On Fri, Nov 17, 2017 at 12:17 AM, Lionel Orellana <[email protected]> wrote:
> Thanks Ben, that makes sense. How do I add remote CAs to the registry
> though?
>

Similar to what is described here to add certs to the registry:
https://docs.openshift.org/latest/install_config/registry/securing_and_exposing_registry.html#securing-the-registry

(mount the ca.crt into the system ca cert location within the pod, it should be picked up automatically).

> On 17 November 2017 at 15:08, Ben Parees <[email protected]> wrote:
>
>> The registry CAs are distinct from the image import controller CA. They
>> are two different processes running in two different environments.
>>
>> Ben Parees | OpenShift
>>
>> On Nov 16, 2017 10:58 PM, "Lionel Orellana" <[email protected]> wrote:
>>
>>> Looking at the registry logs, it's not happy with the remote registry
>>> cert.
>>>
>>> time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"
>>>
>>> Given that oc import-image works I was expecting the registry to trust
>>> the same CAs.
>>>
>>> On 17 November 2017 at 12:01, Ben Parees <[email protected]> wrote:
>>>
>>>> On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana <[email protected]>
>>>> wrote:
>>>>
>>>>> Is pullthrough enabled on your registry?
>>>>>
>>>>> Yes.
>>>>>
>>>>> "When performing pullthrough, the registry will use pull credentials
>>>>>> found in the project associated with the image stream tag that is being
>>>>>> referenced"
>>>>>
>>>>> I'm deploying in the same project where the image stream is. I have
>>>>> a dockercfg secret in the project with credentials for the remote
>>>>> registry. I linked that secret to the deployment as pull secret. It
>>>>> works when remotePolicy is Source so I know the credentials are OK.
>>>>> But how does the registry find the pull credentials to use? I assume
>>>>> it looks for the server name in the dockercfg secret?
>>>>
>>>> yes.
>>>>
>>>>> On 17 November 2017 at 10:01, Ben Parees <[email protected]> wrote:
>>>>>
>>>>>> On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I imported a remote image and set referencePolicy.type to Local in
>>>>>>> the resulting tag. When I try to deploy a pod using this image
>>>>>>> stream tag I get "rpc error: code = 2 desc = manifest unknown:
>>>>>>> manifest unknown".
>>>>>>>
>>>>>>> If I change the referencePolicy type to Source then the pod pulls
>>>>>>> the image fine from the remote registry. But this requires linking
>>>>>>> a pull secret to the deployment which is an extra step I could do
>>>>>>> without. I thought I would get around that by referencing the Local
>>>>>>> image.
>>>>>>>
>>>>>>> How do I pull the remote image when referencePolicy is Local?
>>>>>>
>>>>>> Is pullthrough enabled on your registry?
>>>>>> https://docs.openshift.org/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough
>>>>>>
>>>>>> also:
>>>>>> "When performing pullthrough, the registry will use pull credentials
>>>>>> found in the project associated with the image stream tag that is being
>>>>>> referenced. "
>>>>>>
>>>>>> So if your imagestream is in a different project, you need to make
>>>>>> sure the credentials are in the right place.
>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> users mailing list
>>>>>>> [email protected]
>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>
>>>>>> --
>>>>>> Ben Parees | OpenShift
>>>>
>>>> --
>>>> Ben Parees | OpenShift

--
Ben Parees | OpenShift
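
An added example, not part of the original thread and not OpenShift's own tooling: a small Python triage of registry log lines in the format quoted above. It separates `manifest unknown` errors whose detail is really a TLS trust failure (the remote CA is missing from the registry pod) from manifests that are genuinely absent. The second and third sample lines and the `trust`/`missing` labels are constructed for illustration.

```python
import shlex

# Constructed sample in the registry's key=value log format. The first line is
# modelled on the error quoted in the thread; the other two are made up.
SAMPLE_LOG = '''\
time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail=" x509: certificate signed by unknown authority"
time="2017-11-17T03:54:02.100000000Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail="unknown manifest name=demo/app"
time="2017-11-17T03:54:10.200000000Z" level=info msg="response completed" http.response.status=200
'''

# Substrings that Go's TLS stack puts in certificate and handshake errors.
TLS_MARKERS = ("x509:", "tls:")


def parse_logfmt(line):
    """Split a key=value / key="quoted value" log line into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip()
    return fields


def classify(fields):
    """Return 'trust', 'missing' or None for one parsed log entry."""
    if fields.get("level") != "error":
        return None
    detail = fields.get("err.detail", "")
    # Check the detail first: the error code alone hides the trust failure.
    if any(marker in detail for marker in TLS_MARKERS):
        return "trust"
    if fields.get("err.code") == "manifest unknown":
        return "missing"
    return None


def triage(log_text):
    """Return (time, verdict, detail) for every classified error line."""
    results = []
    for line in log_text.splitlines():
        fields = parse_logfmt(line) if line.strip() else {}
        verdict = classify(fields)
        if verdict:
            results.append((fields.get("time"), verdict, fields.get("err.detail")))
    return results


if __name__ == "__main__":
    for when, verdict, detail in triage(SAMPLE_LOG):
        print(when, verdict, detail)
```
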
