Configuring your cluster to pull Cloud Pak for Data images
To ensure that your cluster can pull Cloud Pak for Data software images, you must update your cluster configuration.
- Permissions you need for this task
- You must be a cluster administrator.
- When you need to complete this task
- You must complete this task the first time you install Cloud Pak for Data.
Before you begin
Ensure that you run the environment variable script before you run the commands in this task.
Procedure
The tasks that you must complete depend on whether your cluster pulls images directly from the IBM® Entitled Registry or from a private container registry.
Task | IBM Entitled Registry | Private container registry |
---|---|---|
1. Configuring the global image pull secret | Required | Required |
2. Configuring an image content source policy | Not applicable | Required |
1. Configuring the global image pull secret
Ensure that you run the environment variable script before you run the commands in this task.
The global image pull secret ensures that your cluster has the necessary credentials to pull images.
The credentials that you add to the global image pull secret depend on where you want to pull images from:
- IBM Entitled Registry
- If you are pulling images from the IBM Entitled Registry, the global image pull secret must contain your IBM entitlement API key.
- Private container registry
- If you are pulling images from a private container registry, the global image pull secret must contain the credentials of an account that can pull images from the registry.
If you have already configured the global image pull secret with the necessary credentials, you can skip this task.
If your deployment is on IBM Cloud, you must manually reload the worker nodes in your cluster for the changes to take effect.
To configure the global image pull secret:
- Confirm that the following installation environment variables are set based on the container registry that OpenShift® is going to pull from:
  IBM Entitled Registry
    echo $IBM_ENTITLEMENT_SERVER
    echo $IBM_ENTITLEMENT_USER
    echo $IBM_ENTITLEMENT_KEY
  Private container registry
    echo $PRIVATE_REGISTRY_LOCATION
    echo $PRIVATE_REGISTRY_PULL_USER
    echo $PRIVATE_REGISTRY_PULL_PASSWORD
- Create an environment variable that points to a temporary directory on your workstation. For example:
    export WORK_ROOT=$HOME/temp/work
- Download the pull secret to the temporary directory:
    oc get secret/pull-secret \
    -n openshift-config \
    --template='{{index .data ".dockerconfigjson" | base64decode}}' > ${WORK_ROOT}/global_pull_secret.cfg
- Add the new pull secret to the local copy of the global_pull_secret.cfg file:
  IBM Entitled Registry
    oc registry login \
    --registry="${IBM_ENTITLEMENT_SERVER}" \
    --auth-basic="${IBM_ENTITLEMENT_USER}:${IBM_ENTITLEMENT_KEY}" \
    --to=${WORK_ROOT}/global_pull_secret.cfg
  Private container registry
    oc registry login \
    --registry="${PRIVATE_REGISTRY_LOCATION}" \
    --auth-basic="${PRIVATE_REGISTRY_PULL_USER}:${PRIVATE_REGISTRY_PULL_PASSWORD}" \
    --to=${WORK_ROOT}/global_pull_secret.cfg
- Update the global pull secret on your cluster:
    oc set data secret/pull-secret \
    -n openshift-config \
    --from-file=.dockerconfigjson=${WORK_ROOT}/global_pull_secret.cfg
- Get the status of the nodes:
    oc get nodes
  Wait until all the nodes are Ready before you proceed to the next step. For example, if you see Ready,SchedulingDisabled, wait for the process to complete:
    NAME      STATUS                     ROLES    AGE     VERSION
    master0   Ready                      master   5h57m   v1.20.0
    master1   Ready                      master   5h57m   v1.20.0
    master2   Ready                      master   5h57m   v1.20.0
    worker0   Ready,SchedulingDisabled   worker   5h48m   v1.20.0
    worker1   Ready                      worker   5h48m   v1.20.0
    worker2   Ready                      worker   5h48m   v1.20.0
  Tip: You can use the watch oc get nodes command to monitor the status of the nodes. The command provides an update every 2 seconds. When all of the nodes return Ready, you can exit the command by pressing Ctrl+C.
  Alternatively, if you find that the oc get nodes command returns Ready prematurely, you can use the oc get mcp command to get the real-time status of the nodes.
- IBM Entitled Registry
- Now that you've updated the global pull secret to include your IBM entitlement API key, you're ready to complete Creating catalog sources.
- Private container registry
- Now that you've updated the global pull secret to include the credentials of an account that can pull images from the registry, you're ready to complete 2. Configuring an image content source policy.
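Because the update step in task 1 replaces the entire .dockerconfigjson value, a truncated or partial global_pull_secret.cfg would remove credentials that the cluster already relies on. The following added example (not part of the IBM procedure) compares the file contents before and after oc registry login; it assumes that you kept a copy of the downloaded file, and the registry names, user names and secrets in it are constructed sample values.

```python
import base64
import json


def _auths(text):
    """Parse a .dockerconfigjson document and return its 'auths' mapping."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or not isinstance(doc.get("auths"), dict):
        raise ValueError("missing 'auths' object")
    return doc["auths"]


def check_merged_pull_secret(before, after, registry, user):
    """Return a list of problems; an empty list means the file is safe to upload."""
    try:
        old, new = _auths(before), _auths(after)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return [f"not a valid pull secret: {exc}"]
    # `oc set data` replaces the whole key, so every existing entry must survive.
    problems = [f"existing registry dropped: {h}" for h in sorted(set(old) - set(new))]
    entry = new.get(registry)
    if not isinstance(entry, dict):
        return problems + [f"no entry for {registry}"]
    try:
        raw = base64.b64decode(entry.get("auth", ""), validate=True).decode()
    except (ValueError, TypeError):  # bad base64, bad UTF-8 or a non-string value
        return problems + [f"auth for {registry} is not valid base64"]
    name, sep, secret = raw.partition(":")
    if name != user or not sep or not secret:
        problems.append(f"auth for {registry} is not '{user}:<non-empty secret>'")
    return problems


def _entry(user, secret):
    return {"auth": base64.b64encode(f"{user}:{secret}".encode()).decode()}


# Constructed sample data (not real credentials).
BEFORE = json.dumps({"auths": {"quay.io": _entry("u1", "p1"),
                               "registry.redhat.io": _entry("u2", "p2")}})
MERGED = json.dumps({"auths": {**json.loads(BEFORE)["auths"],
                               "cp.icr.io": _entry("cp", "constructed-key")}})
CLOBBERED = json.dumps({"auths": {"cp.icr.io": _entry("cp", "constructed-key")}})

if __name__ == "__main__":
    for label, doc in (("merged", MERGED), ("clobbered", CLOBBERED), ("empty", "")):
        print(label, check_merged_pull_secret(BEFORE, doc, "cp.icr.io", "cp"))
```

The working file holds every registry credential in decoded form (base64 is an encoding, not encryption), so keep ${WORK_ROOT} readable only by your own user and delete global_pull_secret.cfg after the cluster is updated.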
2. Configuring an image content source policy
If you mirrored images to a private container registry, you must tell your cluster where to find the software images. (For more information about how Red Hat® OpenShift Container Platform locates images from a mirrored repository, see Configuring image registry repository mirroring in the Red Hat OpenShift Container Platform documentation.)
To configure an image content source policy:
- Confirm that the following installation environment variable is set:
    echo $PRIVATE_REGISTRY_LOCATION
- Create an image content source policy. The contents of the policy depend on whether you have an existing policy for IBM Cloud Pak® foundational services.
  IBM Cloud Pak foundational services is already installed on the cluster
  If IBM Cloud Pak foundational services Version 3.18.0 is already installed, it is likely that you already have an image content source policy for icr.io/cpopen/cpfs. Therefore, you do not need to create a mirroring policy for those images.
    cat <<EOF |oc apply -f -
    apiVersion: operator.openshift.io/v1alpha1
    kind: ImageContentSourcePolicy
    metadata:
      name: cloud-pak-for-data-mirror
    spec:
      repositoryDigestMirrors:
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/cp
        source: cp.icr.io/cp
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/cp/cpd
        source: cp.icr.io/cp/cpd
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/cpopen
        source: icr.io/cpopen
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/db2u
        source: icr.io/db2u
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/guardium-insights
        source: icr.io/guardium-insights
    EOF
  IBM Cloud Pak foundational services is not installed on the cluster
  If IBM Cloud Pak foundational services is not installed, it is unlikely that you have an image content source policy for icr.io/cpopen/cpfs, so you should create a mirroring policy for those images.
    cat <<EOF |oc apply -f -
    apiVersion: operator.openshift.io/v1alpha1
    kind: ImageContentSourcePolicy
    metadata:
      name: cloud-pak-for-data-mirror
    spec:
      repositoryDigestMirrors:
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/cpopen/cpfs
        source: icr.io/cpopen/cpfs
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/cp
        source: cp.icr.io/cp
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/cp/cpd
        source: cp.icr.io/cp/cpd
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/cpopen
        source: icr.io/cpopen
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/db2u
        source: icr.io/db2u
      - mirrors:
        - ${PRIVATE_REGISTRY_LOCATION}/guardium-insights
        source: icr.io/guardium-insights
    EOF
- Verify that the image content source policy was created:
    oc get imageContentSourcePolicy
- Confirm that the output includes cloud-pak-for-data-mirror.
- Get the status of the nodes:
    oc get nodes
  Wait until all the nodes are Ready before you proceed to the next step. For example, if you see Ready,SchedulingDisabled, wait for the process to complete:
    NAME      STATUS                     ROLES    AGE     VERSION
    master0   Ready                      master   5h57m   v1.20.0
    master1   Ready                      master   5h57m   v1.20.0
    master2   Ready                      master   5h57m   v1.20.0
    worker0   Ready,SchedulingDisabled   worker   5h48m   v1.20.0
    worker1   Ready                      worker   5h48m   v1.20.0
    worker2   Ready                      worker   5h48m   v1.20.0
  Tip: You can use the watch oc get nodes command to monitor the status of the nodes. The command provides an update every 2 seconds. When all of the nodes return Ready, you can exit the command by pressing Ctrl+C.
  Alternatively, if you find that the oc get nodes command returns Ready prematurely, you can use the oc get mcp command to get the real-time status of the nodes.
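To see which image references the policy in task 2 actually redirects, the following added example (not IBM or Red Hat code) models the lookup for the policy variant that includes icr.io/cpopen/cpfs: only digest references are mirrored, a source matches on a path boundary, and the longest matching source is used. The private registry host, image names and digest are constructed sample values.

```python
# Sources from the policy variant that includes icr.io/cpopen/cpfs.
SOURCES = [
    "icr.io/cpopen/cpfs", "cp.icr.io/cp", "cp.icr.io/cp/cpd",
    "icr.io/cpopen", "icr.io/db2u", "icr.io/guardium-insights",
]


def build_rules(private_registry):
    """Map each source to its mirror: ${PRIVATE_REGISTRY_LOCATION}/<path after host>."""
    return {s: f"{private_registry}/{s.split('/', 1)[1]}" for s in SOURCES}


def resolve(image, rules):
    """Return (location the node tries first, reason)."""
    repo, at, digest = image.partition("@")
    if not at:
        return image, "tag reference, repositoryDigestMirrors does not apply"
    # A source matches the repository itself or any path below it.
    matches = [s for s in rules if repo == s or repo.startswith(s + "/")]
    if not matches:
        return image, "no matching source in the policy"
    src = max(matches, key=len)  # most specific source wins
    return f"{rules[src]}{repo[len(src):]}@{digest}", f"mirrored via {src}"


def unmirrored(images, rules):
    """Images that would still be requested from their original registry."""
    return [i for i in images if resolve(i, rules)[0] == i]


# Constructed sample values: registry host, image names and digest are made up.
RULES = build_rules("registry.example.com:5000")
DIGEST = "sha256:" + "a" * 64
IMAGES = [
    f"cp.icr.io/cp/cpd/example-service@{DIGEST}",
    f"icr.io/cpopen/cpfs/example-operator@{DIGEST}",
    "cp.icr.io/cp/cpd/example-service:4.0.0",
    f"icr.io/cpopenx/example@{DIGEST}",
]

if __name__ == "__main__":
    for image in IMAGES:
        print(image, "->", *resolve(image, RULES))
    print("still pulled from source:", unmirrored(IMAGES, RULES))
```

On a cluster without a route to icr.io or cp.icr.io, every reference that unmirrored() returns is a pull that fails, so run the manifests you plan to apply through a check like this before installation.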
What's next
Now that you've configured the image content source policy, you're ready to complete Creating catalog sources.