Description
It seems that Quay won't apply so-called “default” permissions to repositories created by a robot account; and quay-bridge-operator doesn't directly manipulate permissions either. Therefore, we appear to be left with a gap, whereby the only way to push and pull images to and from Quay is to manipulate permissions through the Quay UI, largely defeating the purpose of quay-bridge-operator.
Using Red Hat Quay Bridge Operator version 3.9 against OpenShift 4.13.12.
What I am trying to do vs. what happens:
- `oc create namespace test-quay-bridge-1`
  - Expected: quay-bridge-operator should (tell Quay to) create an Organization with three Robot Accounts fitted with suitable Permission Prototypes
  - Actual: ✓ (see: ¹)
- `oc apply -f an-imagestream-in-that-namespace.yaml`
  - Expected: quay-bridge-operator should (tell Quay to) create a Repository with suitable permissions for the above Robot Accounts
  - Actual: the Repository gets created indeed², but none of the aforementioned robot accounts have any rights to it³.
Now, I understand that there are workarounds that involve a number of clicks in the Quay UI by at least two different people; however, there used to be no need for that in OpenShift's internal registry (at least in version 3 that I have used).
Footnotes
¹ In Quay's Flask shell:

```python
from data.database import (User, PermissionPrototype)

[dict(username=u.username, robot=u.robot, organization=u.organization)
 for u in User.select()
 if u.username.startswith("fsd_test-quay-bridge-1")]

[dict(who=p.delegate_user.username, what=p.role.name)
 for p in PermissionPrototype.select().join(User, on=PermissionPrototype.org)
 .where(User.username == "fsd_test-quay-bridge-1")]
```

²

```python
from data.database import Repository

Repository.select().where(Repository.name == "test-imagestream").first()
```

³

```python
from data import model

[p for robot in ("fsd_test-quay-bridge-1+deployer", "fsd_test-quay-bridge-1+builder",
                 "fsd_test-quay-bridge-1+default")
 for p in model.permission.list_robot_permissions(robot)]
```
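
An added example, not part of the original issue and not code from Quay or quay-bridge-operator: the missing per-repository grants for the three robot accounts, planned and sent through Quay's REST API instead of the UI. The role given to each robot, the `quay.example.com` host, and the OAuth token with repository-administration rights are assumptions.

```python
import json
import urllib.request
from urllib.parse import quote

# Assumed least-privilege mapping for the three robots named in the issue;
# the issue itself does not say which role each one should hold.
ROBOT_ROLES = {"builder": "write", "deployer": "read", "default": "read"}


def plan_grants(quay_url, org, repo, roles=ROBOT_ROLES):
    """Return (url, body) pairs, one per robot, for Quay's
    PUT /api/v1/repository/{repository}/permissions/user/{username}."""
    base = quay_url.rstrip("/")
    grants = []
    for short_name, role in sorted(roles.items()):
        if role not in ("read", "write", "admin"):
            raise ValueError(f"unknown Quay role: {role!r}")
        robot = f"{org}+{short_name}"  # Quay robot names are "<org>+<shortname>"
        url = (f"{base}/api/v1/repository/{quote(org, safe='')}/"
               f"{quote(repo, safe='')}/permissions/user/{quote(robot, safe='+')}")
        grants.append((url, {"role": role}))
    return grants


def apply_grants(grants, token, opener=urllib.request.urlopen):
    """Send each planned grant; token must be allowed to administer the repo."""
    for url, body in grants:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="PUT",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with opener(req) as resp:
            if resp.status not in (200, 201):
                raise RuntimeError(f"{url}: HTTP {resp.status}")


if __name__ == "__main__":
    # quay.example.com is a placeholder host; names are the ones from the issue.
    for url, body in plan_grants("https://quay.example.com",
                                 "fsd_test-quay-bridge-1", "test-imagestream"):
        print("PUT", url, json.dumps(body))
```

Re-running footnote ³ afterwards should list one permission per robot; `plan_grants` alone gives a dry run that can be reviewed before any token is used.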