When I logout the cluster, and rerun it. It failed to pull, push from the private registry namespace: redhat-operators-art/art. But, it works after login the cluster.
[root@dhcp-140-36 ~]# oc get clusterversion
error: You must be logged in to the server (Unauthorized)
[root@dhcp-140-36 ~]# docker login quay.io
Username (jiazha): 
Password: 
Login Succeeded
[root@dhcp-140-36 ~]# oc adm catalog build --appregistry-org=redhat-operators-art --to=quay.io/redhat-operators-art/art:v1 --loglevel=8
INFO[0001] loading Bundles                               dir=/tmp/manifests-429810255
INFO[0001] directory                                     dir=/tmp/manifests-429810255 file=manifests-429810255 load=bundles
INFO[0001] loading Packages and Entries                  dir=/tmp/manifests-429810255
INFO[0001] directory                                     dir=/tmp/manifests-429810255 file=manifests-429810255 load=package
...
...
Uploading ... I1118 17:21:19.906344   30111 credentials.go:108] Found secret to match https://quay.io/v2/auth (quay.io/auth): 
I1118 17:21:19.906386   30111 round_trippers.go:420] GET https://quay.io/v2/auth?account=jiazha&scope=repository%3Aredhat-operators-art%2Fart%3Apull%2Cpush&service=quay.io
I1118 17:21:19.906400   30111 round_trippers.go:427] Request Headers:
I1118 17:21:19.906416   30111 round_trippers.go:431]     Authorization: Basic <masked>
I1118 17:21:20.459863   30111 round_trippers.go:446] Response Status: 200 OK in 553 milliseconds
I1118 17:21:20.459881   30111 round_trippers.go:449] Response Headers:
I1118 17:21:20.459889   30111 round_trippers.go:452]     Cache-Control: no-cache, no-store, must-revalidate
I1118 17:21:20.459899   30111 round_trippers.go:452]     X-Frame-Options: DENY
I1118 17:21:20.459903   30111 round_trippers.go:452]     Strict-Transport-Security: max-age=63072000; preload
I1118 17:21:20.459909   30111 round_trippers.go:452]     Server: nginx/1.12.1
I1118 17:21:20.459917   30111 round_trippers.go:452]     Date: Mon, 18 Nov 2019 09:21:20 GMT
I1118 17:21:20.459922   30111 round_trippers.go:452]     Content-Type: application/json
I1118 17:21:20.459932   30111 round_trippers.go:452]     Content-Length: 1031
I1118 17:21:20.460000   30111 round_trippers.go:420] POST https://quay.io/v2/redhat-operators-art/art/blobs/uploads/
I1118 17:21:20.460012   30111 round_trippers.go:427] Request Headers:
I1118 17:21:20.460022   30111 round_trippers.go:431]     Content-Type: 
I1118 17:21:20.460032   30111 round_trippers.go:431]     Authorization: Bearer <masked>
I1118 17:21:20.725834   30111 round_trippers.go:446] Response Status: 401 Unauthorized in 265 milliseconds
I1118 17:21:20.725865   30111 round_trippers.go:449] Response Headers:
I1118 17:21:20.725884   30111 round_trippers.go:452]     Docker-Distribution-Api-Version: registry/2.0
I1118 17:21:20.725900   30111 round_trippers.go:452]     Www-Authenticate: Bearer realm="https://quay.io/v2/auth",service="quay.io",scope="repository:redhat-operators-art/art:pull,push"
I1118 17:21:20.725914   30111 round_trippers.go:452]     Server: nginx/1.12.1
I1118 17:21:20.725927   30111 round_trippers.go:452]     Date: Mon, 18 Nov 2019 09:21:20 GMT
I1118 17:21:20.725940   30111 round_trippers.go:452]     Content-Type: application/json
I1118 17:21:20.725954   30111 round_trippers.go:452]     Content-Length: 112
failed
F1118 17:21:20.726201   30111 helpers.go:114] error: unauthorized: access to the requested resource is not authorized

Jian,

Yes, that image needs to be mirrored to the cluster as well. The `oc adm catalog` commands are built on top of the concepts from `oc adm release mirror` commands. If you want to run this catalog build *inside* the disconnected cluster, you would need to do what Evan described above and mirror that image into your disconnected registry.

Is there a reason why you are trying to do the catalog build from inside a disconnected environment? My assumption is that this command to build the disconnected catalog should be run from *outside* the disconnected environment (so that it has access to the required builder images as well as access to quay.io's appregistry. Then, once the image is built using `oc adm catalog build`, you can mirror that image into the disconnected environment's registry and attempt to create a catalogsource pointing to it.

Am I missing something here?

https://docs.openshift.com/container-platform/4.2/installing/installing_restricted_networks/installing-restricted-networks-preparations.html?extIdCarryOver=true&sc_cid=701f2000001Css5AAC
https://github.com/operator-framework/olm-book/pull/13

Hi, Kevin

Thanks for your information.

> Is there a reason why you are trying to do the catalog build from inside a disconnected environment?

You know, some customers only have one disconnected environment. Previously, I hope this `oc adm catalog` command can work well too in the disconnected cluster to avoid the users do unneeded steps.
I see now, this `oc adm catalog` command is a precondition before starting to use the disconnected cluster. The users should use it to build the images first, right? If yes, the correct steps for the users as follows, right? If yes, I think I can verify this issue, thanks!
1, Logout the cluster(Don't log in to the disconnected cluster, otherwise, you cannot get the depended image: quay.io/operator-framework/operator-registry-server:latest).
2, Run the `oc adm catalog build --auth-token="basic xxx" --appregistry-org=<your registry> --to=<your image>` command to build your images

Hi, Nick

Thanks for your information! Verify it per comment 4.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062