In short, there are two possible use-cases here.
The first, in which the authorization is performed under the same URL as
the pull:
1. IS stays the same, no need to modify anything.
2. Create a secret, eg:
oc secrets new-dockercfg <secret_name> \
--docker-server=<server> \
--docker-username=<username> \
--docker-password=<password> \
--docker-email=<email>
3. Re-run the import:
oc import-image <IS name>
The second, in which authorization is delegated to a different URL:
1. IS stays the same, no need to modify anything.
2. Create a secret as previously.
3. Create a 2nd secret again the authorization url. You can get it by
trying to curl the image
data, eg. curl -v https://<registry address>/v2/<namespace>/<image> in
return you should
see the HTTP/1.1 401 Unauthorized with information where to
authenticate, eg:
WWW-Authenticate: Bearer realm="<auth URL>",service="docker-registry"
use that auth URL for docker-server when creating the second secret.
4. Re-run import.
Hope that helps,
Maciej
On Thu, Jan 4, 2018 at 2:53 PM, Alan Christie <
[email protected]> wrote:
> Thanks for your guidance so far Maciej but none of this is working for me.
> [1] doesn’t really help as I’m past that and, sadly the 1,500 lines and
> numerous of posts in issue 9584 [2] are exhausting to trawl though and
> still leave me with an inability to pull from GitLab using an image stream.
>
> Again, I have a working DC/IPS solution. I understand secrets, DCs and IPS
> but I still cannot get ImageStreams to work. I just get…
>
> *Internal error occurred: Get https://registry.gitlab.com/v2/myproject/
> <https://registry.gitlab.com/v2/myproject/>myimage.manifests/latest: denied:
> access forbidden.*
>
> I’m just about exhausted.
>
> So, if my setup is:
>
> - *OpenShift 3.6.1*
> - An image that's: *myproject/myimage:latest*
> - A registry that’s: *registry.gitlab.com <http://registry.gitlab.com>*
> - A pull secret that works for DC/IPS - i.e. I can pull the image from
> the private repo with my DC and the installed secret.
>
> What...
>
> - would my *ImageStream* yaml template or json look like?
> - would I need to change in my working DC yaml?
> - if any, are the crucial roles my OC user needs?
>
>
> On 3 Jan 2018, at 11:03, Maciej Szulik <[email protected]> wrote:
>
> Have a look at [1] which should explain how to connect the IS with the
> secret. Additionally,
> there's [2] which explains problems when auth is delegated to a different
> uri.
>
> Maciej
>
>
> [1] https://docs.openshift.org/latest/dev_guide/managing_
> images.html#private-registries
> [2] https://github.com/openshift/origin/issues/9584
>
> On Wed, Jan 3, 2018 at 10:34 AM, Alan Christie <
> [email protected]> wrote:
>
>> Hi all,
>>
>> I’m successfully using a DeploymentConfig (DC) and an ImagePullSecret
>> (IPS) templates with OpenShift Origin v3.6 to spin-up my application from a
>> container image hosted on a private GitLab registry. But I want the
>> deployment to re-deploy when the GitLab image changes and to do this I
>> believe I need to employ an ImageStream.
>>
>> I’m, comfortable with each of these objects and have successfully used
>> ImageStreams and DCs with public DockerHub images (that was easy because
>> there are so many examples). But I’m stuck trying to pull an image using an
>> ImageStream from a private GitLab-hosted docker registry.
>>
>> The IPS seems to belong to the DC, so how do I get my ImageStream to use
>> it? My initial attempts have not been successful. All I get, after a number
>> of attempts at this, is the following error on the ImageScreen console...
>>
>> Internal error occurred: Get https://registry.gitlab.com/v2
>> /myproject/myimage/manifests/latest: denied: access forbidden.
>> Timestamp: 2017-12-28T14:27:12Z Error count: 2.
>>
>> Where “myproject” and “myimage” are my GitLab project and image names.
>>
>> My working DC/IPS combo looks something like this…
>>
>> […]
>> imagePullSecrets:
>> - name: gitlab-myproject
>> containers:
>> - image: registry.gitlab.com/myproject/myimage:stable
>> name: myimage
>> […]
>>
>> But what would my DC/IPS/ImageStream objects look like?
>>
>> Thanks in advance.
>>
>> Alan Christie.
>>
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
>
>
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
