In this case, Tony is trying to connect to the OpenShift registry, so the secret should exist; the dockercfg secret for the project's default service account.
Tony, two things that may be your issue:
1) You're using a route for your registry (docker-lab.example.net). The dockercfg secret will likely only have an entry for the ip address of the registry and not the route. (Maciej, maybe you know of a way to get the secrets to include an entry for the host of the route). Otherwise, you're better off specifying the service ip when invoking new-app.
You can check what hosts are included in the dockercfg secret by doing 'oc describe secret/default-dockercfg-XXXX' where XXXX is whatever suffix is used in your project.
2) The image ref that you're using in your new-app invocation doesn't include a namespace. All images on the OpenShift registry will have a namespace and name like:
[registry-host]:[port]/projectname/testwebapp:latest. Make sure you have the full spec for the image (from 'oc get is').