📖 Document how to configure global pull secrets
Closes #1409
anik120 committed Oct 25, 2024
1 parent 3083879 commit ee89046
Showing 2 changed files with 48 additions and 0 deletions.
46 changes: 46 additions & 0 deletions docs/howto/configure-global-pull-secrets.md
@@ -0,0 +1,46 @@
# Configure global pull secrets for allowing components to pull private images

To configure `catalogd` and `operator-controller` to use authentication information for pulling private images (catalog/bundle images etc), the components can be informed about a kubernetes `Secret` object that contains the relevant auth information. The `Secret` must be of type `kubernetes.io/dockerconfigjson`.

Once the `Secret` is created, `catalogd` and `operator-controller` needs to be redeployed with an additional field, `--global-pull-secret=<secret-namespace>/<secret-name>` passed to the respective binaries.

For eg, create a `Secret` using locally available `config.json`:

```sh
$ kubectl create secret docker-registry test-secret \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--namespace olmv1-system
secret/test-secret created
```

Verify that the Secret is created:

```sh
$ kubectl get secret test-secret -n olmv1-system -o yaml
apiVersion: v1
data:
.dockerconfigjson: ewogICJh....
kind: Secret
metadata:
creationTimestamp: "2024-10-25T12:05:46Z"
name: test-secret
namespace: olmv1-system
resourceVersion: "237734"
uid: 880138f1-5d98-4bb0-9e45-45e8ebaff647
type: kubernetes.io/dockerconfigjson
```

Modify the `config/base/manager/manager.yaml` file for `catalogd` and `operator-controller` to include the new field in the binary args:

```yaml
- command:
- ./manager
args:
- ...
- ...
- ...
- --global-pull-secret=olmv1-system/test-secret
```
With the above configuration, creating a `ClusterCatalog` or a `ClusterExention` whose content is packaged in a private container image hosted in an image registry, will become possible.
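
Review bot: The `kubectl create secret docker-registry` example passes `--from-file=.dockerconfigjson=$HOME/.docker/config.json`, which copies every registry entry in the user's local Docker config into the cluster Secret, not only the entry for the private catalog or bundle registry. Suggest telling readers to prepare a `config.json` that contains just the registry the components need. Next to the `kubectl get secret test-secret -n olmv1-system -o yaml` step, it would help to say that the `.dockerconfigjson` value is base64-encoded, not encrypted, so that output should not be pasted into issues or logs. Because the flag is named `--global-pull-secret`, the page should also state its scope: which pulls by `catalogd` and `operator-controller` will present these credentials. Smaller points: "needs to be redeployed" should be "need to be redeployed", "For eg" reads better as "For example", `ClusterExention` in the last line should be `ClusterExtension`, and a blank line is missing between the closing fence of the YAML block and the final paragraph.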

2 changes: 2 additions & 0 deletions docs/tutorials/install-extension.md
Expand Up @@ -14,6 +14,8 @@ After you add a catalog to your cluster, you can install an extension by creatin
* The name, and optionally version, or channel, of the [supported extension](../project/olmv1_limitations.md) to be installed
* An existing namespace in which to install the extension

**Note** To install ClusterExentions that are shipped as private container images hosted in an image registry, please see [How to conifgure global pull secrets](../howto/configure-global-pull-secrets.md).

### ServiceAccount for ClusterExtension Installation and Management

Adhering to OLM v1's "Secure by Default" tenet, OLM v1 does not have the permissions
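
Review bot: The added **Note** line has two typos, "ClusterExentions" and "conifgure", that will ship in the rendered tutorial; they should read "ClusterExtensions" and "configure". The link text "How to conifgure global pull secrets" also does not match the target page's heading, "Configure global pull secrets for allowing components to pull private images", so consider using the same wording in both places. Since this note sits directly above the ServiceAccount section that cites the "Secure by Default" tenet, one sentence saying that the pull secret is configured globally for the components, and is not part of the per-extension ServiceAccount, would keep readers from conflating the two.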