Louis,

In our case, it is Artifactory. Relevant headers:

HTTP/1.1 401 Unauthorized
Server: Artifactory/5.4.5
X-Artifactory-Id: xxxx
X-Artifactory-Node-Id: xxxx
WWW-Authenticate: Basic realm="Artifactory Realm"

Note however that in the case of Artifactory, Docker registries have to be fronted by haproxy, so the Basic auth might be coming from there...

- Gaurav

On Fri, Jan 19, 2018 at 3:03 AM, Louis Santillan <[email protected]> wrote:

> Gaurav, Alan,
>
> What is the full (redact if necessary for artifactory) output of `curl -kv
> https://<registry address>/v2/<namespace>/<image>`?
>
> I get the following headers when I naively hit
> `https://registry.gitlab.com/v2/myproject/myimage/manifests/latest`
>
> 1. Content-Length: 160
> 2. Content-Type: application/json; charset=utf-8
> 3. Date: Fri, 19 Jan 2018 07:58:26 GMT
> 4. Docker-Distribution-Api-Version: registry/2.0
> 5. Www-Authenticate: Bearer realm="https://gitlab.com/jwt/auth",service="container_registry",scope="repository:myproject/myimage:pull"
> 6. X-Content-Type-Options: nosniff
>
> Looks like `https://gitlab.com/jwt/auth` is
> the auth URL Maciej is speaking of.
>
> The docs also mention having to `link` the secret to the namespace's
> `:default` service account for pod image pulling [0]. There's a step or
> two extra there that Maciej had not yet mentioned.
>
> [0] https://docs.openshift.com/container-platform/3.7/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries
>
> ___________________________________________________
>
> LOUIS P. SANTILLAN
>
> Architect, OPENSHIFT, MIDDLEWARE & DEVOPS
>
> Red Hat Consulting, <https://www.redhat.com/> Container and PaaS Practice
>
> [email protected] M: 3236334854
> <https://red.ht/sig>
> TRIED. TESTED. TRUSTED.
> <https://redhat.com/trusted>
>
> On Thu, Jan 18, 2018 at 2:01 PM, Gaurav P <[email protected]> wrote:
>
>> Maciej,
>>
>> I have a similar problem, however with a private authenticated
>> Artifactory registry fronted by haproxy.
>>
>> Tried the curl you suggested, but the WWW-Authenticate header in the
>> response only contains 'Basic realm="Artifactory Realm"'.
>>
>> Struggling to find what that 2nd url should be.
>>
>> - Gaurav
>>
>> On Mon, Jan 8, 2018 at 6:20 AM, Maciej Szulik <[email protected]>
>> wrote:
>>
>>> In short, there are two possible use-cases here.
>>>
>>> The first, in which the authorization is performed under the same URL as
>>> the pull:
>>>
>>> 1. IS stays the same, no need to modify anything.
>>> 2. Create a secret, eg:
>>>    oc secrets new-dockercfg <secret_name> \
>>>      --docker-server=<server> \
>>>      --docker-username=<username> \
>>>      --docker-password=<password> \
>>>      --docker-email=<email>
>>>
>>> 3. Re-run the import:
>>>    oc import-image <IS name>
>>>
>>> The second, in which authorization is delegated to a different URL:
>>>
>>> 1. IS stays the same, no need to modify anything.
>>> 2. Create a secret as previously.
>>> 3. Create a 2nd secret against the authorization url. You can get it by
>>>    trying to curl the image data, eg.
>>>    curl -v https://<registry address>/v2/<namespace>/<image>
>>>    in return you should see the HTTP/1.1 401 Unauthorized with
>>>    information where to authenticate, eg:
>>>    WWW-Authenticate: Bearer realm="<auth URL>",service="docker-registry"
>>>    use that auth URL for docker-server when creating the second secret.
>>> 4. Re-run import.
>>>
>>> Hope that helps,
>>> Maciej
>>>
>>> On Thu, Jan 4, 2018 at 2:53 PM, Alan Christie <
>>> [email protected]> wrote:
>>>
>>>> Thanks for your guidance so far Maciej but none of this is working for
>>>> me.
>>>> [1] doesn’t really help as I’m past that and, sadly the 1,500 lines and
>>>> numerous posts in issue 9584 [2] are exhausting to trawl through and
>>>> still leave me with an inability to pull from GitLab using an image stream.
>>>>
>>>> Again, I have a working DC/IPS solution. I understand secrets, DCs and
>>>> IPS but I still cannot get ImageStreams to work. I just get…
>>>>
>>>> *Internal error occurred: Get https://registry.gitlab.com/v2/myproject/myimage.manifests/latest:
>>>> denied: access forbidden.*
>>>>
>>>> I’m just about exhausted.
>>>>
>>>> So, if my setup is:
>>>>
>>>> - *OpenShift 3.6.1*
>>>> - An image that's: *myproject/myimage:latest*
>>>> - A registry that’s: *registry.gitlab.com*
>>>> - A pull secret that works for DC/IPS - i.e. I can pull the image
>>>>   from the private repo with my DC and the installed secret.
>>>>
>>>> What...
>>>>
>>>> - would my *ImageStream* yaml template or json look like?
>>>> - would I need to change in my working DC yaml?
>>>> - if any, are the crucial roles my OC user needs?
>>>>
>>>> On 3 Jan 2018, at 11:03, Maciej Szulik <[email protected]> wrote:
>>>>
>>>> Have a look at [1] which should explain how to connect the IS with the
>>>> secret. Additionally, there's [2] which explains problems when auth is
>>>> delegated to a different uri.
>>>>
>>>> Maciej
>>>>
>>>> [1] https://docs.openshift.org/latest/dev_guide/managing_images.html#private-registries
>>>> [2] https://github.com/openshift/origin/issues/9584
>>>>
>>>> On Wed, Jan 3, 2018 at 10:34 AM, Alan Christie <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I’m successfully using a DeploymentConfig (DC) and an ImagePullSecret
>>>>> (IPS) templates with OpenShift Origin v3.6 to spin-up my application
>>>>> from a container image hosted on a private GitLab registry.
>>>>> But I want the deployment to re-deploy when the GitLab image changes
>>>>> and to do this I believe I need to employ an ImageStream.
>>>>>
>>>>> I’m comfortable with each of these objects and have successfully used
>>>>> ImageStreams and DCs with public DockerHub images (that was easy because
>>>>> there are so many examples). But I’m stuck trying to pull an image using
>>>>> an ImageStream from a private GitLab-hosted docker registry.
>>>>>
>>>>> The IPS seems to belong to the DC, so how do I get my ImageStream to
>>>>> use it? My initial attempts have not been successful. All I get, after a
>>>>> number of attempts at this, is the following error on the ImageStream
>>>>> console...
>>>>>
>>>>> Internal error occurred: Get https://registry.gitlab.com/v2/myproject/myimage/manifests/latest: denied: access forbidden.
>>>>> Timestamp: 2017-12-28T14:27:12Z Error count: 2.
>>>>>
>>>>> Where “myproject” and “myimage” are my GitLab project and image names.
>>>>>
>>>>> My working DC/IPS combo looks something like this…
>>>>>
>>>>> […]
>>>>> imagePullSecrets:
>>>>> - name: gitlab-myproject
>>>>> containers:
>>>>> - image: registry.gitlab.com/myproject/myimage:stable
>>>>>   name: myimage
>>>>> […]
>>>>>
>>>>> But what would my DC/IPS/ImageStream objects look like?
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Alan Christie.
>>>>>
>>>>> _______________________________________________
>>>>> users mailing list
>>>>> [email protected]
>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
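
The two cases described in the thread (auth at the registry URL itself versus auth delegated to a realm URL) can be told apart from the 401 challenge alone. The script below is an added example, not code from any of the posters: it reads response headers on stdin and prints the `--docker-server` value for each secret the import needs. The function names, the https check on the realm and the host `artifactory.example.com` are assumptions; the sample headers are assembled from those quoted in the messages above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Feed it headers, e.g. from `curl -sI <url>`.

# First WWW-Authenticate value; the name is case-insensitive, "< " is curl -v's prefix.
www_authenticate() {
  tr -d '\r' | grep -i -E '^(< )?www-authenticate:' | head -n 1 |
    sed -E 's/^(< )?[^:]*:[[:space:]]*//'
}

# challenge_param CHALLENGE NAME: value of a quoted parameter such as realm.
challenge_param() {
  printf '%s\n' "$1" | sed -nE "s/.*[ ,]$2=\"([^\"]*)\".*/\\1/p"
}

# secrets_needed REGISTRY_HOST < headers: one docker-server value per line.
secrets_needed() {
  local registry challenge scheme realm
  registry=$1
  challenge=$(www_authenticate)
  scheme=$(printf '%s' "${challenge%% *}" | tr '[:upper:]' '[:lower:]')
  case $scheme in
    basic)   # first case: authorization under the same URL as the pull
      printf '%s\n' "$registry" ;;
    bearer)  # second case: authorization delegated to the realm URL
      realm=$(challenge_param "$challenge" realm)
      [ -n "$realm" ] || { echo "Bearer challenge has no realm" >&2; return 2; }
      # The realm is supplied by the server's response and will receive the
      # credentials of the second secret, so accept https only.
      case $realm in
        https://*) printf '%s\n%s\n' "$registry" "$realm" ;;
        *) echo "refusing non-https realm: $realm" >&2; return 4 ;;
      esac ;;
    '') echo "no WWW-Authenticate header found" >&2; return 1 ;;
    *)  echo "unsupported scheme: $scheme" >&2; return 3 ;;
  esac
}

# Constructed sample input, assembled from the headers quoted in the thread.
GITLAB_HEADERS='HTTP/1.1 401 Unauthorized
Www-Authenticate: Bearer realm="https://gitlab.com/jwt/auth",service="container_registry",scope="repository:myproject/myimage:pull"'
ARTIFACTORY_HEADERS='HTTP/1.1 401 Unauthorized
Server: Artifactory/5.4.5
WWW-Authenticate: Basic realm="Artifactory Realm"'

printf '%s\n' "$GITLAB_HEADERS" | secrets_needed registry.gitlab.com
printf '%s\n' "$ARTIFACTORY_HEADERS" | secrets_needed artifactory.example.com
```

A Basic challenge yields a single line, which matches the Artifactory response in this thread: no second auth URL exists, so only one secret is needed.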
