manage add-cred-to-global-pull-secret

Update the global image pull secret to enable the cluster to pull images from your private container registry.

Required role
Cluster administrator. To run this command, you must be a cluster administrator.
Note: The add-cred-to-global-pull-secret command is applicable only if you mirror the IBM Cloud Pak® for Data software images to a private container registry.

If you pull images from the IBM® Entitled Registry, see manage add-icr-cred-to-global-pull-secret.

Extended description

If your cluster pulls images from a private container registry, the global image pull secret must contain the credentials of an account that can pull images from the registry.

Run this command to update the global image pull secret with the appropriate credentials.

Important: This process will temporarily disable scheduling on each node in the cluster, so you might notice that resources are temporarily unavailable. However, this process happens on one node at a time. The cluster will temporarily disable scheduling on a node, apply the configuration change, and then re-enable scheduling before starting the process on the next node.

After you run the command, get the status of the nodes:

oc get nodes

Wait until all the nodes are Ready before you run other commands. For example, if you see Ready,SchedulingDisabled, wait for the process to complete:

NAME                           STATUS                     ROLES    AGE     VERSION
master0                        Ready                      master   5h57m   v1.20.0
master1                        Ready                      master   5h57m   v1.20.0
master2                        Ready                      master   5h57m   v1.20.0
worker0                        Ready,SchedulingDisabled   worker   5h48m   v1.20.0
worker1                        Ready                      worker   5h48m   v1.20.0
worker2                        Ready                      worker   5h48m   v1.20.0

You can use the watch oc get nodes command to monitor the status of the nodes. The command provides an update every 2 seconds. When all nodes return Ready, you can exit the command by pressing Ctrl+C.

Alternatively, if you find that the oc get nodes command returns Ready prematurely, you can use the oc get mcp command to get the real-time status of the nodes.
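The wait described above can be scripted so that later steps do not start while a node is still cordoned. The following is an added example, not part of the IBM documentation or the cpd-cli tooling: the function names, the timeout defaults, and the machine config pool sample rows are assumptions made for illustration, and the script relies on the UPDATED, UPDATING, and DEGRADED columns that oc get mcp prints.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): block until the pull-secret rollout is done.

# Names of nodes whose STATUS is not exactly "Ready", for example
# "Ready,SchedulingDisabled". Reads `oc get nodes` output on stdin.
nodes_pending() {
  awk '$1 != "NAME" && NF >= 2 && $2 != "Ready" { print $1 }'
}

# Names of machine config pools still rolling out or degraded. Reads
# `oc get mcp` output on stdin: NAME CONFIG UPDATED UPDATING DEGRADED ...
mcp_pending() {
  awk '$1 != "NAME" && NF >= 5 &&
       ($3 != "True" || $4 != "False" || $5 != "False") { print $1 }'
}

# Poll both views until clean. Arguments: timeout and interval in seconds
# (assumed defaults). Returns 0 when done, 1 on timeout, 2 if oc fails.
wait_for_rollout() (
  timeout="${1:-3600}"; interval="${2:-15}"; waited=0
  while :; do
    # Capture oc output first so an oc failure is not read as "nothing pending".
    nodes="$(oc get nodes --no-headers)" || return 2
    pools="$(oc get mcp --no-headers)" || return 2
    if [ -z "$nodes" ] || [ -z "$pools" ]; then return 2; fi
    n="$(printf '%s\n' "$nodes" | nodes_pending)"
    p="$(printf '%s\n' "$pools" | mcp_pending)"
    if [ -z "$n$p" ]; then return 0; fi
    if [ "$waited" -ge "$timeout" ]; then return 1; fi
    printf 'waiting on nodes: %s pools: %s\n' "$n" "$p" >&2
    sleep "$interval"; waited=$((waited + interval))
  done
)

# Constructed sample: rows taken from the node listing shown above.
SAMPLE_NODES='master0   Ready                      master   5h57m   v1.20.0
worker0   Ready,SchedulingDisabled   worker   5h48m   v1.20.0
worker1   Ready                      worker   5h48m   v1.20.0'
# Constructed sample of `oc get mcp --no-headers` output (values invented).
SAMPLE_MCP='master   rendered-master-example   True    False   False   3   3   3   0   5h57m
worker   rendered-worker-example   False   True    False   3   2   2   0   5h48m'

if [ "${1:-}" = "--wait" ]; then
  wait_for_rollout "${2:-3600}" "${3:-15}"
else
  printf '%s\n' "$SAMPLE_NODES" | nodes_pending   # worker0
  printf '%s\n' "$SAMPLE_MCP" | mcp_pending       # worker
fi
```

Run the script with --wait on a workstation that is logged in to the cluster with oc; without arguments it only evaluates the embedded sample rows.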

Syntax

cpd-cli manage add-cred-to-global-pull-secret \
--registry=<private-registry-location> \
--registry_pull_user=<private-registry-pull-user> \
--registry_pull_password=<private-registry-pull-password> \
[--preview=true|false]

Arguments

The add-cred-to-global-pull-secret command has no arguments.

Options

Option: --preview
Description: Preview the commands that run when you issue this CLI command.

The command issues a series of oc commands. You can see the list of oc commands that are associated with the command.

The oc commands are saved to the preview.sh file in the work directory.

Status: Optional.
Syntax: --preview=true|false
Default value: false

If you omit this option, the default value is used.

Valid values:
  • false: Run the commands to apply the changes to your cluster.
  • true: Preview the commands without running them.

You can copy the oc commands from the output and run them yourself. However, this method is not recommended. When you run the commands manually, you do not have access to the additional helper scripts that are included in the underlying Ansible® playbook.

Option: --registry
Description: The hostname or IP address of the private container registry.

Status: Required.
Syntax: --registry=<private-registry-location>
Default value: No default.
Valid values: The hostname or IP address of the private container registry.

Keep the following guidance in mind:
  • Do not specify http:// or https://.
  • If the registry is running on port 80 or 443, you can omit the port. However, if the registry is running on a different port, you must specify the port.

Option: --registry_pull_user
Description: The username of a user who has the required privileges to pull images from the private container registry.

Status: Required.
Syntax: --registry_pull_user=<private-registry-pull-user>
Default value: No default.
Valid values: The username of a user who has the required privileges to pull images from the private container registry.

Option: --registry_pull_password
Description: The password of the user who has the required privileges to pull images from the private container registry.

Status: Required.
Syntax: --registry_pull_password=<private-registry-pull-password>
Default value: No default.
Valid values: The password of the user who has the required privileges to pull images from the private container registry.

Table 1: Command options

Examples

Best practice: The following example uses the recommended installation environment variables.

It is strongly recommended that you use a script to create environment variables with the correct values for your environment. For details, see Best practice: Setting up installation environment variables.

Add your private container registry credentials to the global pull secret:

cpd-cli manage add-cred-to-global-pull-secret \
--registry="${PRIVATE_REGISTRY_LOCATION}" \
--registry_pull_user="${PRIVATE_REGISTRY_PULL_USER}" \
--registry_pull_password="${PRIVATE_REGISTRY_PULL_PASSWORD}"

Preview the oc commands to add your private container registry credentials to the global pull secret:

cpd-cli manage add-cred-to-global-pull-secret \
--registry="${PRIVATE_REGISTRY_LOCATION}" \
--registry_pull_user="${PRIVATE_REGISTRY_PULL_USER}" \
--registry_pull_password="${PRIVATE_REGISTRY_PULL_PASSWORD}" \
--preview=true