allow ubi8 images to work unauthenticated
Should resolve ubi8 Issue:306.
I didn't check if RHEL7 has a similar issue, but it likely doesn't because we would have heard about it by now.
Can one of the admins verify this patch?
Hi @jontrossbach thanks for the PR!
I am afraid this simple change might break a lot of things in our general workflow so I would like to put this aside, at least for now.
This does seem like something that could be fixed with a bit of configuration system side - you know you do not have access to registry.redhat.io (I guess that is the default for you right?), so you should be looking into the unauthenticated one first. Is this something you could consider?
I appreciate the reply, Petr.
After thinking about it, for my purposes, writing in the line `FROM registry.access.redhat.com/ubi8/s2i-base` works fine. I guess I just thought this repo's maintainers might be interested in the sort of downstream nuances I came across when using your Dockerfiles.
Addressing the idea of trying to get some new default registry pull sequence set up: I believe podman is already pulling from the unauthenticated registry first because the current setup seems to work without any changes (base machine being Fedora 32). In order to do this for OpenShift though, I was considering making a custom resource definition (CRD), i.e. an ImageContentSourcePolicy. This seems to be intended for restricted/closed networks though. Is there a better way to change the default registry in OpenShift for this purpose?
Glad to hear you have a workaround for now!
Yes, for podman the setup should already be correct. podman is taking configuration from /etc/containers/registries.conf so you can check that out for defaults/look-up order.
For OpenShift I am actually not sure what is the correct way to achieve the same. I expect you will need to do the changes to the same file as podman uses, but OpenShift itself might be maintaining it... Importing the image into OpenShift's own internal registry and using it as an imagestream might work as well.
@bparees Hi Ben, would you perhaps know how to change the default image registry for looking up images without fully qualified names (or add a registry to image look-up) inside OpenShift?
you'd need to use MCO to modify the /etc/containers/registries.conf.d on every node in the cluster.
see: https://github.com/openshift/enhancements/blob/master/enhancements/api-review/add-unqualified-search-registries.md#motivation
for some discussion of the current situation and the future plans.
note that there are a lot of security complications and implications to doing this. I strongly recommend against it. The main one is that k8s itself is going to pick a registry credential for your image pull based on "docker.io" as the assumed registry when you use shortnames. So the only way this works is if the node itself has appropriate creds for the actual registry. User(namespaced) credentials won't get used because k8s won't realize what the actual target registry is.
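The short-name concern raised in the comment above can be checked before a Dockerfile reaches a cluster. The following is an added example, not part of the thread or the repository: it lists each external `FROM` image, whether it is fully qualified, and which registries a short name could resolve to. The registry-detection rule, the function names, the sample Dockerfile and the search list are assumptions made for illustration.

```python
import re

# Assumption (not from the thread): Docker-style reference parsing, where the
# first path component is a registry host only if it contains "." or ":" or
# is "localhost". Anything else is a short name.
ASSUMED_REGISTRY = "docker.io"  # registry the comment above says k8s assumes
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)

def registry_of(ref):
    """Return the registry host of an image reference, or None if unqualified."""
    first, sep, _ = ref.partition("/")
    is_host = "." in first or ":" in first or first == "localhost"
    return first if sep and is_host else None

def audit_from_lines(dockerfile_text, search_registries):
    """List every external base image with the registries a pull may reach."""
    stages, findings = set(), []
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        is_stage = image.lower() in stages
        if alias:
            stages.add(alias.lower())
        if is_stage or image == "scratch" or "$" in image:
            continue  # earlier build stage, empty base, or unresolved ARG
        registry = registry_of(image)
        findings.append({
            "image": image,
            "qualified": registry is not None,
            # Registry used to select pull credentials.
            "credential_registry": registry or ASSUMED_REGISTRY,
            # Search order for short names; docker.io's implicit "library/"
            # prefix for single-component names is not modelled here.
            "candidates": [image] if registry
                          else [f"{r}/{image}" for r in search_registries],
        })
    return findings

# Constructed sample input, not taken from the repository.
SAMPLE = """\
FROM ubi8/s2i-base AS builder
FROM registry.access.redhat.com/ubi8/s2i-base
FROM builder
FROM scratch
"""
SEARCH = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]

if __name__ == "__main__":
    print(*audit_from_lines(SAMPLE, SEARCH), sep="\n")
```

An entry with `qualified` set to `False` is one where the registry that serves the image and the registry used to pick credentials can differ, which is the mismatch described in the comment above.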
[test]
This issue is not valid for this repository. Modification of /etc/containers/registries.conf provides a way to pull the proper image. Closing this issue. Feel free to reopen it if it makes sense.