Regression: OCP 4.14 KMM v2 unable to pull pre-built certified driver container image

[hershpa]

Summary:

Regression: KMM v2.0.0/v2.0.1 on OCP 4.14 is unable to pull the certified driver container image from Red Hat registry once the pre-built mode module is deployed in default openshift-kmm namespace. This behavior is unexpected as it is working on KMM v1 deployments. See issue filed in KMM downstream repo: https://github.com/rh-ecosystem-edge/kernel-module-management/issues/992

Note: Only KMM v2.0.0/v2.0.1 is available on OCP 4.14+. KMM v1 is unavailable.

Analysis:

In KMM v1, the node successfully pulled the image with default OCP cluster global pull secret. In KMM v2, the worker pod pulls the image but the global pull secret is not mounted on the pod and thus the pull fails.

Workaround:

1. Use command below to Copy global pull secret pull-secret in openshift-config namespace to openshift-kmm namespace.

   $ oc get secrets pull-secret -n openshift-config -o json  | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid","annotations"])'  | oc apply -n openshift-kmm -f -

2. Set module.spec.imageRepoSecret.name to pull-secret in pre-build mode KMM Module intel-dgpu.yaml.

Impact:

Above workaround is an additional nontrivial step that impacts the user experience. Pre-built mode is intended to be as seamless as possible.

Tentative Proposal:

Request KMM to use the global pull secret and mount it on the worker pod.

Update:

Fix to be included in KMM 2.0.2, official release target Feb 27

[qbarrand]

KMM v2.0.2, which includes a fix for this issue, was released earlier today.

cc @uMartinXu @vbedida79

[hershpa]

Thanks @qbarrand! We validated the fix is working as expected.