Unauthorized error thrown while using catalog mirror command with Quay registry
Environment
- OpenShift 4.5.7
- oc client 4.5.7
- Red Hat Quay 3.3
Issue
The following error is thrown when the oc adm catalog mirror command is used with Red Hat Quay as the mirror registry.
error: unable to upload blob sha256:ba1ba4a40a7516fad0d3a5d99716a01f2476f2f8bfac67659e401ea617c68802 to quay.example.com/openshift4/ose-metering-hadoop: unauthorized: access to the requested resource is not authorized
Resolution
Follow these steps in order to mirror images to the Quay registry.
- Log in to the Red Hat Quay registry and create an organization of your choice inside Quay. In the following example, we create an organization called olms.
- Perform a docker or podman login to your Red Hat Quay registry and to registry.redhat.io.
- Build and push the Operator catalog image by running the following oc adm catalog build command. Replace quay.example.com with the host name of your Quay registry in all the steps.
oc adm catalog build --appregistry-org redhat-operators --from=registry.redhat.io/openshift4/ose-operator-registry:v4.5 --filter-by-os="linux/amd64" --to=quay.example.com/olms/redhat-operators:v1 --insecure
- Disable the default OperatorSources in your OpenShift cluster to configure OLM and OperatorHub to use a custom catalog image, as shown below.
oc patch OperatorHub cluster --type json \
-p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'
- Run the following oc adm catalog mirror command to mirror all the images to your Quay registry.
oc adm catalog mirror quay.example.com/olms/redhat-operators:v1 quay.example.com/olms --insecure --filter-by-os="linux/amd64" --max-components=2
Note: Ensure your oc client is 4.5.7 or above, and use the option --max-components=2 when running the command.
Root Cause
Red Hat Quay does not allow nested repositories inside an organization or namespace, which results in the unauthorized error. To overcome this issue, newer versions of the oc client provide the option --max-components=2, which disables creation of nested repositories.
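The nested-repository condition described above can be checked before any push is attempted. The following is an added example, not part of the original solution or of oc: it reads source=destination lines (the format assumed here for the mapping.txt file that oc adm catalog mirror writes) and lists every destination whose repository path has more than two components. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list mirror destinations that would need nested repositories.

# sample_mapping prints constructed source=destination lines (not real output).
sample_mapping() {
    cat <<'EOF'
# constructed sample
registry.redhat.io/openshift4/ose-metering-hadoop@sha256:<digest>=quay.example.com/olms/openshift4/ose-metering-hadoop:v1
registry.redhat.io/openshift4/ose-metering-hadoop@sha256:<digest>=quay.example.com/olms/ose-metering-hadoop:v1
registry.redhat.io/openshift4/ose-metering-hadoop@sha256:<digest>=quay.example.com:8443/olms/ose-metering-hadoop@sha256:<digest>
EOF
}

# nested_destinations FILE
# Prints each destination whose repository path (registry host, tag and digest
# removed) has more than two components. Returns 1 if any were printed, else 0.
nested_destinations() {
    awk -F'=' '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        NF < 2         { next }               # not a source=destination line
        {
            dest = $NF
            path = dest
            sub("^[^/]+/", "", path)          # drop registry host[:port]
            sub("@.*$", "", path)             # drop @sha256:... digest
            sub(":[^/:]*$", "", path)         # drop :tag
            if (split(path, parts, "/") > 2) { print dest; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Demo: check the constructed sample.
tmp=$(mktemp)
sample_mapping > "$tmp"
nested_destinations "$tmp" || echo "destinations listed above exceed org/repo"
rm -f "$tmp"
```

A non-zero return means at least one destination would require a nested repository, which Quay rejects with the unauthorized error shown in the Issue section.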