Description of problem:
Ran into an auth problem doing oc adm release new but the default error output didn't clarify what exactly was failing.
❯ oc adm release new --from-release registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-08-06-050650 cloud-credential-operator=quay.io/dgoodwin/cloud-credential-operator:latest --to-image quay.io/dgoodwin/origin-release:latest
info: Loading sha256:725ac6e4957036d8d85d6f9ae8fb4fe93b0fb8008fc12c81d72459bb4e1f866b operator-marketplace
info: Loading sha256:d908715bc7102d256dc4c00bb99db860d57c85a2c6a61928ded208b2fb63a00b service-ca-operator
error: unauthorized: access to the requested resource is not authorized
With loglevel 9 it turned out this was actually MY repo the auth was failing on.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. oc adm release new with a --to-image you do not have auth for.
Unauthorized error but unclear what or where.
Indicate this was the auth to the --to-image that failed.
Right, this error message can/should be clarified so user knows which registry/repo and/or image caused the failure. In this case, 'oc adm release new' requires 2 auths, one for pulling and one for the push, and this isn't possible with the same-registry/different-repo
(quay.io/openshift-release-dev for the pull and quay.io/dgoodwin for the push) in a single auth file. This is a limitation of docker, podman, and oc -these tools cannot authenticate with a single auth file that holds creds for registry/repo1 and registry/repo2. In such a scenario, only the first listed auth will be used. With 'oc adm release new' the workaround is to mirror the nightly to disk, then `oc adm release new` from disk to quay.io/anyrepo OR, instead of pushing the release to your quay account, you can push to docker hub.
For this bz, I'll clarify the error message.