Getting access to the new container images for upgrade
To get access to the container images, you must have an IBM entitlement registry key to pull the images from the IBM docker registry or download the packages (.tgz files) from Passport Advantage (PPA).
About this task
- Airgap scenario
- For users with a cluster in a private network that doesn’t have public internet access, follow the steps in Setting up the private registry.
- Non-Airgap scenario
- For other users, you can choose one of the options:
Downloading container images from the IBM Entitled Registry
About this task
The deployment script uses the entitlement key to create the secret to pull the images, so you do not need to create the image pull secret unless you want to create the secret yourself or you do not plan to use the scripts. You can obtain your entitlement key from the Container Library.
If your platform is OpenShift based, you can also update the global pull secret for your cluster to ensure that all namespaces on your cluster have the necessary credentials to pull images.
Procedure
- Choice 1: If you plan to use the deployment scripts and you do not want to use a global image pull secret, then you do not need to do anything as the secrets are created for you.
- Choice 2: If you plan to use OCP or any CNCF Kubernetes platform, you can manually create pull secrets in the required namespaces.
  You can manually create image pull secrets by using the kubectl command line. The following example uses the IBM Entitled Registry. For more information about the procedure as it could be used with private registries, see Kubernetes documentation.
  To pull images from the IBM Entitled Registry, create a secret named ibm-entitlement-key in the target namespace:
  kubectl create secret docker-registry ibm-entitlement-key --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email> -n <namespace>
  where:
  - <your-registry-server> is cp.icr.io.
  - <your-name> is cp.
  - <your-pword> is your entitlement-key.
  - <your-email> is your email.
  - <namespace> is the namespace created for the deployment.
- Choice 3: If you plan to use the OCP console to install, then you must create the secrets that you need in the appropriate namespaces.
  - Make sure that you are in the NAMESPACE where you want to create the secret. Click Create, and then select "image pull secret".
  - In the Create Image Pull Secret window, add the following details, and then click Create.
- Choice 4: If you plan to use OCP and want to use the global pull secret:
  Determine whether a global pull secret exists. From the OpenShift console, search for pull-secret in the openshift-config project. From the OCP CLI, the following command generates a JSON file .dockerconfigjson if it does not exist.
  oc extract secret/pull-secret -n openshift-config
  Note: If a global pull secret exists for cp.icr.io, then the operator can already pull images from IBM Entitled Registry. If it does not exist, you must add it.
  Table 2. Add IBM Entitled Registry credentials to the global pull secret
  OpenShift console
  Switch to the openshift-config namespace. If the pull-secret secret does not exist, click Create, and then select "image pull secret". In the Create Image Pull Secret window, add the following details, and then click Create.
  - Name: pull-secret
  - Registry Server Address: cp.icr.io
  - Username: cp
  - Password: Your IBM Entitlement Key
  - Email: Optional
  If it does exist, select the secret, and then click Add credentials, enter the information, and click Save.
  OCP CLI
  If the .dockerconfigjson is empty:
  - Set the following environment variables:
    export REGISTRY_USER=cp
    export REGISTRY_PASSWORD=entitlement-key
    export REGISTRY_SERVER=cp.icr.io
    Replace entitlement-key with your entitlement key.
  - Run the following command to create the pull secret:
    oc create secret docker-registry \
      --docker-server=${REGISTRY_SERVER} \
      --docker-username=${REGISTRY_USER} \
      --docker-password=${REGISTRY_PASSWORD} \
      --docker-email=${REGISTRY_USER} \
      -n openshift-config pull-secret
  If the pull secret exists:
  - Encode the username and password by using Base64 encoding:
    echo -n "cp:entitlement-key" | base64 -w0
    Replace entitlement-key with your entitlement key.
  - Add an entry for the container registry to the auths section in the JSON file. In the following example, the first entry (registry-location) is the new entry and the second entry (myregistry.example.com) is the existing entry:
    {
      "auths":{
        "registry-location":{
          "auth":"base64-encoded-credentials",
          "email":"not-used"
        },
        "myregistry.example.com":{
          "auth":"b3Blb=",
          "email":"not-used"
        }
      }
    }
    Replace the following values:
    - registry-location: The value is cp.icr.io.
    - base64-encoded-credentials: The encoded credentials that you generated in the previous step. For example, cmVnX3VzZXJuYW1lOnJlZ19wYXNzd29yZAo=.
  - Apply the new configuration:
    oc set data secret/pull-secret -n openshift-config \
      --from-file=.dockerconfigjson=.dockerconfigjson
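The merge described in the OCP CLI steps above, as an added Python example (not IBM's code): it adds the cp.icr.io entry to an extracted .dockerconfigjson without dropping existing registries, then checks every auth value for invalid Base64 or a stray newline, which is what echo without -n produces. The function names and the sample input are assumptions made for this example.

```python
import base64
import binascii
import json


def encode_auth(user: str, key: str) -> str:
    """Same result as: echo -n "user:key" | base64 -w0 (no trailing newline)."""
    return base64.b64encode(f"{user}:{key}".encode()).decode()


def check_auth(value: str) -> list[str]:
    """Return the problems found in one "auth" value (empty list if clean)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["not valid Base64"]
    problems = []
    if b":" not in raw:
        problems.append("decoded value is not user:password")
    if raw != raw.strip():
        problems.append("whitespace around credentials (echo without -n?)")
    return problems


def merge_registry(config_text: str, server: str, user: str, key: str) -> str:
    """Add or replace one registry under "auths", keeping existing entries."""
    config = json.loads(config_text or "{}")
    auths = config.setdefault("auths", {})
    auths[server] = {"auth": encode_auth(user, key), "email": "not-used"}
    return json.dumps(config, indent=2)


def audit(config_text: str) -> dict[str, list[str]]:
    """Map each registry in "auths" to the problems in its entry."""
    auths = json.loads(config_text).get("auths", {})
    return {srv: check_auth(e.get("auth", "")) for srv, e in auths.items()}


if __name__ == "__main__":
    # Constructed sample: an extracted .dockerconfigjson with one existing entry.
    existing = json.dumps({"auths": {"myregistry.example.com": {
        "auth": encode_auth("reg_username", "reg_password"), "email": "not-used"}}})
    merged = merge_registry(existing, "cp.icr.io", "cp", "entitlement-key")
    print(merged)
    print(audit(merged))
```

Run audit on the file before oc set data. The sample value cmVnX3VzZXJuYW1lOnJlZ19wYXNzd29yZAo= decodes with a trailing newline, so check_auth reports it.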
Results
If you have a VPC Gen2 cluster and you use Portworx storage, see Portworx storage limitations before you reload your worker nodes.