Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: 4.19.0
Affects Version/s: 4.15
Component/s: ImageStreams
Labels:
- disconnected
- imagestream

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.19.0
Release Blocker:
None
Sprint:
OCP Node Sprint 264 (Blue), OCP Node Sprint 265 (Blue)
sprint_count:
2

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, image import blocked registries that would fail if those registries were configured with `NeverContactSource`, even when mirror registries were set up. With this update, image importing is no longer blocked when a registry has mirrors configured. This ensures that image imports succeed even if the original source was set to `NeverContactSource` in the `ImageDigestMirrorSet` or `ImageTagMirrorSet` resources. (link:https://issues.redhat.com/browse/OCPBUGS-44432[~~OCPBUGS-44432~~])

Show
* Previously, image import blocked registries that would fail if those registries were configured with `NeverContactSource`, even when mirror registries were set up. With this update, image importing is no longer blocked when a registry has mirrors configured. This ensures that image imports succeed even if the original source was set to `NeverContactSource` in the `ImageDigestMirrorSet` or `ImageTagMirrorSet` resources. (link: https://issues.redhat.com/browse/OCPBUGS-44432 [ OCPBUGS-44432 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

ImageStream cannot import image tags when ImageTagMirrorSet is set to NeverContactSource. The same issue does not apply for pods

Version-Release number of selected component (if applicable):

4.15.35

Steps to Reproduce:

    1. Create a disconnected cluster with no internet access
    2. Create a "pull-through" image registry  [1]   
    3. Create the following ImageTagMirrorSet and ImageDigestMirrorSet

~~~
apiVersion: config.openshift.io/v1
kind: ImageDigestMirrorSet
metadata:
  name: image-mirrors
spec:
  imageDigestMirrors:
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/docker-remote
      source: docker.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.access.redhat.com
      source: registry.access.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/quay.io
      source: quay.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.redhat.io
      source: registry.redhat.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/gcr.io
      source: gcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/ghcr.io
      source: ghcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/com.redhat.connect.registry
      source: registry.connect.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/nvcr.io
      source: nvcr.io
---
apiVersion: config.openshift.io/v1
kind: ImageTagMirrorSet
metadata:
  name: image-mirrors
spec:
  imageTagMirrors:
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/docker-remote
      source: docker.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.access.redhat.com
      source: registry.access.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/quay.io
      source: quay.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.redhat.io
      source: registry.redhat.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/gcr.io
      source: gcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/ghcr.io
      source: ghcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/com.redhat.connect.registry
      source: registry.connect.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/nvcr.io
      source: nvcr.io
~~~

    4. Import an image [2]

[1] https://docs.redhat.com/en/documentation/red_hat_quay/3.13/html/use_red_hat_quay/quay-as-cache-proxy
[2] https://docs.openshift.com/container-platform/4.15/openshift_images/image-streams-manage.html#images-imagestream-import-images-image-streams

Actual results:

Unable to import images

Expected results:

Being able to import images

A similar issue is reported in OCPBUGS-17975

blocks

OCPBUGS-52312 ImageStream ignores ITMS NeverContactSource policy

Closed

is cloned by

OCPBUGS-52312 ImageStream ignores ITMS NeverContactSource policy

Closed

links to

openshift/openshift-apiserver#475: OCPBUGS-44432: Skip blocked registry check for registries with mirrors

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

Assignee:: Qi Wang

Reporter:: Giovanni Geraci

Need Info From:: None

Contributors:: None

QA Contact:: XiuJuan Wang

Doc Contact:: None

Votes:: 1 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2024/11/11 2:47 PM

Updated:: 2025/09/13 5:51 AM

Resolved:: 2025/06/17 4:47 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide