search

openshift / jenkins-plugin

Apache License 2.0
81 stars 50 forks source link

Unable to do openshiftTag() in pipeline #132

Closed alex-sl-eng closed 7 years ago

alex-sl-eng commented 7 years ago

Hi,

I'm having difficulties trying to convert my oc command (which is working with the same token) to jenkins openshiftTag() syntax. The jenkins is service within the openshift.

My oc command: oc project openshift-project oc tag external.registry.host.com/myproject:1.0 oc-my-stream:latest


Pipeline syntax:
openshiftTag(
   apiURL: 'http://my.localhost.openshift.com',  
   destinationAuthToken: 'my-token-for-my.localhost.openshift.com',
   namespace: 'external.registry.host.com',
   sourceStream: 'myproject',
   sourceTag: '1.0',
   destinationNamespace: 'openshift-project',
   destinationStream: 'oc-my-stream',
   destinationTag: 'latest'
)

When I run the pipeline job

Starting "Tag OpenShift Image" with the source [image stream:tag] "myproject:1.0" from the project "external.registry.host.com" and destination stream(s) "oc-my-stream" with tag(s) "latest" from the project "openshift-project".
com.openshift.restclient.authorization.UnauthorizedException: Unauthorized to access resource. You can access the server using Basic authentication.

Please help.

gabemontero commented 7 years ago

I believe you are ultimately trying an option for tagging available with the CLI which is not available with the openshift-pipeline plugin.

You only specified a token my-token-for-my.localhost.openshift.com for the destination name space openshift-project

You did not specify a token for the source namespace external.registry.host.com, which by the way does not sound like a valid openshift namespace name, but an external docker registry.

If so, we are failing trying to access the project/namespace external.registry.host.com from the openshift master. And if by some add stretch such a project does exist, since you don't specify the source token for any non-default source namespace the plugin will use the service account token for the project hosting jenkins, and that token does not have access.

The plugin does not have the feature currently to try and access the source as an external docker registry.

If you don't think this analysis hits the mark, please re-open and clarify.

To ultimately work around this, I suggest you use our new plugin. See https://github.com/openshift/jenkins-client-plugin. It provides pipeline DSL that allows for direct invocation of the oc command in the openshift jenkins image. You can then leverage the oc commands capability to specify and external docker registry as a source for the tag command.