Bug 1888936 - Cannot update Encrypt flag from image-registry config operator
Keywords:
Status: CLOSED DUPLICATE of bug 1814709
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: Oleg Bulatov
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-10-16 12:26 UTC by Martin Ouimet
Modified: 2020-10-19 11:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-19 11:28:28 UTC
Target Upstream Version:
Embargoed:



Description Martin Ouimet 2020-10-16 12:26:06 UTC
Description of problem:

I configured Image Registry to use S3 provided by Noobaa (from OCS installation). 

The operator succeeds, but I am unable to push an image to the registry. I get error 500.

I realized this is caused by the switch "encrypt" from the s3 configuration in configs.imageregistry.operator.openshift.io cluster. When trying to set encrypt to false, the configuration always goes back to true.

The only way I found to set the encrypt flag to false is to configure the image registry to use a PVC claim and then, once the image registry is back, update the configuration with s3 with the flag encrypt explicitly set to false.

The documentation states that the default for encrypt is false.


Version-Release number of selected component (if applicable):
4.5.14

I know this was working fine in 4.4. I cannot say if this encrypt feature appeared in 4.5 or in a sub-version of 4.5.


Steps to Reproduce:

1. Install OCP 4.5.14
2. Install OCS 4.5
3. Create an object bucket claim (or a bucket directly in noobaa)
4. Configure image registry to use the new bucket
 - Create secret image-registry-private-configuration-user with bucket creds.
 - Edit configs.imageregistry.operator.openshift.io cluster
 - Example:

  storage:
    s3:
      bucket: image-registry-395028b0-141b-4242-84a1-1f4a9099aa7c
      encrypt: false
      region: noobaa
      regionEndpoint: https://s3-openshift-storage.apps.ocp-east.mouimetlab.com
      virtualHostedStyle: false

Actual results:

 - Image registry status will be ok, since access to bucket works.
 - Create an image stream in a project
 - try to podman push to the image stream ( should get 500 )

 - try to update configs.imageregistry.operator.openshift.io cluster and change the flag encrypt to false. 

 - check the output of 
   oc get configs.imageregistry.operator.openshift.io cluster -o yaml

  the flag encrypt will be true

 

Expected results:

- Expected to be able to set encrypt flag to false. 


Additional info:

Looks like Noobaa does not support the encrypt feature. It only works when encrypt flag is false. 

I can expect that a customer could face this issue using any local S3-compatible device for the image registry backend.

Same behaviour on AWS, Bare-metal and UPI VMWare.
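
Added example (not part of the original report or of the operator's code): a shell check that sets the flag as the report describes and polls the config to see whether the operator rewrites it. The function names, the poll count and delay, and the treatment of an empty value as false are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report: set spec.storage.s3.encrypt and
# confirm the operator does not rewrite it (the symptom described above).
CR=configs.imageregistry.operator.openshift.io

# Print the value at a JSONPath in the cluster config ("" if the field is unset).
read_field() {
    oc get "$CR" cluster -o "jsonpath={$1}"
}

# verify_encrypt WANT [TRIES] [DELAY]
# Returns 0 if the value stays at WANT on every poll, 1 if it was changed
# back, 2 on bad usage or when the patch itself is rejected.
verify_encrypt() {
    want=$1 tries=${2:-6} delay=${3:-5}
    case $want in
        true|false) ;;
        *) echo "usage: verify_encrypt true|false [tries] [delay]" >&2; return 2 ;;
    esac

    # Merge-patch only the one field so the rest of the s3 block is untouched.
    oc patch "$CR" cluster --type merge \
        -p "{\"spec\":{\"storage\":{\"s3\":{\"encrypt\":$want}}}}" >/dev/null || return 2

    i=0
    while [ "$i" -lt "$tries" ]; do
        sleep "$delay"
        got=$(read_field .spec.storage.s3.encrypt)
        # Assumption: an omitted boolean means false (the documented default
        # according to the report); jsonpath prints nothing for it.
        [ -n "$got" ] || got=false
        if [ "$got" != "$want" ]; then
            echo "reverted: spec.storage.s3.encrypt=$got (wanted $want)" >&2
            return 1
        fi
        i=$((i + 1))
    done
    echo "stable: spec.storage.s3.encrypt=$want after $((tries * delay))s"
}
```

Running `verify_encrypt false` against an affected cluster would return 1 once the operator resets the value; a return of 0 means the setting held for the whole polling window.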

Comment 1 Stephen Cuppett 2020-10-19 11:23:50 UTC
Setting target release to the active development branch (4.7.0). For any fixes, where required and requested, cloned BZs will be created for those release maintenance streams where appropriate once they are identified.

Comment 2 Oleg Bulatov 2020-10-19 11:28:28 UTC

*** This bug has been marked as a duplicate of bug 1814709 ***

