
Re: Imagestream promotion between projects

Hi Chmouel,

You usually do that within a pipeline, so that you promote images after tests etc. have succeeded.

Also keep in mind that you need to allow the jenkins user of the build project to "push" images into the second repo.



On Thu, 12 Jul 2018 at 13:40, Chmouel Boudjnah <chmouel redhat com> wrote:
I just realised as well that I can just use oc tag for that with the right source:

oc tag --alias=true project-build/cakephp-mysql-persistent:latest cakephp-mysql-persistent:latest

which seems easier to do than just the recreation, but is there a way to have this done automatically, so that whenever I build in project-build it is tagged in my run?

On Thu, Jul 12, 2018 at 10:27 AM Chmouel Boudjnah <chmouel redhat com> wrote:

I am trying to understand how to properly do ImageStream promotion between projects I own (i.e. project-build to project-prod).

I see in the documentation here https://docs.openshift.com/container-platform/3.9/dev_guide/managing_images.html#allowing-pods-to-reference-images-across-projects that I can allow projects with roles and policy, which is something I am trying to avoid since this is done as admin.

If I don't do this and reference directly from project-prod the imagestream built on project-build, I am getting a permission denied. For example, this is the snippet in my DC referencing the image:

        kind: ImageStreamTag
        name: cakephp-mysql-persistent:latest
        namespace: project-build

and the error message denied access to the image from the other project:

13s        13s         1         cakephp-mysql-persistent-2-ss6kv    Pod                     spec.containers{cakephp-mysql-persistent}   Warning   Failed                  kubelet, localhost            Failed to pull image " sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b": rpc error: code = Unknown desc = unauthorized: authentication required

I have found another way, which is having an ImageStream referencing my ImageStreamTag from the project-build namespace:

apiVersion: v1
kind: ImageStream
metadata:
  name: cakephp-mysql-persistent
spec:
  tags:
    - from:
        kind: ImageStreamTag
        name: cakephp-mysql-persistent:latest
        namespace: project-build
      name: latest

and then if I create the application and check my imagestreamtags:

% oc create -f /tmp/x.yaml
imagestream "cakephp-mysql-persistent" created
% oc get istag
NAME                              DOCKER REF                                                                                                              UPDATED       IMAGENAME
cakephp-mysql-persistent:latest sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b   9 hours ago   sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b

I see it imported the image tag from the imagestreamtag on project-build:

% oc get istag -n project-build
NAME                              DOCKER REF                                                                                                               UPDATED       IMAGENAME
cakephp-mysql-persistent:latest sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b   9 hours ago   sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b

and then my application can use it correctly when removing the namespace: project-build to use my own project namespace.

The weird part here is that the monitoring of new images is not refreshed and I need to recreate my imagestream every time to get the latest tagged image. So I would then have to do this for promotion:

build in project-build, which generates an image and imagestreamtag
delete imagestream in cakephp-mysql-persistent and recreate it with the same yaml, which then recreates an istag imported from the latest image on project-build
deploy in project-run with the latest image built on project-build

So my questions here:

1) Is it the right behaviour, and can we rely on that?
2) Is it normal? Should we get permission denied when doing that, or be allowed to reference our own imagestreamtag from another project?
3) Is there a better way (without having to launch an admin command)?
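
The role-based approach from the documentation linked in the thread grants system:image-puller on project-build. The following is an added example, not code from the thread or from OpenShift, that audits which subjects hold that role from outside the expected projects. It assumes role bindings exported with `oc get rolebindings -n project-build -o json` in the rbac.authorization.k8s.io layout; the sample data and binding names are constructed.

```python
import json

# Constructed sample: shape of `oc get rolebindings -n project-build -o json`
# (rbac.authorization.k8s.io layout is an assumption; all values are made up).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "prod-pullers"},
   "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts:project-prod"}]},
  {"metadata": {"name": "everyone-pulls"},
   "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"metadata": {"name": "qa-deployer"},
   "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
   "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "project-qa"}]},
  {"metadata": {"name": "admins"},
   "roleRef": {"kind": "ClusterRole", "name": "admin"},
   "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")

def subject_namespace(subject):
    """Return the project a subject belongs to, or None if it is not project-scoped."""
    name = subject.get("name", "")
    if subject.get("kind") == "ServiceAccount":
        return subject.get("namespace")
    if name.startswith("system:serviceaccounts:"):   # all service accounts of one project
        return name.split(":", 2)[2]
    if name.startswith("system:serviceaccount:"):    # one service account written as a user
        return name.split(":")[2]
    return None  # e.g. system:authenticated, a human user, all service accounts

def unexpected_pullers(rolebindings, allowed_projects, role="system:image-puller"):
    """List (binding, subject) pairs holding `role` from outside allowed_projects."""
    findings = []
    for rb in rolebindings.get("items", []):
        if rb.get("roleRef", {}).get("name") != role:
            continue
        for subj in rb.get("subjects") or []:
            if subject_namespace(subj) not in allowed_projects:
                findings.append((rb["metadata"]["name"], subj["name"]))
    return findings

if __name__ == "__main__":
    for binding, who in unexpected_pullers(SAMPLE, {"project-build", "project-prod"}):
        print(f"review: {binding} lets {who} pull from project-build")
```

project-build itself is in the allowed set because a project's own service accounts normally hold the pull role on it; subjects that are not tied to a single project are always reported.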

