RHSSO-2658

RH-SSO operator: Unable to pull PostgreSQL image in an airgap environment


      1. Environment:

      OCP 4.12
      OCP/RH-SSO operator 7.6.4

      2. Usual Operator image deployment

      The RH-SSO operator pulls 2 images from the registry:
      - SSO image
      - PostgreSQL image

      The SSO image is pulled using a message digest, whereas the PostgreSQL image is pulled using an image tag.

      39m Normal Pulling pod/keycloak-0 Pulling image "registry.redhat.io/rh-sso-7/sso76-openshift-rhel8@sha256:da0b74da608e71c5af15d73fd53f5978c20243c3d028fdf1c90e9c4be36da4df"
      ....
      ...
      37m Normal Pulling pod/keycloak-postgresql-75dff84cc4-bnhfp Pulling image "registry.redhat.io/rhscl/postgresql-10-rhel7:1-173"

      Note:
      The attached log trace corresponds to a successful OCP/RH-SSO operator deployment, showing that the SSO image is pulled using an image digest and the PostgreSQL image is pulled using a tag.

      3. Using an Airgap environment (i.e. a disconnected environment)

      When working in a disconnected environment and using OpenShift 4.12 ICSP (ImageContentSourcePolicy) mirroring, images are pulled from mirrors. But ImageContentSourcePolicy objects support image digests only, not image tags.

      See the OpenShift 4.12 documentation:

      Configuring image registry repository mirroring
      https://docs.openshift.com/container-platform/4.12/openshift_images/image-configuration.html#images-configuration-registry-mirror_image-configuration

      5. To check that the mirrored configuration settings,

      e. Pull an image digest to the node from the source and check if it is resolved by the mirror. ImageContentSourcePolicy objects support image digests only, not image tags.

      ===> The OpenShift documentation clearly states that images must be pulled using an image digest.

      4. Issue Description:

      When working in a disconnected (airgap) environment and using OpenShift ICSP, all the objects have to be pulled using an image digest.

      In the case of OCP/RH-SSO operator 7.6.4 deployed on OpenShift 4.12, the PostgreSQL image is retrieved using an image tag.

      In the usual case, when the user has access to the Red Hat source registry, the OCP/RH-SSO operator image deployment works absolutely fine.

      When working within an airgap environment and using OpenShift ICSP, the OCP/RH-SSO operator image deployment FAILS, as it cannot pull the PostgreSQL image from the mirror within the airgap environment.

      It generates an error:

      "Failed to pull image "registry.access.redhat.com/rhscl/postgresql-10-rhel7:173": rpc error: code = Unknown desc = parsing image configuration: Error fetching blob: invalid status code from registry 403 (Forbidden)"

      5. What is needed to make it work

      In order to deploy OCP/RH-SSO operator images safely within a disconnected/airgap environment, the PostgreSQL image has to be pulled using an image digest and not an image tag.

      Note:
      The SSO image is already pulled using an image digest, and is obtained correctly.

Assignee: Unassigned
Reporter: Olivier Rivat (rhn-support-orivat)
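
As an added illustration (not part of the original issue and not the operator's code), this Python sketch audits "Pulling image" events for references that ICSP mirroring will not redirect because they use a tag instead of a digest. The two event lines are the ones quoted in the issue; the ICSP source list, the prefix-matching rule and all function names are assumptions.

```python
import re

# Constructed input: the two pull events quoted in the issue.
EVENTS = '''\
39m Normal Pulling pod/keycloak-0 Pulling image "registry.redhat.io/rh-sso-7/sso76-openshift-rhel8@sha256:da0b74da608e71c5af15d73fd53f5978c20243c3d028fdf1c90e9c4be36da4df"
37m Normal Pulling pod/keycloak-postgresql-75dff84cc4-bnhfp Pulling image "registry.redhat.io/rhscl/postgresql-10-rhel7:1-173"
'''
# Assumed: source repositories listed in the cluster's ImageContentSourcePolicy.
ICSP_SOURCES = ["registry.redhat.io/rh-sso-7", "registry.redhat.io/rhscl"]

DIGEST_RE = re.compile(r"^[a-z0-9]+:[0-9a-f]{32,}$")

def parse_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # A ':' only marks a tag when it follows the last '/', so a registry
    # port such as host:5000/repo is not mistaken for a tag.
    last = name.rsplit("/", 1)[-1]
    repo, tag = name.rsplit(":", 1) if ":" in last else (name, None)
    return repo, tag, digest or None

def covered(repo, sources):
    """True if repo equals an ICSP source or lies below it (assumed rule)."""
    return any(repo == s or repo.startswith(s.rstrip("/") + "/") for s in sources)

def audit(events, sources):
    """Return {image_ref: verdict} for every 'Pulling image' event."""
    report = {}
    for ref in re.findall(r'Pulling image "([^"]+)"', events):
        repo, tag, digest = parse_ref(ref)
        if not covered(repo, sources):
            report[ref] = "no-mirror-configured"
        elif digest:
            report[ref] = "mirrored"          # digest pull: ICSP applies
        else:
            report[ref] = "tag-not-mirrored"  # tag pull: goes to the source registry
    return report

if __name__ == "__main__":
    for ref, verdict in audit(EVENTS, ICSP_SOURCES).items():
        print(f"{verdict:22} {ref}")
```

Running the same audit against events from a connected test cluster before moving to the disconnected one lists every tag-based reference that would need a digest.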