-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
operator-sdk run bundle cannot pull private bundle image #4650
Comments
/kind feature |
Same problem for us, ie the We are trying to go through the "quickstart for go" and it fails executing this step (registry url replaced by xxx)
The image registry uses a certificate emitted by the corporate CA, the cluster is configured with it and all the images running in the cluster are pulled from the registry without any problem Versions:
The errors are not in the "CatalogSource" pod as described in the initial post but from a pod named
Q:
|
@titou10titou10 unfortunately not at the moment. The only work around is to deploy the operator manually https://olm.operatorframework.io/docs/tasks/make-operator-part-of-catalog/ |
@jmrodri OK. IMHO it should be added in the documentation that you can't use the Also the command reference for Thx |
I'm going to take this on. Will update docs prior to the next release so at least readers are aware of this issue, if the feature doesn't land in v1.6. |
|
@bitscuit @titou10titou10 #4694 implements this feature. Let me know if the options provided are sufficient to pull private bundles. |
thanks @estroz, they look good to me. |
@estroz I don't think it solves the problem. AFAIK there is no way to set a CA inside an The pod has no problem pulling its image to run, it uses the CA set at the cluster level. The problem is the command ( To solve the problem, we should be able to specify a file with the CA cert to the
The Another option would be to change the As for the |
@titou10titou10 Perhaps allowing a cert to be passed to |
@estroz I've seen the code change you've made on the Now, what will be the parameters of the
Thx |
@titou10titou10 if it's desirable to skip TLS, then I don't see a problem exposing kubectl create secret generic tls-ca --from-file=cert.pem=/path/to/registry/cert.pem
operator-sdk run bundle public-ca-reg.com/my-bundle:v0.1.0 --ca-secret-name=tls-ca If a pull secret is also required, i.e. for a private registry, you'd run kubectl create secret generic tls-ca --from-file=cert.pem=/path/to/registry/cert.pem
kubectl create secret docker-registry reg --docker-username=foo --docker-password=bar123 --docker-server=https://private-ca-reg.com
kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"reg"}]}'
operator-sdk run bundle private-ca-reg.com/my-bundle:v0.1.0 --secret-name=reg --ca-secret-name=tls-ca Ideally the cluster, namespace, and service account used will have been provisioned with the appropriate secrets beforehand, so the above just becomes
Perhaps renaming |
@estroz excellent
just my 2cts |
Bug Report
What did you do?
What did you expect to see?
CatalogSource pod created by
run bundle
should be inRunning
state, and operator installedWhat did you see instead? Under which circumstances?
CatalogSource pod is in
CrashLoopBackOff
stateOutput of
run bundle
Logs from CatalogSource pod
Environment
Operator type:
/language go
Kubernetes cluster type:
Openshift 4.6.16
$ operator-sdk version
Also tried with operator-sdk version 1.5.0
$ go version
(if language is Go)go version go1.15.5 linux/amd64
$ kubectl version
Possible Solution
CatalogSource pod should additionally use global cluster pull secret
Additional context
Few things I can confirm:
Deployment
using another imageI tried adding my private registry credentials to the
imagePullSecrets
the pod was using, but got the same result:imagePullSecrets
secretoperator-sdk cleanup ibm-common-service-operator
run bundle
commandimagePullSecrets
)Found a related bugzilla report https://bugzilla.redhat.com/show_bug.cgi?id=1883198
Also, potentially another bug; the pod name was
tory-swg-devops-com-ibmcom-common-service-operator-bundle-3-7-1
. Seems like there is a character limit to the name that does not match Kubernetes' character limit for names.The text was updated successfully, but these errors were encountered: