@@ -16,3 +16,5 @@ auth:

 middleware:

   repository:

     - name: openshift

+      options:

+        pullthrough: true

@@ -337,7 +337,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 				},

 				{

 					Verbs:     sets.NewString("get"),

-					Resources: sets.NewString("imagestreamimages", "imagestreamtags", "imagestreams"),

+					Resources: sets.NewString("imagestreamimages", "imagestreamtags", "imagestreams", "imagestreams/secrets"),

 				},

 				{

 					Verbs:     sets.NewString("update"),

new file mode 100644

@@ -0,0 +1,93 @@

+package server

+

+import (

+	"sync"

+

+	"github.com/hashicorp/golang-lru"

+

+	"github.com/docker/distribution/digest"

+)

+

+// digestToRepositoryCache maps image digests to recently seen remote repositories that

+// may contain that digest. Each digest is bucketed and remembering new repositories will

+// push old repositories out.

+type digestToRepositoryCache struct {

+	*lru.Cache

+}

+

+// newDigestToRepositoryCache creates a new LRU cache of image digests to possible remote

+// repository strings with the given size. It returns an error if the cache

+// cannot be created.

+func newDigestToRepositoryCache(size int) (digestToRepositoryCache, error) {

+	c, err := lru.New(size)

+	if err != nil {

+		return digestToRepositoryCache{}, err

+	}

+	return digestToRepositoryCache{Cache: c}, nil

+}

+

+const bucketSize = 10

+

+// RememberDigest associates a digest with a repository.

+func (c digestToRepositoryCache) RememberDigest(dgst digest.Digest, repo string) {

+	key := dgst.String()

+	value, ok := c.Get(key)

+	if !ok {

+		value = &repositoryBucket{}

+		if ok, _ := c.ContainsOrAdd(key, value); !ok {

+			return

+		}

+	}

+	repos := value.(*repositoryBucket)

+	repos.Add(repo)

+}

+

+// RepositoriesForDigest returns a list of repositories that may contain this digest.

+func (c digestToRepositoryCache) RepositoriesForDigest(dgst digest.Digest) []string {

+	value, ok := c.Get(dgst.String())

+	if !ok {

+		return nil

+	}

+	repos := value.(*repositoryBucket)

+	return repos.Copy()

+}

+

+type repositoryBucket struct {

+	mu   sync.Mutex

+	list []string

+}

+

+// Has returns true if the bucket contains this repository.

+func (i *repositoryBucket) Has(repo string) bool {

+	i.mu.Lock()

+	defer i.mu.Unlock()

+	for _, s := range i.list {

+		if s == repo {

+			return true

+		}

+	}

+	return false

+}

+

+// Add one or more repositories to this bucket.

+func (i *repositoryBucket) Add(repos ...string) {

+	i.mu.Lock()

+	defer i.mu.Unlock()

+	arr := i.list

+	for _, repo := range repos {

+		if len(arr) >= bucketSize {

+			arr = arr[1:]

+		}

+		arr = append(arr, repo)

+	}

+	i.list = arr

+}

+

+// Copy returns a copy of the contents of this bucket in a threadsafe fasion.

+func (i *repositoryBucket) Copy() []string {

+	i.mu.Lock()

+	defer i.mu.Unlock()

+	out := make([]string, len(i.list))

+	copy(out, i.list)

+	return out

+}

new file mode 100644

@@ -0,0 +1,211 @@

+package server

+

+import (

+	"io"

+	"net/http"

+	"strconv"

+

+	"github.com/docker/distribution"

+	"github.com/docker/distribution/context"

+	"github.com/docker/distribution/digest"

+

+	"k8s.io/kubernetes/pkg/api/errors"

+

+	imageapi "github.com/openshift/origin/pkg/image/api"

+	"github.com/openshift/origin/pkg/image/importer"

+)

+

+// pullthroughBlobStore wraps a distribution.BlobStore and allows remote repositories to serve blobs from remote

+// repositories.

+type pullthroughBlobStore struct {

+	distribution.BlobStore

+

+	repo          *repository

+	digestToStore map[string]distribution.BlobStore

+}

+

+var _ distribution.BlobStore = &pullthroughBlobStore{}

+

+// Stat makes a local check for the blob, then falls through to the other servers referenced by

+// the image stream and looks for those that have the layer.

+func (r *pullthroughBlobStore) Stat(ctx context.Context, dgst digest.Digest) (distribution.Descriptor, error) {

+	// check the local store for the blob

+	desc, err := r.BlobStore.Stat(ctx, dgst)

+	switch {

+	case err == distribution.ErrBlobUnknown:

+		// continue on to the code below and look up the blob in a remote store since it is not in

+		// the local store

+	case err != nil:

+		context.GetLogger(r.repo.ctx).Errorf("Failed to find blob %q: %#v", dgst.String(), err)

+		fallthrough

+	default:

+		return desc, err

+	}

+

+	// look up the potential remote repositories that this blob could be part of (at this time,

+	// we don't know which image in the image stream surfaced the content).

+	is, err := r.repo.getImageStream()

+	if err != nil {

+		if errors.IsNotFound(err) || errors.IsForbidden(err) {

+			return distribution.Descriptor{}, distribution.ErrBlobUnknown

+		}

+		context.GetLogger(r.repo.ctx).Errorf("Error retrieving image stream for blob: %s", err)

+		return distribution.Descriptor{}, err

+	}

+

+	var localRegistry string

+	if local, err := imageapi.ParseDockerImageReference(is.Status.DockerImageRepository); err == nil {

+		// TODO: normalize further?

+		localRegistry = local.Registry

+	}

+

+	retriever := r.repo.importContext()

+	cached := r.repo.cachedLayers.RepositoriesForDigest(dgst)

+

+	// look at the first level of tagged repositories first

+	search := identifyCandidateRepositories(is, localRegistry, true)

+	if desc, err := r.findCandidateRepository(ctx, search, cached, dgst, retriever); err == nil {

+		return desc, nil

+	}

+

+	// look at all other repositories tagged by the server

+	secondary := identifyCandidateRepositories(is, localRegistry, false)

+	for k := range search {

+		delete(secondary, k)

+	}

+	if desc, err := r.findCandidateRepository(ctx, secondary, cached, dgst, retriever); err == nil {

+		return desc, nil

+	}

+

+	return distribution.Descriptor{}, distribution.ErrBlobUnknown

+}

+

+// proxyStat attempts to locate the digest in the provided remote repository or returns an error. If the digest is found,

+// r.digestToStore saves the store.

+func (r *pullthroughBlobStore) proxyStat(ctx context.Context, retriever importer.RepositoryRetriever, ref imageapi.DockerImageReference, dgst digest.Digest) (distribution.Descriptor, error) {

+	context.GetLogger(r.repo.ctx).Infof("Trying to stat %q from %q", dgst, ref.Exact())

+	repo, err := retriever.Repository(ctx, ref.RegistryURL(), ref.RepositoryName(), false)

+	if err != nil {

+		context.GetLogger(r.repo.ctx).Errorf("Error getting remote repository for image %q: %v", ref.Exact(), err)

+		return distribution.Descriptor{}, err

+	}

+	pullthroughBlobStore := repo.Blobs(ctx)

+	desc, err := pullthroughBlobStore.Stat(r.repo.ctx, dgst)

+	if err != nil {

+		if err != distribution.ErrBlobUnknown {

+			context.GetLogger(r.repo.ctx).Errorf("Error getting pullthroughBlobStore for image %q: %v", ref.Exact(), err)

+		}

+		return distribution.Descriptor{}, err

+	}

+

+	r.digestToStore[dgst.String()] = pullthroughBlobStore

+	return desc, nil

+}

+

+// ServeBlob attempts to serve the requested digest onto w, using a remote proxy store if necessary.

+func (r *pullthroughBlobStore) ServeBlob(ctx context.Context, w http.ResponseWriter, req *http.Request, dgst digest.Digest) error {

+	store, ok := r.digestToStore[dgst.String()]

+	if !ok {

+		return r.BlobStore.ServeBlob(ctx, w, req, dgst)

+	}

+

+	desc, err := store.Stat(ctx, dgst)

+	if err != nil {

+		context.GetLogger(r.repo.ctx).Errorf("Failed to stat digest %q: %v", dgst.String(), err)

+		return err

+	}

+

+	remoteReader, err := store.Open(ctx, dgst)

+	if err != nil {

+		context.GetLogger(r.repo.ctx).Errorf("Failure to open remote store %q: %v", dgst.String(), err)

+		return err

+	}

+

+	setResponseHeaders(w, desc.Size, desc.MediaType, dgst)

+

+	context.GetLogger(r.repo.ctx).Infof("Copying %d bytes of type %q for %q", desc.Size, desc.MediaType, dgst.String())

+	if _, err := io.CopyN(w, remoteReader, desc.Size); err != nil {

+		context.GetLogger(r.repo.ctx).Errorf("Failed copying content from remote store %q: %v", dgst.String(), err)

+		return err

+	}

+	return nil

+}

+

+// findCandidateRepository looks in search for a particular blob, referring to previously cached items

+func (r *pullthroughBlobStore) findCandidateRepository(ctx context.Context, search map[string]*imageapi.DockerImageReference, cachedLayers []string, dgst digest.Digest, retriever importer.RepositoryRetriever) (distribution.Descriptor, error) {

+	// no possible remote locations to search, exit early

+	if len(search) == 0 {

+		return distribution.Descriptor{}, distribution.ErrBlobUnknown

+	}

+

+	// see if any of the previously located repositories containing this digest are in this

+	// image stream

+	for _, repo := range cachedLayers {

+		ref, ok := search[repo]

+		if !ok {

+			continue

+		}

+		desc, err := r.proxyStat(ctx, retriever, *ref, dgst)

+		if err != nil {

+			delete(search, repo)

+			continue

+		}

+		context.GetLogger(r.repo.ctx).Infof("Found digest location from cache %q in %q: %v", dgst, repo, err)

+		return desc, nil

+	}

+

+	// search the remaining registries for this digest

+	for repo, ref := range search {

+		desc, err := r.proxyStat(ctx, retriever, *ref, dgst)

+		if err != nil {

+			continue

+		}

+		r.repo.cachedLayers.RememberDigest(dgst, repo)

+		context.GetLogger(r.repo.ctx).Infof("Found digest location by search %q in %q: %v", dgst, repo, err)

+		return desc, nil

+	}

+

+	return distribution.Descriptor{}, distribution.ErrBlobUnknown

+}

+

+// identifyCandidateRepositories returns a map of remote repositories referenced by this image stream.

+func identifyCandidateRepositories(is *imageapi.ImageStream, localRegistry string, primary bool) map[string]*imageapi.DockerImageReference {

+	// identify the canonical location of referenced registries to search

+	search := make(map[string]*imageapi.DockerImageReference)

+	for _, tagEvent := range is.Status.Tags {

+		var candidates []imageapi.TagEvent

+		if primary {

+			if len(tagEvent.Items) == 0 {

+				continue

+			}

+			candidates = tagEvent.Items[:1]

+		} else {

+			if len(tagEvent.Items) <= 1 {

+				continue

+			}

+			candidates = tagEvent.Items[1:]

+		}

+		for _, event := range candidates {

+			ref, err := imageapi.ParseDockerImageReference(event.DockerImageReference)

+			if err != nil {

+				continue

+			}

+			// skip anything that matches the innate registry

+			// TODO: there may be a better way to make this determination

+			if len(localRegistry) != 0 && localRegistry == ref.Registry {

+				continue

+			}

+			ref = ref.DockerClientDefaults()

+			search[ref.AsRepository().Exact()] = &ref

+		}

+	}

+	return search

+}

+

+// setResponseHeaders sets the appropriate content serving headers

+func setResponseHeaders(w http.ResponseWriter, length int64, mediaType string, digest digest.Digest) {

+	w.Header().Set("Content-Length", strconv.FormatInt(length, 10))

+	w.Header().Set("Content-Type", mediaType)

+	w.Header().Set("Docker-Content-Digest", digest.String())

+	w.Header().Set("Etag", digest.String())

+}

@@ -14,17 +14,30 @@ import (

 	"github.com/docker/distribution/manifest/schema1"

 	repomw "github.com/docker/distribution/registry/middleware/repository"

 	"github.com/docker/libtrust"

+

 	kapi "k8s.io/kubernetes/pkg/api"

 	kerrors "k8s.io/kubernetes/pkg/api/errors"

 	"github.com/openshift/origin/pkg/client"

 	imageapi "github.com/openshift/origin/pkg/image/api"

+	"github.com/openshift/origin/pkg/image/importer"

 )

+// cachedLayers is a shared cache of blob digests to remote repositories that have previously

+// been identified as containing that blob. Thread safe and reused by all middleware layers.

+var cachedLayers digestToRepositoryCache

+

 func init() {

+	cache, err := newDigestToRepositoryCache(1024)

+	if err != nil {

+		panic(err)

+	}

+	cachedLayers = cache

 	repomw.Register("openshift", repomw.InitFunc(newRepository))

 }

+// repository wraps a distribution.Repository and allows manifests to be served from the OpenShift image

+// API.

 type repository struct {

 	distribution.Repository

@@ -33,6 +46,14 @@ type repository struct {

 	registryAddr   string

 	namespace      string

 	name           string

+

+	// if true, the repository will check remote references in the image stream to support pulling "through"

+	// from a remote repository

+	pullthrough bool

+	// cachedLayers remembers a mapping of layer digest to repositories recently seen with that image to avoid

+	// having to check every potential upstream repository when a blob request is made. The cache is useful only

+	// when session affinity is on for the registry, but in practice the first pull will fill the cache.

+	cachedLayers digestToRepositoryCache

 }

 var _ distribution.ManifestService = &repository{}

@@ -44,6 +65,13 @@ func newRepository(ctx context.Context, repo distribution.Repository, options ma

 		return nil, errors.New("DOCKER_REGISTRY_URL is required")

 	}

+	pullthrough := false

+	if value, ok := options["pullthrough"]; ok {

+		if b, ok := value.(bool); ok {

+			pullthrough = b

+		}

+	}

+

 	registryClient, err := NewRegistryOpenShiftClient()

 	if err != nil {

 		return nil, err

@@ -62,6 +90,8 @@ func newRepository(ctx context.Context, repo distribution.Repository, options ma

 		registryAddr:   registryAddr,

 		namespace:      nameParts[0],

 		name:           nameParts[1],

+		pullthrough:    pullthrough,

+		cachedLayers:   cachedLayers,

 	}, nil

 }

@@ -75,6 +105,22 @@ func (r *repository) Manifests(ctx context.Context, options ...distribution.Mani

 	return &repo, nil

 }

+// Blobs returns a blob store which can delegate to remote repositories.

+func (r *repository) Blobs(ctx context.Context) distribution.BlobStore {

+	if !r.pullthrough {

+		return r.Repository.Blobs(ctx)

+	}

+

+	repo := repository(*r)

+	repo.ctx = ctx

+	return &pullthroughBlobStore{

+		BlobStore: r.Repository.Blobs(ctx),

+

+		repo:          &repo,

+		digestToStore: make(map[string]distribution.BlobStore),

+	}

+}

+

 // Tags lists the tags under the named repository.

 func (r *repository) Tags() ([]string, error) {

 	imageStream, err := r.getImageStream()

@@ -121,7 +167,8 @@ func (r *repository) Get(dgst digest.Digest) (*schema1.SignedManifest, error) {

 		return nil, err

 	}

-	return r.manifestFromImage(image)

+	ref := imageapi.DockerImageReference{Namespace: r.namespace, Name: r.name, Registry: r.registryAddr}

+	return r.manifestFromImageWithCachedLayers(image, ref.DockerClientDefaults().Exact())

 }

 // Enumerate retrieves digests of manifest revisions in particular repository

@@ -136,26 +183,107 @@ func (r *repository) GetByTag(tag string, options ...distribution.ManifestServic

 			return nil, err

 		}

 	}

+

+	// find the image mapped to this tag

 	imageStreamTag, err := r.getImageStreamTag(tag)

 	if err != nil {

+		// TODO: typed errors

 		context.GetLogger(r.ctx).Errorf("Error getting ImageStreamTag %q: %v", tag, err)

 		return nil, err

 	}

 	image := &imageStreamTag.Image

+	ref, referenceErr := imageapi.ParseDockerImageReference(image.DockerImageReference)

+	if referenceErr == nil {

+		ref.Namespace = r.namespace

+		ref.Name = r.name

+		ref.Registry = r.registryAddr

+	}

+	defaultRef := ref.DockerClientDefaults()

+	cacheName := defaultRef.AsRepository().Exact()

+

+	// if we have a local manifest, use it

+	if len(image.DockerImageManifest) > 0 {

+		return r.manifestFromImageWithCachedLayers(image, cacheName)

+	}

+

 	dgst, err := digest.ParseDigest(imageStreamTag.Image.Name)

 	if err != nil {

 		context.GetLogger(r.ctx).Errorf("Error parsing digest %q: %v", imageStreamTag.Image.Name, err)

 		return nil, err

 	}

-	image, err = r.getImage(dgst)

+	if localImage, err := r.getImage(dgst); err != nil {

+		// if the image is managed by OpenShift and we cannot load the image, report an error

+		if image.Annotations[imageapi.ManagedByOpenShiftAnnotation] == "true" {

+			context.GetLogger(r.ctx).Errorf("Error getting image %q: %v", dgst.String(), err)

+			return nil, err

+		}

+	} else {

+		// if we have a local manifest, use it

+		if len(localImage.DockerImageManifest) > 0 {

+			return r.manifestFromImageWithCachedLayers(localImage, cacheName)

+		}

+	}

+

+	// allow pullthrough to be disabled

+	if !r.pullthrough {

+		return nil, distribution.ErrManifestBlobUnknown{Digest: dgst}

+	}

+

+	// check the previous error here

+	if referenceErr != nil {

+		context.GetLogger(r.ctx).Errorf("Error parsing image %q: %v", image.DockerImageReference, referenceErr)

+		return nil, referenceErr

+	}

+

+	return r.pullthroughGetByTag(image, ref, cacheName, options...)

+}

+

+// pullthroughGetByTag attempts to load the given image manifest from the remote server defined by ref, using cacheName to store any cached layers.

+func (r *repository) pullthroughGetByTag(image *imageapi.Image, ref imageapi.DockerImageReference, cacheName string, options ...distribution.ManifestServiceOption) (*schema1.SignedManifest, error) {

+	defaultRef := ref.DockerClientDefaults()

+

+	retriever := r.importContext()

+

+	repo, err := retriever.Repository(r.ctx, defaultRef.RegistryURL(), defaultRef.RepositoryName(), false)

+	if err != nil {

+		context.GetLogger(r.ctx).Errorf("Error getting remote repository for image %q: %v", image.DockerImageReference, err)

+		return nil, err

+	}

+

+	// get a manifest context

+	manifests, err := repo.Manifests(r.ctx)

+	if err != nil {

+		context.GetLogger(r.ctx).Errorf("Error getting manifests for image %q: %v", image.DockerImageReference, err)

+		return nil, err

+	}

+

+	// fetch this by image

+	if len(ref.ID) > 0 {

+		dgst, err := digest.ParseDigest(ref.ID)

+		if err != nil {

+			context.GetLogger(r.ctx).Errorf("Error getting manifests for image %q: %v", image.DockerImageReference, err)

+			return nil, err

+		}

+		manifest, err := manifests.Get(dgst)

+		if err != nil {

+			context.GetLogger(r.ctx).Errorf("Error getting manifest from remote server for image %q: %v", image.DockerImageReference, err)

+			return nil, err

+		}

+		r.rememberLayers(manifest, cacheName)

+		return manifest, nil

+	}

+

+	// fetch this by tag

+	manifest, err := manifests.GetByTag(ref.Tag, options...)

 	if err != nil {

-		context.GetLogger(r.ctx).Errorf("Error getting image %q: %v", dgst.String(), err)

+		context.GetLogger(r.ctx).Errorf("Error getting manifest from remote server for image %q: %v", image.DockerImageReference, err)

 		return nil, err

 	}

-	return r.manifestFromImage(image)

+	r.rememberLayers(manifest, cacheName)

+	return manifest, nil

 }

 // Put creates or updates the named manifest.

@@ -187,7 +315,7 @@ func (r *repository) Put(manifest *schema1.SignedManifest) error {

 				},

 			},

 			DockerImageReference: fmt.Sprintf("%s/%s/%s@%s", r.registryAddr, r.namespace, r.name, dgst.String()),

-			DockerImageManifest:  string(payload),

+			DockerImageManifest:  string(manifest.Raw),

 		},

 	}

@@ -256,6 +384,18 @@ func (r *repository) Delete(dgst digest.Digest) error {

 	return ms.Delete(dgst)

 }

+// importContext loads secrets for this image stream and returns a context for getting distribution

+// clients to remote repositories.

+func (r *repository) importContext() importer.RepositoryRetriever {

+	secrets, err := r.registryClient.ImageStreamSecrets(r.namespace).Secrets(r.name, kapi.ListOptions{})

+	if err != nil {

+		context.GetLogger(r.ctx).Errorf("Error getting secrets for repository %q: %v", r.Name(), err)

+		secrets = &kapi.SecretList{}

+	}

+	credentials := importer.NewCredentialsForSecrets(secrets.Items)

+	return importer.NewContext(http.DefaultTransport).WithCredentials(credentials)

+}

+

 // getImageStream retrieves the ImageStream for r.

 func (r *repository) getImageStream() (*imageapi.ImageStream, error) {

 	return r.registryClient.ImageStreams(r.namespace).Get(r.name)

@@ -278,6 +418,27 @@ func (r *repository) getImageStreamImage(dgst digest.Digest) (*imageapi.ImageStr

 	return r.registryClient.ImageStreamImages(r.namespace).Get(r.name, dgst.String())

 }

+// rememberLayers caches the provided layers

+func (r *repository) rememberLayers(manifest *schema1.SignedManifest, cacheName string) {

+	if !r.pullthrough {

+		return

+	}

+	// remember the layers in the cache as an optimization to avoid searching all remote repositories

+	for _, layer := range manifest.FSLayers {

+		r.cachedLayers.RememberDigest(layer.BlobSum, cacheName)

+	}

+}

+

+// manifestFromImageWithCachedLayers loads the image and then caches any located layers

+func (r *repository) manifestFromImageWithCachedLayers(image *imageapi.Image, cacheName string) (*schema1.SignedManifest, error) {

+	manifest, err := r.manifestFromImage(image)

+	if err != nil {

+		return nil, err

+	}

+	r.rememberLayers(manifest, cacheName)

+	return manifest, nil

+}

+

 // manifestFromImage converts an Image to a SignedManifest.

 func (r *repository) manifestFromImage(image *imageapi.Image) (*schema1.SignedManifest, error) {

 	dgst, err := digest.ParseDigest(image.Name)

@@ -285,19 +446,29 @@ func (r *repository) manifestFromImage(image *imageapi.Image) (*schema1.SignedMa

 		return nil, err

 	}

+	raw := []byte(image.DockerImageManifest)

+

+	// prefer signatures from the manifest

+	if _, err := libtrust.ParsePrettySignature(raw, "signatures"); err == nil {

+		sm := schema1.SignedManifest{Raw: raw}

+		if err := json.Unmarshal(raw, &sm); err == nil {

+			return &sm, nil

+		}

+	}

+

 	// Fetch the signatures for the manifest

 	signatures, err := r.Signatures().Get(dgst)

 	if err != nil {

 		return nil, err

 	}

-	jsig, err := libtrust.NewJSONSignature([]byte(image.DockerImageManifest), signatures...)

+	jsig, err := libtrust.NewJSONSignature(raw, signatures...)

 	if err != nil {

 		return nil, err

 	}

 	// Extract the pretty JWS

-	raw, err := jsig.PrettySignature("signatures")

+	raw, err = jsig.PrettySignature("signatures")

 	if err != nil {

 		return nil, err

 	}

@@ -14,6 +14,7 @@ import (

 	"github.com/blang/semver"

 	"github.com/docker/distribution/digest"

+	"github.com/docker/distribution/manifest/schema1"

 	"github.com/golang/glog"

 )

@@ -298,7 +299,28 @@ func NormalizeImageStreamTag(name string) string {

 	return name

 }

-// ImageWithMetadata modifies the image to fill in DockerImageMetadata

+// ManifestMatchesImage returns true if the provided manifest matches the name of the image.

+func ManifestMatchesImage(image *Image, newManifest []byte) (bool, error) {

+	dgst, err := digest.ParseDigest(image.Name)

+	if err != nil {

+		return false, err

+	}

+	v, err := digest.NewDigestVerifier(dgst)

+	if err != nil {

+		return false, err

+	}

+	sm := schema1.SignedManifest{Raw: newManifest}

+	raw, err := sm.Payload()

+	if err != nil {

+		return false, err

+	}

+	if _, err := v.Write(raw); err != nil {

+		return false, err

+	}

+	return v.Verified(), nil

+}

+

+// ImageWithMetadata returns a copy of image with the DockerImageMetadata filled in

 // from the raw DockerImageManifest data stored in the image.

 func ImageWithMetadata(image *Image) error {

 	if len(image.DockerImageManifest) == 0 {

@@ -66,7 +66,7 @@ type ImageStreamImporter struct {

 	retriever RepositoryRetriever

 	limiter   util.RateLimiter

-	imageCache map[gocontext.Context]map[manifestKey]*api.Image

+	digestToRepositoryCache map[gocontext.Context]map[manifestKey]*api.Image

 }

 // NewImageStreamImport creates an importer that will load images from a remote Docker registry into an

@@ -81,16 +81,16 @@ func NewImageStreamImporter(retriever RepositoryRetriever, maximumTagsPerRepo in

 		retriever: retriever,

 		limiter:   limiter,

-		imageCache: make(map[gocontext.Context]map[manifestKey]*api.Image),

+		digestToRepositoryCache: make(map[gocontext.Context]map[manifestKey]*api.Image),

 	}

 }

 // contextImageCache returns the image cache entry for a context.

 func (i *ImageStreamImporter) contextImageCache(ctx gocontext.Context) map[manifestKey]*api.Image {

-	cache := i.imageCache[ctx]

+	cache := i.digestToRepositoryCache[ctx]

 	if cache == nil {

 		cache = make(map[manifestKey]*api.Image)

-		i.imageCache[ctx] = cache

+		i.digestToRepositoryCache[ctx] = cache

 	}

 	return cache

 }

@@ -154,6 +154,42 @@ const etcdManifest = `

    ]

 }`

+const etcdManifestNoSignature = `

+{

+   "schemaVersion": 1, 

+   "tag": "latest", 

+   "name": "coreos/etcd", 

+   "architecture": "amd64", 

+   "fsLayers": [

+      {

+         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"

+      }, 

+      {

+         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"

+      }, 

+      {

+         "blobSum": "sha256:2560187847cadddef806eaf244b7755af247a9dbabb90ca953dd2703cf423766"

+      }, 

+      {

+         "blobSum": "sha256:744b46d0ac8636c45870a03830d8d82c20b75fbfb9bc937d5e61005d23ad4cfe"

+      }

+   ], 

+   "history": [

+      {

+         "v1Compatibility": "{\"id\":\"fe50ac14986497fa6b5d2cc24feb4a561d01767bc64413752c0988cb70b0b8b9\",\"parent\":\"a5a18474fa96a3c6e240bc88e41de2afd236520caf904356ad9d5f8d875c3481\",\"created\":\"2015-12-30T22:29:13.967754365Z\",\"container\":\"c8d0f1a274b5f52fa5beb280775ef07cf18ec0f95e5ae42fbad01157e2614d42\",\"container_config\":{\"Hostname\":\"1b97abade59e\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":{\"2379/tcp\":{},\"2380/tcp\":{},\"4001/tcp\":{},\"7001/tcp\":{}},\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT \\u0026{[\\\"/etcd\\\"]}\"],\"Image\":\"a5a18474fa96a3c6e240bc88e41de2afd236520caf904356ad9d5f8d875c3481\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":[\"/etcd\"],\"OnBuild\":null,\"Labels\":{}},\"docker_version\":\"1.9.1\",\"config\":{\"Hostname\":\"1b97abade59e\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":{\"2379/tcp\":{},\"2380/tcp\":{},\"4001/tcp\":{},\"7001/tcp\":{}},\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"a5a18474fa96a3c6e240bc88e41de2afd236520caf904356ad9d5f8d875c3481\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":[\"/etcd\"],\"OnBuild\":null,\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\"}"

+      }, 

+      {

+         "v1Compatibility": "{\"id\":\"a5a18474fa96a3c6e240bc88e41de2afd236520caf904356ad9d5f8d875c3481\",\"parent\":\"796d581500e960cc02095dcdeccf55db215b8e54c57e3a0b11392145ffe60cf6\",\"created\":\"2015-12-30T22:29:13.504159783Z\",\"container\":\"080708d544f85052a46fab72e701b4358c1b96cb4b805a5b2d66276fc2aaf85d\",\"container_config\":{\"Hostname\":\"1b97abade59e\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":{\"2379/tcp\":{},\"2380/tcp\":{},\"4001/tcp\":{},\"7001/tcp\":{}},\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) EXPOSE 2379/tcp 2380/tcp 4001/tcp 7001/tcp\"],\"Image\":\"796d581500e960cc02095dcdeccf55db215b8e54c57e3a0b11392145ffe60cf6\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"docker_version\":\"1.9.1\",\"config\":{\"Hostname\":\"1b97abade59e\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":{\"2379/tcp\":{},\"2380/tcp\":{},\"4001/tcp\":{},\"7001/tcp\":{}},\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"796d581500e960cc02095dcdeccf55db215b8e54c57e3a0b11392145ffe60cf6\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\"}"

+      }, 

+      {

+         "v1Compatibility": "{\"id\":\"796d581500e960cc02095dcdeccf55db215b8e54c57e3a0b11392145ffe60cf6\",\"parent\":\"309c960c7f875411ae2ee2bfb97b86eee5058f3dad77206dd0df4f97df8a77fa\",\"created\":\"2015-12-30T22:29:12.912813629Z\",\"container\":\"f28be899c9b8680d4cf8585e663ad20b35019db062526844e7cfef117ce9037f\",\"container_config\":{\"Hostname\":\"1b97abade59e\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ADD file:e330b1da49d993059975e46560b3bd360691498b0f2f6e00f39fc160cf8d4ec3 in /\"],\"Image\":\"309c960c7f875411ae2ee2bfb97b86eee5058f3dad77206dd0df4f97df8a77fa\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"docker_version\":\"1.9.1\",\"config\":{\"Hostname\":\"1b97abade59e\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"309c960c7f875411ae2ee2bfb97b86eee5058f3dad77206dd0df4f97df8a77fa\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":13502144}"

+      }, 

+      {

+         "v1Compatibility": "{\"id\":\"309c960c7f875411ae2ee2bfb97b86eee5058f3dad77206dd0df4f97df8a77fa\",\"created\":\"2015-12-30T22:29:12.346834862Z\",\"container\":\"1b97abade59e4b5b935aede236980a54fb500cd9ee5bd4323c832c6d7b3ffc6e\",\"container_config\":{\"Hostname\":\"1b97abade59e\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ADD file:74912593c6783292c4520514f5cc9313acbd1da0f46edee0fdbed2a24a264d6f in /\"],\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"docker_version\":\"1.9.1\",\"config\":{\"Hostname\":\"1b97abade59e\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":15141568}"

+      }

+   ]

+}`

+

 func TestCreateSetsMetadata(t *testing.T) {

 	testCases := []struct {

 		image  *api.Image

@@ -293,7 +329,44 @@ func TestUpdateResetsMetadata(t *testing.T) {

 				DockerImageMetadata:  api.DockerImage{ID: "foo"},

 			},

 		},

-	}

+		// old manifest is replaced because the new manifest matches the digest

+		{

+			expect: func(image *api.Image) bool {

+				if image.DockerImageManifest != etcdManifest {

+					t.Errorf("unexpected manifest: %s", image.DockerImageManifest)

+					return false

+				}

+				if image.DockerImageMetadata.ID != "fe50ac14986497fa6b5d2cc24feb4a561d01767bc64413752c0988cb70b0b8b9" {

+					t.Errorf("unexpected docker image: %#v", image.DockerImageMetadata)

+					return false

+				}

+				if image.DockerImageReference != "openshift/ruby-19-centos-2" {

+					t.Errorf("image reference changed: %s", image.DockerImageReference)

+					return false

+				}

+				if image.DockerImageMetadata.Size != 28643712 {

+					t.Errorf("image had size %d", image.DockerImageMetadata.Size)

+					return false

+				}

+				if len(image.DockerImageLayers) != 4 || image.DockerImageLayers[0].Name != "sha256:744b46d0ac8636c45870a03830d8d82c20b75fbfb9bc937d5e61005d23ad4cfe" || image.DockerImageLayers[0].Size != 15141568 {

+					t.Errorf("unexpected layers: %#v", image.DockerImageLayers)

+					return false

+				}

+				return true

+			},

+			existing: &api.Image{

+				ObjectMeta:           kapi.ObjectMeta{Name: "sha256:54820434e2ccd1596892668504fef12ed980f0cc312f60eac93d6864445ba123", ResourceVersion: "1"},

+				DockerImageReference: "openshift/ruby-19-centos-2",

+				DockerImageLayers:    []api.ImageLayer{},

+				DockerImageManifest:  etcdManifestNoSignature,

+			},

+			image: &api.Image{

+				ObjectMeta:           kapi.ObjectMeta{Name: "sha256:54820434e2ccd1596892668504fef12ed980f0cc312f60eac93d6864445ba123", ResourceVersion: "1"},

+				DockerImageReference: "openshift/ruby-19-centos",

+				DockerImageMetadata:  api.DockerImage{ID: "foo"},

+				DockerImageManifest:  etcdManifest,

+			},

+		}}

 	for i, test := range testCases {

 		storage, server := newStorage(t)

@@ -60,7 +60,9 @@ func (imageStrategy) Canonicalize(obj runtime.Object) {

 }

 // PrepareForUpdate clears fields that are not allowed to be set by end users on update.

-// It extracts the latest info from the manifest and sets that on the object.

+// It extracts the latest info from the manifest and sets that on the object. It allows a user

+// to update the manifest so that it matches the digest (in case an older server stored a manifest

+// that was malformed, it can always be corrected).

 func (imageStrategy) PrepareForUpdate(obj, old runtime.Object) {

 	newImage := obj.(*api.Image)

 	oldImage := old.(*api.Image)

@@ -68,10 +70,21 @@ func (imageStrategy) PrepareForUpdate(obj, old runtime.Object) {

 	// image metadata cannot be altered

 	newImage.DockerImageReference = oldImage.DockerImageReference

 	newImage.DockerImageMetadata = oldImage.DockerImageMetadata

-	newImage.DockerImageManifest = oldImage.DockerImageManifest

 	newImage.DockerImageMetadataVersion = oldImage.DockerImageMetadataVersion

 	newImage.DockerImageLayers = oldImage.DockerImageLayers

+	// allow an image update that results in the manifest matching the digest (the name)

+	newManifest := newImage.DockerImageManifest

+	newImage.DockerImageManifest = oldImage.DockerImageManifest

+	if newManifest != oldImage.DockerImageManifest && len(newManifest) > 0 {

+		ok, err := api.ManifestMatchesImage(oldImage, []byte(newManifest))

+		if err != nil {

+			util.HandleError(fmt.Errorf("attempted to validate that a manifest change to %q matched the signature, but failed: %v", oldImage.Name, err))

+		} else if ok {

+			newImage.DockerImageManifest = newManifest

+		}

+	}

+

 	if err := api.ImageWithMetadata(newImage); err != nil {

 		util.HandleError(fmt.Errorf("Unable to update image metadata for %q: %v", newImage.Name, err))

 	}

@@ -106,7 +106,7 @@ oc login -u e2e-user -p pass

 # make sure viewers can see oc status

 oc status -n default

-# check to make sure a project admin can push an image

+# check to make sure a project admin can push an image to an image stream that doesn't exist

 oc project cache

 e2e_user_token=$(oc config view --flatten --minify -o template --template='{{with index .users 0}}{{.user.token}}{{end}}')

 [[ -n ${e2e_user_token} ]]

@@ -120,6 +120,10 @@ docker tag -f centos/ruby-22-centos7:latest ${DOCKER_REGISTRY}/cache/ruby-22-cen

 docker push ${DOCKER_REGISTRY}/cache/ruby-22-centos7:latest

 echo "[INFO] Pushed ruby-22-centos7"

+# verify remote images can be pulled directly from the local registry

+oc import-image --confirm --from=mysql:latest mysql:pullthrough

+docker pull ${DOCKER_REGISTRY}/cache/mysql:pullthrough

+

 # check to make sure an image-pusher can push an image

 oc policy add-role-to-user system:image-pusher pusher

 oc login -u pusher -p pass

@@ -689,6 +689,7 @@ items:

     resources:

     - imagestreamimages

     - imagestreams

+    - imagestreams/secrets

     - imagestreamtags

     verbs:

     - get