Configuring the cluster to pull images

If you are using a private registry, you need to update your cluster configuration to ensure that your cluster can pull External S-TAP software images. If you are using IBM Cloud® Container Registry, you can skip this step.

Permissions you need for this task
You must be a cluster administrator.
When you need to complete this task
You must complete this task the first time you install an External S-TAP.
Note: Best practice: You can run the commands in this task exactly as written if you set up environment variables that are described in step 2 of Deploying External S-TAP with an operator. Run the environment variable script before you run the commands in this task.

Procedure

You need to configure a global pull-secret and update the image content source policy only if your cluster pulls images from a private container registry.

The global image pull-secret must contain the credentials of an account that can pull images from the registry.

Important: When you change the global image pull-secret, each node in the cluster is automatically restarted so that the Machine Config Operator can apply the changes. This restart process happens one node at a time. The cluster will wait for a node to restart before starting the process on the next node. In some situations, it takes more than 30 minutes for all of the nodes to be restarted. During this process, you might notice that resources are temporarily unavailable.

If your deployment is on cloud, you must manually reload the worker nodes in your cluster for the changes to take effect.

  1. Configure the global image pull-secret:
    1. Confirm that the following installation variables are set based on the private container registry that OpenShift is going to pull from:
      echo $REGISTRY_HOST
      echo $REGISTRY_PORT
      echo $REGISTRY_USERNAME
      echo $REGISTRY_PASSWORD
    2. Create an environment variable that points to a temporary directory on your workstation. For example:
      export WORKDIR=$HOME/temp/work
    3. Download the pull-secret for the cluster:
      oc get secret/pull-secret \
      -n openshift-config \
      --template='{{index .data ".dockerconfigjson" | base64decode}}' > $WORKDIR/global_pull_secret.cfg
    4. Store the registry credentials to the pull-secret config file:
      oc registry login --registry="$REGISTRY_HOST:$REGISTRY_PORT" --auth-basic="$REGISTRY_USERNAME:$REGISTRY_PASSWORD" --to=$WORKDIR/global_pull_secret.cfg
    5. Update the global pull-secret with the new data:

      oc set data secret/pull-secret \
      -n openshift-config \
      --from-file=.dockerconfigjson=$WORKDIR/global_pull_secret.cfg
    6. Watch the machine config pool (MCP) status to see when all worker nodes have been updated to use the new pull-secret data:
      watch oc get mcp
  2. Edit the image content source policy:
    1. Configure the cluster to pull from the mirror registry. Use the following command to open the source policy:
      oc edit imagecontentsourcepolicy

      Make changes to imagecontentsourcepolicy as needed for your system:

      apiVersion: v1
      kind: List
      items:
      - apiVersion: operator.openshift.io/v1alpha1
        kind: ImageContentSourcePolicy
        metadata:
          name: cloud-pak-for-data-cpfs-mirror
        spec:
          repositoryDigestMirrors:
          - mirrors:
            - $REGISTRY_HOST:$REGISTRY_PORT/cpopen
            source: icr.io/cpopen
          - mirrors:
            - $REGISTRY_HOST:$REGISTRY_PORT/guardium-insights
            source: icr.io/guardium-insights
    2. Apply the imagecontentsourcepolicy changes and wait until all of the nodes are updated. You can use the following command to track the progress:
      watch oc get mcp
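
A check you could run between steps 1.4 and 1.5, before the merged file replaces the global pull-secret and triggers the node restarts (an added example, not part of the IBM procedure). It confirms that the file is valid, holds credentials for the private registry under the expected user, still contains the entries you name, and is not readable by other local users. The function name `check_pull_secret` and its `must_keep` argument are assumptions; the environment variables and file name are the ones used in step 1.

```python
import base64
import json
import os
import stat
import sys


def check_pull_secret(path, registry, username, must_keep=()):
    """Return a list of problems with a merged pull-secret file (empty list = OK)."""
    problems = []
    # The file holds registry credentials: flag group/other permission bits.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is accessible to group or others")
    try:
        with open(path, encoding="utf-8") as fh:
            auths = json.load(fh)["auths"]
        if not isinstance(auths, dict):
            raise TypeError("auths is not an object")
    except (ValueError, KeyError, TypeError):
        return problems + ["file is not JSON with a top-level 'auths' object"]
    # The new registry entry must decode to "<username>:<non-empty password>".
    try:
        decoded = base64.b64decode(auths[registry]["auth"], validate=True).decode()
        user, sep, password = decoded.partition(":")
        if not (sep and password):
            problems.append(f"auth for {registry} is not 'user:password'")
        elif user != username:
            problems.append(f"auth for {registry} belongs to another user")
    except (KeyError, TypeError):
        problems.append(f"no auth entry for {registry}")
    except ValueError:
        problems.append(f"auth for {registry} is not valid base64 text")
    # oc set data replaces the whole .dockerconfigjson value, so entries that
    # were in the downloaded secret must still be present (names are caller-supplied).
    for name in must_keep:
        if name not in auths:
            problems.append(f"existing entry for {name} is missing")
    return problems


if __name__ == "__main__":
    # Variable names follow the page; registries to keep are passed as arguments.
    cfg = os.path.join(os.environ["WORKDIR"], "global_pull_secret.cfg")
    reg = f'{os.environ["REGISTRY_HOST"]}:{os.environ["REGISTRY_PORT"]}'
    found = check_pull_secret(cfg, reg, os.environ["REGISTRY_USERNAME"], sys.argv[1:])
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

The script never prints the decoded password, and a non-zero exit status means the file should not be passed to `oc set data` yet.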

What's next

After you update the global pull-secret and push the images to the private repository, you can create your catalog sources as described in Creating catalog sources.