Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-31509

4.14 Do imports on imagestreams respect ImageTagMirrorSet?

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.14.z
    • 4.14
    • ImageStreams
    • Moderate
    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, when users imported image stream tags, `ImageContentSourcePolicy` (ICSP) was not allowed to co-exist with `ImageDigestMirrorSet` (IDMS) and `ImageTagMirrorSet` (ITMS). {product-title} ignored any IDMS/ITMS created by the user and favored ICSP. With this release, the image stream tags can co-exist because importing image stream tags now respect IDMS/ITMS when ICSP is also present. (link:https://issues.redhat.com/browse/OCPBUGS-31509[*OCPBUGS-31509*])
      Show
      * Previously, when users imported image stream tags, `ImageContentSourcePolicy` (ICSP) was not allowed to co-exist with `ImageDigestMirrorSet` (IDMS) and `ImageTagMirrorSet` (ITMS). {product-title} ignored any IDMS/ITMS created by the user and favored ICSP. With this release, the image stream tags can co-exist because importing image stream tags now respect IDMS/ITMS when ICSP is also present. (link: https://issues.redhat.com/browse/OCPBUGS-31509 [* OCPBUGS-31509 *])
    • Bug Fix
    • Done

      Not sure which component this bug should be associated with.

      I am not even sure if importing respects ImageTagMirrorSet.

      We could not figure out in the slack conversion.

      https://redhat-internal.slack.com/archives/C013VBYBJQH/p1709583648013199

       

      Description of problem:

      The expecting behaviour of ImageTagMirrorSet of redirecting the pulling of a proxy to quay.io did not work out.

      Version-Release number of selected component (if applicable):

      oc --context build02 get clusterversion version
      NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.16.0-ec.3   True        False         7d4h    

      Steps to Reproduce:

      oc --context build02 get ImageTagMirrorSet quay-proxy -o yaml
      apiVersion: config.openshift.io/v1
      kind: ImageTagMirrorSet
      metadata:
        annotations:
          kubectl.kubernetes.io/last-applied-configuration: |
            {"apiVersion":"config.openshift.io/v1","kind":"ImageTagMirrorSet","metadata":{"annotations":{},"name":"quay-proxy"},"spec":{"imageTagMirrors":[{"mirrors":["quay.io/openshift/ci"],"source":"quay-proxy.ci.openshift.org/openshift/ci"}]}}
        creationTimestamp: "2024-03-05T03:49:59Z"
        generation: 1
        name: quay-proxy
        resourceVersion: "4895378740"
        uid: 69fb479e-85bd-4a16-a38f-29b08f2636c3
      spec:
        imageTagMirrors:
        - mirrors:
          - quay.io/openshift/ci
          source: quay-proxy.ci.openshift.org/openshift/ci
      
      
      oc --context build02 tag --source docker quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest hongkliu-test/proxy-test-2:011 --as system:admin
      Tag proxy-test-2:011 set to quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest.
      
      oc --context build02 get is proxy-test-2 -o yaml
      apiVersion: image.openshift.io/v1
      kind: ImageStream
      metadata:
        annotations:
          openshift.io/image.dockerRepositoryCheck: "2024-03-05T20:03:02Z"
        creationTimestamp: "2024-03-05T20:03:02Z"
        generation: 2
        name: proxy-test-2
        namespace: hongkliu-test
        resourceVersion: "4898915153"
        uid: f60b3142-1f5f-42ae-a936-a9595e794c05
      spec:
        lookupPolicy:
          local: false
        tags:
        - annotations: null
          from:
            kind: DockerImage
            name: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
          generation: 2
          importPolicy:
            importMode: Legacy
          name: "011"
          referencePolicy:
            type: Source
      status:
        dockerImageRepository: image-registry.openshift-image-registry.svc:5000/hongkliu-test/proxy-test-2
        publicDockerImageRepository: registry.build02.ci.openshift.org/hongkliu-test/proxy-test-2
        tags:
        - conditions:
          - generation: 2
            lastTransitionTime: "2024-03-05T20:03:02Z"
            message: 'Internal error occurred: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest:
              Get "https://quay-proxy.ci.openshift.org/v2/": EOF'
            reason: InternalError
            status: "False"
            type: ImportSuccess
          items: null
          tag: "011"

      Actual results:

      The status of the stream shows that it still tries to connect to quay-proxy.

      Expected results:

      The request goes to quay.io directly.

      Additional info:

      The proxy has been shut down completely just to simplify the case. If it was on, there are Access logs showing the proxy get the requests for the image.
      oc scale deployment qci-appci -n ci --replicas 0
      deployment.apps/qci-appci scaled
      
      I also checked the pull secret in the namespace and it has correct pull credentials to both proxy and quay.io.

              fmissi Flavian Missi
              hongkliu Hongkai Liu
              XiuJuan Wang XiuJuan Wang
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: