oc import-image --from=registry cross-cross:latest --confirm --insecure

[soltysh]

While working on cherry picking #9580 I was invoking:

oc import-image --from=${DOCKER_REGISTRY}/custom/cross:namespace-pull cross-cross:latest --confirm --insecure

For some reason --insecure flag was not applied to the created Image Stream.

[soltysh]

When working on this please add following test:

imageid=$(docker images | grep custom/cross | awk '{ print $3 }')
os::cmd::expect_success "docker rmi -f ${imageid}"
echo "[INFO] Importing image from internal registry for chained cross pull"
os::cmd::expect_success "oc import-image --from=${DOCKER_REGISTRY}/custom/cross:namespace-pull cross-cross:latest --confirm --insecure"
os::cmd::expect_success "docker pull ${DOCKER_REGISTRY}/cache/cross-cross:latest"
echo "[INFO] Cross namespace chained pull successful"

which is failing right now.

[soltysh]

The --insecure flag works as expected, just checked, lowering prio to p2. I'm still trying to figure out why the test fails, though.

[miminar]

IMHO the problem here is that the registry is trying to pullthrough from itself. Using the importer which is invoked with insecure=false (hardcoded). And of course this fails because the registry is not secured.

[soltysh]

This is blocked by #9758. We can't implement that without the option to specify multiple secrets.

[miminar]

#17238 should be addressed when fixing this.

[bparees]

This is blocked by #9758. We can't implement that without the option to specify multiple secrets.

@soltysh @miminar why do we need multiple secrets to resolve this?

Can one of you provide an updated summary of exactly what scenario is broken?

What I am seeing is:

1. push an image in one project
2. as the same user, import that image into a second project (from the registry)
3. the imagestream is marked insecure(and the registry is) but the import fails with:

 message: you may not have access to the Docker image "172.30.244.80:5000/p2/foo:latest"

I would assume the issue here is simply that the docker secret that the importer picked up from my second project doesn't have access to the first project.

Is there something deeper?

[soltysh]

Sorry, I can't remember a thing 😢 I'll defer to @miminar since he's still playing with images and registry.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[bparees]

/lifecycle frozen
/remove-lifecycle stale