
Re: Remote image with referencePolicy.type=Local -> manifest unknown



The registry CAs are distinct from the image import controller CA. They are two different processes running in two different environments. 


Ben Parees | OpenShift

On Nov 16, 2017 10:58 PM, "Lionel Orellana" <lionelve gmail com> wrote:
Looking at the registry logs, it's not happy with the remote registry cert.

time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"

Given that oc import-image works I was expecting the registry to trust the same CAs.

On 17 November 2017 at 12:01, Ben Parees <bparees redhat com> wrote:


On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <lionelve gmail com> wrote:
Is pullthrough enabled on your registry?

Yes.

"When performing pullthrough, the registry will use pull credentials found in the project associated with the image stream tag that is being referenced"


I'm deploying in the same project where the image stream is. I have a dockercfg secret in the project with credentials for the remote registry. I linked that secret to the deployment as pull secret. It works when remotePolicy is Source so I know the credentials are Ok. But how does the registry find the pull credentials to use? I assume it looks for the server name in the dockercfg secret? 

yes.
 


On 17 November 2017 at 10:01, Ben Parees <bparees redhat com> wrote:


On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <lionelve gmail com> wrote:
Hi, 

I imported a remote image and set referencePolicy.type to Local in the resulting tag. When I try to deploy a pod using this image stream tag I get "rpc error: code = 2 desc = manifest unknown: manifest unknown".

If I change the referencePolicy type to Source then the pod pulls the image fine from the remote registry. But this requires linking a pull secret to the deployment which is an extra step I could do without. I thought I would get around that by referencing the Local image. 

How do I pull the remote image when referencePolicy is Local?


Is pullthrough enabled on your registry?

also:
"When performing pullthrough, the registry will use pull credentials found in the project associated with the image stream tag that is being referenced. "

So if your imagestream is in a different project, you need to make sure the credentials are in the right place.


Thanks



--
Ben Parees | OpenShift
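
The registry log line quoted in this thread carries the real cause (an x509 trust failure) in `err.detail`, while the client only sees the generic `err.code` of "manifest unknown". The following is an added example, not part of any message in the thread and not OpenShift code: a small triage script that parses such key=value log lines and names the likely root cause. The function names, the second and third sample lines, and the credential-error substrings are assumptions made for illustration.

```python
import shlex

# Constructed sample log: the first line is the one quoted in the thread,
# the other two are made up for contrast.
SAMPLE_LOG = '''\
time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"
time="2017-11-17T03:54:02.000000000Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail="unknown manifest name=app/web"
time="2017-11-17T03:54:10.000000000Z" level=info msg="response completed"
'''

def parse_logfmt(line):
    """Split a key=value / key="quoted value" log line into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")  # split on the first '=' only
        if sep:
            fields[key] = value.strip()
    return fields

def classify(fields):
    """Name the likely root cause behind a registry error entry."""
    if fields.get("level") != "error":
        return None
    detail = fields.get("err.detail", "")
    if "x509:" in detail:
        # TLS verification of the remote registry failed inside the registry
        # process, so its CA bundle is the thing to check.
        return "tls-trust"
    # Assumed substrings for a credential failure; not taken from the thread.
    if "unauthorized" in detail or "authentication required" in detail:
        return "credentials"
    return fields.get("err.code", "unknown")

def triage(log_text):
    """Return (timestamp, cause, detail) for every error line."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_logfmt(line)
        cause = classify(fields)
        if cause:
            findings.append((fields.get("time"), cause, fields.get("err.detail", "")))
    return findings

if __name__ == "__main__":
    for when, cause, detail in triage(SAMPLE_LOG):
        print(when, cause, detail, sep=" | ")
```
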


