c76cec43fa9e8a84f4c432f7575ff7f172d377122d9f1023139f
  - mirrors:
    - registry.ocp-sasha-0.qe.lab.redhat.com:5000/openshift4/ose-cluster-logging-operator
    source: registry.redhat.io/openshift4/ose-cluster-logging-operator@sha256:c7c1af490fec56a15dfd1ab51d08edb79bd8d2a29ea6f4855e68d3a28e61520d
  - mirrors:
    - registry.ocp-sasha-0.qe.lab.redhat.com:5000/distributed-tracing/jaeger-ingester-rhel7
    source: registry.redhat.io/distributed-tracing/jaeger-ingester-rhel7@sha256:9e9ef992dfe2b432cd3a603c1fcce5e9f490bc6d39abc832dc65070a86bdc56e
  - mirrors:
    - registry.ocp-sasha-0.qe.lab.redhat.com:5000/openshift-service-mesh/istio-rhel8-operator
    source: registry.redhat.io/openshift-service-mesh/istio-rhel8-operator@sha256:aee6bebfa43d80936f16fa3ce15b671e2102080d2677d0238790974c2aff8e8d
  - mirrors:
    - registry.ocp-sasha-0.qe.lab.redhat.com:5000/openshift-serverless-1/serving-controller-rhel8
    source: registry.redhat.io/openshift-serverless-1/serving-controller-rhel8@sha256:9c4bf2e4671e3e5d878544fcfe03f760f38fcb58ff939968e5645c98f6ad7879
[kni@provisionhost-0-0 ~]$ 



As a result the /etc/containers/registries.conf has entries similar to:
[[registry]]
  prefix = ""
  location = "registry.redhat.io/openshift4/ose-local-storage-operator@sha256:75f1dfba197945a2f782fff0f9e33dfea6d345384c85ba2d56361608fe83914a"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "registry.ocp-sasha-0.qe.lab.redhat.com:5000/openshift4/ose-local-storage-operator"


Which in turn results in pods not being able to pull images from the local mirror:
 172.224.200.69:443: connect: network is unreachable
  Normal   Pulling         81m (x4 over 83m)     kubelet, worker-0-1.ocp-sasha-0.qe.lab.redhat.com  Pulling image "registry.redhat.io/openshift4/ose-local-storage-operator@sha256:75f1dfba197945a2f782fff0f9e33dfea6d345384c85ba2d56361608fe83914a"
  Warning  Failed          81m (x3 over 83m)     kubelet, worker-0-1.ocp-sasha-0.qe.lab.redhat.com  Failed to pull image "registry.redhat.io/openshift4/ose-local-storage-operator@sha256:75f1dfba197945a2f782fff0f9e33dfea6d345384c85ba2d56361608fe83914a": rpc error: code = Unknown desc = error pinging docker registry registry.redhat.io: Get https://registry.redhat.io/v2/: dial tcp 23.76.70.52:443: connect: network is unreachable
  Warning  Failed          81m (x4 over 83m)     kubelet, worker-0-1.ocp-sasha-0.qe.lab.redhat.com  Error: ErrImagePull
  Normal   BackOff         13m (x304 over 83m)   kubelet, worker-0-1.ocp-sasha-0.qe.lab.redhat.com  Back-off pulling image "registry.redhat.io/openshift4/ose-local-storage-operator@sha256:75f1dfba197945a2f782fff0f9e33dfea6d345384c85ba2d56361608fe83914a"
  Warning  Failed          3m5s (x348 over 83m)  kubelet, worker-0-1.ocp-sasha-0.qe.lab.redhat.com  Error: ImagePullBackOff
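
A lint for the condition in the description above, as an added example that is not part of the bug report or of the `oc`/OLM code: it reads an ImageContentSourcePolicy and flags any `source` or mirror entry that carries a digest or tag instead of naming a bare repository. The sample manifest, its mirror hostname and the shortened digest are constructed, and the line-based parsing assumes the layout shown in the report.

```python
# Constructed sample modelled on the ICSP in the report: the mirror hostname and
# the shortened digest are placeholders; the second entry is a well-formed control.
SAMPLE_ICSP = """\
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: example-operators
spec:
  repositoryDigestMirrors:
  - mirrors:
    - mirror.example.test:5000/amq7/amq-streams-rhel7-operator
    source: registry.redhat.io/amq7/amq-streams-rhel7-operator@sha256:0123abcd
  - mirrors:
    - mirror.example.test:5000/ocs4/mcg-rhel8-operator
    source: registry.redhat.io/ocs4/mcg-rhel8-operator
"""

def split_reference(ref):
    # Returns (repository, qualifier); qualifier is '@<digest>', ':<tag>' or ''.
    # A colon is a tag separator only after the last '/', so 'host:5000/repo' has no tag.
    repo, at, digest = ref.partition("@")
    if at:
        return repo, "@" + digest
    if "/" in repo and ":" in repo.rsplit("/", 1)[1]:
        name, _, tag = repo.rpartition(":")
        return name, ":" + tag
    return repo, ""

def lint_icsp(text):
    """Return (field, value, repository, qualifier) for entries that are not bare repositories."""
    findings = []
    for line in text.splitlines():
        item = line.strip()
        if item.startswith("source:"):
            field, value = "source", item.split(":", 1)[1].strip().strip("'\"")
        elif item.startswith("- ") and not item.endswith(":"):
            field, value = "mirror", item[2:].strip().strip("'\"")
        else:
            continue
        repo, qualifier = split_reference(value)
        if qualifier:
            findings.append((field, value, repo, qualifier))
    return findings

if __name__ == "__main__":
    for field, value, repo, qualifier in lint_icsp(SAMPLE_ICSP):
        print(f"{field} carries {qualifier}: {value} -> repository form {repo}")
```

The lint only reports the repository-scoped form of each flagged entry; it does not describe the change tracked in bug 1842655.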

Comment 1 Evan Cordell 2020-06-10 20:50:10 UTC

*** This bug has been marked as a duplicate of bug 1842655 ***

