Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: 4.15.z
Affects Version/s: 4.15.z
Component/s: Image Registry
Labels:
- pre-merge-tested

Severity:
Critical
Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, the internal image registry did not correctly authenticate users on clusters configured for `externalAWS` IAM OpenID Connect (OIDC) users. This causes issues for users when pushing or pulling images to and from the internal image registry. With this release, the internal image registry starts by using the `SelfSubjectReview` API instead of the OpenShift-specific user API. The OpenShift-specific user API is not compatible with external OIDC users. (link:https://issues.redhat.com/browse/OCPBUGS-36287[*~~OCPBUGS-36287~~*])

Show
* Previously, the internal image registry did not correctly authenticate users on clusters configured for `externalAWS` IAM OpenID Connect (OIDC) users. This causes issues for users when pushing or pulling images to and from the internal image registry. With this release, the internal image registry starts by using the `SelfSubjectReview` API instead of the OpenShift-specific user API. The OpenShift-specific user API is not compatible with external OIDC users. (link: https://issues.redhat.com/browse/OCPBUGS-36287 [* OCPBUGS-36287 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.15.z
Target Backport Versions:

4.15.z, 4.16.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue ~~OCPBUGS-35567~~. The following is the description of the original issue:
—
This is a clone of ~~OCPBUGS-35335~~.

Description of problem:

user.openshift.io and oauth.openshift.io APIs are not unavailable in external oidc cluster, that conducts all the common pull/push blob from/to image registry failed.

Version-Release number of selected component (if applicable):

4.15.15

How reproducible:

always

Steps to Reproduce:

1.Create a ROSA HCP cluster which configured external oidc users
2.Push data to image registry under a project
oc new-project wxj1
oc new-build httpd~https://github.com/openshift/httpd-ex.git 
3.

Actual results:

$ oc logs -f build/httpd-ex-1
Cloning "https://github.com/openshift/httpd-ex.git" ...	Commit:	1edee8f58c0889616304cf34659f074fda33678c (Update httpd.json)	Author:	Petr Hracek <phracek@redhat.com>	Date:	Wed Jun 5 13:00:09 2024 +0200time="2024-06-12T09:55:13Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled"I0612 09:55:13.306937       1 defaults.go:112] Defaulting to storage driver "overlay" with options [mountopt=metacopy=on].Caching blobs under "/var/cache/blobs".Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/httpd@sha256:765aa645587f34e310e49db7cdc97e82d34122adb0b604eea891e0f98050aa77...Warning: Pull failed, retrying in 5s ...Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/httpd@sha256:765aa645587f34e310e49db7cdc97e82d34122adb0b604eea891e0f98050aa77...Warning: Pull failed, retrying in 5s ...Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/httpd@sha256:765aa645587f34e310e49db7cdc97e82d34122adb0b604eea891e0f98050aa77...Warning: Pull failed, retrying in 5s ...error: build error: After retrying 2 times, Pull image still failed due to error: unauthorized: unable to validate token: NotFound


oc logs -f deploy/image-registry -n openshift-image-registry

time="2024-06-12T09:55:13.36003996Z" level=error msg="invalid token: the server could not find the requested resource (get users.user.openshift.io ~)" go.version="go1.20.12 X:strictfipsruntime" http.request.host="image-registry.openshift-image-registry.svc:5000" http.request.id=0c380b81-99d4-4118-8de3-407706e8767c http.request.method=GET http.request.remoteaddr="10.130.0.35:50550" http.request.uri="/openshift/token?account=serviceaccount&scope=repository%3Aopenshift%2Fhttpd%3Apull" http.request.useragent="containers/5.28.0 (github.com/containers/image)"

Expected results:

Should pull/push blob from/to image registry on external oidc cluster

Additional info:

clones

OCPBUGS-35567 [4.16] Failed to pull/push blob from/to image registry on external OIDC cluster

Closed

is blocked by

OCPBUGS-35567 [4.16] Failed to pull/push blob from/to image registry on external OIDC cluster

Closed

links to

openshift/image-registry#406: [release-4.15] OCPBUGS-36287: use SelfSubjectReview to obtain user info #406

RHBA-2024:4321 OpenShift Container Platform 4.15.z bug fix update

Assignee:: Flavian Missi

Reporter:: OpenShift Prow Bot

QA Contact:: Wen Wang

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/06/27 4:56 PM

Updated:: 2024/07/10 11:23 AM

Resolved:: 2024/07/10 11:23 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates