Using Nexus as a proxy registry for a disconnected OpenShift install #475
Comments
@Thulium-Drake Hi, I think you're very close but for some reason your screenshot doesn't look like the proxy configuration I have in my Nexus (3.73.0).
This should give you two logins and 4 registry URLs (obfuscated):
The way I am doing this is by giving each repo its own private port and aggregating all of them under a group called 'redhat'.

In the ADMIN UI side of Nexus, my config looks like this:

Now, for each of the repos, I define a specific port and enter the credentials obtained from the pull secret, like this:

and at the end the authentication from the pull secret:

Repeat for each upstream registry and aggregate all of them under a group registry (that one is on 18000 which gets TLS'ed to 5000):

It used to work fine but in recent months it ceased working for some images (hence this Nexus issue).
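As an added example (not part of the comment above and not Nexus or OpenShift code): one way to see which login belongs to which upstream registry in a pull secret before entering the credentials into each Nexus proxy repository. The sample secret, its user names and tokens are constructed, and the function names are hypothetical.

```python
import base64
import json
from collections import defaultdict


def _auth(user, password):
    """Encode user:password the way a pull secret's 'auth' field stores it."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample in the dockerconfigjson layout used by pull secrets.
# User names and tokens are placeholders, not real credentials.
SAMPLE_PULL_SECRET = json.dumps({"auths": {
    "cloud.openshift.com": {"auth": _auth("user-one", "tok:en1")},
    "quay.io": {"auth": _auth("user-one", "tok:en1")},
    "registry.connect.redhat.com": {"auth": _auth("user-two", "token2")},
    "registry.redhat.io": {"auth": _auth("user-two", "token2")},
}})


def logins_by_registry(pull_secret_json):
    """Return {registry: (username, password)} decoded from each 'auth' field."""
    result = {}
    for registry, entry in json.loads(pull_secret_json).get("auths", {}).items():
        raw = entry.get("auth")
        if not raw:
            continue  # entry carries no basic-auth credentials
        decoded = base64.b64decode(raw).decode("utf-8")
        # Split on the first colon only: the token itself may contain ':'.
        user, sep, password = decoded.partition(":")
        if not sep:
            raise ValueError(f"{registry}: auth is not in user:password form")
        result[registry] = (user, password)
    return result


def registries_per_login(pull_secret_json):
    """Group registry hosts by the user name that authenticates to them."""
    grouped = defaultdict(list)
    for registry, (user, _password) in logins_by_registry(pull_secret_json).items():
        grouped[user].append(registry)
    return {user: sorted(hosts) for user, hosts in grouped.items()}


if __name__ == "__main__":
    # Passwords are deliberately not printed; only the login-to-host mapping is.
    for user, hosts in registries_per_login(SAMPLE_PULL_SECRET).items():
        print(f"{user}: {', '.join(hosts)}")
```

Each proxy repository in Nexus then gets the user name and password of the login listed for its upstream host.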
Sonatype Nexus Repository OSS users can file an issue here.
I’m attempting to use Nexus as a local proxy registry for deploying OCP clusters.
I’ve configured upstream docker proxy repos to quay.io, registry.redhat.io and a few others.
Then, I’ve aggregated those repos (each with their pull secrets) under a group hosted on Nexus on port 5000.
This works fine for image-based downloads.
Upstream:
podman pull quay.io/openshift-release-dev/ocp-release:4.16.5-x86_64
My registry:
podman pull registry.lasthome.solace.krynn:5000/openshift-release-dev/ocp-release:4.16.5-x86_64
Both of these work without issues.
However, if I try to deploy OpenShift using Nexus as my registry, I get errors for the sha256 images (digests?), e.g.:
This one works (using upstream):
podman pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1e4b8d40d25ba75162a201b45ff09dea4dd9fb13d078bbd6dd09276266df6842
but this one fails:
podman pull registry.lasthome.solace.krynn:5000/openshift-release-dev/ocp-v4.0-art-dev@sha256:1e4b8d40d25ba75162a201b45ff09dea4dd9fb13d078bbd6dd09276266df6842
and it reports: “manifest unknown”
In the Nexus outbound log, I can then see 401 errors such as these:
For reference, this is what I am using in my install-config:
I’ve reached out to OpenShift support and they said that the only way this could fail with a 401 on quay.io is if the requests aren’t properly authenticated:
The v2/auth endpoint on Quay will only return a 401 if you have bad credentials. There would be no other reason to do so.
Without credentials:
With credentials: