OpenShift Bugs / OCPBUGS-9275

Catalog source creates Pod that misses secrets for accessing internal image registry


    • Moderate
    • Refinement Backlog
    • 1
    • Rejected
    • Unspecified

      Description of problem:

      When installing a CatalogSource that uses an index image from the internal image registry, the pull secrets might not be linked in time with the ServiceAccount that runs the catalog source Pod. As a result, the .spec.imagePullSecrets in the Pod is not populated and the Pod fails with the following error:

      37s Warning Failed pod/serverless-operator-vhp22 Failed to pull image "image-registry.openshift-image-registry.svc:5000/openshift-marketplace/serverless-index:latest": rpc error: code = Unknown desc = reading manifest latest in image-registry.openshift-image-registry.svc:5000/openshift-marketplace/serverless-index: unauthorized: authentication required

      Version-Release number of selected component (if applicable):
      OCP 4.10.0, GCP cloud
      Note: It's NOT easily reproducible on AWS cloud, but 100% on GCP cloud provisioned as mentioned below.

      How reproducible:

      Steps to Reproduce:
      1. Provision a cluster via clusterbot: launch 4.10.0 gcp
      2. Check out this revision of serverless-operator repo: https://github.com/openshift-knative/serverless-operator/commit/fec7231346a0833f834dea8969de02f5576d663b
      3. Run DOCKER_REPO_OVERRIDE=docker.io/<your_username> make install

      Actual results:

      1) Bundle and Index images are built
      2) CatalogSource is created as follows:

      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
        name: serverless-operator
        namespace: openshift-marketplace
      spec:
        displayName: Serverless Operator
        image: image-registry.openshift-image-registry.svc:5000/openshift-marketplace/serverless-index:latest
        publisher: Red Hat
        sourceType: grpc

      3) ServiceAccount named serverless-operator is created in openshift-marketplace NS
      4) Pod serverless-operator-XXXXX is created in the openshift-marketplace namespace, but it fails to pull the index image because the Pod doesn't have .spec.imagePullSecrets
      5) Restarting the Pod a bit later helps: by then the pull secrets are already linked to the ServiceAccount and provided to the Pod as .spec.imagePullSecrets

      Expected results:
      The steps above should lead to installing Serverless Operator and its operands with success.

      Additional info:
      We sent this PR as a workaround to our repo: https://github.com/openshift-knative/serverless-operator/pull/1572

      Ideally, the CatalogSource would wait for the ServiceAccount to have the right pull secrets linked before creating the Pod.

            agreene1991 Alexander Greene
            mgencur@redhat.com Martin Gencur
            Jian Zhang Jian Zhang
            Red Hat Employee
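
The wait that the report asks for, sketched as an added shell example (not part of the report, the linked workaround PR, or OLM): it polls the ServiceAccount until pull secrets are linked, then deletes catalog Pods that were created without .spec.imagePullSecrets. The function names are hypothetical, and it assumes that a deleted catalog Pod is recreated and that the ServiceAccount shares the CatalogSource name, as in the report.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the report or OLM.

# Names of the pull secrets currently linked to a ServiceAccount (empty if none).
sa_pull_secrets() {  # usage: sa_pull_secrets <namespace> <serviceaccount>
  oc get serviceaccount "$2" -n "$1" \
    -o jsonpath='{.imagePullSecrets[*].name}' 2>/dev/null
}

# Poll until the ServiceAccount has at least one pull secret linked.
# Returns 0 once one is present, 1 if <timeout_s> elapses first.
wait_for_pull_secrets() {  # usage: <namespace> <serviceaccount> [timeout_s] [interval_s]
  local ns="$1" sa="$2" timeout="${3:-120}" interval="${4:-2}" waited=0 secrets
  while :; do
    secrets=$(sa_pull_secrets "$ns" "$sa") || secrets=""
    if [ -n "$secrets" ]; then
      echo "pull secrets linked to $ns/$sa: $secrets" >&2
      return 0
    fi
    [ "$waited" -ge "$timeout" ] && break
    sleep "$interval"
    waited=$((waited + interval))
  done
  echo "timed out after ${timeout}s: no imagePullSecrets on $ns/$sa" >&2
  return 1
}

# Pods named <prefix>-* that were created without .spec.imagePullSecrets.
pods_missing_pull_secrets() {  # usage: <namespace> <name_prefix>
  oc get pods -n "$1" -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.imagePullSecrets[*].name}{"\n"}{end}' |
    awk -F'\t' -v p="$2-" 'index($1, p) == 1 && $2 == "" { print $1 }'
}

# Wait for the link, then delete catalog Pods created too early so they are
# recreated with the secrets attached (step 5 of the report, automated).
fix_catalog_pod() {  # usage: <namespace> <catalogsource_name> [timeout_s] [interval_s]
  local ns="$1" name="$2" pod
  wait_for_pull_secrets "$ns" "$name" "${3:-120}" "${4:-2}" || return 1
  for pod in $(pods_missing_pull_secrets "$ns" "$name"); do
    oc delete pod "$pod" -n "$ns"
  done
}
```

For the setup in the report the call would be `fix_catalog_pod openshift-marketplace serverless-operator`.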