IBM Cloud Docs
Updating the global pull secret in Satellite clusters

Updating the global pull secret in Satellite clusters

After setting up a Satellite cluster, you can update the global pull secret in your cluster to pull from a private container registry other than quay.io or icr.io. For example, you might want to pull images from the Cloud Pak Entitled Registry (cp.icr.io) or your own private registry.

There are two ways to update the global pull secret in Satellite clusters.

Updating the global pull secret.
Use this approach if you have one or few clusters to maintain. You must repeat these steps for each cluster where you want to apply the secret.
Updating the global pull secret by using Satellite config.
Use this approach if you maintain several Satellite clusters and cluster groups. By using Satellite config, you can apply the secret changes across your Satellite clusters and cluster groups.

Updating the global pull secret

Complete the following steps to update the global pull secret in your Satellite cluster.

  1. Create a secret that has the credentials for the registry you want to use.
    oc create secret docker-registry docker-auth-secret \
--docker-server=REGISTRY \
--docker-username=USERNAME \
--docker-password=PASSWORD \
--namespace kube-system
    Example create secret command for using the Cloud Pak Entitled Registry.
    oc create secret docker-registry docker-auth-secret \
--docker-server=cp.icr.io \
--docker-username=cp \
--docker-password=ENTITLEMENT-KEY \
--namespace kube-system
  2. Create a DaemonSet to apply the secret across all worker nodes.
    cat << EOF | oc create -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: update-docker-config
  namespace: kube-system
  labels:
    app: update-docker-config
spec:
  selector:
    matchLabels:
      name: update-docker-config
  template:
    metadata:
      labels:
        name: update-docker-config
    spec:
      initContainers:
        - command: ["/bin/sh", "-c"]
          args:
            - >
              echo "Checking if RHEL or RHCOS host";
              [[ -s /docker-config/.docker/config.json  ]] && CONFIG_PATH=/docker-config/.docker || CONFIG_PATH=/docker-config/root/.docker;
              echo "Backing up or restoring config.json";
              [[ -s \$CONFIG_PATH/config.json ]] && cp \$CONFIG_PATH/config.json \$CONFIG_PATH/config.json.bak || cp \$CONFIG_PATH/config.json.bak \$CONFIG_PATH/config.json;
              echo "Merging secret with config.json";
              /host/usr/bin/jq -s '.[0] * .[1]' \$CONFIG_PATH/config.json /auth/.dockerconfigjson > \$CONFIG_PATH/config.tmp;
              mv \$CONFIG_PATH/config.tmp \$CONFIG_PATH/config.json;
              echo "Sending signal to reload crio config";
              pidof crio;
              kill -1 \$(pidof crio)
          image: icr.io/ibm/alpine:latest
          imagePullPolicy: IfNotPresent
          name: updater
          resources: {}
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-auth-secret
              mountPath: /auth
            - name: docker
              mountPath: /docker-config
            - name: bin
              mountPath: /host/usr/bin
            - name: lib64
              mountPath: /lib64
      containers:
        - resources:
            requests:
              cpu: 0.01
          image: icr.io/ibm/alpine:latest
          name: sleepforever
          command: ["/bin/sh", "-c"]
          args:
            - >
              while true; do
                sleep 100000;
              done
      hostPID: true
      volumes:
        - name: docker-auth-secret
          secret:
            secretName: docker-auth-secret
        - name: docker
          hostPath:
            path: /
        - name: bin
          hostPath:
            path: /usr/bin
        - name: lib64
          hostPath:
            path: /lib64
            hostPathType: Directory
EOF
  3. Verify the pods are running.
    oc get daemonset -n kube-system update-docker-config

Updating the global pull secret by using Satellite config

Complete the following steps to use Satellite config to apply the global pull secret across your Satellite clusters and cluster groups.

  1. Make sure you enable Satellite config.

  2. Add your clusters to cluster groups.

  3. Create a secret in one of your Satellite clusters. Note that this secret will be deleted later.

    oc create secret docker-registry docker-auth-secret \
--docker-server=REGISTRY \
--docker-username=USERNAME \
--docker-password=PASSWORD \
--namespace kube-system

    Example create secret command for using the Cloud Pak Entitled Registry.

    oc create secret docker-registry docker-auth-secret \
--docker-server=cp.icr.io \
--docker-username=cp \
--docker-password=ENTITLEMENT-KEY \
--namespace kube-system

  4. Get the details of your secret. Copy and save the base64 encoded dockerconfigjson section.

    oc get secret docker-auth-secret -o yaml

  5. Delete the secret.

    oc delete secret docker-auth-secret -n kube-system

  6. Create a configuration file called secret.yaml that has your registry credentials. Paste the base64 encoded dockerconfigjson section that you saved in the earlier step.

    kind: Secret
apiVersion: v1
metadata:
  name: docker-auth-secret
  namespace: kube-system
data:
  .dockerconfigjson: >-
    BASE64-ENCODED-SECRET
type: kubernetes.io/dockerconfigjson

  7. Create a Satellite config. In the --data-location option, specify the Managed from region of your Location.

    ibmcloud sat config create --data-location wdc --name my-config

  8. Add a version to your configuration. Specify the file path to the secret.yaml that you created earlier.

    ibmcloud sat config version create --name 1 --config my-config --file-format yaml --read-config /Users/username/Desktop/secret.yaml

  9. Create a subscription to apply the DaemonSet to a cluster group.

    ibmcloud sat subscription create --name my-subscription --config my-config --group GROUP

  10. Save the following DaemonSet to a file called ds.yaml.

    apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: update-docker-config
  namespace: kube-system
  labels:
    app: update-docker-config
spec:
  selector:
    matchLabels:
      name: update-docker-config
  template:
    metadata:
      labels:
        name: update-docker-config
    spec:
      initContainers:
        - command: ["/bin/sh", "-c"]
          args:
            - >
              echo "Checking if RHEL or RHCOS host";
              [[ -s /docker-config/.docker/config.json  ]] && CONFIG_PATH=/docker-config/.docker || CONFIG_PATH=/docker-config/root/.docker;
              echo "Backing up or restoring config.json";
              [[ -s \$CONFIG_PATH/config.json ]] && cp \$CONFIG_PATH/config.json \$CONFIG_PATH/config.json.bak || cp \$CONFIG_PATH/config.json.bak \$CONFIG_PATH/config.json;
              echo "Merging secret with config.json";
              /host/usr/bin/jq -s '.[0] * .[1]' \$CONFIG_PATH/config.json /auth/.dockerconfigjson > \$CONFIG_PATH/config.tmp;
              mv \$CONFIG_PATH/config.tmp \$CONFIG_PATH/config.json;
              echo "Sending signal to reload crio config";
              pidof crio;
              kill -1 \$(pidof crio)
          image: icr.io/ibm/alpine:latest
          imagePullPolicy: IfNotPresent
          name: updater
          resources: {}
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-auth-secret
              mountPath: /auth
            - name: docker
              mountPath: /docker-config
            - name: bin
              mountPath: /host/usr/bin
            - name: lib64
              mountPath: /lib64
      containers:
        - resources:
            requests:
              cpu: 0.01
          image: icr.io/ibm/alpine:latest
          name: sleepforever
          command: ["/bin/sh", "-c"]
          args:
            - >
              while true; do
                sleep 100000;
              done
      hostPID: true
      volumes:
        - name: docker-auth-secret
          secret:
            secretName: docker-auth-secret
        - name: docker
          hostPath:
            path: /
        - name: bin
          hostPath:
            path: /usr/bin
        - name: lib64
          hostPath:
            path: /lib64
            hostPathType: Directory

  11. Create a Satellite config. In the --data-location option, specify the Managed from region of your Location, for example wdc.

    ibmcloud sat config create --data-location wdc --name my-ds

  12. Add a version to your configuration. Specify the file path to the ds.yaml that you created earlier.

    ibmcloud sat config version create --name 1 --config my-ds --file-format yaml --read-config /Users/username/Desktop/ds.yaml

  13. Create a subscription to apply the DaemonSet to a cluster group.

    ibmcloud sat subscription create --name my-subscription --config my-ds --group GROUP

  14. Verify the secret and DaemonSet are deploy across your clusters.

    oc get secret docker-auth-secret -n kube-system

    oc get ds update-docker-config -n kube-system

You can also view and manage your configurations and subscriptions from the Satellite console.