The global image pull secret ensures that the remote physical location
has the necessary credentials to pull images. The credentials that you add to the global image pull
secret depend on where you want to pull images from.
- Who needs to complete this task?
-
Cluster administrator A cluster administrator
must complete this task.
- When do you need to complete this task?
-
One-time setup You must complete this task
before you install the Cloud Pak for Data
agents on the remote physical location.
Before you begin
Best practice: You can run the commands in
this task exactly as written if you use set up environment variables for the remote physical
location in addition to the installation environment variables script. For instructions, see
Setting up
environment variables for a remote physical location.Before you run the commands in this
task, ensure that you source the environment variables for:
- The primary cluster
- The remote physical location
About this task
Use the appropriate cpd-cli
manage command to create or update the global image pull secret with the
appropriate credentials:
- IBM
Entitled Registry
- If you are pulling images from the IBM
Entitled Registry,
the global image pull secret must contain your IBM entitlement API
key.
Use the cpd-cli
manage
add-icr-cred-to-global-pull-secret command to create or update the global image pull
secret.
- Private container registry
- If you are pulling images from a private container registry, the global image pull secret must
contain the credentials of an account that can pull images from the registry.
Use the
cpd-cli
manage
add-cred-to-global-pull-secret command to create or update the global image pull
secret.
Procedure
- Log the
cpd-cli in to the Red Hat®
OpenShift® Container Platform
cluster:
Remember:
REMOTE_CPDM_OC_LOGIN is an alias for the cpd-cli
manage
login-to-ocp command when you are connecting to a remote
cluster.
- Run the appropriate command to update the global image pull secret:
IBM
Entitled Registry
Run the following command to provide your IBM entitlement API key to the global image pull
secret:
cpd-cli manage add-icr-cred-to-global-pull-secret \
--entitled_registry_key=${IBM_ENTITLEMENT_KEY}
Private container registry
Run the following command to provide the credentials of a user that can pull images from
the registry:
cpd-cli manage add-cred-to-global-pull-secret \
--registry=${PRIVATE_REGISTRY_LOCATION} \
--registry_pull_user=${PRIVATE_REGISTRY_PULL_USER} \
--registry_pull_password=${PRIVATE_REGISTRY_PULL_PASSWORD}
- If you are setting up a remote physical location on Red Hat
OpenShift on IBM Cloud, you must manually reload the worker nodes in
your cluster for the changes to take effect. For more information, see Adding a private registry to the global pull secret in the
Red Hat
OpenShift on IBM Cloud documentation.
- Get the status of the nodes.
cpd-cli manage oc get nodes
Wait until all the nodes are Ready before you proceed to the next step. For
example, if you see Ready,SchedulingDisabled, wait for the process to complete:
NAME STATUS ROLES AGE VERSION
master0 Ready master 5h57m v1.20.0
master1 Ready master 5h57m v1.20.0
master2 Ready master 5h57m v1.20.0
worker0 Ready,SchedulingDisabled worker 5h48m v1.20.0
worker1 Ready worker 5h48m v1.20.0
worker2 Ready worker 5h48m v1.20.0
Tip: You can use the
watch oc get nodes command to monitor the status
of the nodes. The command provides an update every 2 seconds. When all of the nodes return
Ready you can exit the command by pressing
Ctrl+C.
Alternatively, if you find that the oc get nodes
command returns Ready prematurely, you can use the oc get mcp
command to get the real-time status of the nodes.
What to do next
Now that you've updated the global image pull secret for the remote physical location,
you're ready to complete Manually creating projects (namespaces) for the shared cluster components for a remote physical location.