Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-56008

Pull image from ACR failed

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Important
    • Yes
    • None
    • Rejected
    • CLOUD Sprint 271
    • 1
    • Done
    • Known Issue
    • Hide
      * When installing a cluster on {azure-short}, if you set any of the `compute.platform.azure.identity.type`, `controlplane.platform.azure.identity.type`, or `platform.azure.defaultMachinePlatform.identity.type` field values to `None`, your cluster is unable to pull images from the Azure Container Registry. You can avoid this issue by either providing a user-assigned identity, or by leaving the identity field blank. In both cases, the installation program generates a user-assigned identity. (link:https://issues.redhat.com/browse/OCPBUGS-56008[OCPBUGS-56008])
      Show
      * When installing a cluster on {azure-short}, if you set any of the `compute.platform.azure.identity.type`, `controlplane.platform.azure.identity.type`, or `platform.azure.defaultMachinePlatform.identity.type` field values to `None`, your cluster is unable to pull images from the Azure Container Registry. You can avoid this issue by either providing a user-assigned identity, or by leaving the identity field blank. In both cases, the installation program generates a user-assigned identity. (link: https://issues.redhat.com/browse/OCPBUGS-56008 [ OCPBUGS-56008 ])
    • None
    • None
    • None
    • None

      Description of problem:

      Pull image from ACR failed

      Version-Release number of selected component (if applicable):

      4.19.0-0.nightly-2025-05-11-153555 

      How reproducible:

      Always

      Steps to Reproduce:

      1. Given the cluster resource-group is qe-uidaily-0508-pf2qf-rg
      2. Create containerregistry on azure
      $ az acr create --resource-group qe-uidaily-0508-pf2qf-rg --name zhsuncontainerregistry --sku Basic
      3. Login into ACR
      $ az acr login --name zhsuncontainerregistry
      4. Grant AcrPull role to reourcegroup qe-uidaily-0508-pf2qf-rg
      I tried manually created Identity  qe-uidaily-0508-pf2qf-identity (in 4.19 seems this is not created by default) and manually bind qe-uidaily-0508-pf2qf-identity to nodes 
      
      5. $ docker pull openshift/hello-openshift
      6. $ docker tag openshift/hello-openshift:latest zhsuncontainerregistry.azurecr.io/hello-acr:latest
      7. Push the image to ACR
      $ docker push zhsuncontainerregistry.azurecr.io/hello-acr:latest 
      8. Create a new app using the image on ACR
      $ oc new-project hello-acr  
      $ oc new-app --name hello-acr --allow-missing-images   --image zhsuncontainerregistry.azurecr.io/hello-acr:latest
      $ oc get po                                                                                             
      NAME                         READY   STATUS             RESTARTS   AGE
      hello-acr-79cd4b5bc4-dvqkt   0/1     ImagePullBackOff   0          3m31s Failed to pull image "zhsuncontainerregistry.azurecr.io/hello-acr:latest": [initializing source docker://zhsuncontainerregistry.azurecr.io/hello-acr:latest: unable to retrieve auth token: invalid username/password: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: 65fd5960-ee74-468a-86aa-277bec29cbdc, initializing source docker://zhsuncontainerregistry.azurecr.io/hello-acr:latest: unable to retrieve auth token: invalid username/password: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: bc82f7f3-f184-4617-8a16-9de6237b2995]   
      
      sh-5.1# cat /tmp/request.json | /usr/libexec/kubelet-image-credential-provider-plugins/acr-credential-provider
      Error: requires at least 1 arg(s), only received 0
      Usage:
        acr-credential-provider configFile [flags]
      
      Flags:
        -h, --help                     help for acr-credential-provider
        -r, --registry-mirror string   Mirror a source registry host to a target registry host, and image pull credential will be requested to the target registry host when the image is from source registry host
      
      sh-5.1# cat /tmp/request.json
      {
        "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
        "kind": "CredentialProviderRequest",
        "image": "zhsunregistry1.azurecr.io/hello-acr:latest"
      }

      Actual results:

      Pull image from ACR failed 

      Expected results:

      Pull image from ACR succeed

      Additional info:

      This only happens in 4.19, Theo may have some finding for this, discussion https://redhat-internal.slack.com/archives/GE2HQ9QP4/p1746700433890159 

              padillon Patrick Dillon
              rhn-support-zhsun Zhaohua Sun
              None
              None
              Zhaohua Sun Zhaohua Sun
              None
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: