ImageContentSourcePolicy creation fails
Cloud Pak Operand deployment fails in an air-gapped or disconnected environment with an ImagePullBackOff
error when a Quay registry is being used with defined organizations.
Symptom
The Operand deployment fails with an error similar to:
Failed to pull image "cp.icr.io/cp/iaf-ui-customization@sha256:d9a3bf86182e977a15700d948ede61a00390dff88666615b394f9b74b193d2a4": rpc error: code = Unknown desc = (Mirrors also failed: [my-quay-registry.com/myOrg/iaf-ui-customization@sha256:d9a3bf86182e977a15700d948ede61a00390dff88666615b394f9b74b193d2a4: reading manifest sha256:d9a3bf86182e977a15700d948ede61a00390dff88666615b394f9b74b193d2a4 in my-quay-registry.com/myOrg/iaf-ui-customization: name unknown: repository not found]): cp.icr.io/cp/iaf-ui-customization@sha256:d9a3bf86182e977a15700d948ede61a00390dff88666615b394f9b74b193d2a4: Requesting bear token: invalid status code from registry 400 (Bad Request)
Cause
When you run the oc ibm-pak
command with --action configure-cluster-airgap
and use the --nsPrefix
parameter to specify the organization in Quay where the images are mirrored, the generated ImageContentSourcePolicy
is invalid.
For example, the ImageContentSourcePolicy creation fails when you run the following command:
# oc ibm-pak case launch --case ${CASE_LOCAL_PATH} --inventory ${CASE_INVENTORY_SETUP} --action configure-cluster-airgap --namespace ${NAMESPACE} --args "--registry ${LOCAL_REGISTRY} --user ${LOCAL_REGISTRY_USER} --pass ${LOCAL_REGISTRY_PASS} --inputDir ${OFFLINEDIR} --nsPrefix ${NSPREFIX}"
Resolving the problem
To resolve this issue, you must manually correct the generated ImageContentSourcePolicy.
-
Locate the generated ImageContentSourcePolicy.
oc get imageContentSourcePolicy
-
Edit the policy.
oc edit imageContentSourcePolicy <image-content-source-policy>
-
Append the image subpaths after the organization. For example, change the following specification:
Spec: Repository Digest Mirrors: Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg Source: cp.icr.io/cp Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg Source: docker.io/ibmcom Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg Source: icr.io/cpopen Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg Source: icr.io/db2u Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg Source: icr.io/ibm-messaging Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg Source: quay.io/opencloudio
to the following specification:
Spec: Repository Digest Mirrors: Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg/cp Source: cp.icr.io/cp Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg/ibmcom Source: docker.io/ibmcom Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg/cpopen Source: icr.io/cpopen Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg/db2u Source: icr.io/db2u Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg/ibm-messaging Source: icr.io/ibm-messaging Mirrors: us-west-2-registry.cloudpak-bringup.com/myOrg/opencloudio Source: quay.io/opencloudio
You might need to wait for the cluster nodes to reboot after editing the ImageContentSourcePolicy in order for it to take effect.