Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.15
Component/s: ImageStreams
Labels:
- disconnected
- imagestream

Regression:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Cause: The current code blocked the image import from blocked registry, but it did not take into account that the blocked registries are possible to be redirected to mirror registries since the neverContactSource configuration comes with ImageDigestMirrorSet/ImageTagMirrorSet to ImageContentSourcePolicy migration.

Consequence: The image import failed from mirrors if their source was configured as neverContactSource.

Fix: Do not block the image import from the registry when the registry has mirrors configured.

Result: The image import should success if the IDMS/ITMS had neverContactSource set to true.

Show
Cause: The current code blocked the image import from blocked registry, but it did not take into account that the blocked registries are possible to be redirected to mirror registries since the neverContactSource configuration comes with ImageDigestMirrorSet/ImageTagMirrorSet to ImageContentSourcePolicy migration. Consequence: The image import failed from mirrors if their source was configured as neverContactSource. Fix: Do not block the image import from the registry when the registry has mirrors configured. Result: The image import should success if the IDMS/ITMS had neverContactSource set to true.
Release Note Type:
Bug Fix
Release Note Status:
In Progress
Target Version:

4.18.z
Target Backport Versions:

4.17.z, 4.16.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

This is a clone of issue OCPBUGS-44432. The following is the description of the original issue:
—
Description of problem:

ImageStream cannot import image tags when ImageTagMirrorSet is set to NeverContactSource. The same issue does not apply for pods

Version-Release number of selected component (if applicable):

4.15.35

Steps to Reproduce:

    1. Create a disconnected cluster with no internet access
    2. Create a "pull-through" image registry  [1]   
    3. Create the following ImageTagMirrorSet and ImageDigestMirrorSet

~~~
apiVersion: config.openshift.io/v1
kind: ImageDigestMirrorSet
metadata:
  name: image-mirrors
spec:
  imageDigestMirrors:
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/docker-remote
      source: docker.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.access.redhat.com
      source: registry.access.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/quay.io
      source: quay.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.redhat.io
      source: registry.redhat.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/gcr.io
      source: gcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/ghcr.io
      source: ghcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/com.redhat.connect.registry
      source: registry.connect.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/nvcr.io
      source: nvcr.io
---
apiVersion: config.openshift.io/v1
kind: ImageTagMirrorSet
metadata:
  name: image-mirrors
spec:
  imageTagMirrors:
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/docker-remote
      source: docker.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.access.redhat.com
      source: registry.access.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/quay.io
      source: quay.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.redhat.io
      source: registry.redhat.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/gcr.io
      source: gcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/ghcr.io
      source: ghcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/com.redhat.connect.registry
      source: registry.connect.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/nvcr.io
      source: nvcr.io
~~~

    4. Import an image [2]

[1] https://docs.redhat.com/en/documentation/red_hat_quay/3.13/html/use_red_hat_quay/quay-as-cache-proxy
[2] https://docs.openshift.com/container-platform/4.15/openshift_images/image-streams-manage.html#images-imagestream-import-images-image-streams

Actual results:

Unable to import images

Expected results:

Being able to import images

A similar issue is reported in OCPBUGS-17975

blocks

OCPBUGS-53382 ImageStream ignores ITMS NeverContactSource policy

clones

OCPBUGS-44432 ImageStream ignores ITMS NeverContactSource policy

Verified

is blocked by

OCPBUGS-44432 ImageStream ignores ITMS NeverContactSource policy

Verified

is cloned by

OCPBUGS-53382 ImageStream ignores ITMS NeverContactSource policy

links to

openshift/openshift-apiserver#498: [release-4.18] OCPBUGS-52312: Skip blocked registry check for registries with mirrors

Assignee:: Qi Wang

Reporter:: OpenShift Prow Bot

QA Contact:: XiuJuan Wang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/03/04 5:52 PM

Updated:: 2025/03/24 10:05 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates