I just realised as well that I can just use oc tag for that with the right source :
oc tag --alias=true project-build/cakephp-mysql-persistent:latest cakephp-mysql-persistent:latest which seems a easier to do that than just the recreation but is there a way to have this automatically so whenever I build in project-build to have it tagged in my run ? On Thu, Jul 12, 2018 at 10:27 AM Chmouel Boudjnah <[email protected]> wrote: > Hello, > > I am trying to understand how to properly do ImageStream promotion between > projects I own (i.e: project-build to project-prod) > > I see in the documentation here > https://docs.openshift.com/container-platform/3.9/dev_guide/managing_images.html#allowing-pods-to-reference-images-across-projects > that I can allow projects with roles and policy which is something I am > trying to avoid since this is done as admin. > > If I don't do this and reference directly from project-prod the > imagestream built on project-build I am getting a permission denied, for > example this is snippet in my DC referencing the image : > > from: > kind: ImageStreamTag > name: cakephp-mysql-persistent:latest > namespace: project-build > > and the error message denied access to the image from the other project : > > 13s 13s 1 cakephp-mysql-persistent-2-ss6kv Pod > spec.containers{cakephp-mysql-persistent} Warning > Failed kubelet, localhost Failed to pull image > " > 172.30.1.1:5000/project-build/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b": > rpc error: code = Unknown desc = unauthorized: authentication required > > > I have found another way which is having an ImageStream referencing my > ImageStreamTag from the project-build namespace : > > apiVersion: v1 > kind: ImageStream > metadata: > name: cakephp-mysql-persistent > spec: > tags: > - from: > kind: ImageStreamTag > name: cakephp-mysql-persistent:latest > namespace: project-build > name: latest > > and then if I create the application and check my imagestreamtags : > > % oc create -f /tmp/x.yaml > > > imagestream "cakephp-mysql-persistent" created > % oc get istag > > > NAME DOCKER REF > > UPDATED IMAGENAME > cakephp-mysql-persistent:latest > 172.30.1.1:5000/project-run/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b > 9 hours ago > sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b > > I see it imported the image tag from the imagestreamtag on project-build : > > % oc get istag -n project-build > NAME DOCKER REF > > UPDATED IMAGENAME > cakephp-mysql-persistent:latest > 172.30.1.1:5000/project-build/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b > 9 hours ago > sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b > > and then my application can use it correctly when removing the namespace: > project-build to use my own project namespace. > > The weird part here is that the monitoring of new image is not refreshed > and i need to recreate every time my imagestream to get the latest tagged > image. Which then I would have to do that for promotion : > > build in project-build which generate an image and imagesteamtag > delete imagestream in cakephp-mysql-persistent and recreate it with the > same yaml which then recreate a istag imported from the latest image on > project-build > deploy in project-run with the latest image built on project-build > > So my questions here : > > 1) Is it the right behaviour can we rely on that ? > 2) Is it normal ? Should we get permission denied when doing that, or be > allowed to reference our own imagestreamtag from other project ? > 3) Is there a better way (without having to launch admin command) ? > > Thanks, > Chmouel > > >
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
