Images mirrored to Quay can't be pulled in RHOCP
Environment
- Red Hat Quay
  - 3.x
- Red Hat OpenShift Container Platform
  - 4.x
Issue
- Images are being mirrored into the Quay registry using the following command with success.

  $ oc adm catalog mirror <source_registry> <destination_registry> -a ./.dockerconfigjson --insecure

- However, the pod deployment, using that mirrored image, fails with an authentication error:

  Warning Failed 13s kubelet Failed to pull image "<destination_registry>/<repository>/<image>:<tag>": rpc error: code = Unknown desc = reading manifest 1-191a in <destination_registry>/<repository>/<image>:<tag>: unauthorized: access to the requested resource is not authorized

- Is it possible to change the Quay configuration so that the default setting when a new repository is pushed is "public"?
Resolution
- Add the parameter CREATE_PRIVATE_REPO_ON_PUSH: false to the Quay config.yaml file. With this setting, the repository that is created when an image is first pushed to the Quay registry, for example by running $ oc adm catalog mirror, is public.
Root Cause
- When images are pushed to the Quay registry without an existing repository, a new private repository is created automatically. This prevents the kubelet on RHOCP nodes from pulling the images, so the pod cannot be deployed successfully.
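
To see which mirrored repositories the kubelet was refused on, the following added example (not part of the original solution) parses kubelet event text in the format shown in the Issue section and lists the repositories on the destination registry with unauthorized pull failures. The hostnames, image names and event lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Kubelet event text for a pull rejected by the registry (format from the Issue section).
PULL_DENIED = re.compile(
    r'Failed to pull image "(?P<ref>[^"]+)":.*'
    r"unauthorized: access to the requested resource is not authorized"
)

def split_ref(ref):
    """Split an image reference into (registry, repository, tag or digest)."""
    name, _, digest = ref.partition("@")
    tag = ""
    # Only a colon in the last path segment is a tag; the registry may carry a port.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    registry, _, repository = name.partition("/")
    return registry, repository, digest or tag or "latest"

def denied_repositories(events, registry):
    """Return {repository: [tags/digests]} for unauthorized pulls from `registry`."""
    found = defaultdict(set)
    for line in events.splitlines():
        match = PULL_DENIED.search(line)
        if not match:
            continue
        reg, repo, ref = split_ref(match.group("ref"))
        if reg == registry:
            found[repo].add(ref)
    return {repo: sorted(refs) for repo, refs in sorted(found.items())}

# Constructed sample events; the hostnames and image names are made up.
SAMPLE_EVENTS = """\
Warning Failed 13s kubelet Failed to pull image "quay.example.com:8443/olm/redhat-operator-index:v4.12": rpc error: code = Unknown desc = reading manifest v4.12 in quay.example.com:8443/olm/redhat-operator-index:v4.12: unauthorized: access to the requested resource is not authorized
Warning Failed 11s kubelet Failed to pull image "quay.example.com:8443/olm/etcd@sha256:aaaa": rpc error: code = Unknown desc = reading manifest sha256:aaaa in quay.example.com:8443/olm/etcd: unauthorized: access to the requested resource is not authorized
Warning Failed 9s kubelet Failed to pull image "quay.example.com:8443/olm/missing:v1": rpc error: code = Unknown desc = reading manifest v1 in quay.example.com:8443/olm/missing:v1: manifest unknown
Warning Failed 7s kubelet Failed to pull image "registry.example.net/team/app:1.0": rpc error: code = Unknown desc = reading manifest 1.0 in registry.example.net/team/app:1.0: unauthorized: access to the requested resource is not authorized
Normal Pulled 5s kubelet Successfully pulled image "quay.example.com:8443/olm/ok:v1"
"""

if __name__ == "__main__":
    for repo, refs in denied_repositories(SAMPLE_EVENTS, "quay.example.com:8443").items():
        print(repo, ", ".join(refs))
```

Each repository it lists is one to review before its visibility is changed, since a public repository can be pulled without credentials.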

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.