import-image returns 'access forbidden' for private repository

[0x4c6565]

When attempting to issue oc import-image to create an image stream from a private repository, I receive the following error:

error: tag latest failed: Internal error occurred: Get https://registry.myrepo.co.uk/v2/infrastructure/myapp-container/myapp/manifests/latest: denied: access forbidden

I have followed the steps within the documentation for configuring the required image pull secret, and I am able to issue docker login and docker pull without issue.

If it helps, the registry I am attempting to pull from is within a private-hosted Gitlab instance.

Version

[root@os-master-01 ~]# oc version
oc v3.9.0+ba7faec-1
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://cluster-01.openshift.io:8443
openshift v3.9.0+ba7faec-1
kubernetes v1.9.1+a0ce1bc657

Steps To Reproduce

oc project lolproject
docker login registry.myrepo.co.uk --username myuser
oc create secret generic registry-secret-lolproject --from-file=.dockerconfigjson=/root/.docker/config.json --type=kubernetes.io/dockerconfigjson
oc secrets link builder registry-secret-lolproject
oc secrets link default registry-secret-lolproject --for=pull
oc import-image test-myapp --from=registry.myrepo.co.uk/infrastructure/myapp-container/myapp --confirm

I have also tried oc create secret docker-registry to no avail.

Actual result

[root@os-master-01 ~]#oc import-image test-myapp --from=registry.myrepo.co.uk/infrastructure/myapp-container/myapp --confirm
The import completed with errors.

Name:                   test-myapp
Namespace:              lolproject
Created:                Less than a second ago
Labels:                 <none>
Annotations:            openshift.io/image.dockerRepositoryCheck=2018-05-18T10:58:44Z
Docker Pull Spec:       docker-registry.default.svc:5000/lolproject/test-myapp
Image Lookup:           local=false
Unique Images:          0
Tags:                   1

latest
  tagged from registry.myrepo.co.uk/infrastructure/myapp-container/myapp

  ! error: Import failed (InternalError): Internal error occurred: Get https://registry.myrepo.co.uk/v2/infrastructure/myapp-container/myapp/manifests/latest: denied: access forbidden
      Less than a second ago

error: tag latest failed: Internal error occurred: Get https://registry.myrepo.co.uk/v2/infrastructure/myapp-container/myapp/manifests/latest: denied: access forbidden

Expected result

Image stream to be added successfully.

[jwforres]

@openshift/sig-developer-experience

[bparees]

@legionus @dmage is there any issue w/ importing from repository paths that have multiple slashes? (the import path in this case is registry.myrepo.co.uk/infrastructure/myapp-container/myapp)

everything else about the config looks right to me...

[0x4c6565]

I have managed to solve this - I failed to notice that the gitlab registry uses a different url for authentication (gitlab.myrepo.co.uk). I have seen other issues regarding this for hosted gitlab.com registry, but this also appears to apply for on-prem gitlab.

After adding a second deploy secret into openshift for the second domain, I've been able to add the image stream successfully.

[bparees]

ah, yeah that would do it.