From ee89046b2665729fd62c6e616cdd611a4e79b488 Mon Sep 17 00:00:00 2001 From: Anik Bhattacharjee Date: Fri, 25 Oct 2024 18:02:55 +0530 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=96=20Document=20how=20to=20configure?= =?UTF-8?q?=20global=20pull=20secrets?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #1409 --- docs/howto/configure-global-pull-secrets.md | 46 +++++++++++++++++++++ docs/tutorials/install-extension.md | 2 + 2 files changed, 48 insertions(+) create mode 100644 docs/howto/configure-global-pull-secrets.md diff --git a/docs/howto/configure-global-pull-secrets.md b/docs/howto/configure-global-pull-secrets.md new file mode 100644 index 000000000..48617d7ec --- /dev/null +++ b/docs/howto/configure-global-pull-secrets.md 
@@ -0,0 +1,46 @@ +# Configure global pull secrets for allowing components to pull private images + +To configure `catalogd` and `operator-controller` to use authentication information for pulling private images (catalog/bundle images etc), the components can be informed about a kubernetes `Secret` object that contains the relevant auth information. The `Secret` must be of type `kubernetes.io/dockerconfigjson`. + +Once the `Secret` is created, `catalogd` and `operator-controller` needs to be redeployed with an additional field, `--global-pull-secret=/` passed to the respective binaries. + +For eg, create a `Secret` using locally available `config.json`: + +```sh +$ kubectl create secret docker-registry test-secret \ + --from-file=.dockerconfigjson=$HOME/.docker/config.json \ + --namespace olmv1-system +secret/test-secret created +``` + +Verify that the Secret is created: + +```sh +$ kubectl get secret test-secret -n olmv1-system -o yaml +apiVersion: v1 +data: + .dockerconfigjson: ewogICJh.... +kind: Secret +metadata: + creationTimestamp: "2024-10-25T12:05:46Z" + name: test-secret + namespace: olmv1-system + resourceVersion: "237734" + uid: 880138f1-5d98-4bb0-9e45-45e8ebaff647 +type: kubernetes.io/dockerconfigjson +``` + +Modify the `config/base/manager/manager.yaml` file for `catalogd` and `operator-controller` to include the new field in the binary args: + +```yaml + - command: + - ./manager + args: + - ... + - ... + - ... + - --global-pull-secret=olmv1-system/test-secret +``` + +With the above configuration, creating a `ClusterCatalog` or a `ClusterExention` whose content is packaged in a private container image hosted in an image registry, will become possible. + \ No newline at end of file diff --git a/docs/tutorials/install-extension.md b/docs/tutorials/install-extension.md index 95bdb5c3a..d77bee1f8 100644 --- a/docs/tutorials/install-extension.md +++ b/docs/tutorials/install-extension.md 
@@ -14,6 +14,8 @@ After you add a catalog to your cluster, you can install an extension by creatin * The name, and optionally version, or channel, of the [supported extension](../project/olmv1_limitations.md) to be installed * An existing namespace in which to install the extension +**Note** To install ClusterExentions that are shipped as private container images hosted in an image registry, please see [How to conifgure global pull secrets](../howto/configure-global-pull-secrets.md). + ### ServiceAccount for ClusterExtension Installation and Management Adhering to OLM v1's "Secure by Default" tenet, OLM v1 does not have the permissions
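Review bot: In docs/howto/configure-global-pull-secrets.md, the flag format in the second paragraph reads `--global-pull-secret=/` with the namespace and name placeholders missing, so the reader has to infer the namespace/name form from `olmv1-system/test-secret` in the manager.yaml example. Write the placeholders out in a form that survives rendering and state that the value is the Secret's namespace followed by its name. The `kubectl create secret` example also loads the whole of `$HOME/.docker/config.json`, which copies every registry credential in that file into a Secret handed to both components. Suggest recommending a dedicated read-only credential scoped to the private registry, and noting that a config.json which relies on a credential store carries no usable auth entries. Smaller points: "needs to be redeployed" should be "need", "For eg" reads better as "For example", `ClusterExention` in the last paragraph should be `ClusterExtension`, and the file has no trailing newline.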
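Review bot: In docs/tutorials/install-extension.md, the added **Note** line misspells two words: `ClusterExentions` should be `ClusterExtensions`, and the link text "How to conifgure global pull secrets" should read "configure". The note sits directly under the bullet list of required information, so a blank line before it (already present) and a colon or admonition style consistent with the rest of the docs would keep it from reading as part of the list.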