Description of problem:
oc-mirror is using an HTTP connection instead of HTTPS when mirroring images to the mirror registry for OpenShift. The expected behavior is to use HTTPS as the default protocol.

    $ oc mirror --config=imageset-reproducer.yaml docker://mirror-registry.local:8443
    Checking push permissions for mirror-registry.local:8443
    error: error checking push permissions for mirror-registry.local:8443: creating push check transport for mirror-registry.local:8443 failed: GET http://mirror-registry.local:8443/v2/: unexpected status code 400 Bad Request: <html>
    <head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
    <body>
    <center><h1>400 Bad Request</h1></center>
    <center>The plain HTTP request was sent to HTTPS port</center>
    <hr><center>nginx/1.20.1</center>
    </body>
    </html>

Version-Release number of selected component (if applicable):
    $ oc mirror version --output=yaml
    clientVersion:
      buildDate: "2024-09-12T09:59:41Z"
      compiler: gc
      gitCommit: c9123030d5df99847cf3779856d90ff83cf64dcb
      gitTreeState: clean
      gitVersion: 4.17.0-202409120935.p0.gc912303.assembly.stream.el9-c912303
      goVersion: go1.22.5 (Red Hat 1.22.5-1.el9) X:strictfipsruntime
      major: ""
      minor: ""
      platform: linux/amd64

How reproducible:
100% reproducible
Steps to Reproduce:
- Install mirror registry on RHEL 9
- Create the ImageSetConfiguration file, for example:

    kind: ImageSetConfiguration
    apiVersion: mirror.openshift.io/v1alpha2
    storageConfig:
      registry:
        imageURL: mirror-registry.local:8443/mirror/oc-mirror-metadata
        skipTLS: true
    mirror:
      platform:
        channels:
        - name: stable-4.12
          type: ocp
      operators:
      - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12
      additionalImages:
      - name: registry.redhat.io/ubi8/ubi:latest

- Start the mirroring process:

    oc mirror --config=imageset-reproducer.yaml docker://mirror-registry.local:8443

Actual results:
    Checking push permissions for mirror-registry.local:8443
    error: error checking push permissions for mirror-registry.local:8443: creating push check transport for mirror-registry.local:8443 failed: GET http://mirror-registry.local:8443/v2/: unexpected status code 400 Bad Request: <html>
    <head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
    <body>
    <center><h1>400 Bad Request</h1></center>
    <center>The plain HTTP request was sent to HTTPS port</center>
    <hr><center>nginx/1.20.1</center>
    </body>
    </html>

Expected results:
oc-mirror should use HTTPS by default when communicating with the destination registry unless the --dest-use-http flag is provided.
Additional info:
oc-mirror runs the mirroring process over HTTPS when the --dest-use-http flag is used, which is a bit counterintuitive:

    oc mirror --config=imageset-reproducer.yaml docker://mirror-registry.local:8443 --dest-use-http -v9
    Checking push permissions for mirror-registry.local:8443
    Using image mirror-registry.local:8443/oc-mirror to check permissions
    Found: oc-mirror-workspace/src/publish
    Found: oc-mirror-workspace/src/v2
    Found: oc-mirror-workspace/src/charts
    Found: oc-mirror-workspace/src/release-signatures
    Using registry backend at location mirror-registry.local:8443/mirror/oc-mirror-metadata
    Checking for existing metadata image at mirror-registry.local:8443/mirror/oc-mirror-metadata:latest
    No metadata detected, creating new workspace
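
The behaviour requested under "Expected results", written out as an added Go example (not oc-mirror's code and not part of the original report): the destination scheme is HTTPS unless plain HTTP is explicitly requested. DestOptions and PingTarget are hypothetical names, and treating a skip-TLS setting as "keep HTTPS, skip certificate verification" is an assumption of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// DestOptions is a hypothetical options struct. Its fields stand in for the
// report's skipTLS setting and --dest-use-http flag; they are not oc-mirror types.
type DestOptions struct {
	SkipTLSVerify bool // assumption: relaxes certificate verification only
	UsePlainHTTP  bool // explicit opt-in to unencrypted transport
}

// PingTarget returns the registry /v2/ URL to probe and the TLS config to use.
// The TLS config is nil only when plain HTTP was explicitly requested.
func PingTarget(dest string, o DestOptions) (string, *tls.Config, error) {
	host := strings.TrimPrefix(dest, "docker://")
	if host == "" || strings.Contains(host, "://") {
		return "", nil, fmt.Errorf("invalid destination %q", dest)
	}
	host = strings.SplitN(host, "/", 2)[0] // drop any repository path
	if o.UsePlainHTTP {
		// Plain HTTP is chosen only on explicit request, never as a default.
		return "http://" + host + "/v2/", nil, nil
	}
	// Default: HTTPS. Skipping verification changes trust, not the scheme.
	cfg := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: o.SkipTLSVerify,
	}
	return "https://" + host + "/v2/", cfg, nil
}

func main() {
	dest := "docker://mirror-registry.local:8443" // destination from the report
	cases := []DestOptions{{}, {SkipTLSVerify: true}, {UsePlainHTTP: true}}
	for _, o := range cases {
		url, cfg, err := PingTarget(dest, o)
		fmt.Printf("%+v -> %s tls=%v err=%v\n", o, url, cfg != nil, err)
	}
}
```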