Openshift import-image call via REST API

[Meems33]

Is this possible?

I'm looking for a way to import images from an artifactory docker repository into an openshift internal docker repository (without using CLI). So far I have been able to use the openshift REST API to create an image stream that pulls from the repository and auto loads tags using this json:

    { 
        "apiVersion": "v1", 
        "kind":"ImageStream", 
        "metadata": { 
            "name": "mystream", 
            "namespace": "myproject"
        }
        "spec": { 
            "dockerImageRepository": "artifactory.docker.repository/myproject/mystream" 
        },
        "status": { } 
    }

If my repository has three tags "test1", "test2", and "latest" this will cause the stream to be created and then within a few seconds the images to be asynchronously synced.

I have not found a way to manually cause this sync to occur (outside of the command line and using oc image-import). Per the documentation import-image is not automated (yet), but I was hoping there was a way to trigger the sync without using the import-image command. I tried modifying annotation tags on the image stream but that does not appear to cause an update. Does this feature exist?

[deads2k]

You can run any command with --loglevel=8 and see exactly which API calls its making.

In this case, we do one of two things:

1. use imagestreamimport for new servers
2. delete the openshift.io/image.dockerRepositoryCheck annotation for old servers

You can use the higher log level to see which your server supports doing.

[smarterclayton]

/oapi/v1/namespaces/NAMESPACE/imagestreamimport is synchronous and will allow you to see the metadata prior to import. In addition, scheduling is also available. In 1.1.2

[zonArt]

@Meems33 Sorry for coming late on this issue, but I notice per your comment that you seemed to successfully having an ImageStream pulling an external artifactory docker registry.
May I kindly ask you whether it was an authenticated registry and if yes how you manage to get your ImageStream working with it ?

[ghost]

@zonArt you will need a dockercfg secret and link it to the project service account(s) (serviceaccount "default" for pull/push of images, "builder" for pull/push of S2I images). First, create a dockercfg type secret with your registry server URL, username and password (+ optional email). Then link it to the project serviceaccount.

oc secret new-dockercfg registry-secret-name \
   --docker-server=<registry URL> \
   --docker-username=<username> \
   --docker-password=<password> \
   --docker-email=<email>

oc secrets link default <secret name> --for=pull
oc secrets link builder <secret name> --for=pull # For S2I builder image pull

https://docs.openshift.com/container-platform/3.6/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries

EDIT: Example ImageStream spec below

apiVersion: v1
kind: ImageStreamImport
metadata:
  labels:
    app: my-app
  name: my-app-imagestream
spec:
  import: true
  repository:
    from:
      kind: DockerImage
      name: my.custom.registry.com/my-app
    importPolicy:
      insecure: true # Necessary if using self-signed / untrusted certificates on the registry
      scheduled: true
status: {}

[zonArt]

@tomcooperca Thank you, I'm aware that I need Secret and associate them to ServiceAccounts however this doesn't do the trick, I need two (secrets) of them (one with the port 443 defined and another one without it). I already opened a ticket (#17238) to ask this question more in detail.