Bug: PullSecret for catalog in imageset config does not work when headsOnly is true about oc-mirror HOT 6 CLOSED

The exact error is happening when oc-bundle is trying to pull down the index image to create the diff. Looks like the resolver is not exported for the registry. We would just need that exported so we can set the resolver options with the credentials we want.
https://github.com/estroz/operator-registry/blob/1787329c541ff5c4533d680df5f208805eee93ea/pkg/image/containerdregistry/registry.go#L50. @afflom @estroz FYSA.

from oc-mirror.

Pull secret seems to be ignored when pulling operators when it's only defined under "ocp" and not the operator definition. Using "create full".

apiVersion: tmp-redhatgov.com/v1alpha1
kind: ImageSetConfiguration
mirror:
  ocp:
    channels:
      - name: stable-4.8
    graph: true
    pullSecret: '{"auths":{"cloud.openshift.com":{"auth":"...."}}}'
  operators:
    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.8
      headsOnly: true

Which results in this:

Success
Update image:  openshift/release:4.8.5-x86_64
To upload local images to a registry, run:
    oc image mirror --from-dir=ocbundle-data/src 'file://openshift/release:4.8.5-x86_64*' REGISTRY/REPOSITORY
INFO Channel Latest version 4.8.5                 
INFO trying next host                              error=failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized host=registry.redhat.io
FATAL error generating diff: error rendering new refs: render reference "registry.redhat.io/redhat/redhat-operator-index:v4.8": error resolving name : failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized 

Using the secret's authentication, I can pull the image successful using podman.

from oc-mirror.

@bit4man , you are correct. Each operator catalog take it's own pull secret value, but you also have the option to just put all of your pulll secrets in your .docker/config.json. If a pull secret value is not provided with the operator catalog in the config, it will just default to that file.

from oc-mirror.

@bit4man , you are correct. Each operator catalog take it's own pull secret value, but you also have the option to just put all of your pulll secrets in your .docker/config.json. If a pull secret value is not provided with the operator catalog in the config, it will just default to that file.

@jpower432 Unfortunately, I get the same error when I put the pullSecret in the operator catalog entry.

from oc-mirror.

@bit4man , you are correct. Each operator catalog take it's own pull secret value, but you also have the option to just put all of your pulll secrets in your .docker/config.json. If a pull secret value is not provided with the operator catalog in the config, it will just default to that file.

@jpower432 Unfortunately, I get the same error when I put the pullSecret in the operator catalog entry.

@bit4man if you put your pull secret in your config.json, the error will go away. This ticket is actually capturing the issue you are seeing. When the catalog diff data is generated it uses a docker resolver that we are not passing credentials to because it is unexported. Thank you for adding more information about the error, by the way. That is very helpful in explaining what is happening. :)

from oc-mirror.

Using .docker/config.json will have to suffice until the operator download code from operator-registry allows for configured credentials. My suggestion going forward is: keep the secrets out of the config file and allow for a separate auth-file reference when our operator-registry import allows.

from oc-mirror.