Hi Chmouel, you do that usually within a pipeline, so that you promote images after tests etc. succeeded.
Also keep in mind that you need to allow the jenkins user of the build project to "push" images into the second repo. best Marcel On Thu, 12 Jul 2018 at 13:40, Chmouel Boudjnah <chmo...@redhat.com> wrote: > I just realised as well that I can just use oc tag for that with the right > source : > > oc tag --alias=true project-build/cakephp-mysql-persistent:latest > cakephp-mysql-persistent:latest > > which seems a easier to do that than just the recreation but is there a > way to have this automatically so whenever I build in project-build to have > it tagged in my run ? > > On Thu, Jul 12, 2018 at 10:27 AM Chmouel Boudjnah <chmo...@redhat.com> > wrote: > >> Hello, >> >> I am trying to understand how to properly do ImageStream promotion >> between projects I own (i.e: project-build to project-prod) >> >> I see in the documentation here >> https://docs.openshift.com/container-platform/3.9/dev_guide/managing_images.html#allowing-pods-to-reference-images-across-projects >> that I can allow projects with roles and policy which is something I am >> trying to avoid since this is done as admin. >> >> If I don't do this and reference directly from project-prod the >> imagestream built on project-build I am getting a permission denied, for >> example this is snippet in my DC referencing the image : >> >> from: >> kind: ImageStreamTag >> name: cakephp-mysql-persistent:latest >> namespace: project-build >> >> and the error message denied access to the image from the other project : >> >> 13s 13s 1 cakephp-mysql-persistent-2-ss6kv Pod >> spec.containers{cakephp-mysql-persistent} Warning >> Failed kubelet, localhost Failed to pull image >> " >> 172.30.1.1:5000/project-build/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b": >> rpc error: code = Unknown desc = unauthorized: authentication required >> >> >> I have found another way which is having an ImageStream referencing my >> ImageStreamTag from the project-build namespace : >> >> apiVersion: v1 >> kind: ImageStream >> metadata: >> name: cakephp-mysql-persistent >> spec: >> tags: >> - from: >> kind: ImageStreamTag >> name: cakephp-mysql-persistent:latest >> namespace: project-build >> name: latest >> >> and then if I create the application and check my imagestreamtags : >> >> % oc create -f /tmp/x.yaml >> >> >> imagestream "cakephp-mysql-persistent" created >> % oc get istag >> >> >> NAME DOCKER REF >> >> UPDATED IMAGENAME >> cakephp-mysql-persistent:latest >> 172.30.1.1:5000/project-run/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b >> 9 hours ago >> sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b >> >> I see it imported the image tag from the imagestreamtag on project-build >> : >> >> % oc get istag -n project-build >> NAME DOCKER REF >> >> UPDATED IMAGENAME >> cakephp-mysql-persistent:latest >> 172.30.1.1:5000/project-build/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b >> 9 hours ago >> sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b >> >> and then my application can use it correctly when removing the namespace: >> project-build to use my own project namespace. >> >> The weird part here is that the monitoring of new image is not refreshed >> and i need to recreate every time my imagestream to get the latest tagged >> image. Which then I would have to do that for promotion : >> >> build in project-build which generate an image and imagesteamtag >> delete imagestream in cakephp-mysql-persistent and recreate it with the >> same yaml which then recreate a istag imported from the latest image on >> project-build >> deploy in project-run with the latest image built on project-build >> >> So my questions here : >> >> 1) Is it the right behaviour can we rely on that ? >> 2) Is it normal ? Should we get permission denied when doing that, or be >> allowed to reference our own imagestreamtag from other project ? >> 3) Is there a better way (without having to launch admin command) ? >> >> Thanks, >> Chmouel >> >> >> _______________________________________________ > users mailing list > users@lists.openshift.redhat.com > http://lists.openshift.redhat.com/openshiftmm/listinfo/users >
_______________________________________________ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
