Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-42980

oc-mirror using HTTP connection by default

XMLWordPrintable

    • None
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      oc-mirror is using HTTP connection instead of HTTPS when mirroring images to mirror registry for OpenShift.

The expected behavior should be using HTTPS as the default protocol

$ oc mirror --config=imageset-reproducer.yaml docker://mirror-registry.local:8443

Checking push permissions for mirror-registry.local:8443
error: error checking push permissions for mirror-registry.local:8443: creating push check transport for mirror-registry.local:8443 failed: GET http://mirror-registry.local:8443/v2/: unexpected status code 400 Bad Request: <html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.20.1</center>
</body>
</html>

      Version-Release number of selected component (if applicable):

      $ oc mirror version --output=yaml
clientVersion:
  buildDate: "2024-09-12T09:59:41Z"
  compiler: gc
  gitCommit: c9123030d5df99847cf3779856d90ff83cf64dcb
  gitTreeState: clean
  gitVersion: 4.17.0-202409120935.p0.gc912303.assembly.stream.el9-c912303
  goVersion: go1.22.5 (Red Hat 1.22.5-1.el9) X:strictfipsruntime
  major: ""
  minor: ""
  platform: linux/amd64

      How reproducible:

      100% reproducible

      Steps to Reproduce:

      - Install mirror registry on RHEL 9
- Create the ImageSetConfiguration file, for example

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
  registry:
    imageURL: mirror-registry.local:8443/mirror/oc-mirror-metadata
    skipTLS: true              
mirror:
  platform:
    channels:
    - name: stable-4.12
      type: ocp
  operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12
  additionalImages:
  - name: registry.redhat.io/ubi8/ubi:latest

- Start the mirroring process:

oc mirror --config=imageset-reproducer.yaml docker://mirror-registry.local:8443    

      Actual results:

      Checking push permissions for mirror-registry.local:8443 error: error checking push permissions for mirror-registry.local:8443: creating push check transport for mirror-registry.local:8443 failed: GET http://mirror-registry.local:8443/v2/: unexpected status code 400 Bad Request: <html> <head><title>400 The plain HTTP request was sent to HTTPS port</title></head> <body> <center><h1>400 Bad Request</h1></center> <center>The plain HTTP request was sent to HTTPS port</center> <hr><center>nginx/1.20.1</center> </body> </html>

      Expected results:

      oc-mirror should use HTTPS by default when communicating with destination registry unless --dest-use-http flag is provided

      Additional info:

      oc-mirror runs the mirroring process in HTTPS when --dest-use-http flag is used which is a bit counterintuitive:

oc mirror --config=imageset-reproducer.yaml docker://mirror-registry.local:8443 --dest-use-http -v9

Checking push permissions for mirror-registry.local:8443
Using image mirror-registry.local:8443/oc-mirror to check permissions
Found: oc-mirror-workspace/src/publish
Found: oc-mirror-workspace/src/v2
Found: oc-mirror-workspace/src/charts
Found: oc-mirror-workspace/src/release-signatures
Using registry backend at location mirror-registry.local:8443/mirror/oc-mirror-metadata
Checking for existing metadata image at mirror-registry.local:8443/mirror/oc-mirror-metadata:latest
No metadata detected, creating new workspace

            luzuccar@redhat.com Luigi Mario Zuccarelli
            rhn-support-ggeraci Giovanni Geraci
            ying zhou ying zhou
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: