@@ -235,6 +235,8 @@ type TagReference struct {

 	Generation *int64

 	// ImportPolicy is information that controls how images may be imported by the server.

 	ImportPolicy TagImportPolicy

+	// ReferencePolicy defines how other components should consume the image

+	ReferencePolicy TagReferencePolicy

 }

 type TagImportPolicy struct {

@@ -244,6 +246,35 @@ type TagImportPolicy struct {

 	Scheduled bool

 }

+// TagReferencePolicyType describes how pull-specs for images in an image stream tag are generated when

+// image change triggers are fired.

+type TagReferencePolicyType string

+

+const (

+	// SourceTagReferencePolicy indicates the image's original location should be used when the image stream tag

+	// is resolved into other resources (builds and deployment configurations).

+	SourceTagReferencePolicy TagReferencePolicyType = "Source"

+	// LocalTagReferencePolicy indicates the image should prefer to pull via the local integrated registry,

+	// falling back to the remote location if the integrated registry has not been configured. The reference will

+	// use the internal DNS name or registry service IP.

+	LocalTagReferencePolicy TagReferencePolicyType = "Local"

+)

+

+// TagReferencePolicy describes how pull-specs for images in this image stream tag are generated when

+// image change triggers in deployment configs or builds are resolved. This allows the image stream

+// author to control how images are accessed.

+type TagReferencePolicy struct {

+	// Type determines how the image pull spec should be transformed when the image stream tag is used in

+	// deployment config triggers or new builds. The default value is `Source`, indicating the original

+	// location of the image should be used (if imported). The user may also specify `Local`, indicating

+	// that the pull spec should point to the integrated Docker registry and leverage the registry's

+	// ability to proxy the pull to an upstream registry. `Local` allows the credentials used to pull this

+	// image to be managed from the image stream's namespace, so others on the platform can access a remote

+	// image but have no access to the remote secret. It also allows the image layers to be mirrored into

+	// the local registry which the images can still be pulled even if the upstream registry is unavailable.

+	Type TagReferencePolicyType

+}

+

 // ImageStreamStatus contains information about the state of this image stream.

 type ImageStreamStatus struct {

 	// DockerImageRepository represents the effective location this stream may be accessed at. May be empty until the server

@@ -16,8 +16,15 @@ func SetDefaults_ImageImportSpec(obj *ImageImportSpec) {

 	}

 }

+func SetDefaults_TagReferencePolicy(obj *TagReferencePolicy) {

+	if len(obj.Type) == 0 {

+		obj.Type = SourceTagReferencePolicy

+	}

+}

+

 func addDefaultingFuncs(scheme *runtime.Scheme) error {

 	return scheme.AddDefaultingFuncs(

 		SetDefaults_ImageImportSpec,

+		SetDefaults_TagReferencePolicy,

 	)

 }

@@ -178,9 +178,11 @@ type TagReference struct {

 	Generation *int64 `json:"generation" protobuf:"varint,5,opt,name=generation"`

 	// Import is information that controls how images may be imported by the server.

 	ImportPolicy TagImportPolicy `json:"importPolicy,omitempty" protobuf:"bytes,6,opt,name=importPolicy"`

+	// ReferencePolicy defines how other components should consume the image

+	ReferencePolicy TagReferencePolicy `json:"referencePolicy,omitempty" protobuf:"bytes,7,opt,name=referencePolicy"`

 }

-// TagImportPolicy describes the tag import policy

+// TagImportPolicy controls how images related to this tag will be imported.

 type TagImportPolicy struct {

 	// Insecure is true if the server may bypass certificate verification or connect directly over HTTP during image import.

 	Insecure bool `json:"insecure,omitempty" protobuf:"varint,1,opt,name=insecure"`

@@ -188,6 +190,35 @@ type TagImportPolicy struct {

 	Scheduled bool `json:"scheduled,omitempty" protobuf:"varint,2,opt,name=scheduled"`

 }

+// TagReferencePolicyType describes how pull-specs for images in an image stream tag are generated when

+// image change triggers are fired.

+type TagReferencePolicyType string

+

+const (

+	// SourceTagReferencePolicy indicates the image's original location should be used when the image stream tag

+	// is resolved into other resources (builds and deployment configurations).

+	SourceTagReferencePolicy TagReferencePolicyType = "Source"

+	// LocalTagReferencePolicy indicates the image should prefer to pull via the local integrated registry,

+	// falling back to the remote location if the integrated registry has not been configured. The reference will

+	// use the internal DNS name or registry service IP.

+	LocalTagReferencePolicy TagReferencePolicyType = "Local"

+)

+

+// TagReferencePolicy describes how pull-specs for images in this image stream tag are generated when

+// image change triggers in deployment configs or builds are resolved. This allows the image stream

+// author to control how images are accessed.

+type TagReferencePolicy struct {

+	// Type determines how the image pull spec should be transformed when the image stream tag is used in

+	// deployment config triggers or new builds. The default value is `Source`, indicating the original

+	// location of the image should be used (if imported). The user may also specify `Local`, indicating

+	// that the pull spec should point to the integrated Docker registry and leverage the registry's

+	// ability to proxy the pull to an upstream registry. `Local` allows the credentials used to pull this

+	// image to be managed from the image stream's namespace, so others on the platform can access a remote

+	// image but have no access to the remote secret. It also allows the image layers to be mirrored into

+	// the local registry which the images can still be pulled even if the upstream registry is unavailable.

+	Type TagReferencePolicyType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=TagReferencePolicyType"`

+}

+

 // ImageStreamStatus contains information about the state of this image stream.

 type ImageStreamStatus struct {

 	// DockerImageRepository represents the effective location this stream may be accessed at.

@@ -208,6 +208,11 @@ func ValidateImageStreamTagReference(tagRef api.TagReference, fldPath *field.Pat

 			errs = append(errs, field.Required(fldPath.Child("from", "kind"), "valid values are 'DockerImage', 'ImageStreamImage', 'ImageStreamTag'"))

 		}

 	}

+	switch tagRef.ReferencePolicy.Type {

+	case api.SourceTagReferencePolicy, api.LocalTagReferencePolicy:

+	default:

+		errs = append(errs, field.Invalid(fldPath.Child("referencePolicy", "type"), tagRef.ReferencePolicy.Type, fmt.Sprintf("valid values are %q, %q", api.SourceTagReferencePolicy, api.LocalTagReferencePolicy)))

+	}

 	return errs

 }

@@ -452,6 +452,22 @@ func TestValidateImageStream(t *testing.T) {

 				field.Required(field.NewPath("status", "tags").Key("tag").Child("items").Index(2).Child("dockerImageReference"), ""),

 			},

 		},

+		"referencePolicy.type must be valid": {

+			namespace: "namespace",

+			name:      "foo",

+			specTags: map[string]api.TagReference{

+				"tag": {

+					From: &kapi.ObjectReference{

+						Kind: "DockerImage",

+						Name: "abc",

+					},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.TagReferencePolicyType("Other")},

+				},

+			},

+			expected: field.ErrorList{

+				field.Invalid(field.NewPath("spec", "tags").Key("tag").Child("referencePolicy", "type"), api.TagReferencePolicyType("Other"), "valid values are \"Source\", \"Local\""),

+			},

+		},

 		"ImageStreamTags can't be scheduled": {

 			namespace: "namespace",

 			name:      "foo",

@@ -461,14 +477,16 @@ func TestValidateImageStream(t *testing.T) {

 						Kind: "DockerImage",

 						Name: "abc",

 					},

-					ImportPolicy: api.TagImportPolicy{Scheduled: true},

+					ImportPolicy:    api.TagImportPolicy{Scheduled: true},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 				"other": {

 					From: &kapi.ObjectReference{

 						Kind: "ImageStreamTag",

 						Name: "other:latest",

 					},

-					ImportPolicy: api.TagImportPolicy{Scheduled: true},

+					ImportPolicy:    api.TagImportPolicy{Scheduled: true},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 			},

 			expected: field.ErrorList{

@@ -484,7 +502,8 @@ func TestValidateImageStream(t *testing.T) {

 						Kind: "DockerImage",

 						Name: "abc@badid",

 					},

-					ImportPolicy: api.TagImportPolicy{Scheduled: true},

+					ImportPolicy:    api.TagImportPolicy{Scheduled: true},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 			},

 			expected: field.ErrorList{

@@ -500,7 +519,8 @@ func TestValidateImageStream(t *testing.T) {

 						Kind: "ImageStreamImage",

 						Name: "other@latest",

 					},

-					ImportPolicy: api.TagImportPolicy{Scheduled: true},

+					ImportPolicy:    api.TagImportPolicy{Scheduled: true},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 			},

 			expected: field.ErrorList{

@@ -516,12 +536,14 @@ func TestValidateImageStream(t *testing.T) {

 						Kind: "DockerImage",

 						Name: "abc",

 					},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 				"other": {

 					From: &kapi.ObjectReference{

 						Kind: "ImageStreamTag",

 						Name: "other:latest",

 					},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 			},

 			statusTags: map[string]api.TagEventList{

@@ -574,7 +596,7 @@ func TestValidateImageStream(t *testing.T) {

 		errs := ValidateImageStream(&stream)

 		if e, a := test.expected, errs; !reflect.DeepEqual(e, a) {

-			t.Errorf("%s: unexpected errors: %s", name, diff.ObjectDiff(e, a))

+			t.Errorf("%s: unexpected errors: %s", name, diff.ObjectReflectDiff(e, a))

 		}

 	}

 }

@@ -613,8 +635,9 @@ func TestValidateISTUpdate(t *testing.T) {

 			A: api.ImageStreamTag{

 				ObjectMeta: kapi.ObjectMeta{Namespace: kapi.NamespaceDefault, Name: "foo:bar", ResourceVersion: "1", Annotations: map[string]string{"one": "two"}},

 				Tag: &api.TagReference{

-					From:        &kapi.ObjectReference{Kind: "DockerImage", Name: "some/other:system"},

-					Annotations: map[string]string{"one": "three"},

+					From:            &kapi.ObjectReference{Kind: "DockerImage", Name: "some/other:system"},

+					Annotations:     map[string]string{"one": "three"},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 			},

 			T: field.ErrorTypeInvalid,

@@ -624,7 +647,8 @@ func TestValidateISTUpdate(t *testing.T) {

 			A: api.ImageStreamTag{

 				ObjectMeta: kapi.ObjectMeta{Namespace: kapi.NamespaceDefault, Name: "foo:bar", ResourceVersion: "1", Annotations: map[string]string{"one": "two"}},

 				Tag: &api.TagReference{

-					From: &kapi.ObjectReference{Kind: "DockerImage", Name: ""},

+					From:            &kapi.ObjectReference{Kind: "DockerImage", Name: ""},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 			},

 			T: field.ErrorTypeRequired,

@@ -634,7 +658,8 @@ func TestValidateISTUpdate(t *testing.T) {

 			A: api.ImageStreamTag{

 				ObjectMeta: kapi.ObjectMeta{Namespace: kapi.NamespaceDefault, Name: "foo:bar", ResourceVersion: "1", Annotations: map[string]string{"one": "two"}},

 				Tag: &api.TagReference{

-					From: &kapi.ObjectReference{Kind: "", Name: "foo/bar:biz"},

+					From:            &kapi.ObjectReference{Kind: "", Name: "foo/bar:biz"},

+					ReferencePolicy: api.TagReferencePolicy{Type: api.SourceTagReferencePolicy},

 				},

 			},

 			T: field.ErrorTypeRequired,