Creating an image pull secret for an IBM Cloud® based installation

You can create a global image pull secret that each worker node in the cluster can use to pull images from a private registry.

Before you begin

  • Download oc from the OpenShift web console and the IBM Cloud CLI (the IBM Cloud CLI is needed only for CPFS managed OCP).
  • Install the container-service plug-in: ibmcloud plugin install container-service.
  • Download the jq JSON processor command-line package.

Procedure

  1. Create a secret value that holds the credentials to access your private registry and store the decoded secret value in a JSON file. When you create the secret value, the credentials are automatically encoded to base64. Because of the --dry-run=client option, the secret manifest is only generated; no secret object is created in your cluster. The decoded secret value is then stored in a JSON file for later use in your global pull secret.
    oc create secret docker-registry <secret_name> \
    --docker-server=${PROD_REGISTRY} \
    --docker-username=${PROD_USER} \
    --docker-password=${IBM_ENTITLEMENT_KEY} \
    --docker-email=<email> \
    --dry-run=client \
    --output="jsonpath={.data.\.dockerconfigjson}" | base64 \
    --decode > myregistryconfigjson
  2. Retrieve the decoded secret value of the default global pull secret and store the value in a dockerconfigjson file.
    oc get secret pull-secret -n openshift-config \
    --output="jsonpath={.data.\.dockerconfigjson}" | base64 \
    --decode > dockerconfigjson
  3. Merge the private registry pull secret file myregistryconfigjson that you generated with the default global pull secret file dockerconfigjson. The jq * operator merges the two objects recursively, so the entries for the existing Red Hat registries under auths are kept and your private registry is added alongside them.
    jq -s '.[0] * .[1]' dockerconfigjson myregistryconfigjson > dockerconfigjson-merged
  4. Update the global pull secret with the merged dockerconfigjson-merged file.
    oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=dockerconfigjson-merged
  5. Verify that the global pull secret is updated. Check that your private registry and each of the default Red Hat registries appear in the output of the following command.
    oc get secret pull-secret -n openshift-config \
    --output="jsonpath={.data.\.dockerconfigjson}" | base64 \
    --decode
  6. To pick up the global configuration changes, reload all the worker nodes in your cluster.
    1. Note the ID of the worker nodes in your cluster.
      ibmcloud oc worker ls -c <cluster_name_or_ID>
    2. Reload each worker node. You can reload multiple worker nodes by including multiple -w flags, but make sure to keep enough worker nodes running at the same time for your apps to avoid an outage.
      Note: For IBM VPC type clusters, the Reload option is not available. You can use the Replace option.
      ibmcloud oc worker reload -c <cluster_name_or_ID> \
      -w <workerID_1> -w <workerID_2>
  7. After the worker nodes are back in a working state, verify that the global pull secret is updated on a worker node.
    1. Start a debugging pod to log in to a worker node. For <node_name>, use the worker node's Private IP from the ibmcloud oc worker ls output.
      oc debug node/<node_name>
    2. Change the root directory to the host so that you can view files on the worker node.
      chroot /host
    3. Verify that the Docker configuration file has the registry credentials that match the global pull secret that you set.
      cat /.docker/config.json
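The merge and verification performed in steps 1 to 5, as an added example that is not part of this IBM documentation. It reproduces what oc create secret docker-registry --dry-run=client emits, what jq -s '.[0] * .[1]' does to the two files, and the registry check from step 5; the registry name private.registry.example, the credentials and the placeholder auth strings are all constructed sample values.

```python
import base64
import json
from typing import Any, Dict, List

# Constructed sample of what step 2 decodes from the default global pull secret.
# The registry names are the Red Hat defaults; the auth values are placeholders.
DEFAULT_PULL_SECRET = json.dumps({"auths": {
    "quay.io": {"auth": "PLACEHOLDER_QUAY_AUTH", "email": "admin@example.com"},
    "registry.redhat.io": {"auth": "PLACEHOLDER_RH_AUTH", "email": "admin@example.com"},
}})


def docker_config_for(server: str, user: str, password: str, email: str) -> str:
    """Decoded .dockerconfigjson as produced in step 1: the auth field is base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    entry = {"username": user, "password": password, "email": email, "auth": token}
    return json.dumps({"auths": {server: entry}})


def deep_merge(left: Dict[str, Any], right: Dict[str, Any]) -> Dict[str, Any]:
    """Same semantics as jq's `.[0] * .[1]` in step 3: recursive merge, right side wins on conflict."""
    merged = dict(left)
    for key, value in right.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def merge_pull_secrets(default_json: str, private_json: str) -> str:
    return json.dumps(deep_merge(json.loads(default_json), json.loads(private_json)))


def shallow_merge_pull_secrets(default_json: str, private_json: str) -> str:
    """The mistake to avoid (jq `.[0] + .[1]`): the whole auths map is replaced, not merged."""
    return json.dumps({**json.loads(default_json), **json.loads(private_json)})


def missing_registries(config_json: str, required: List[str]) -> List[str]:
    """Step 5 check: required registries that have no entry under auths."""
    auths = json.loads(config_json).get("auths", {})
    return [registry for registry in required if registry not in auths]


if __name__ == "__main__":
    private = docker_config_for("private.registry.example", "cp", "ENTITLEMENT_KEY_PLACEHOLDER", "admin@example.com")
    required = ["quay.io", "registry.redhat.io", "private.registry.example"]
    print("deep merge missing:", missing_registries(merge_pull_secrets(DEFAULT_PULL_SECRET, private), required))
    print("shallow merge missing:", missing_registries(shallow_merge_pull_secrets(DEFAULT_PULL_SECRET, private), required))
```

With the deep merge nothing is missing; with the shallow merge the Red Hat registries disappear, which is exactly what the step 5 check is meant to catch before worker nodes are reloaded.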