$ opm index add \
--bundles <registry>/<namespace>/<bundle_image_name>:<tag> \(1)
--tag <registry>/<namespace>/<index_image_name>:<tag> \(2)
[--binary-image <registry_base_image>] (3)
This guide describes how to work with custom catalogs for Operators packaged using either the Bundle Format or the legacy Package Manifest Format on Operator Lifecycle Manager (OLM) in OKD.
Install the opm
CLI.
You can create an index image using the opm
CLI.
opm
version 1.12.3+
podman
version 1.9.3+
A bundle image built and pushed to a registry that supports Docker v2-2
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process. |
Start a new index:
$ opm index add \
--bundles <registry>/<namespace>/<bundle_image_name>:<tag> \(1)
--tag <registry>/<namespace>/<index_image_name>:<tag> \(2)
[--binary-image <registry_base_image>] (3)
1 | Comma-separated list of bundle images to add to the index. |
2 | The image tag that you want the index image to have. |
3 | Optional: An alternative registry base image to use for serving the catalog. |
Push the index image to a registry.
If required, authenticate with your target registry:
$ podman login <registry>
Push the index image:
$ podman push <registry>/<namespace>/test-catalog:latest
You can create an Operator catalog from an index image and apply it to an OKD cluster for use with Operator Lifecycle Manager (OLM).
An index image built and pushed to a registry.
Create a CatalogSource
object that references your index image.
Modify the following to your specifications and save it as a catalogSource.yaml
file:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: my-operator-catalog
namespace: olm (1)
spec:
sourceType: grpc
image: <registry>:<port>/<namespace>/catalog:latest (2)
displayName: My Operator Catalog
publisher: <publisher_name> (3)
updateStrategy:
registryPoll: (4)
interval: 30m
1 | If you want the catalog source to be available globally to users in all namespaces, specify the olm namespace. Otherwise, you can specify a different namespace for the catalog to be scoped and available only for that namespace. |
2 | Specify your index image. |
3 | Specify your name or an organization name publishing the catalog. |
4 | Catalog sources can automatically check for new versions to keep up to date. |
Use the file to create the CatalogSource
object:
$ oc apply -f catalogSource.yaml
Verify the following resources are created successfully.
Check the pods:
$ oc get pods -n olm
NAME READY STATUS RESTARTS AGE
my-operator-catalog-6njx6 1/1 Running 0 28s
marketplace-operator-d9f549946-96sgr 1/1 Running 0 26h
Check the catalog source:
$ oc get catalogsource -n olm
NAME DISPLAY TYPE PUBLISHER AGE
my-operator-catalog My Operator Catalog grpc 5s
Check the package manifest:
$ oc get packagemanifest -n olm
NAME CATALOG AGE
jaeger-product My Operator Catalog 93s
You can now install the Operators from the OperatorHub page on your OKD web console.
If your index image is hosted on a private registry and requires authentication, see Accessing images for Operators from private registries.
After configuring OperatorHub to use a catalog source that references a custom index image, cluster administrators can keep the available Operators on their cluster up to date by adding bundle images to the index image.
You can update an existing index image using the opm index add
command.
opm
version 1.12.3+
podman
version 1.9.3+
An index image built and pushed to a registry.
An existing catalog source referencing the index image.
Update the existing index by adding bundle images:
$ opm index add \
--bundles <registry>/<namespace>/<new_bundle_image>@sha256:<digest> \(1)
--from-index <registry>/<namespace>/<existing_index_image>:<existing_tag> \(2)
--tag <registry>/<namespace>/<existing_index_image>:<updated_tag> \(3)
--pull-tool podman (4)
1 | The --bundles flag specifies a comma-separated list of additional bundle images to add to the index. |
2 | The --from-index flag specifies the previously pushed index. |
3 | The --tag flag specifies the image tag to apply to the updated index image. |
4 | The --pull-tool flag specifies the tool used to pull container images. |
where:
<registry>
Specifies the hostname of the registry, such as quay.io
or mirror.example.com
.
<namespace>
Specifies the namespace of the registry, such as ocs-dev
or abc
.
<new_bundle_image>
Specifies the new bundle image to add to the registry, such as ocs-operator
.
<digest>
Specifies the SHA image ID, or digest, of the bundle image, such as c7f11097a628f092d8bad148406aa0e0951094a03445fd4bc0775431ef683a41
.
<existing_index_image>
Specifies the previously pushed image, such as abc-redhat-operator-index
.
<existing_tag>
Specifies a previously pushed image tag, such as 4.7
.
<updated_tag>
Specifies the image tag to apply to the updated index image, such as 4.7.1
.
$ opm index add \
--bundles quay.io/ocs-dev/ocs-operator@sha256:c7f11097a628f092d8bad148406aa0e0951094a03445fd4bc0775431ef683a41 \
--from-index mirror.example.com/abc/abc-redhat-operator-index:4.7 \
--tag mirror.example.com/abc/abc-redhat-operator-index:4.7.1 \
--pull-tool podman
Push the updated index image:
$ podman push <registry>/<namespace>/<existing_index_image>:<updated_tag>
After Operator Lifecycle Manager (OLM) automatically polls the index image referenced in the catalog source at its regular interval, verify that the new packages are successfully added:
$ oc get packagemanifests -n openshift-marketplace
An index image, based on the Operator Bundle Format, is a containerized snapshot of an Operator catalog. You can prune an index of all but a specified list of packages, which creates a copy of the source index containing only the Operators that you want.
podman
version 1.9.3+
grpcurl
(third-party command-line tool)
opm
version 1.18.0+
Access to a registry that supports Docker v2-2
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process. |
Authenticate with your target registry:
$ podman login <target_registry>
Determine the list of packages you want to include in your pruned index.
Run the source index image that you want to prune in a container. For example:
$ podman run -p50051:50051 \
-it quay.io/operatorhubio/catalog:latest
Trying to pull quay.io/operatorhubio/catalog:latest...
Getting image source signatures
Copying blob ae8a0c23f5b1 done
...
INFO[0000] serving registry database=/database/index.db port=50051
In a separate terminal session, use the grpcurl
command to get a list of the packages provided by the index:
$ grpcurl -plaintext localhost:50051 api.Registry/ListPackages > packages.out
Inspect the packages.out
file and identify which package names from this list you want to keep in your pruned index. For example:
...
{
"name": "couchdb-operator"
}
...
{
"name": "eclipse-che"
}
...
{
{
"name": "etcd"
}
...
In the terminal session where you executed the podman run
command, press Ctrl and C to stop the container process.
Run the following command to prune the source index of all but the specified packages:
$ opm index prune \
-f quay.io/operatorhubio/catalog:latest \(1)
-p couchdb-operator,eclipse-che,etcd \(2)
[-i quay.io/openshift/origin-operator-registry:4.7.0] \(3)
-t <target_registry>:<port>/<namespace>/catalog:latest (4)
1 | Index to prune. |
2 | Comma-separated list of packages to keep. |
3 | Required only for IBM Power Systems and IBM Z images: Operator Registry base image with the tag that matches the target OKD cluster major and minor version. |
4 | Custom tag for new index image being built. |
Run the following command to push the new index image to your target registry:
$ podman push <target_registry>:<port>/<namespace>/catalog:latest
where <namespace>
is any existing namespace on the registry.
Cluster administrators can build a custom Operator catalog image based on the Package Manifest Format to be used by Operator Lifecycle Manager (OLM). The catalog image can be pushed to a container image registry that supports Docker v2-2. For a cluster on a restricted network, this registry can be a registry that the cluster has network access to, such as a mirror registry created during a restricted network cluster installation.
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process. |
For this example, the procedure assumes use of a mirror registry that has access to both your network and the Internet.
Only the Linux version of the |
Workstation with unrestricted network access
oc
version 4.3.5+ Linux client
podman
version 1.9.3+
Access to mirror registry that supports Docker v2-2
If you are working with private registries, set the REG_CREDS
environment variable to the file path of your registry credentials for use in later steps. For example, for the podman
CLI:
$ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json
If you are working with private namespaces that your quay.io account has access to, you must set a Quay authentication token. Set the AUTH_TOKEN
environment variable for use with the --auth-token
flag by making a request against the login API using your quay.io credentials:
$ AUTH_TOKEN=$(curl -sH "Content-Type: application/json" \
-XPOST https://quay.io/cnr/api/v1/users/login -d '
{
"user": {
"username": "'"<quay_username>"'",
"password": "'"<quay_password>"'"
}
}' | jq -r '.token')
On the workstation with unrestricted network access, authenticate with the target mirror registry:
$ podman login <registry_host_name>
Build a catalog image based on the redhat-operators
catalog from Quay.io, tagging and pushing it to your mirror registry:
$ oc adm catalog build \
--appregistry-org redhat-operators \(1)
--from=quay.io/openshift/origin-operator-registry:4.7.0 \(2)
--filter-by-os="linux/amd64" \(3)
--to=<registry_host_name>:<port>/olm/redhat-operators:v1 \(4)
[-a ${REG_CREDS}] \(5)
[--insecure] \(6)
[--auth-token "${AUTH_TOKEN}"] (7)
1 | Organization (namespace) to pull from an App Registry instance. |
2 | Set --from to the Operator Registry base image using the tag that matches the target OKD cluster major and minor version. |
3 | Set --filter-by-os to the operating system and architecture to use for the base image, which must match the target OKD cluster. Valid values are linux/amd64 , linux/ppc64le , and linux/s390x . |
4 | Name your catalog image and include a tag, for example, v1 . |
5 | Optional: If required, specify the location of your registry credentials file. |
6 | Optional: If you do not want to configure trust for the target registry, add the --insecure flag. |
7 | Optional: If other application registry catalogs are used that are not public, specify a Quay authentication token. |
INFO[0013] loading Bundles dir=/var/folders/st/9cskxqs53ll3wdn434vw4cd80000gn/T/300666084/manifests-829192605
...
Pushed sha256:f73d42950021f9240389f99ddc5b0c7f1b533c054ba344654ff1edaf6bf827e3 to example_registry:5000/olm/redhat-operators:v1
Sometimes invalid manifests are accidentally introduced catalogs provided by Red Hat; when this happens, you might see some errors:
...
INFO[0014] directory dir=/var/folders/st/9cskxqs53ll3wdn434vw4cd80000gn/T/300666084/manifests-829192605 file=4.2 load=package
W1114 19:42:37.876180 34665 builder.go:141] error building database: error loading package into db: fuse-camel-k-operator.v7.5.0 specifies replacement that couldn't be found
Uploading ... 244.9kB/s
These errors are usually non-fatal, and if the Operator package mentioned does not contain an Operator you plan to install or a dependency of one, then they can be ignored.
Cluster administrators can mirror a custom Operator catalog image based on the Package Manifest Format into a registry and use a catalog source to load the content onto their cluster. For this example, the procedure uses a custom redhat-operators
catalog image previously built and pushed to a supported registry.
Workstation with unrestricted network access
A custom Operator catalog image based on the Package Manifest Format pushed to a supported registry
oc
version 4.3.5+
podman
version 1.9.3+
Access to mirror registry that supports Docker v2-2
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process. |
If you are working with private registries, set the REG_CREDS
environment variable to the file path of your registry credentials for use in later steps. For example, for the podman
CLI:
$ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json
The oc adm catalog mirror
command extracts the contents of your custom Operator catalog image to generate the manifests required for mirroring. You can choose to either:
Allow the default behavior of the command to automatically mirror all of the image content to your mirror registry after generating manifests, or
Add the --manifests-only
flag to only generate the manifests required for mirroring, but do not actually mirror the image content to a registry yet. This can be useful for reviewing what will be mirrored, and it allows you to make any changes to the mapping list if you only require a subset of the content. You can then use that file with the oc image mirror
command to mirror the modified list of images in a later step.
On your workstation with unrestricted network access, run the following command:
$ oc adm catalog mirror \
<registry_host_name>:<port>/olm/redhat-operators:v1 \ (1)
<registry_host_name>:<port> \ (2)
[-a ${REG_CREDS}] \ (3)
[--insecure] \ (4)
[--index-filter-by-os='<platform>/<arch>'] \ (5)
[--manifests-only] (6)
1 | Specify your Operator catalog image. |
2 | Specify the fully qualified domain name (FQDN) for the target registry. |
3 | Optional: If required, specify the location of your registry credentials file. |
4 | Optional: If you do not want to configure trust for the target registry, add the --insecure flag. |
5 | Optional: Specify which platform and architecture of the catalog image to select when multiple variants are available. Images are passed as '<platform>/<arch>[/<variant>]' . This does not apply to images referenced by the catalog image. Valid values are linux/amd64 , linux/ppc64le , and linux/s390x . |
6 | Optional: Only generate the manifests required for mirroring and do not actually mirror the image content to a registry. |
using database path mapping: /:/tmp/190214037
wrote database to /tmp/190214037
using database at: /tmp/190214037/bundles.db (1)
...
1 | Temporary database generated by the command. |
After running the command, a manifests-<index_image_name>-<random_number>/
directory is created in the current directory and generates the following files:
The catalogSource.yaml
file is a basic definition for a CatalogSource
object that is pre-populated with your catalog image tag and other relevant metadata. This file can be used as is or modified to add the catalog source to your cluster.
The imageContentSourcePolicy.yaml
file defines an ImageContentSourcePolicy
object that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.
If your cluster uses an |
The mapping.txt
file contains all of the source images and where to map them in the target registry. This file is compatible with the oc image mirror
command and can be used to further customize the mirroring configuration.
If you used the --manifests-only
flag in the previous step and want to mirror only a subset of the content:
Modify the list of images in your mapping.txt
file to your specifications. If you are unsure of the exact names and versions of the subset of images you want to mirror, use the following steps to find them:
Run the sqlite3
tool against the temporary database that was generated by the oc adm catalog mirror
command to retrieve a list of images matching a general search query. The output helps inform how you will later edit your mapping.txt
file.
For example, to retrieve a list of images that are similar to the string clusterlogging.4.3
:
$ echo "select * from related_image \
where operatorbundle_name like 'clusterlogging.4.3%';" \
| sqlite3 -line /tmp/190214037/bundles.db (1)
1 | Refer to the previous output of the oc adm catalog mirror command to find the path of the database file. |
image = registry.redhat.io/openshift-logging/kibana6-rhel8@sha256:aa4a8b2a00836d0e28aa6497ad90a3c116f135f382d8211e3c55f34fb36dfe61
operatorbundle_name = clusterlogging.4.3.33-202008111029.p0
image = registry.redhat.io/openshift4/ose-oauth-proxy@sha256:6b4db07f6e6c962fc96473d86c44532c93b146bbefe311d0c348117bf759c506
operatorbundle_name = clusterlogging.4.3.33-202008111029.p0
...
Use the results from the previous step to edit the mapping.txt
file to only include the subset of images you want to mirror.
For example, you can use the image
values from the previous example output to find that the following matching lines exist in your mapping.txt
file:
mapping.txt
registry.redhat.io/openshift-logging/kibana6-rhel8@sha256:aa4a8b2a00836d0e28aa6497ad90a3c116f135f382d8211e3c55f34fb36dfe61=<registry_host_name>:<port>/kibana6-rhel8:a767c8f0
registry.redhat.io/openshift4/ose-oauth-proxy@sha256:6b4db07f6e6c962fc96473d86c44532c93b146bbefe311d0c348117bf759c506=<registry_host_name>:<port>/openshift4-ose-oauth-proxy:3754ea2b
In this example, if you only want to mirror these images, you would then remove all other entries in the mapping.txt
file and leave only the above two lines.
Still on your workstation with unrestricted network access, use your modified mapping.txt
file to mirror the images to your registry using the oc image mirror
command:
$ oc image mirror \
[-a ${REG_CREDS}] \
--filter-by-os='.*' \
-f ./manifests-redhat-operators-<random_number>/mapping.txt
If the |
Create the ImageContentSourcePolicy
object:
$ oc create -f ./manifests-redhat-operators-<random_number>/imageContentSourcePolicy.yaml
You can now create a CatalogSource
object to reference your mirrored content.
If your catalog image is hosted on a private registry and requires authentication, see Accessing images for Operators from private registries.
After a cluster administrator has configured OperatorHub to use custom Operator catalog images, administrators can keep their OKD cluster up to date with the latest Operators by capturing updates made to App Registry catalogs provided by Red Hat. This is done by building and pushing a new Operator catalog image, then replacing the existing spec.image
parameter in the CatalogSource
object with the new image digest.
For this example, the procedure assumes a custom redhat-operators
catalog image is already configured for use with OperatorHub.
Only the Linux version of the |
Workstation with unrestricted network access
oc
version 4.3.5+ Linux client
podman
version 1.9.3+
Access to mirror registry that supports Docker v2-2
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process. |
OperatorHub configured to use custom catalog images
If you are working with private registries, set the REG_CREDS
environment variable to the file path of your registry credentials for use in later steps. For example, for the podman
CLI:
$ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json
If you are working with private namespaces that your quay.io account has access to, you must set a Quay authentication token. Set the AUTH_TOKEN
environment variable for use with the --auth-token
flag by making a request against the login API using your quay.io credentials:
$ AUTH_TOKEN=$(curl -sH "Content-Type: application/json" \
-XPOST https://quay.io/cnr/api/v1/users/login -d '
{
"user": {
"username": "'"<quay_username>"'",
"password": "'"<quay_password>"'"
}
}' | jq -r '.token')
On the workstation with unrestricted network access, authenticate with the target mirror registry:
$ podman login <registry_host_name>
Authenticate with registry.redhat.io
so that the base image can be pulled during the build:
$ podman login registry.redhat.io
Build a new catalog image based on the redhat-operators
catalog from Quay.io, tagging and pushing it to your mirror registry:
$ oc adm catalog build \
--appregistry-org redhat-operators \(1)
--from=quay.io/openshift/origin-operator-registry:4.7.0 \(2)
--filter-by-os="linux/amd64" \(3)
--to=<registry_host_name>:<port>/olm/redhat-operators:v2 \(4)
[-a ${REG_CREDS}] \(5)
[--insecure] \(6)
[--auth-token "${AUTH_TOKEN}"] (7)
1 | Organization (namespace) to pull from an App Registry instance. |
2 | Set --from to the Operator Registry base image using the tag that matches the target OKD cluster major and minor version. |
3 | Set --filter-by-os to the operating system and architecture to use for the base image, which must match the target OKD cluster. Valid values are linux/amd64 , linux/ppc64le , and linux/s390x . |
4 | Name your catalog image and include a tag, for example, v2 because it is the updated catalog. |
5 | Optional: If required, specify the location of your registry credentials file. |
6 | Optional: If you do not want to configure trust for the target registry, add the --insecure flag. |
7 | Optional: If other application registry catalogs are used that are not public, specify a Quay authentication token. |
INFO[0013] loading Bundles dir=/var/folders/st/9cskxqs53ll3wdn434vw4cd80000gn/T/300666084/manifests-829192605
...
Pushed sha256:f73d42950021f9240389f99ddc5b0c7f1b533c054ba344654ff1edaf6bf827e3 to example_registry:5000/olm/redhat-operators:v2
Mirror the contents of your catalog to your target registry. The following oc adm catalog mirror
command extracts the contents of your custom Operator catalog image to generate the manifests required for mirroring and mirrors the images to your registry:
$ oc adm catalog mirror \
<registry_host_name>:<port>/olm/redhat-operators:v2 \ (1)
<registry_host_name>:<port> \ (2)
[-a ${REG_CREDS}] \ (3)
[--insecure] \ (4)
[--index-filter-by-os='<platform>/<arch>'] (5)
1 | Specify your new Operator catalog image. |
2 | Specify the fully qualified domain name (FQDN) for the target registry. |
3 | Optional: If required, specify the location of your registry credentials file. |
4 | Optional: If you do not want to configure trust for the target registry, add the --insecure flag. |
5 | Optional: Specify which platform and architecture of the catalog image to select when multiple variants are available. Images are passed as '<platform>/<arch>[/<variant>]' . This does not apply to images referenced by the catalog image. Valid values are linux/amd64 , linux/ppc64le , and linux/s390x . |
Apply the newly generated manifests:
$ oc replace -f ./manifests-redhat-operators-<random_number>
It is possible that you do not need to apply the |
Update your CatalogSource
object that references your catalog image.
If you have your original catalogsource.yaml
file for this CatalogSource
object:
Edit your catalogsource.yaml
file to reference your new catalog image in the spec.image
field:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: my-operator-catalog
namespace: openshift-marketplace
spec:
sourceType: grpc
image: <registry_host_name>:<port>/olm/redhat-operators:v2 (1)
displayName: My Operator Catalog
publisher: grpc
1 | Specify your new Operator catalog image. |
Use the updated file to replace the CatalogSource
object:
$ oc replace -f catalogsource.yaml
Alternatively, edit the catalog source using the following command and reference your new catalog image in the spec.image
parameter:
$ oc edit catalogsource <catalog_source_name> -n openshift-marketplace
Updated Operators should now be available from the OperatorHub page on your OKD cluster.
You can validate Operator catalog image content by running it as a container and querying its gRPC API. To further test the image, you can then resolve a subscription in Operator Lifecycle Manager (OLM) by referencing the image in a catalog source. For this example, the procedure uses a custom redhat-operators
catalog image previously built and pushed to a supported registry.
A custom Package Manifest Format catalog image pushed to a supported registry
podman
version 1.9.3+
oc
version 4.3.5+
Access to mirror registry that supports Docker v2-2
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process. |
Pull the Operator catalog image:
$ podman pull <registry_host_name>:<port>/olm/redhat-operators:v1
Run the image:
$ podman run -p 50051:50051 \
-it <registry_host_name>:<port>/olm/redhat-operators:v1
Query the running image for available packages using grpcurl
:
$ grpcurl -plaintext localhost:50051 api.Registry/ListPackages
{
"name": "3scale-operator"
}
{
"name": "amq-broker"
}
{
"name": "amq-online"
}
Get the latest Operator bundle in a channel:
$ grpcurl -plaintext -d '{"pkgName":"kiali-ossm","channelName":"stable"}' localhost:50051 api.Registry/GetBundleForChannel
{
"csvName": "kiali-operator.v1.0.7",
"packageName": "kiali-ossm",
"channelName": "stable",
...
Get the digest of the image:
$ podman inspect \
--format='{{index .RepoDigests 0}}' \
<registry_host_name>:<port>/olm/redhat-operators:v1
example_registry:5000/olm/redhat-operators@sha256:f73d42950021f9240389f99ddc5b0c7f1b533c054ba344654ff1edaf6bf827e3
Assuming an Operator group exists in namespace my-ns
that supports your Operator and its dependencies, create a CatalogSource
object using the image digest. For example:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: custom-redhat-operators
namespace: my-ns
spec:
sourceType: grpc
image: example_registry:5000/olm/redhat-operators@sha256:f73d42950021f9240389f99ddc5b0c7f1b533c054ba344654ff1edaf6bf827e3
displayName: Red Hat Operators
Create a subscription that resolves the latest available servicemeshoperator
and its dependencies from your catalog image:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: servicemeshoperator
namespace: my-ns
spec:
source: custom-redhat-operators
sourceNamespace: my-ns
name: servicemeshoperator
channel: "1.0"
If certain images relevant to Operators managed by Operator Lifecycle Manager (OLM) are hosted in an authenticated container image registry, also known as a private registry, OLM and OperatorHub are unable to pull the images by default. To enable access, you can create a pull secret that contains the authentication credentials for the registry. By referencing one or more pull secrets in a catalog source, OLM can handle placing the secrets in the Operator and catalog namespace to allow installation.
Other images required by an Operator or its Operands might require access to private registries as well. OLM does not handle placing the secrets in target tenant namespaces for this scenario, but authentication credentials can be added to the global cluster pull secret or individual namespace service accounts to enable the required access.
The following types of images should be considered when determining whether Operators managed by OLM have appropriate pull access:
A CatalogSource
object can reference an index image or a catalog image, which are catalog sources packaged as container images hosted in images registries. Index images use the Bundle Format and reference bundle images, while catalog images use the Package Manifest Format. If an index or catalog image is hosted in a private registry, a secret can be used to enable pull access.
Operator bundle images are metadata and manifests packaged as container images that represent a unique version of an Operator. If any bundle images referenced in a catalog source are hosted in one or more private registries, a secret can be used to enable pull access.
If an Operator installed from a catalog source uses a private image, either for the Operator image itself or one of the Operand images it watches, the Operator will fail to install because the deployment will not have access to the required registry authentication. Referencing secrets in a catalog source does not enable OLM to place the secrets in target tenant namespaces in which Operands are installed.
Instead, the authentication details can be added to the global cluster pull secret in the openshift-config
namespace, which provides access to all namespaces on the cluster. Alternatively, if providing access to the entire cluster is not permissible, the pull secret can be added to the default
service accounts of the target tenant namespaces.
At least one of the following hosted in a private registry:
An index image or catalog image.
An Operator bundle image.
An Operator or Operand image.
Create a secret for each required private registry.
Log in to the private registry to create or update your registry credentials file:
$ podman login <registry>:<port>
The file path of your registry credentials can be different depending on the container tool used to log in to the registry. For the |
It is recommended to include credentials for only one registry per secret, and manage credentials for multiple registries in separate secrets. Multiple secrets can be included in a CatalogSource
object in later steps, and OKD will merge the secrets into a single virtual credentials file for use during an image pull.
A registry credentials file can, by default, store details for more than one registry. Verify the current contents of your file. For example:
{
"auths": {
"registry.redhat.io": {
"auth": "FrNHNydQXdzclNqdg=="
},
"quay.io": {
"auth": "Xd2lhdsbnRib21iMQ=="
}
}
}
Because this file is used to create secrets in later steps, ensure that you are storing details for only one registry per file. This can be accomplished by using either of the following methods:
Use the podman logout <registry>
command to remove credentials for additional registries until only the one registry you want remains.
Edit your registry credentials file and separate the registry details to be stored in multiple files. For example:
{
"auths": {
"registry.redhat.io": {
"auth": "FrNHNydQXdzclNqdg=="
}
}
}
{
"auths": {
"quay.io": {
"auth": "Xd2lhdsbnRib21iMQ=="
}
}
}
Create a secret in the openshift-marketplace
namespace that contains the authentication credentials for a private registry:
$ oc create secret generic <secret_name> \
-n openshift-marketplace \
--from-file=.dockerconfigjson=<path/to/registry/credentials> \
--type=kubernetes.io/dockerconfigjson
Repeat this step to create additional secrets for any other required private registries, updating the --from-file
flag to specify another registry credentials file path.
Create or update an existing CatalogSource
object to reference one or more secrets:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: my-operator-catalog
namespace: openshift-marketplace
spec:
sourceType: grpc
secrets: (1)
- "<secret_name_1>"
- "<secret_name_2>"
image: <registry>:<port>/<namespace>/<image>:<tag>
displayName: My Operator Catalog
publisher: <publisher_name>
updateStrategy:
registryPoll:
interval: 30m
1 | Add a spec.secrets section and specify any required secrets. |
If any Operator or Operand images that are referenced by a subscribed Operator require access to a private registry, you can either provide access to all namespaces in the cluster, or individual target tenant namespaces.
To provide access to all namespaces in the cluster, add authentication details to the global cluster pull secret in the openshift-config
namespace.
Cluster resources must adjust to the new global pull secret, which can temporarily limit the usability of the cluster. |
Extract the .dockerconfigjson
file from the global pull secret:
$ oc extract secret/pull-secret -n openshift-config --confirm
Update the .dockerconfigjson
file with your authentication credentials for the required private registry or registries and save it as a new file:
$ cat .dockerconfigjson | \
jq --compact-output '.auths["<registry>:<port>/<namespace>/"] |= . + {"auth":"<token>"}' \(1)
> new_dockerconfigjson
1 | Replace <registry>:<port>/<namespace> with the private registry details and <token> with your authentication credentials. |
Update the global pull secret with the new file:
$ oc set data secret/pull-secret -n openshift-config \
--from-file=.dockerconfigjson=new_dockerconfigjson
To update an individual namespace, add a pull secret to the service account for the Operator that requires access in the target tenant namespace.
Recreate the secret that you created for the openshift-marketplace
in the tenant namespace:
$ oc create secret generic <secret_name> \
-n <tenant_namespace> \
--from-file=.dockerconfigjson=<path/to/registry/credentials> \
--type=kubernetes.io/dockerconfigjson
Verify the name of the service account for the Operator by searching the tenant namespace:
$ oc get sa -n <tenant_namespace> (1)
1 | If the Operator was installed in an individual namespace, search that namespace. If the Operator was installed for all namespaces, search the openshift-operators namespace. |
NAME SECRETS AGE
builder 2 6m1s
default 2 6m1s
deployer 2 6m1s
etcd-operator 2 5m18s (1)
1 | Service account for an installed etcd Operator. |
Link the secret to the service account for the Operator:
$ oc secrets link <operator_sa> \
-n <tenant_namespace> \
<secret_name> \
--for=pull
See What is a secret? for more information on the types of secrets, including those used for registry credentials.
See Updating the global cluster pull secret for more details on the impact of changing this secret.
See Allowing pods to reference images from other secured registries for more details on linking pull secrets to service accounts per namespace.
Operator catalogs that source content provided by Red Hat and community projects are configured for OperatorHub by default during an OKD installation. As a cluster administrator, you can disable the set of default catalogs.
Disable the sources for the default catalogs by adding disableAllDefaultSources: true
to the OperatorHub
object:
$ oc patch OperatorHub cluster --type json \
-p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'
Alternatively, you can use the web console to manage catalog sources. From the Administration → Cluster Settings → Global Configuration → OperatorHub page, click the Sources tab, where you can create, delete, disable, and enable individual sources. |
As a cluster administrator, you can remove custom Operator catalogs that have been previously added to your cluster by deleting the related catalog source.
In the Administrator perspective of the web console, navigate to Administration → Cluster Settings.
Click the Global Configuration tab, and then click OperatorHub.
Click the Sources tab.
Select the Options menu for the catalog that you want to remove, and then click Delete CatalogSource.