Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: 4.18.0
Affects Version/s: 4.15
Component/s: ImageStreams
Labels:
- disconnected
- imagestream

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:

4.17.z, 4.16.z
Target Version:

4.18.z
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
Cause: The current code blocked the image import from blocked registry, but it did not take into account that the blocked registries are possible to be redirected to mirror registries since the neverContactSource configuration comes with ImageDigestMirrorSet/ImageTagMirrorSet to ImageContentSourcePolicy migration.

Consequence: The image import failed from mirrors if their source was configured as neverContactSource.

Fix: Do not block the image import from the registry when the registry has mirrors configured.

Result: The image import should success if the IDMS/ITMS had neverContactSource set to true.

Show
Cause: The current code blocked the image import from blocked registry, but it did not take into account that the blocked registries are possible to be redirected to mirror registries since the neverContactSource configuration comes with ImageDigestMirrorSet/ImageTagMirrorSet to ImageContentSourcePolicy migration. Consequence: The image import failed from mirrors if their source was configured as neverContactSource. Fix: Do not block the image import from the registry when the registry has mirrors configured. Result: The image import should success if the IDMS/ITMS had neverContactSource set to true.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue ~~OCPBUGS-44432~~. The following is the description of the original issue:
—
Description of problem:

ImageStream cannot import image tags when ImageTagMirrorSet is set to NeverContactSource. The same issue does not apply for pods

Version-Release number of selected component (if applicable):

4.15.35

Steps to Reproduce:

    1. Create a disconnected cluster with no internet access
    2. Create a "pull-through" image registry  [1]   
    3. Create the following ImageTagMirrorSet and ImageDigestMirrorSet

~~~
apiVersion: config.openshift.io/v1
kind: ImageDigestMirrorSet
metadata:
  name: image-mirrors
spec:
  imageDigestMirrors:
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/docker-remote
      source: docker.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.access.redhat.com
      source: registry.access.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/quay.io
      source: quay.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.redhat.io
      source: registry.redhat.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/gcr.io
      source: gcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/ghcr.io
      source: ghcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/com.redhat.connect.registry
      source: registry.connect.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/nvcr.io
      source: nvcr.io
---
apiVersion: config.openshift.io/v1
kind: ImageTagMirrorSet
metadata:
  name: image-mirrors
spec:
  imageTagMirrors:
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/docker-remote
      source: docker.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.access.redhat.com
      source: registry.access.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/quay.io
      source: quay.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/registry.redhat.io
      source: registry.redhat.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/gcr.io
      source: gcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/ghcr.io
      source: ghcr.io
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/com.redhat.connect.registry
      source: registry.connect.redhat.com
    - mirrorSourcePolicy: NeverContactSource 
      mirrors:
        - <local-registry-url>/nvcr.io
      source: nvcr.io
~~~

    4. Import an image [2]

[1] https://docs.redhat.com/en/documentation/red_hat_quay/3.13/html/use_red_hat_quay/quay-as-cache-proxy
[2] https://docs.openshift.com/container-platform/4.15/openshift_images/image-streams-manage.html#images-imagestream-import-images-image-streams

Actual results:

Unable to import images

Expected results:

Being able to import images

A similar issue is reported in OCPBUGS-17975

blocks

OCPBUGS-53382 ImageStream ignores ITMS NeverContactSource policy

Closed

clones

OCPBUGS-44432 ImageStream ignores ITMS NeverContactSource policy

Closed

is blocked by

OCPBUGS-44432 ImageStream ignores ITMS NeverContactSource policy

Closed

is cloned by

OCPBUGS-53382 ImageStream ignores ITMS NeverContactSource policy

Closed

OCPBUGS-61474 ImageStream ignores ITMS NeverContactSource policy

Closed

links to

openshift/openshift-apiserver#498: [release-4.18] OCPBUGS-52312: Skip blocked registry check for registries with mirrors

RHBA-2025:3293 OpenShift Container Platform 4.18.z bug fix update

(2 links to)

Assignee:: Qi Wang

Reporter:: OpenShift Prow Bot

Need Info From:: None

Contributors:: None

QA Contact:: XiuJuan Wang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/03/04 5:52 PM

Updated:: 2025/09/13 5:51 AM

Resolved:: 2025/04/03 6:48 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide