- Bug
- Resolution: Won't Do
- Normal
- None
- 4.10
- Moderate
- Refinement Backlog
- 1
- Rejected
- Unspecified
Description of problem:
When installing a CatalogSource that uses an index image from the internal image registry, the pull secrets might not be linked in time with the ServiceAccount that runs the catalog source Pod. As a result, the .spec.imagePullSecrets in the Pod is not populated and the Pod fails with the following error:
37s Warning Failed pod/serverless-operator-vhp22 Failed to pull image "image-registry.openshift-image-registry.svc:5000/openshift-marketplace/serverless-index:latest": rpc error: code = Unknown desc = reading manifest latest in image-registry.openshift-image-registry.svc:5000/openshift-marketplace/serverless-index: unauthorized: authentication required
Version-Release number of selected component (if applicable):
OCP 4.10.0, GCP cloud
Note: It's NOT easily reproducible on AWS cloud, but 100% on GCP cloud provisioned as mentioned below.
How reproducible:
Steps to Reproduce:
1. Provision a cluster via clusterbot: launch 4.10.0 gcp
2. Check out this revision of serverless-operator repo: https://github.com/openshift-knative/serverless-operator/commit/fec7231346a0833f834dea8969de02f5576d663b
3. Run DOCKER_REPO_OVERRIDE=docker.io/<your_username> make install
Actual results:
1) Bundle and Index images are built
2) CatalogSource is created as follows:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: serverless-operator
  namespace: openshift-marketplace
spec:
  displayName: Serverless Operator
  image: image-registry.openshift-image-registry.svc:5000/openshift-marketplace/serverless-index:latest
  publisher: Red Hat
  sourceType: grpc
3) ServiceAccount named serverless-operator is created in openshift-marketplace NS
4) Pod serverless-operator-XXXXX is created in the openshift-marketplace namespace but it fails to pull the index image because the Pod doesn't have .spec.imagePullSecrets
5) Restarting the Pod a bit later helps; the pull secrets are already linked to the ServiceAccount and provided to the Pod as .spec.imagePullSecrets
Expected results:
The steps above should lead to installing Serverless Operator and its operands with success.
Additional info:
We sent this PR as a workaround to our repo: https://github.com/openshift-knative/serverless-operator/pull/1572
Ideally, the CatalogSource would wait for the ServiceAccount to have the right pull secrets linked before creating the Pod.
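
The race described in this report can be checked and worked around from the shell: wait until the ServiceAccount has a pull secret linked, then recreate only the catalog Pods that were admitted without .spec.imagePullSecrets. This is an added example, not code from the report or from the linked PR; it assumes a logged-in `oc` and that OLM labels the catalog Pod with `olm.catalogSource=<name>`, and the function names are hypothetical.

```shell
# Added example. Assumptions: `oc` is logged in to the cluster, and OLM labels
# the catalog Pod with olm.catalogSource=<CatalogSource name>.
NS="${NS:-openshift-marketplace}"
NAME="${NAME:-serverless-operator}"

# Print the pull secret names linked to the ServiceAccount (empty if none yet).
sa_pull_secrets() {
  oc get serviceaccount "$NAME" -n "$NS" \
    -o jsonpath='{.imagePullSecrets[*].name}' 2>/dev/null
}

# Poll until at least one pull secret is linked; return 1 after $1 seconds.
wait_for_pull_secrets() {
  local timeout="${1:-120}" interval="${2:-2}" waited=0 secrets
  while :; do
    secrets="$(sa_pull_secrets || true)"
    if [ -n "$secrets" ]; then
      echo "$secrets"
      return 0
    fi
    if [ "$waited" -ge "$timeout" ]; then return 1; fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Print catalog Pods that were admitted with an empty .spec.imagePullSecrets.
pods_missing_pull_secrets() {
  oc get pods -n "$NS" -l "olm.catalogSource=$NAME" -o jsonpath='{range .items[*]}{.metadata.name}{"="}{.spec.imagePullSecrets[*].name}{"\n"}{end}' |
    awk -F= '$1 != "" && $2 == "" { print $1 }'
}

# Wait for the link, then delete only the Pods that lack the secret so they
# are recreated with it. No credentials are copied or widened.
fix_catalog_pod() {
  if ! wait_for_pull_secrets "${1:-120}" "${2:-2}" >/dev/null; then
    echo "timed out waiting for pull secrets on sa/$NAME in $NS" >&2
    return 1
  fi
  local pod
  for pod in $(pods_missing_pull_secrets); do
    oc delete pod "$pod" -n "$NS"
  done
}
```

After sourcing the file, run `fix_catalog_pod` once the CatalogSource has been created; Pods that already carry the pull secret are left untouched.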