As a consequence of a feature gap (ICSP not fully implemented across the system for disconnected clusters, https://issues.redhat.com/browse/IR-34) the mirroring e2e tests which verify disconnected clusters cannot pass because the e2e tests use image streams with pullthrough (starting 12/08/2020 with the offline e2e changes to mitigate docker and allow offline e2e testing). This means roughly 50 e2e tests fail, leaving a gap in our coverage that means we may regress customers without being aware of it in a new release.
Because this is tied to work that requires a feature, a one-time deferral from 4.8 may be appropriate, but leaving disconnected clusters ungated is also a significant product-level risk. If this bug is deferred, we should open a 4.7.z bug and explicitly defer it, then backport the ICSP behavior if the fix comes within a reasonable time. Also, please keep the environment up to date (since the mirroring jobs are 25% red because of this).
Failure list: https://prow.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-ocp-installer-e2e-aws-mirrors-4.7/1351622431432773632
"A one time deferral from 4.7". Right now we can't even run proxy-e2e tests so we don't even know if any other tests have regressed.
Per comments in this issue, opened backport to 4.7.z.
Could pull an image whose imagestream has pullthrough enabled via imagecontentsourcepolicy on a restricted cluster.
Step 1: Create a mirror registry without auth and mirror the jenkins image to the mirror registry
Pull jenkins image from mirror registry without auth
$ podman pull wxj-611icsp14.mirror-registry.qe.gcp.devcluster.openshift.com:5000/ocp/release@sha256:c8b838b043b7a13f69749ebd99dcf6982b405d6421ee774c5f41cc7891bf8561 --tls-verify=false
Trying to pull wxj-611icsp14.mirror-registry.qe.gcp.devcluster.openshift.com:5000/ocp/release@sha256:c8b838b043b7a13f69749ebd99dcf6982b405d6421ee774c5f41cc7891bf8561...
Getting image source signatures
Copying blob 33db084abe90 done
Copying blob 99920319b5be done
Copying blob 45d8de60ce97 done
Copying blob 3cbc59484248 done
Copying blob d0c9851d609d done
Copying blob a46440ee71ba done
Copying config 1892869616 done
Writing manifest to image destination
Check if the jenkins imagestream imports successfully with pullthrough
$ oc get is jenkins -n openshift -o json | jq -r '.status.tags'
$ oc get imagecontentsourcepolicy image-policy-0 -o json | jq -r '.spec'
Create jenkins application
$ oc new-app jenkins-persistent
jenkins pod is running.
$ oc get pods
NAME               READY   STATUS      RESTARTS   AGE
jenkins-1-5pcll    1/1     Running     0          12h
jenkins-1-deploy   0/1     Completed   0          12h
Image could be pulled from mirror registry via ICSP.
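As an added illustration (not part of the bug report and not OpenShift's code), the sketch below models which pull specs an ICSP `.spec` like the one inspected above yields for a given image reference, including the case where a tag reference is not mirrored at all. The registries, repositories and function names are constructed; longest-source-prefix matching and falling back to the source last are assumptions modelled on how the generated registry mirror configuration behaves.

```python
import json

# Constructed ICSP spec (hypothetical registries), shaped like the output of
# `oc get imagecontentsourcepolicy <name> -o json | jq '.spec'`.
SAMPLE_SPEC = json.loads("""
{"repositoryDigestMirrors": [
  {"source": "registry.example.com/team",
   "mirrors": ["mirror.example.com:5000/team"]},
  {"source": "registry.example.com/team/app",
   "mirrors": ["mirror.example.com:5000/mirrored/app"]}
]}
""")


def split_ref(image_ref):
    """Return (repository, digest); digest is None for tag or bare references."""
    if "@" in image_ref:
        repo, digest = image_ref.split("@", 1)
        return repo, digest
    # Drop a tag without mistaking a registry port (host:5000/...) for one.
    if ":" in image_ref.rsplit("/", 1)[-1]:
        image_ref = image_ref[: image_ref.rfind(":")]
    return image_ref, None


def pull_candidates(icsp_spec, image_ref):
    """Ordered pull specs a node would try for image_ref under this ICSP."""
    repo, digest = split_ref(image_ref)
    if digest is None:
        return [image_ref]  # digest mirrors never apply to tag pulls
    best = None
    for entry in icsp_spec.get("repositoryDigestMirrors", []):
        src = entry["source"]
        # Match on a path boundary so "team" does not capture "teamster".
        if repo == src or repo.startswith(src + "/"):
            if best is None or len(src) > len(best["source"]):
                best = entry
    if best is None:
        return [image_ref]
    suffix = repo[len(best["source"]):]
    mirrored = [f"{m}{suffix}@{digest}" for m in best.get("mirrors", [])]
    return mirrored + [image_ref]  # the source is tried last


if __name__ == "__main__":
    ref = "registry.example.com/team/app@sha256:" + "a" * 64
    for candidate in pull_candidates(SAMPLE_SPEC, ref):
        print(candidate)
```

On a disconnected cluster the last candidate (the original source) is unreachable, so any reference that returns only itself here is one that cannot be pulled.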
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.