With some help from the list I've come to the following solution, which should work according to the documentation (but doesn't).
First, I've configured my oc cluster up with persistent configuration and data:

    oc cluster up --host-data-dir=c:/Temp/openshift/data --host-config-dir=c:/Temp/openshift/config

After the initial config is written I can edit the master-config.yaml, and subsequent runs will use the existing config:

    oc cluster up --host-data-dir=c:/Temp/openshift/data --host-config-dir=c:/Temp/openshift/config --use-existing-config=true

In order to point the preconfigured imagestreams to our private insecure registry I need to edit the imagestream yaml files within the webconsole. First I need to set an annotation for the imagestream allowing an insecure repository, as described here: https://docs.openshift.org/latest/dev_guide/managing_images.html#insecure-registries

With that in place I want to point the Docker reference to our registry, which fails due to a whitelist error as described earlier.

Now comes the master-config.yaml. There you can configure allowed-registries-for-import as described here: https://docs.openshift.com/container-platform/3.9/admin_guide/image_policy.html

So I've changed the config like this:

    imagePolicyConfig:
      allowedRegistriesForImport:
      # wildcard entries are quoted: a plain YAML scalar may not start with '*'
      - domainName: '*:*'
        insecure: true
      - domainName: '*:*'
        insecure: false
      disableScheduledImport: false
      maxImagesBulkImportedPerRepository: 5
      maxScheduledImageImportsPerMinute: 60
      scheduledImageImportMinimumIntervalSeconds: 900

This allows all hosts and ports. After a restart I still get the same result:

    Reason: ImageStream "jenkins" is invalid: spec.tags[2].from.name: Forbidden: registry "docker.sdvrz.de:5000" not allowed by whitelist: "172.30.1.1:5000", "docker.io:443", "*.docker.io:443", "*.redhat.com:443", and 5 more ...

Of course I've tried less dramatic options without a wildcard. I am running out of options. Where can I find this whitelist?
:-)

regards
Marc

From: marc.schle...@sdv-it.de
To: users@lists.openshift.redhat.com
Date: 23.04.2018 08:56
Subject: Re: Re: Re: Re: Origin 3.9 (oc cluster up) doesnt use registry-mirror for internal registry
Sent by: users-boun...@lists.openshift.redhat.com

Thanks for the link. I think this is a valid solution for development. In the long run we need to create custom imagestreams anyway.

Still, I cannot save the yaml because our registry is not in the whitelist, even when setting the insecure annotation. I double checked my docker-daemon...

    {
      "registry-mirrors": [
        "https://docker.mydomain.com:5000"
      ],
      "insecure-registries": [
        "docker.mydomain.com:5000",
        "172.30.0.0/16"
      ],
      "debug": true,
      "experimental": true
    }

From: Ben Parees <bpar...@redhat.com>
To: marc.schle...@sdv-it.de
Cc: users <users@lists.openshift.redhat.com>
Date: 20.04.2018 15:25
Subject: Re: Re: Re: Origin 3.9 (oc cluster up) doesnt use registry-mirror for internal registry

On Fri, Apr 20, 2018 at 2:49 AM, <marc.schle...@sdv-it.de> wrote:

After setting up the proxy in oc cluster up as well as the daemon (including the necessary bypass) the problem remains. So I created an admin user to which I gave the cluster-admin role, and this one can see all image-streams and I can update them in the webconsole. And here I can see the root cause, which is actually caused by SSL:

    Internal error occurred: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority. Timestamp: 2018-04-20T06:33:47Z Error count: 2

Of course we have our own CA :-) Is there a way to import our ca-bundle? I did not see anything in "oc cluster up --help".

You're seeing this error in the imagestreams during image import? The easiest thing to do is mark the imagestreams insecure: https://docs.openshift.org/latest/dev_guide/managing_images.html#insecure-registries (Since oc cluster up is intended for dev usage, I am going to make the assumption this is a reasonable thing for you to do).
If you don't want to do that, you'd need to add the cert to the origin image which oc cluster up starts up to run the master.

From: Ben Parees <bpar...@redhat.com>
To: marc.schle...@sdv-it.de
Cc: users <users@lists.openshift.redhat.com>
Date: 19.04.2018 16:10
Subject: Re: Re: Origin 3.9 (oc cluster up) doesnt use registry-mirror for internal registry

On Thu, Apr 19, 2018 at 9:14 AM, <marc.schle...@sdv-it.de> wrote:

Thanks for the quick replies. The http-proxy is not enough to get out, since the daemon also uses other protocols than http.

right, but it will get the imagestream imported. After that it's up to your daemon configuration as to whether the pull can occur, and it sounded like you had already configured your daemon.

Changing the image-streams seems to be a valid approach; unfortunately I cannot export them in order to edit them... because they are not there yet. According to the documentation I need to export the image-stream by <name>@<id>. In order to get the id, I can use oc describe... but see:

    $ oc describe is jenkins
    Error from server (NotFound): imagestreams.image.openshift.io "jenkins" not found

So I cannot run

    $ oc export isimage jenkins@???

I am wondering why the containerized version isn't honoring the settings of the docker-daemon running on my machine. Well, it does when it is pulling the openshift images:

    docker images
    REPOSITORY                        TAG      IMAGE ID      CREATED      SIZE
    openshift/origin-web-console      v3.9.0   60938911a1f9  2 weeks ago  485MB
    openshift/origin-docker-registry  v3.9.0   2663c9df9123  2 weeks ago  455MB
    openshift/origin-haproxy-router   v3.9.0   c70d45de5384  2 weeks ago  1.27GB
    openshift/origin-deployer         v3.9.0   378ccd170718  2 weeks ago  1.25GB
    openshift/origin                  v3.9.0   b5f178918ae9  2 weeks ago  1.25GB
    openshift/origin-pod              v3.9.0   1b36bf755484  2 weeks ago  217MB

but the image-streams are not pulled. Nonetheless, when I pull the image-stream manually (docker pull openshift/jenkins-2-centos7) it works. So why is the pull not working from inside OpenShift?
regards
Marc

You can update the image streams to change the registry. You can also set a proxy for the master, which is the process doing the imports and which presumably needs the proxy configured, by passing these args to oc cluster up:

    --http-proxy='': HTTP proxy to use for master and builds
    --https-proxy='': HTTPS proxy to use for master and builds

I believe that should enable your existing imagestreams (not the ones pointing to the proxy url) to import.

best regards
Marc

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

--
Ben Parees | OpenShift
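As an added worked example (not code from this thread, from OpenShift or from Red Hat), the following Python script models the allowedRegistriesForImport whitelist check discussed in the top message, so that a candidate whitelist can be tried against an imagestream tag's from.name offline, before master-config.yaml is changed and the cluster restarted. The matching rule is a simplified reading of the image-policy docs: an entry is a host-name glob plus an optional port and an insecure flag. The default ports and the way the insecure flag is applied are assumptions, marked as such in the code; the real matcher has more port-fallback detail. The whitelist constants are constructed from the registries quoted in the error message and from the posted config (the "5 more" default entries are not on the page and are left out). One caveat the model makes visible: in YAML the wildcard entries must be quoted as '*:*', since a plain scalar may not start with '*' (it begins an alias).

```python
"""Offline model of OpenShift's allowedRegistriesForImport whitelist check.

Added example, not OpenShift code.  It models the rule the image-policy docs
describe: a whitelist entry is a host-name glob with an optional port and an
insecure flag, and an imagestream tag's from.name is admitted when its
registry matches some entry.  Assumptions (the real matcher has more
port-fallback detail):
  * an entry without a port means 443 when insecure is false, 80 when true
  * a reference without a port means 443, or 80 when the tag is imported
    with importPolicy.insecure: true
  * an insecure import is admitted only by an entry with insecure: true
"""
from fnmatch import fnmatchcase


def registry_of(image_ref):
    """Return (host, port or None) for the registry part of a docker reference.

    Docker's rule: the first path element is a registry only if it contains a
    '.' or ':' or is 'localhost'; otherwise the image lives on docker.io,
    so 'openshift/jenkins-2-centos7' resolves to docker.io.
    """
    first, sep, _ = image_ref.partition("/")
    if not sep or ("." not in first and ":" not in first and first != "localhost"):
        return "docker.io", None
    host, colon, port = first.rpartition(":")
    if colon and port.isdigit():
        return host, int(port)
    return first, None


def split_entry(domain_name, insecure):
    """Split a whitelist domainName into (host glob, port string).

    A port of '*' matches any port.  An entry without a port gets the
    assumed default port for its transport.
    """
    host, colon, port = domain_name.rpartition(":")
    if colon and (port.isdigit() or port == "*"):
        return host, port
    return domain_name, "80" if insecure else "443"


def admitted(image_ref, whitelist, insecure_import=False):
    """True when image_ref's registry is allowed by some whitelist entry."""
    host, port = registry_of(image_ref)
    want_port = str(port) if port is not None else ("80" if insecure_import else "443")
    for entry in whitelist:
        entry_insecure = bool(entry.get("insecure", False))
        if insecure_import and not entry_insecure:
            continue  # assumption: insecure imports need an insecure: true entry
        glob_host, glob_port = split_entry(entry["domainName"], entry_insecure)
        if fnmatchcase(host, glob_host) and glob_port in ("*", want_port):
            return True
    return False


def verdict(image_ref, whitelist, insecure_import=False):
    """Same shape of message the API server returns, for eyeballing."""
    host, port = registry_of(image_ref)
    registry = host if port is None else "%s:%d" % (host, port)
    if admitted(image_ref, whitelist, insecure_import):
        return 'ok: registry "%s" allowed' % registry
    listed = ", ".join('"%s"' % e["domainName"] for e in whitelist)
    return 'Forbidden: registry "%s" not allowed by whitelist: %s' % (registry, listed)


# Constructed from the whitelist quoted in the error message; the "5 more"
# entries it truncates are not on the page.  The insecure flag on the
# internal registry entry is an assumption.
DEFAULT_WHITELIST = [
    {"domainName": "172.30.1.1:5000", "insecure": True},
    {"domainName": "docker.io:443"},
    {"domainName": "*.docker.io:443"},
    {"domainName": "*.redhat.com:443"},
]

# The posted catch-all config.  In YAML these values must be quoted ('*:*'):
# a plain scalar may not start with '*', which begins an alias.
CATCH_ALL = [
    {"domainName": "*:*", "insecure": True},
    {"domainName": "*:*", "insecure": False},
]

# The narrow alternative: only the private registry, over plain HTTP.
PRIVATE_ONLY = [{"domainName": "docker.sdvrz.de:5000", "insecure": True}]


if __name__ == "__main__":
    ref = "docker.sdvrz.de:5000/openshift/jenkins-2-centos7:latest"
    for name, wl in (("default", DEFAULT_WHITELIST), ("catch-all", CATCH_ALL), ("private", PRIVATE_ONLY)):
        print(name, "->", verdict(ref, wl, insecure_import=True))
    print("hub ->", verdict("openshift/jenkins-2-centos7", DEFAULT_WHITELIST))
```

Run stand-alone, it shows the private registry rejected by the default list (the same "Forbidden ... not allowed by whitelist" shape as the error in the thread) and admitted by either the quoted catch-all or the single explicit entry; a whitelist that the model rejects will certainly be rejected by the real one, since the model is no stricter than the documented rule.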