Updating the global image pull secret for IBM Software Hub on Red Hat OpenShift on IBM Cloud

If your Red Hat OpenShift on IBM Cloud cluster contains Red Hat Enterprise Linux® CoreOS worker nodes, you must create an image pull secret and apply the secret to all of the worker nodes on the cluster.

The global image pull secret is required for components that support only OLM installation. You must create the global image pull secret to ensure that any components that use OLM have access to the credentials for pulling images.

Installation phase
  • Setting up a client workstation
  • Setting up a cluster
  • Collecting required information
  • Preparing to run installs in a restricted network
  • Preparing to run installs from a private container registry
  • Preparing the cluster for IBM Software Hub (you are here)
  • Preparing to install an instance of IBM Software Hub
  • Installing an instance of IBM Software Hub
  • Setting up the control plane
  • Installing solutions and services

Who needs to complete this task?

Cluster administrator: A cluster administrator must complete this task.

When do you need to complete this task?

One-time setup: You must complete this task before you install IBM Software Hub for the first time.

Complete this task only if the following statements are true:
  • You are running Red Hat OpenShift on IBM Cloud.
  • Your cluster is running Red Hat OpenShift Container Platform Version 4.18 or later.
  • Your cluster contains Red Hat Enterprise Linux CoreOS worker nodes.

If the preceding statements do not apply to your environment, complete Updating the global image pull secret for IBM Software Hub instead.

About this task

If your Red Hat OpenShift on IBM Cloud cluster contains Red Hat Enterprise Linux CoreOS worker nodes, you must create an image pull secret in the kube-system project.

After you create the secret, you must create a DaemonSet to apply the secret to all of the worker nodes on the cluster.

Procedure

  1. Log the cpd-cli in to the Red Hat OpenShift Container Platform cluster:
    ${CPDM_OC_LOGIN}
    Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
  2. Create a secret that contains the appropriate credentials based on the registry that your cluster pulls images from:

    IBM Entitled Registry

    Run the following command to create a secret that contains your IBM entitlement API key:

    oc create secret docker-registry docker-auth-secret \
    --docker-server=cp.icr.io \
    --docker-username=cp \
    --docker-password=${IBM_ENTITLEMENT_KEY} \
    --namespace kube-system

    Private container registry

    Run the following command to create a secret that contains the credentials of a user that can pull images from the registry:

    oc create secret docker-registry docker-auth-secret \
    --docker-server=${PRIVATE_REGISTRY_LOCATION} \
    --docker-username=${PRIVATE_REGISTRY_PULL_USER} \
    --docker-password=${PRIVATE_REGISTRY_PULL_PASSWORD} \
    --namespace kube-system

  3. Create a DaemonSet named update-docker-config to apply the secret to the cluster nodes:
    cat << EOF | oc create -f -
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: update-docker-config
      namespace: kube-system
      labels:
        app: update-docker-config
    spec:
      selector:
        matchLabels:
          name: update-docker-config
      template:
        metadata:
          labels:
            name: update-docker-config
        spec:
          initContainers:
            - command: ["/bin/sh", "-c"]
              args:
                - >
                  echo "Checking if RHEL or RHCOS host";
                  [[ -s /docker-config/.docker/config.json  ]] && CONFIG_PATH=/docker-config/.docker || CONFIG_PATH=/docker-config/root/.docker;
                  echo "Backing up or restoring config.json";
                  [[ -s \$CONFIG_PATH/config.json ]] && cp \$CONFIG_PATH/config.json \$CONFIG_PATH/config.json.bak || cp \$CONFIG_PATH/config.json.bak \$CONFIG_PATH/config.json;
                  echo "Merging secret with config.json";
                  /host/usr/bin/jq -s '.[0] * .[1]' \$CONFIG_PATH/config.json /auth/.dockerconfigjson > \$CONFIG_PATH/config.tmp;
                  mv \$CONFIG_PATH/config.tmp \$CONFIG_PATH/config.json;
                  echo "Sending signal to reload crio config";
                  pidof crio;
                  kill -1 \$(pidof crio)
              image: icr.io/ibm/alpine:latest
              imagePullPolicy: IfNotPresent
              name: updater
              resources: {}
              securityContext:
                privileged: true
              volumeMounts:
                - name: docker-auth-secret
                  mountPath: /auth
                - name: docker
                  mountPath: /docker-config
                - name: bin
                  mountPath: /host/usr/bin
                - name: lib64
                  mountPath: /lib64
          containers:
            - resources:
                requests:
                  cpu: 0.01
              image: icr.io/ibm/alpine:latest
              name: sleepforever
              command: ["/bin/sh", "-c"]
              args:
                - >
                  while true; do
                    sleep 100000;
                  done
          hostPID: true
          volumes:
            - name: docker-auth-secret
              secret:
                secretName: docker-auth-secret
            - name: docker
              hostPath:
                path: /
            - name: bin
              hostPath:
                path: /usr/bin
            - name: lib64
              hostPath:
                path: /lib64
                type: Directory
    EOF
  4. Confirm that the DaemonSet pods are running on all worker nodes:
    oc get daemonset update-docker-config \
    --namespace kube-system
    Ensure that the number of nodes in each of the following columns is the same:
    • DESIRED
    • CURRENT
    • READY
    • UP-TO-DATE
    • AVAILABLE
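
The step 4 check as a script, added here as an example rather than taken from the IBM procedure. The function names ds_rollout_ok and check_update_docker_config are hypothetical. The script also rejects the case where all five columns match at 0, which satisfies "the same number" but means no node ran the updater.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not from the IBM procedure.

# ds_rollout_ok DESIRED CURRENT READY UP-TO-DATE AVAILABLE
# Returns 0 only when every counter equals DESIRED and DESIRED is non-zero.
# A pod is counted READY only after its "updater" init container exits 0,
# so READY == DESIRED means the merge and the crio reload ran on every node.
ds_rollout_ok() {
  desired=${1:-0}; current=${2:-0}; ready=${3:-0}
  updated=${4:-0}; available=${5:-0}
  for v in "$desired" "$current" "$ready" "$updated" "$available"; do
    case $v in
      *[!0-9]*) echo "non-numeric status value: $v" >&2; return 2 ;;
    esac
  done
  # Five zeros are "the same number", but no node received the secret.
  if [ "$desired" -eq 0 ]; then
    echo "DESIRED is 0: no node is running update-docker-config" >&2
    return 1
  fi
  for v in "$current" "$ready" "$updated" "$available"; do
    if [ "$v" -ne "$desired" ]; then
      echo "incomplete: desired=$desired current=$current ready=$ready" \
           "up-to-date=$updated available=$available" >&2
      return 1
    fi
  done
  return 0
}

# Reads the counters from the cluster. Each field is queried on its own
# because the API omits some counters (for example numberAvailable) while
# they are 0; an empty result is passed on as 0.
check_update_docker_config() {
  set --
  for f in desiredNumberScheduled currentNumberScheduled numberReady \
           updatedNumberScheduled numberAvailable; do
    v=$(oc get daemonset update-docker-config --namespace kube-system \
          -o jsonpath="{.status.$f}") || return 2
    set -- "$@" "${v:-0}"
  done
  ds_rollout_ok "$@"
}

# Usage: check_update_docker_config && echo "pull secret applied on all nodes"
```
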
If you encounter issues while completing this task, review Updating the global image pull secret in the Red Hat OpenShift on IBM Cloud documentation.