From bb4855ecc9f98d721d2c56ba3a0d014e8b0e6dac Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Mon, 1 Aug 2022 11:50:34 +0200 Subject: [PATCH] Allow openshift-serverless namespace to pull images from openshift-marketplace When using `ON_CLUSTER_BUILDS` for `make images` I'm getting ``` Failed to pull image "image-registry.openshift-image-registry.svc:5000/openshift-marketplace/knative-operator": rpc error: code = Unknown desc = reading manifest latest in image-registry.openshift-image-registry.svc:5000/openshift-marketplace/knative-operator: unauthorized: authentication required ``` We need to allow `openshift-serverless` namespace to pull images from the namespace `openshift-marketplace` as documented in https://docs.openshift.com/container-platform/4.7/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-across-projects_using-image-pull-secrets Apparently, the command that we already (pasted below) run is not enough for this case: ``` oc adm policy add-role-to-group system:image-puller system:unauthenticated --namespace openshift-marketplace ``` Signed-off-by: Pierangelo Di Pilato --- hack/lib/catalogsource.bash | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hack/lib/catalogsource.bash b/hack/lib/catalogsource.bash index 0d0f38f206..b0ed673e40 100644 --- a/hack/lib/catalogsource.bash +++ b/hack/lib/catalogsource.bash @@ -53,6 +53,10 @@ function install_catalogsource { # Allow OPM to pull the serverless-bundle from openshift-marketplace ns from internal registry. oc adm policy add-role-to-group system:image-puller system:unauthenticated --namespace openshift-marketplace + # export ON_CLUSTER_BUILDS=true; make images + # will push images to ${OLM_NAMESPACE} namespace, allow the ${OPERATORS_NAMESPACE} namespace to pull those images. + oc adm policy add-role-to-group system:image-puller system:serviceaccounts:"${OPERATORS_NAMESPACE}" --namespace "${OLM_NAMESPACE}" + local index_build_dir=${rootdir}/olm-catalog/serverless-operator/index logger.debug "Create a backup of the index Dockerfile."