OpenShift Bugs / OCPBUGS-38343

Should save the release signature in the archive tar file instead of counting on the enterprise cache (or working-dir)


    • Bug
    • Resolution: Unresolved
    • Critical
    • 4.17
    • oc / oc-mirror
    • Moderate
    • CLID Sprint 259
    • 1
    • Rejected
    • False

      Description of problem:

      Should save the release signature in the archive tar file instead of counting on the enterprise cache (or working-dir)

      Version-Release number of selected component (if applicable):

      oc-mirror version
      WARNING: This version information is deprecated and will be replaced with the output from --short. Use --output=yaml|json to get the full version.
      Client Version: version.Info{Major:"", Minor:"", GitVersion:"4.17.0-202407291514.p0.gdbf115f.assembly.stream.el9-dbf115f", GitCommit:"dbf115f547a19f12ab72e7b326be219a47d460a0", GitTreeState:"clean", BuildDate:"2024-07-29T15:52:52Z", GoVersion:"go1.22.4 (Red Hat 1.22.4-2.el9) X:strictfipsruntime", Compiler:"gc", Platform:"linux/amd64"}

      How reproducible:

      100%

      Steps to Reproduce:

      1) Prepare data for the enterprise registry using mirror2disk+disk2mirror mode with the following command:
      kind: ImageSetConfiguration
      apiVersion: mirror.openshift.io/v2alpha1
      mirror:
        platform:
          graph: true
          channels:
          - name: stable-4.15
      
      `oc-mirror -c config-38037.yaml  file://out38037 --v2`
      `oc-mirror -c config-38037.yaml --from file://out38037  docker://my-route-zhouy.apps.yinzhou-88.qe.devcluster.openshift.com --v2  --dest-tls-verify=false`
      
      2) Prepare the env to simulate the enclave cluster:
      cat /etc/squid/squid.conf
      http_port 3128
      coredump_dir /var/spool/squid
      acl whitelist dstdomain "/etc/squid/whitelist"
      http_access allow whitelist
      http_access deny !whitelist
      
      cat /etc/squid/whitelist 
      my-route-zhouy.apps.yinzhou-88.qe.devcluster.openshift.com             -------------registry route  (oc get route -n your registry app's project)
      update-service-oc-mirror-route-openshift-update-service.apps.yinzhou-88.qe.devcluster.openshift.com        ---osus route  (oc get route -n openshift-update-service)
      
      sudo systemctl restart squid
      export https_proxy=http://127.0.0.1:3128
      export http_proxy=http://127.0.0.1:3128
      
      Set the registry redirect with:
      cat ~/.config/containers/registries.conf 
      [[registry]]
        location = "quay.io"
        insecure = false
        blocked = false
        mirror-by-digest-only = false
        prefix = ""
        [[registry.mirror]]
          location = "my-route-zhouy.apps.yinzhou-88.qe.devcluster.openshift.com"
          insecure = false
      
      
      3) Simulate the enclave mirror with the same imagesetconfig with command:
      `oc-mirror -c config-38037.yaml file://new-folder --v2`

      Actual results:

      3) The mirror2disk failed with error:

      I0812 06:45:26.026441  199941 core-cincinnati.go:508] Using proxy 127.0.0.1:3128 to request updates from https://update-service-oc-mirror-route-openshift-update-service.apps.yinzhou-417.qe.devcluster.openshift.com/api/upgrades_info/v1/graph?arch=amd64&channel=stable-4.15&id=a6097264-8b29-438f-9e71-4aba1e9ec32d
      2024/08/12 06:45:26  [ERROR]  : http request Get "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/sha256=0f55261077557d1bb909c06b115e0c79b0025677be57ba2f045495c11e2443ee/signature-1": Forbidden

       

      Expected results:

      No error, and the signature should be contained in the archive tar file, not counting on the enterprise cache (in customer usage, they may be on a different machine for the enclave cluster, or they may not use the same directory)
       

       

            luzuccar@redhat.com Luigi Mario Zuccarelli
            yinzhou@redhat.com ying zhou
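As an added example (not part of the original report and not oc-mirror code), the shell functions below triage a log like the one under "Actual results": they list the hosts oc-mirror tried to reach that the squid allowlist would deny, and the release-signature digests whose download was Forbidden. The function names are hypothetical, and the hostnames and digest in the sample input are constructed placeholders.

```shell
#!/bin/sh
# Added example, not oc-mirror code: triage an oc-mirror log from an enclave run.

# blocked_hosts LOG ALLOWLIST
# Print each host seen in an http(s) URL in LOG that matches no entry in the
# squid dstdomain file ALLOWLIST. Only the first field of an allowlist line is
# read, so trailing annotations are ignored; a leading "." entry also matches
# subdomains, as in squid.
blocked_hosts() {
  grep -oE 'https?://[^/"[:space:]]+' "$1" |
    sed -E 's#^https?://##; s#:[0-9]+$##' | sort -u |
    awk -v allow="$2" '
      BEGIN {
        while ((getline line < allow) > 0)
          if (split(line, f, " ") > 0 && f[1] !~ /^#/) entry[tolower(f[1])] = 1
      }
      {
        host = tolower($0); ok = (host in entry)
        for (e in entry)
          if (substr(e, 1, 1) == "." && (host == substr(e, 2) ||
              substr(host, length(host) - length(e) + 1) == e)) ok = 1
        if (!ok) print host
      }'
}

# forbidden_signature_digests LOG
# Print the sha256 digest of every release signature whose download failed with
# "Forbidden": these are the signatures the run could not obtain offline.
forbidden_signature_digests() {
  sed -nE 's#.*\[ERROR\].*/signatures/openshift/release/sha256=([0-9a-f]{64})/signature-[0-9]+".*Forbidden.*#\1#p' "$1" | sort -u
}

# Constructed sample input: hostnames and digest are placeholders.
demo=$(mktemp -d)
cat > "$demo/whitelist" <<'EOF'
registry.enclave.example      ---registry route
osus.enclave.example          ---osus route
EOF
cat > "$demo/oc-mirror.log" <<'EOF'
I0812 06:45:26.026441  199941 core-cincinnati.go:508] Using proxy 127.0.0.1:3128 to request updates from https://osus.enclave.example/api/upgrades_info/v1/graph?arch=amd64&channel=stable-4.15
2024/08/12 06:45:26  [ERROR]  : http request Get "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef/signature-1": Forbidden
EOF
echo "hosts outside the allowlist:"; blocked_hosts "$demo/oc-mirror.log" "$demo/whitelist"
echo "signatures not available offline:"; forbidden_signature_digests "$demo/oc-mirror.log"
```

Any host printed by `blocked_hosts` is an external dependency the enclave run still has; an empty result from both functions is what the "Expected results" above would look like in the log.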