Configuring the cluster to pull images
If you are using a private registry, you need to update your cluster configuration to ensure that your cluster can pull External S-TAP® software images. If you are using IBM Cloud® Container Registry, you can skip this step.
- Permissions you need for this task
- You must be a cluster administrator.
- When you need to complete this task
- You must complete this task the first time you install an External S-TAP.
Procedure
You need to configure a global pull-secret and update the image content source policy only if your cluster pulls images from a private container registry.
The global image pull-secret must contain the credentials of an account that can pull images from the registry.
If your deployment is on cloud, you must manually reload the worker nodes in your cluster for the changes to take effect.
- Configure the global image pull-secret:
- Confirm that the following installation variables are set based on the private container registry that OpenShift is going to pull from:
echo $REGISTRY_HOST
echo $REGISTRY_PORT
echo $REGISTRY_USERNAME
echo $REGISTRY_PASSWORD
- Create an environment variable that points to a temporary directory on your workstation. For example:
export WORKDIR=$HOME/temp/work
- Download the pull-secret for the cluster:
oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > $WORKDIR/global_pull_secret.cfg
- Store the registry credentials to the pull-secret config file:
oc registry login --registry="$REGISTRY_HOST:$REGISTRY_PORT" --auth-basic="$REGISTRY_USERNAME:$REGISTRY_PASSWORD" --to=$WORKDIR/global_pull_secret.cfg
- Update the global pull-secret with the new data:
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=$WORKDIR/global_pull_secret.cfg
- Watch the machine config pool (MCP) status to see when all worker nodes have been updated to use the new pull-secret data:
watch oc get mcp
- Edit the image content source policy:
- Configure the cluster to pull from the mirror registry. Use the following command to open the source policy:
oc edit imagecontentsourcepolicy
Make changes to imagecontentsourcepolicy as needed for your system:
apiVersion: v1
kind: List
items:
- apiVersion: operator.openshift.io/v1alpha1
  kind: ImageContentSourcePolicy
  metadata:
    name: cloud-pak-for-data-cpfs-mirror
  spec:
    repositoryDigestMirrors:
    - mirrors:
      - $REGISTRY_HOST:$REGISTRY_PORT/cpopen
      source: icr.io/cpopen
    - mirrors:
      - $REGISTRY_HOST:$REGISTRY_PORT/guardium-insights
      source: icr.io/guardium-insights
- Run the imagecontentsourcepolicy policy and wait until all of the nodes are updated. You can use the following command to track the progress:
watch oc get mcp
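The global pull-secret replaces the credentials used by every node, so it is worth checking the merged global_pull_secret.cfg before it is written back with oc set data. The following is an added example, not part of the original procedure or IBM's tooling: it assumes you kept a copy of the file as downloaded (before the oc registry login step), and the function name, hosts and credentials are constructed for illustration.

```python
import base64
import json


def check_pull_secret(merged_text, original_text, registry):
    """Return a list of problems found in the merged .dockerconfigjson text."""
    problems = []
    try:
        merged = json.loads(merged_text)["auths"]
        original = json.loads(original_text)["auths"]
    except (ValueError, KeyError, TypeError):
        return ["file is not a dockerconfigjson document with an 'auths' object"]
    # Registries already in the cluster secret must survive the merge,
    # otherwise nodes lose access to images they could pull before.
    for host in sorted(set(original) - set(merged)):
        problems.append(f"existing entry dropped: {host}")
    entry = merged.get(registry)
    if entry is None:
        problems.append(f"no entry for {registry}")
        return problems
    try:
        raw = base64.b64decode(entry.get("auth", ""), validate=True)
        user, _, password = raw.decode().partition(":")
    except ValueError:
        problems.append(f"auth for {registry} is not valid base64")
        return problems
    if not user or not password:
        problems.append(f"auth for {registry} does not decode to user:password")
    return problems


def _auth(user, password):
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample data (hypothetical hosts and credentials).
REGISTRY = "registry.example.com:5000"
ORIGINAL = json.dumps({"auths": {"quay.io": {"auth": _auth("u", "p")}}})
MERGED = json.dumps({"auths": {"quay.io": {"auth": _auth("u", "p")},
                               REGISTRY: {"auth": _auth("puller", "s3cret")}}})
CLOBBERED = json.dumps({"auths": {REGISTRY: {"auth": "not-base64!"}}})

if __name__ == "__main__":
    print(check_pull_secret(MERGED, ORIGINAL, REGISTRY))
    print(check_pull_secret(CLOBBERED, ORIGINAL, REGISTRY))
```

An empty list means the merged file keeps every existing registry entry and carries a decodable user:password entry for the private registry.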
What's next
After you update the global pull-secret and push the images to the private repository, you can create your catalog sources as described in Creating catalog sources.