Issue:
Pulling images fails with OCP 4 nodes. Typically, this occurs with one of the OCP4 images not updating for the node operators.
Error:
sh-4.x# podman pull registry.redhat.io/openshift4/<image_name>
Failed to pull image "registry.redhat.io/openshift4/<image-operator>@sha256:abc12345": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials.
Cause:
After confirming the @sha256:abc12345 service account is valid...
The podman login command doesn't store its credentials as they are in clear text. Therefore, they are not available for the subsequent podman pull command. Therefore, with OCP4 podman pull requires credentials passed via the --authfile parameter pointing to a local config.json file containing the credential.
Workaround/Solution:
Provide the secret via the kubelet/config.json file:
sh-4.x# podman pull registry.redhat.io/openshift4/<image_name> --authfile /var/lib/kubelet/config.json
Note:
- After successful authentication, OCP (and podman actually), are re-used for the next registry pull. The authorization is stored in:
${XDG_RUNTIME_DIR}/containers/auth.json
Sample format of auth.json:
{
"auths": {
"https://registry.redhat.io": {
"auth": "abc12qrs3t4UvwXyz"
}
}
}
---
Standard authentication during pull tests:
sh-4.x# podman pull registry.redhat.io/rhel8/<image_name>
Username: myrhloginid
Password: abcd1234
sh-4.x# podman pull registry.redhat.io/openshift4/<image_name>
Username: myrhloginid
Password: abcd1234
previous page
|