Thanks Ben, that makes sense. How do I add remote CAs to the registry though?

On 17 November 2017 at 15:08, Ben Parees <[email protected]> wrote:

> The registry CAs are distinct from the image import controller CA. They
> are two different processes running in two different environments.
>
> Ben Parees | OpenShift
>
> On Nov 16, 2017 10:58 PM, "Lionel Orellana" <[email protected]> wrote:
>
>> Looking at the registry logs, it's not happy with the remote registry
>> cert.
>>
>> time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"
>>
>> Given that oc import-image works I was expecting the registry to trust
>> the same CAs.
>>
>> On 17 November 2017 at 12:01, Ben Parees <[email protected]> wrote:
>>
>>> On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <[email protected]>
>>> wrote:
>>>
>>>> Is pullthrough enabled on your registry?
>>>>
>>>> Yes.
>>>>
>>>> "When performing pullthrough, the registry will use pull credentials
>>>>> found in the project associated with the image stream tag that is being
>>>>> referenced"
>>>>
>>>> I'm deploying in the same project where the image stream is. I have
>>>> a dockercfg secret in the project with credentials for the remote registry.
>>>> I linked that secret to the deployment as pull secret. It works when
>>>> remotePolicy is Source so I know the credentials are Ok. But how does the
>>>> registry find the pull credentials to use? I assume it looks for the server
>>>> name in the dockercfg secret?
>>>
>>> yes.
>>>
>>>> On 17 November 2017 at 10:01, Ben Parees <[email protected]> wrote:
>>>>
>>>>> On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I imported a remote image and set referencePolicy.type to Local in
>>>>>> the resulting tag. When I try to deploy a pod using this image stream
>>>>>> tag I get "rpc error: code = 2 desc = manifest unknown: manifest
>>>>>> unknown".
>>>>>>
>>>>>> If I change the referencePolicy type to Source then the pod pulls the
>>>>>> image fine from the remote registry. But this requires linking a pull
>>>>>> secret to the deployment which is an extra step I could do without. I
>>>>>> thought I would get around that by referencing the Local image.
>>>>>>
>>>>>> How do I pull the remote image when referencePolicy is Local?
>>>>>
>>>>> Is pullthrough enabled on your registry?
>>>>> https://docs.openshift.org/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough
>>>>>
>>>>> also:
>>>>> "When performing pullthrough, the registry will use pull credentials
>>>>> found in the project associated with the image stream tag that is being
>>>>> referenced. "
>>>>>
>>>>> So if your imagestream is in a different project, you need to make
>>>>> sure the credentials are in the right place.
>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> [email protected]
>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>
>>>>> --
>>>>> Ben Parees | OpenShift
>>>
>>> --
>>> Ben Parees | OpenShift
