Maciej, I have a similar problem, however with a private authenticated Artifactory registry fronted by haproxy.
Tried the curl you suggested, but the WWW-Authenticate header in the response only contains 'Basic realm="Artifactory Realm"'. Struggling to find what that 2nd url should be.

- Gaurav

On Mon, Jan 8, 2018 at 6:20 AM, Maciej Szulik <[email protected]> wrote:

> In short, there are two possible use-cases here.
>
> The first, in which the authorization is performed under the same URL as
> the pull:
>
> 1. IS stays the same, no need to modify anything.
> 2. Create a secret, eg:
>    oc secrets new-dockercfg <secret_name> \
>        --docker-server=<server> \
>        --docker-username=<username> \
>        --docker-password=<password> \
>        --docker-email=<email>
>
> 3. Re-run the import:
>    oc import-image <IS name>
>
>
> The second, in which authorization is delegated to a different URL:
> 1. IS stays the same, no need to modify anything.
> 2. Create a secret as previously.
> 3. Create a 2nd secret against the authorization url. You can get it by
>    trying to curl the image data, eg.
>    curl -v https://<registry address>/v2/<namespace>/<image>
>    in return you should see the HTTP/1.1 401 Unauthorized with
>    information where to authenticate, eg:
>    WWW-Authenticate: Bearer realm="<auth URL>",service="docker-registry"
>    use that auth URL for docker-server when creating the second secret.
> 4. Re-run import.
>
> Hope that helps,
> Maciej
>
> On Thu, Jan 4, 2018 at 2:53 PM, Alan Christie <[email protected]> wrote:
>
>> Thanks for your guidance so far Maciej but none of this is working for
>> me. [1] doesn’t really help as I’m past that and, sadly the 1,500 lines and
>> numerous posts in issue 9584 [2] are exhausting to trawl through and
>> still leave me with an inability to pull from GitLab using an image stream.
>>
>> Again, I have a working DC/IPS solution. I understand secrets, DCs and
>> IPS but I still cannot get ImageStreams to work. I just get…
>>
>> *Internal error occurred: Get
>> https://registry.gitlab.com/v2/myproject/myimage.manifests/latest: denied:
>> access forbidden.*
>>
>> I’m just about exhausted.
>>
>> So, if my setup is:
>>
>>    - *OpenShift 3.6.1*
>>    - An image that's: *myproject/myimage:latest*
>>    - A registry that’s: *registry.gitlab.com*
>>    - A pull secret that works for DC/IPS - i.e. I can pull the image
>>    from the private repo with my DC and the installed secret.
>>
>> What...
>>
>>    - would my *ImageStream* yaml template or json look like?
>>    - would I need to change in my working DC yaml?
>>    - if any, are the crucial roles my OC user needs?
>>
>>
>> On 3 Jan 2018, at 11:03, Maciej Szulik <[email protected]> wrote:
>>
>> Have a look at [1] which should explain how to connect the IS with the
>> secret. Additionally,
>> there's [2] which explains problems when auth is delegated to a different
>> uri.
>>
>> Maciej
>>
>>
>> [1] https://docs.openshift.org/latest/dev_guide/managing_images.html#private-registries
>> [2] https://github.com/openshift/origin/issues/9584
>>
>> On Wed, Jan 3, 2018 at 10:34 AM, Alan Christie <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I’m successfully using a DeploymentConfig (DC) and an ImagePullSecret
>>> (IPS) templates with OpenShift Origin v3.6 to spin-up my application from a
>>> container image hosted on a private GitLab registry. But I want the
>>> deployment to re-deploy when the GitLab image changes and to do this I
>>> believe I need to employ an ImageStream.
>>>
>>> I’m comfortable with each of these objects and have successfully used
>>> ImageStreams and DCs with public DockerHub images (that was easy because
>>> there are so many examples). But I’m stuck trying to pull an image using an
>>> ImageStream from a private GitLab-hosted docker registry.
>>>
>>> The IPS seems to belong to the DC, so how do I get my ImageStream to use
>>> it? My initial attempts have not been successful. All I get, after a number
>>> of attempts at this, is the following error on the ImageScreen console...
>>>
>>> Internal error occurred: Get
>>> https://registry.gitlab.com/v2/myproject/myimage/manifests/latest: denied:
>>> access forbidden.
>>> Timestamp: 2017-12-28T14:27:12Z Error count: 2.
>>>
>>> Where “myproject” and “myimage” are my GitLab project and image names.
>>>
>>> My working DC/IPS combo looks something like this…
>>>
>>> […]
>>> imagePullSecrets:
>>> - name: gitlab-myproject
>>> containers:
>>> - image: registry.gitlab.com/myproject/myimage:stable
>>>   name: myimage
>>> […]
>>>
>>> But what would my DC/IPS/ImageStream objects look like?
>>>
>>> Thanks in advance.
>>>
>>> Alan Christie.
>>>
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
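Added example, not part of the thread and not OpenShift's own code: a shell helper that reads the 401 response headers from the curl check quoted above and lists the `--docker-server` values the import secrets would need, one per line. The function names, the host `registry.example.test` and the auth URL `https://auth.example.test/token` are hypothetical, and the sample headers are constructed (the Basic line is the one reported in this thread).

```sh
#!/bin/sh
# Added example (not from the thread): read the 401 response headers of
#   curl -v https://<registry address>/v2/<namespace>/<image>
# and list the --docker-server values the import secrets would need.

# Constructed sample headers. The Basic line is the one reported in the
# thread; the Bearer auth URL is a made-up placeholder.
SAMPLE_BASIC='< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Artifactory Realm"'
SAMPLE_BEARER='< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Bearer realm="https://auth.example.test/token",service="docker-registry"'

# stdin: response headers (plain, or with the "< " prefix of curl -v).
# stdout: "bearer <auth URL>", "basic", or "none".
classify_challenge() {
  tr -d '\r' | awk '
    { sub(/^< /, "") }
    tolower($0) ~ /^www-authenticate:/ {
      value = $0; sub(/^[^:]*:[ \t]*/, "", value)
      lower = tolower(value)
      scheme = lower; sub(/[ \t].*$/, "", scheme)
      if (scheme == "bearer" && match(lower, /realm="[^"]*"/)) {
        # keep the original case of the URL; drop realm=" and the closing quote
        print "bearer " substr(value, RSTART + 7, RLENGTH - 8); found = 1; exit
      }
      if (scheme == "basic") { print "basic"; found = 1; exit }
    }
    END { if (!found) print "none" }
  '
}

# $1: registry host; stdin: response headers.
# stdout: one --docker-server value per line, one secret for each.
secret_servers() {
  challenge=$(classify_challenge)
  echo "$1"                                      # secret for the registry itself
  case $challenge in
    "bearer "*) echo "${challenge#bearer }" ;;   # delegated auth: second secret
  esac
  # A Basic challenge carries only a realm label, no separate auth URL.
}

printf '%s\n' "$SAMPLE_BASIC"  | secret_servers registry.example.test
printf '%s\n' "$SAMPLE_BEARER" | secret_servers registry.example.test
```
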
