OCP image registry fails to push or pull image to/from the s3 compliant object storage
Environment
- Red Hat OpenShift Container Platform 4
Issue
- The OpenShift image registry is unable to push images to an S3-compliant object storage that is not yet tested/certified by Red Hat.
- While pushing the image to the registry, the image registry pod throws the following errors:
Trying to pull example-ojectregistry.example.com:8443/keycloak:latest...
Error: initializing source docker://example-ojectregistry.example.com:8443/keycloak:latest: reading manifest latest in example-ojectregistry.example.com:8443/keycloak: unauthorized: access to the requested resource is not authorized
Resolution
- For custom or third-party S3-compatible object storage, setting spec.storage.managementState to Unmanaged in the image registry operator resolves the issue, but this configuration makes the image registry operator ignore changes to the configuration resources.
- Changing the operator state to Unmanaged is not recommended; here we can only suggest that the storage provider certify their solution with Red Hat before releasing it for OpenShift use.
- Refer to the product documentation to change the management state of the registry operator to Unmanaged.
Root Cause
The OCP image registry pod complains that the custom third-party S3-compliant backend is not authorized.
Diagnostic Steps
Image pull/push fails with an authorization error:
# podman pull example-ojectregistry.example.com:8443/keycloak:latest
# podman push example-ojectregistry.example.com:8443/keycloak:latest
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.