Merge pull request #31968 from mburke5678/BZ-1889413

mburke5678 · web-flow · commit ced1ac350314 · 2021-05-05T15:25:40.000-04:00
Only global pull secrets can be configured in clusters where ImageContentSourcePolicy is set
diff --git a/modules/builds-image-source.adoc b/modules/builds-image-source.adoc
@@ -39,6 +39,11 @@ source:
 <4> The directory relative to the build root where the build process can access the file.
 <5> The location of the file to be copied out of the referenced image.
 <6> An optional secret provided if credentials are needed to access the input image.
++
+[NOTE]
+====
+If your cluster uses an `ImageContentSourcePolicy` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
+====
 
 Optionally, if an input image requires a pull secret, you can link the pull secret to the service account used by the build. By default, builds use the `builder` service account. The pull secret is automatically added to the build if the secret contains a credential that matches the repository hosting the input image. To link a pull secret to the service account used by the build, run:
 
diff --git a/modules/images-configuration-registry-mirror.adoc b/modules/images-configuration-registry-mirror.adoc
@@ -30,10 +30,16 @@ By pulling container images needed by {product-title} and then bringing those im
 Even if you don't configure mirroring during {product-title} installation, you can do so later using the `ImageContentSourcePolicy` object.
 
 The following procedure provides a post-installation mirror configuration, where you create an `ImageContentSourcePolicy` object that identifies:
-
+--
 * The source of the container image repository you want to mirror.
 * A separate entry for each mirror repository you want to offer the content
 requested from the source repository.
+--
+
+[NOTE]
+====
+You can only configure global pull secrets for clusters that have an `ImageContentSourcePolicy` object. You cannot add a pull secret to a project. 
+====
 
 .Prerequisites
 * Access to the cluster as a user with the `cluster-admin` role.
diff --git a/modules/olm-mirroring-catalog.adoc b/modules/olm-mirroring-catalog.adoc
@@ -175,6 +175,11 @@ The manifests directory contains the following files, some of which might requir
 If you mirrored the content to local files, you must modify your `catalogSource.yaml` file to remove any backslash (`/`) characters from the `metadata.name` field. Otherwise, when you attempt to create the object, it fails with an "invalid resource name" error.
 ====
 * The `imageContentSourcePolicy.yaml` file defines an `ImageContentSourcePolicy` object that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.
++
+[NOTE]
+====
+If your cluster uses an `ImageContentSourcePolicy` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
+====
 * The `mapping.txt` file contains all of the source images and where to map them in the target registry. This file is compatible with the `oc image mirror` command and can be used to further customize the mirroring configuration.
 +
 [IMPORTANT]
@@ -192,6 +197,7 @@ $ oc create -f <path/to/manifests/dir>/imageContentSourcePolicy.yaml
 +
 where `<path/to/manifests/dir>` is the path to the manifests directory for your mirrored content.
 
+
 You can now create a `CatalogSource` object to reference your mirrored index image and Operator content.
 
 :!index-image-pullspec:
diff --git a/modules/olm-mirroring-package-manifest-catalog.adoc b/modules/olm-mirroring-package-manifest-catalog.adoc
@@ -63,6 +63,11 @@ After running the command, a `manifests-<index_image_name>-<random_number>/` dir
 --
 * The `catalogSource.yaml` file is a basic definition for a `CatalogSource` object that is pre-populated with your catalog image tag and other relevant metadata. This file can be used as is or modified to add the catalog source to your cluster.
 * The `imageContentSourcePolicy.yaml` file defines an `ImageContentSourcePolicy` object that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.
++
+[NOTE]
+====
+If your cluster uses an `ImageContentSourcePolicy` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
+====
 * The `mapping.txt` file contains all of the source images and where to map them in the target registry. This file is compatible with the `oc image mirror` command and can be used to further customize the mirroring configuration.
 --
 
diff --git a/modules/update-mirror-repository.adoc b/modules/update-mirror-repository.adoc
@@ -59,6 +59,11 @@ $ LOCAL_SECRET_JSON='<path_to_pull_secret>'
 ----
 +
 For `<path_to_pull_secret>`, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
++
+[NOTE]
+====
+If your cluster uses an `ImageContentSourcePolicy` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
+====
 
 .. Export the release mirror:
 +
diff --git a/modules/update-restricted.adoc b/modules/update-restricted.adoc
@@ -25,3 +25,8 @@ $ oc adm upgrade --allow-explicit-upgrade --to-image ${LOCAL_REGISTRY}/${LOCAL_R
 <1> The `<sha256_sum_value>` value is the sha256 sum value for the release from the image signature ConfigMap, for example, `@sha256:81154f5c03294534e1eaf0319bef7a601134f891689ccede5d705ef659aa8c92`
 +
 If you use an `ImageContentSourcePolicy` for the mirror registry, you can use the canonical registry name instead of `LOCAL_REGISTRY`.
++
+[NOTE]
+====
+You can only configure global pull secrets for clusters that have an `ImageContentSourcePolicy` object. You cannot add a pull secret to a project. 
+====
diff --git a/openshift_images/image-configuration.adoc b/openshift_images/image-configuration.adoc
@@ -22,3 +22,7 @@ include::modules/images-configuration-shortname.adoc[leveloffset=+2]
 include::modules/images-configuration-cas.adoc[leveloffset=+2]
 
 include::modules/images-configuration-registry-mirror.adoc[leveloffset=+2]
+
+.Additional resources
+
+For more information about global pull secrets, see xref:../openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets[Updating the global cluster pull secret].

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,11 @@ $ LOCAL_SECRET_JSON='<path_to_pull_secret>'`
`59`	`59`	`----`
`60`	`60`	`+`
`61`	`61`	For `<path_to_pull_secret>`, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
	`62`	`++`
	`63`	`+[NOTE]`
	`64`	`+====`
	`65`	+If your cluster uses an `ImageContentSourcePolicy` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
	`66`	`+====`
`62`	`67`
`63`	`68`	`.. Export the release mirror:`
`64`	`69`	`+`
Original file line number	Diff line number	Diff line change
`@@ -25,3 +25,8 @@ $ oc adm upgrade --allow-explicit-upgrade --to-image ${LOCAL_REGISTRY}/${LOCAL_R`
`25`	`25`	<1> The `<sha256_sum_value>` value is the sha256 sum value for the release from the image signature ConfigMap, for example, `@sha256:81154f5c03294534e1eaf0319bef7a601134f891689ccede5d705ef659aa8c92`
`26`	`26`	`+`
`27`	`27`	If you use an `ImageContentSourcePolicy` for the mirror registry, you can use the canonical registry name instead of `LOCAL_REGISTRY`.
	`28`	`++`
	`29`	`+[NOTE]`
	`30`	`+====`
	`31`	+You can only configure global pull secrets for clusters that have an `ImageContentSourcePolicy` object. You cannot add a pull secret to a project.
	`32`	`+====`