[epic] Support installing bundles from a private registry #1015
Comments
everettraven
added
epic
v1.0
|
Can the ServiceAccount be patched to attach the cluster pull secret? |
@bentito Could you elaborate on what you mean by this? |
|
The user/admin would need to do this: kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "my-pull-secret"}]}'and then the code would need to reference it, for example on Pod creation: // Define a new Pod object
pod := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "demo-pod",
Namespace: req.Namespace,
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "demo-container",
Image: "my-registry.example.com/my-image:latest",
},
},
ServiceAccountName: "default", // Ensure this ServiceAccount has the pull secret
},
}Benefits of blessing the SA with the pull secret like this are 1) it's centralized for any usage (Pod, Deployment, etc); 2) Just one place to go to for creds rotation. |
|
@bentito thanks for more info on that. I forgot that in catalogd's unpacking implementation for image sources we have the ServiceAccount configured secrets disabled for pull secrets: I think we should enable them for both catalogd and operator-controller (o-c should follow a similar pattern to catalogd) |
|
/assign |
everettraven
added
v1.x
|
@cgwalters We stumbled upon containers/image#1746 during a discussion about how OLM can directly pull images using OCP's global pull secret and the I see in the PR that Since OLM is a controller running in an OCP cluster with a randomly assigned UID, none of the default locations "just work". It seems like we need to do some combination of:
Given that PR, I'm wondering if you have any recommendation for setting up global auth in a system-level OCP component? |
Today the OCP one is the kubelet one, which is not
The PR isn't done so doesn't help anything today. In the meantime, yes you'll need to get access to the kubelet pull secret and explicitly use it. There's an API object for it I believe which you could just fetch from your operator and project the secret into your env. |
That might be a better question for the MCO and cri-o folks. Certainly if it were the other way around and
Yeah, that PR being unmerged is why I wanted to get your opinion. I'm trying to understand where on the continuum that PR is. Is it "we've agreed on the path location and high level goal, but just working out details"? Or is it "this is a proposal and we may reject it outright"? If the former, that might be enough to convince us to go ahead and use that location within our controller filesystem and we'd explicitly configure On the other hand, if that |
|
I think it'd probably be a good idea to wait until the location is codified upstream before just starting to write a file there. In the short term especially for OCP I think |
|
@anik120 @skattoju Given Colin's answer above, I propose we mount If the file location on the node ever changes, we can just change our |
|
I believe this epic is complete. Are we good to close this? |
|
I agree. Going to close this epic. |
|
We need to a follow up epic for supporting private bundle and catalog images via API field. |
LalatenduMohanty
added
v1.0
Currently, there is no support for creating a
ClusterExtensionthat can install a bundle that is in a private registry and requires authentication. This epic is scoped for enabling that support. There are a couple different approaches that should be supported:SecretSecretBrief: https://docs.google.com/document/d/14abNwdBEe6bGaLczGIlgYR9ghz6gbp_qene_7znIa8o/edit
RFC: https://docs.google.com/document/d/1BXD6kj5zXHcGiqvJOikU2xs8kV26TPnzEKp6n7TKD4M/edit
The text was updated successfully, but these errors were encountered: