  1. OpenShift Service Mesh
  2. OSSM-110

Service Mesh cannot be installed on disconnected environments because ImageContentSourcePolicy only works when pulling images referenced by SHA-digest.


      [Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1768414]

      Description of problem:

      Our documented way to mirror OLM operator container images[1] will only work with operators that use image digests for their container images[2] but the vast majority of OLM operators use tags instead of digests.

      For example, installing the Service Mesh[3] involves installing the Elasticsearch, Jaeger, Kiali and Service Mesh Operators. The Jaeger operator fails because it's referenced by the following tag:

      ~~~
      registry.redhat.io/distributed-tracing/jaeger-rhel7-operator:1.13.1
      ~~~

      The proposed workaround[4] to circumvent this issue is as follows:

      ~~~
      • pull the catalog data for offlining
      • pull the tagged images for the desired operators
      • look up the digest for the pulled images
      • modify the manifests in the catalog to point to the digests instead of the tags
      • mirror the manifests by digest
      • use an ImageContentSourcePolicy for the mirrored images
      ~~~

      But, after the Jaeger operator is successfully installed using the workaround, the Service Mesh Operator tries to download other images such as "openshift-service-mesh/citadel-rhel8:1.0.1", which are not contained within the catalog and therefore cannot be manually modified in the same manner.

      Version-Release number of selected component (if applicable):

      OCP 4.2

      How reproducible:

      Always

      Steps to Reproduce:
      1. OCP 4.2.x
      2. OLM on restricted networks[1]
      3. Install Service Mesh

      Actual results:

      Some Operators are still using tags and therefore "ImageContentSourcePolicy" cannot be used to mirror those images.

      Expected results:

      Move our OLM operators to use digest references OR propose a "supported" workaround in order to successfully install Service Mesh on disconnected environments.

      Additional info:

      [1] - https://docs.openshift.com/container-platform/4.2/operators/olm-restricted-networks.html
      [2] - https://github.com/openshift/api/blob/master/operator/v1alpha1/types_image_content_source_policy.go#L54
      [3] - https://docs.openshift.com/container-platform/4.2/service_mesh/service_mesh_install/installing-ossm.html
      [4] - http://post-office.corp.redhat.com/archives/openshift-sme/2019-October/msg01602.html

            rcernich1 Rob Cernich
            rhn-support-pamoedom Pedro Jose Amoedo Martinez
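The "modify the manifests in the catalog to point to the digests instead of the tags" step of the workaround, as an added example that is not part of the original report or any Red Hat tooling. The function names, the sample manifest, the `registry.example.com` entries and the placeholder digest are all constructed for illustration; references left in `unresolved` are the ones an ImageContentSourcePolicy will not redirect.

```python
import re

# Matches YAML lines of the form "image: <ref>" or "- image: <ref>".
IMAGE_LINE = re.compile(r'^(?P<prefix>\s*(?:-\s+)?image:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$')

CONSTRUCTED_DIGEST = "sha256:" + "ab" * 32  # placeholder, not a real image digest
JAEGER_REF = "registry.redhat.io/distributed-tracing/jaeger-rhel7-operator:1.13.1"

# Constructed sample manifest: one tag with a known digest, one tag without,
# and one reference that is already pinned by digest.
SAMPLE_MANIFEST = (
    "spec:\n"
    "  containers:\n"
    "  - name: jaeger-operator\n"
    f"    image: {JAEGER_REF}\n"
    "  - name: sidecar\n"
    "    image: registry.example.com:5000/tools/sidecar:2.0  # no digest known\n"
    "  - name: pinned\n"
    f"    image: registry.example.com/tools/pinned@{CONSTRUCTED_DIGEST}\n"
)

def split_ref(ref):
    """Split 'registry[:port]/path/name[:tag]' into (repository, tag or None)."""
    head, _, last = ref.rpartition("/")
    name, sep, tag = last.partition(":")  # a ':' before the last '/' is a port
    return (f"{head}/{name}" if head else name), (tag if sep else None)

def pin_to_digests(manifest, digests):
    """Rewrite tag references to digest references.

    digests maps 'repository:tag' to 'sha256:<hex>', as looked up from the
    pulled images. Returns (rewritten_text, unresolved_refs).
    """
    out, unresolved = [], []
    for line in manifest.splitlines():
        m = IMAGE_LINE.match(line)
        if m and "@sha256:" not in m["ref"]:
            ref = m["ref"].strip("\"'")
            repo, _tag = split_ref(ref)
            digest = digests.get(ref)
            if digest:
                line = f"{m['prefix']}{repo}@{digest}{m['rest']}"
            else:
                unresolved.append(ref)  # still tag-based after the rewrite
        out.append(line)
    return "\n".join(out) + "\n", unresolved
```
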