Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Joel Pearson
Ahh ok. Is there some way to abuse build configs to push existing images to remote OpenShift registries? On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees wrote: > On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson < > japear...@agiledigital.com.au> wrote: > >> So there is no way with

Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-17 Thread Lionel Orellana
It works if I mount the secret on /etc/pki/tls/certs. Yeh doco on this is non-existent. I've been struggling with this all day but now that you say it a PV with the full ca-trust dir sounds obvious. On 18 November 2017 at 17:52, Ben Parees wrote: > > > On Sat, Nov 18, 2017

Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Ben Parees
On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson wrote: > So there is no way with the oc command to import an image and not have it > need the remote to exist after that? I’d just have to use docker push > instead? currently that is correct. > > On Sat, 18 Nov

Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Joel Pearson
So there is no way with the oc command to import an image and not have it need the remote to exist after that? I’d just have to use docker push instead? On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees wrote: > On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana >

Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Ben Parees
On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana wrote: > So it sounds like the local option means after it’s pulled once it will >> exist in the local registry? > > > Hmm It always seems to do the pull-through >

Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-17 Thread Ben Parees
On Sat, Nov 18, 2017 at 1:31 AM, Lionel Orellana wrote: > It doesn't look like putting the ca in /etc/pki/ca-trust/source/anchors > is enough without running update-ca-trust > yeah that makes sense and unfortunately makes it difficult if you don't mount your ca-trust via a

Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-17 Thread Lionel Orellana
It doesn't look like putting the ca in /etc/pki/ca-trust/source/anchors is enough without running update-ca-trust On 18 November 2017 at 15:40, Lionel Orellana wrote: > Inside the registry, curl with --cacert pointing to > /etc/pki/ca-trust/source/anchors/.crt works. > > On

Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Joel Pearson
Thanks Lionel. I guess one way to make it secure would be to have a certificate that’s valid on the internet. But I guess it’s not really important if it’s all internal traffic. I’ll try out that local option I think that’s what I want. Because I don’t want to have to rely on the remote registry

Re: SSO with OAUTH/OIDC between OpenShift and Jenkins not working

2017-11-17 Thread Marc Boorshtein
Thanks Joel & Jordan. Deleted all the routes and created a new one with the same name as the 127.0.0.1.nip.io host but with a new host name and everything worked great. (Jenkins times out but I'm going to see if I just need to add some memory to the vm. Java's CPU is spiking at 100% On Sat, Nov

Re: SSO with OAUTH/OIDC between OpenShift and Jenkins not working

2017-11-17 Thread Joel Pearson
I’ve had this problem too. You need to use the original route name (you can change the host name) as the Jenkins service account refers to the route name for oauth purposes. On Sat, 18 Nov 2017 at 4:13 pm, Marc Boorshtein wrote: > I have a fresh install of Origin 3.6.1 on

SSO with OAUTH/OIDC between OpenShift and Jenkins not working

2017-11-17 Thread Marc Boorshtein
I have a fresh install of Origin 3.6.1 on CentOS 7. In my project I created a new persistent jenkins from the template included in origin with oauth enabled. It creates a route to 127.0.0.1.nip.io. When I create a new route with a routable domain name, and I try to login I get the following

Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-17 Thread Lionel Orellana
Inside the registry, curl with --cacert pointing to /etc/pki/ca-trust/source/anchors/.crt works. On 18 November 2017 at 15:11, Lionel Orellana wrote: > I created a secret with the remote ca, mounted it on the registry at > /etc/pki/ca-trust/source/anchor. The registry still

Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-17 Thread Lionel Orellana
I created a secret with the remote ca, mounted it on the registry at /etc/pki/ca-trust/source/anchor. The registry still says "certificate signed by unknown authority". On 17 November 2017 at 23:57, Ben Parees wrote: > > > On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana

How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Joel Pearson
Hi, I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image" to pull an image from one openshift cluster to another. I set up the docker secrets, and it appeared to be working as there was a bunch of metadata visible in the image stream. However, when I actually started a pod, it

Openshift origin: Global template library is missing

2017-11-17 Thread Gary Yang
I installed openshift-origin-server-v3.6.1-008f2d5-linux-64bit.tar.gz on CentOS 7. The global template library is missing when I log on to the web console. The Browse Catalog should show global template library. Please see

Re: Openshift router certificate chain

2017-11-17 Thread Clayton Coleman
Sha1 may not even be in “old” (because I believe it’s now considered broken). If you need it, you’ll have to edit the router template with that cipher. On Nov 17, 2017, at 7:49 AM, Mateus Caruccio wrote: What is the value of `ROUTER_CIPHERS`? $ oc -n default env

Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-17 Thread Ben Parees
On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana wrote: > Thanks Ben, that makes sense. How do I add remote CAs to the registry > though? > Similar to what is described here to add certs to the registry:

Re: Openshift router certificate chain

2017-11-17 Thread Mateus Caruccio
What is the value of `ROUTER_CIPHERS`? $ oc -n default env --list dc/router | grep ROUTER_CIPHERS Maybe you need to set it to `old` in order to support sha1. -- Mateus Caruccio / Master of Puppets GetupCloud.com We make the infrastructure invisible Gartner Cool Vendor 2017 2017-11-17 10:42

Re: Openshift router certificate chain

2017-11-17 Thread Marcello Lorenzi
Hi Mateus, this is the output reported: # Prevent vulnerability to POODLE attacks ssl-default-bind-options no-sslv3 # The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS, # or the user can provide one using the

Re: Openshift router certificate chain

2017-11-17 Thread Mateus Caruccio
Hey Marcello. Correct me if I'm wrong, but you could look into haproxy's config and set all ciphers you need: $ oc -n default rsh dc/router grep -C 10 ssl-default-bind-ciphers haproxy-config.template There is this env var `ROUTER_CIPHERS` you can choose standard profiles

Openshift router certificate chain

2017-11-17 Thread Marcello Lorenzi
Hi All, we tried to configure a new route on Openshift Origin 3.6 to expose a pod where the SSL termination is enabled. We have a problem to configure a re-encrypt route because we noticed that the application is not present on the router and after some investigation we discovered that the problem

Re: Force external image sync

2017-11-17 Thread Maciej Szulik
Yes, oc import-image is for the ad-hoc imports. But if you're interested in tweaking the re-sync interval for the scheduled import look into master-config.yaml's Image Policy Configuration section [1] and tweak the value of ScheduledImageImportMinimumIntervalSeconds. Maciej [1]