
operator can't pull from private gitlab registry

Open jmccormick2001 opened this issue 3 years ago • 2 comments

Bug Report

What did you do? I'm trying to get OLM/Openshift to work with a private gitlab registry for pulling operator images. For this, I created a ServiceAccount, and patched it with a docker registry pull secret that works with the gitlab instance. Then I proceed to install the operator using OLM functionality.

What did you expect to see? I expected that a ServiceAccount that is created manually would be honored by OLM during the installation and that the ServiceAccount would retain its imagePullSecrets.

What did you see instead? Under which circumstances? After I approve the InstallPlan, OLM appears to be removing the ServiceAccount that I created manually, and then creates a new ServiceAccount with the same name, but leaves out the applied (via patch) imagePullSecrets. This causes the operator pod to not be able to pull the gitlab registry images.

Environment

  • operator-lifecycle-manager version:

    • name: OPERATOR_NAME value: olm-operator
    • name: RELEASE_VERSION value: 4.11.1
      image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:71e485ca85f437eab29e7442aba98f9b40209e187e09cc16b02a90ce2ea47a69
  • Kubernetes version information:

    Client Version: 4.11.2
    Kustomize Version: v4.5.4
    Server Version: 4.11.1
    Kubernetes Version: v1.24.0+4f0dd4d

  • Kubernetes cluster kind:

openshift 4.11.1

Possible Solution I would have thought that OLM would detect that the ServiceAccount was already created, then perform a merge/patch on it instead of deleting the ServiceAccount and recreating it (from the CSV spec). I don't see a way in the CSV to tell OLM to add the imagePullSecret to the ServiceAccount that it recreates either. I need a way to retain or specify the imagePullSecrets for OLM to use when running the operator.

Additional context I currently get around this problem by re-patching the ServiceAccount after OLM recreates it, then killing the operator pod, then it can pull from gitlab. I also tried to set the imagePullSecret via the CSV but that also doesn't appear to work; instead OLM creates an imagePullSecret with a generated name.

jmccormick2001, Sep 15 '22 17:09
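The re-patch workaround described in the report above, sketched as an added example that is not part of the original issue or of OLM: it checks whether the recreated ServiceAccount still lists the pull secret, patches it back if not, and restarts the operator pod. The namespace, ServiceAccount name, secret name and pod label selector are all caller-supplied assumptions.

```python
import json
import subprocess
import sys


def pull_secret_patch(sa, required):
    """Return a merge patch adding `required` secret names to the
    ServiceAccount's imagePullSecrets, or None if nothing is missing.

    The patch carries the full list (existing entries first), so secrets the
    cluster attached on its own survive even if the server replaces the list.
    """
    names = [ref["name"] for ref in sa.get("imagePullSecrets") or []]
    merged = list(names)
    for name in required:
        if name not in merged:
            merged.append(name)
    if merged == names:
        return None
    return {"imagePullSecrets": [{"name": n} for n in merged]}


def oc(*args):
    """Run an oc command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["oc", *args], check=True, capture_output=True,
                          text=True).stdout


def reconcile(namespace, sa_name, secret, pod_selector):
    """Re-apply the pull secret after the ServiceAccount has been recreated."""
    sa = json.loads(oc("get", "serviceaccount", sa_name,
                       "-n", namespace, "-o", "json"))
    patch = pull_secret_patch(sa, [secret])
    if patch is None:
        return False
    oc("patch", "serviceaccount", sa_name, "-n", namespace,
       "--type=merge", "-p", json.dumps(patch))
    # Pull secrets are copied into a pod when it is created, so the running
    # operator pod has to be replaced before it can pull the image.
    oc("delete", "pod", "-n", namespace, "-l", pod_selector)
    return True


if __name__ == "__main__":
    # usage: NAMESPACE SERVICEACCOUNT SECRET POD_LABEL_SELECTOR (all assumed)
    print("patched" if reconcile(*sys.argv[1:5]) else "already present")
```

Run it after each InstallPlan approval or upgrade, since the report describes the ServiceAccount being recreated at that point.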

@sqqqrly

jmccormick2001, Sep 15 '22 17:09

ping

jmccormick2001, Nov 07 '22 17:11