OCPBUGS-49610: ABI requires pull secret for root of repository


      Description of problem:

          Working with the ABI, the following is a portion of my install-config.yaml:
      ```
      pullSecret: '{"auths":{"quayreg1.my.test.domain.com/jbsandbox2":{"auth":"<token_data>"},"quayreg1.my.test.domain.com/openshift-releases":{"auth":"<token_data>"}}}'
      imageDigestSources:
      - mirrors:
        - quayreg1.my.test.domain.com/jbsandbox2/openshift4/16/32/install/openshift/release-images
        - quayreg1.my.test.domain.com/jbsandbox2/openshift4/16/install/openshift/release-images
        source: quay.io/openshift-release-dev/ocp-release
      - mirrors:
        - quayreg1.my.test.domain.com/jbsandbox2/openshift4/16/32/install/openshift/release
        - quayreg1.my.test.domain.com/jbsandbox2/openshift4/16/install/openshift/release
        source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
      ```
      When I go to start my KVM guests, I get the following error that prevents installation from proceeding:
      ```
      Jan 29 14:42:38 master2 service[2513]: time="2025-01-29T14:42:38Z" level=error msg="Failed to registered cluster jbsandbox2 with id 456ec78f-97c8-4fe7-961d-7a12ed2675a1" func="github.com/openshift/assisted-service/internal/bminventory.(*bareMetalInventory).RegisterClusterInternal.func1" file="/src/internal/bminventory/inventory.go:518" cluster_id=456ec78f-97c8-4fe7-961d-7a12ed2675a1 error="pull secret for new cluster is invalid: pull secret must contain auth for \"quayreg1.my.test.domain.com\"" go-id=657 pkg=Inventory request_id=760d85bf-9354-4eb6-893a-de7b9ba6319e
      ```
      If I switch either of my pull secrets to use just the path `quayreg1.my.test.domain.com` the installation will proceed, however, I think it's better to be able to specify my org path within the pull secret. A) specifying the path in the secret makes it easier for users to tell which token relates to which path, making debugging or rotating credentials easier B) since I am using an org restricted token quay *should* only allow that token access to that specific org but being able to specify the org in the path is a second check permitting better access control.

      Version-Release number of selected component (if applicable):

          Seen on 4.16.26 and 4.16.32 on IBM Z

      How reproducible:

          Consistent

      Steps to Reproduce:

          1. Create a valid install config for a disconnected environment with a pull secret that specifies orgs within the local registry to be used by the install process. The pull secret should not reference the root of the repository.
          2. Create agent ISOs
          3. Boot the agent ISOs, review the journalctl output on the rendezvous host and notice that the install will not proceed
          

      Actual results:

          The install stops with an error message similar to the following:
      ```
      Jan 29 14:42:38 master2 service[2513]: time="2025-01-29T14:42:38Z" level=error msg="Failed to registered cluster jbsandbox2 with id 456ec78f-97c8-4fe7-961d-7a12ed2675a1" func="github.com/openshift/assisted-service/internal/bminventory.(*bareMetalInventory).RegisterClusterInternal.func1" file="/src/internal/bminventory/inventory.go:518" cluster_id=456ec78f-97c8-4fe7-961d-7a12ed2675a1 error="pull secret for new cluster is invalid: pull secret must contain auth for \"testregistry.test.domain.com\"" go-id=657 pkg=Inventory request_id=760d85bf-9354-4eb6-893a-de7b9ba6319e
      ```

      Expected results:

          The install proceeds and correctly uses the namespace restricted tokens.

      Additional info:

      I am attempting to complete a disconnected install on KVM on s390x
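A pre-flight check for the situation described above, added here and not part of the report or of assisted-service: it takes the pull secret and imageDigestSources mirrors from the report (embedded inline, with `<token_data>` as a placeholder) and says, for each mirror, whether the secret holds a host-level entry (what the logged error demands) and which org-scoped entry would otherwise cover it. The path-segment prefix matching is an assumption about the behaviour the reporter expects, not assisted-service's own logic.

```python
import json
from typing import Optional

# Constructed from the report's install-config.yaml; <token_data> replaces the real auth strings.
PULL_SECRET = (
    '{"auths":{"quayreg1.my.test.domain.com/jbsandbox2":{"auth":"<token_data>"},'
    '"quayreg1.my.test.domain.com/openshift-releases":{"auth":"<token_data>"}}}'
)
MIRRORS = [
    "quayreg1.my.test.domain.com/jbsandbox2/openshift4/16/32/install/openshift/release-images",
    "quayreg1.my.test.domain.com/jbsandbox2/openshift4/16/install/openshift/release-images",
    "quayreg1.my.test.domain.com/jbsandbox2/openshift4/16/32/install/openshift/release",
    "quayreg1.my.test.domain.com/jbsandbox2/openshift4/16/install/openshift/release",
]

def auth_keys(pull_secret: str) -> set:
    """Registry keys of a pull secret; malformed secrets are rejected up front."""
    auths = json.loads(pull_secret).get("auths")
    if not isinstance(auths, dict) or not auths:
        raise ValueError("pull secret has no auths map")
    for key, entry in auths.items():
        if not isinstance(entry, dict) or "auth" not in entry:
            raise ValueError(f"auths[{key!r}] has no auth field")
    return set(auths)

def scoped_match(keys: set, mirror: str) -> Optional[str]:
    """Longest key covering the mirror on a path-segment boundary, if any (assumed matching rule)."""
    hits = [k for k in keys if mirror == k or mirror.startswith(k + "/")]
    return max(hits, key=len) if hits else None

def check_mirrors(pull_secret: str, mirrors: list) -> dict:
    """Per mirror: is there a host-level (root) entry, which the assisted-service
    log demands, and which org-scoped entry would otherwise cover it."""
    keys = auth_keys(pull_secret)
    report = {}
    for mirror in mirrors:
        host = mirror.split("/", 1)[0]
        report[mirror] = {"host": host, "root_auth": host in keys,
                          "scoped_auth": scoped_match(keys, mirror)}
    return report

def hosts_missing_root_auth(pull_secret: str, mirrors: list) -> set:
    """Hosts that would produce 'pull secret must contain auth for <host>'."""
    return {r["host"] for r in check_mirrors(pull_secret, mirrors).values()
            if not r["root_auth"]}

if __name__ == "__main__":
    for mirror, r in check_mirrors(PULL_SECRET, MIRRORS).items():
        print(f"{mirror}: root_auth={r['root_auth']} scoped_auth={r['scoped_auth']}")
```

Run it before booting the agent ISOs: any host it lists as lacking a root entry is one the validation in the log will reject, even though an org-scoped token covers every mirror.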

              rhn-support-pamoedom Pedro Jose Amoedo Martinez
              joshuabeha Joshua Beha