IBM Cloud Docs
Updating the global pull secret in Satellite clusters

After setting up a Satellite cluster, you can update the global pull secret in your cluster to pull from a private container registry other than quay.io or icr.io. For example, you might want to pull images from the Cloud Pak Entitled Registry (cp.icr.io) or your own private registry.

There are two ways to update the global pull secret in Satellite clusters.

  1. Updating the global pull secret. Use this approach if you have one or a few clusters to maintain. You must repeat these steps for each cluster where you want to apply the secret.
  2. Updating the global pull secret by using Satellite config. Use this approach if you maintain several Satellite clusters and cluster groups. By using Satellite config, you can apply the secret changes across your Satellite clusters and cluster groups in one operation.

Updating the global pull secret

Complete the following steps to update the global pull secret in your Satellite cluster.

  1. Create a secret that has the credentials for the registry you want to use.
    oc create secret docker-registry docker-auth-secret \
    --docker-server=REGISTRY \
    --docker-username=USERNAME \
    --docker-password=PASSWORD \
    --namespace kube-system
    
    Example create secret command for using the Cloud Pak Entitled Registry.
    oc create secret docker-registry docker-auth-secret \
    --docker-server=cp.icr.io \
    --docker-username=cp \
    --docker-password=ENTITLEMENT-KEY \
    --namespace kube-system
    
  2. Create a DaemonSet to apply the secret across all worker nodes.
    cat << EOF | oc create -f -
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: update-docker-config
      namespace: kube-system
      labels:
        app: update-docker-config
    spec:
      selector:
        matchLabels:
          name: update-docker-config
      template:
        metadata:
          labels:
            name: update-docker-config
        spec:
          initContainers:
            - command: ["/bin/sh", "-c"]
              args:
                - >
                  echo "Checking if RHEL or RHCOS host";
                  [[ -s /docker-config/.docker/config.json  ]] && CONFIG_PATH=/docker-config/.docker || CONFIG_PATH=/docker-config/root/.docker;
                  echo "Backing up or restoring config.json";
                  [[ -s \$CONFIG_PATH/config.json ]] && cp \$CONFIG_PATH/config.json \$CONFIG_PATH/config.json.bak || cp \$CONFIG_PATH/config.json.bak \$CONFIG_PATH/config.json;
                  echo "Merging secret with config.json";
                  /host/usr/bin/jq -s '.[0] * .[1]' \$CONFIG_PATH/config.json /auth/.dockerconfigjson > \$CONFIG_PATH/config.tmp;
                  mv \$CONFIG_PATH/config.tmp \$CONFIG_PATH/config.json;
                  echo "Sending signal to reload crio config";
                  pidof crio;
                  kill -1 \$(pidof crio)
              image: icr.io/ibm/alpine:latest
              imagePullPolicy: IfNotPresent
              name: updater
              resources: {}
              securityContext:
                privileged: true
              volumeMounts:
                - name: docker-auth-secret
                  mountPath: /auth
                - name: docker
                  mountPath: /docker-config
                - name: bin
                  mountPath: /host/usr/bin
                - name: lib64
                  mountPath: /lib64
          containers:
            - resources:
                requests:
                  cpu: 0.01
              image: icr.io/ibm/alpine:latest
              name: sleepforever
              command: ["/bin/sh", "-c"]
              args:
                - >
                  while true; do
                    sleep 100000;
                  done
          hostPID: true
          volumes:
            - name: docker-auth-secret
              secret:
                secretName: docker-auth-secret
            - name: docker
              hostPath:
                path: /
            - name: bin
              hostPath:
                path: /usr/bin
            - name: lib64
              hostPath:
                path: /lib64
                type: Directory
    EOF
    
  3. Verify the pods are running.
    oc get daemonset -n kube-system update-docker-config
    

Updating the global pull secret by using Satellite config

Complete the following steps to use Satellite config to apply the global pull secret across your Satellite clusters and cluster groups.

  1. Make sure you enable Satellite config.

  2. Add your clusters to cluster groups.

  3. Create a secret in one of your Satellite clusters. This secret is only used to obtain the encoded credentials and is deleted again in a later step.

    oc create secret docker-registry docker-auth-secret \
    --docker-server=REGISTRY \
    --docker-username=USERNAME \
    --docker-password=PASSWORD \
    --namespace kube-system
    

    Example create secret command for using the Cloud Pak Entitled Registry.

    oc create secret docker-registry docker-auth-secret \
    --docker-server=cp.icr.io \
    --docker-username=cp \
    --docker-password=ENTITLEMENT-KEY \
    --namespace kube-system
    
  4. Get the details of your secret. Copy and save the base64-encoded .dockerconfigjson value from the data section.

    oc get secret docker-auth-secret -o yaml
    
  5. Delete the secret.

    oc delete secret docker-auth-secret -n kube-system
    
  6. Create a configuration file called secret.yaml that has your registry credentials. Paste the base64-encoded .dockerconfigjson value that you saved in the earlier step.

    kind: Secret
    apiVersion: v1
    metadata:
      name: docker-auth-secret
      namespace: kube-system
    data:
      .dockerconfigjson: >-
        BASE64-ENCODED-SECRET
    type: kubernetes.io/dockerconfigjson
    
  7. Create a Satellite config. In the --data-location option, specify the Managed from region of your Location.

    ibmcloud sat config create --data-location wdc --name my-config
    
  8. Add a version to your configuration. Specify the file path to the secret.yaml that you created earlier.

    ibmcloud sat config version create --name 1 --config my-config --file-format yaml --read-config /Users/username/Desktop/secret.yaml
    
  9. Create a subscription to apply the secret configuration to a cluster group.

    ibmcloud sat subscription create --name my-subscription --config my-config --group GROUP
    
  10. Save the following DaemonSet to a file called ds.yaml.

    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: update-docker-config
      namespace: kube-system
      labels:
        app: update-docker-config
    spec:
      selector:
        matchLabels:
          name: update-docker-config
      template:
        metadata:
          labels:
            name: update-docker-config
        spec:
          initContainers:
            - command: ["/bin/sh", "-c"]
              args:
                - >
                  echo "Checking if RHEL or RHCOS host";
                  [[ -s /docker-config/.docker/config.json  ]] && CONFIG_PATH=/docker-config/.docker || CONFIG_PATH=/docker-config/root/.docker;
                  echo "Backing up or restoring config.json";
                  [[ -s $CONFIG_PATH/config.json ]] && cp $CONFIG_PATH/config.json $CONFIG_PATH/config.json.bak || cp $CONFIG_PATH/config.json.bak $CONFIG_PATH/config.json;
                  echo "Merging secret with config.json";
                  /host/usr/bin/jq -s '.[0] * .[1]' $CONFIG_PATH/config.json /auth/.dockerconfigjson > $CONFIG_PATH/config.tmp;
                  mv $CONFIG_PATH/config.tmp $CONFIG_PATH/config.json;
                  echo "Sending signal to reload crio config";
                  pidof crio;
                  kill -1 $(pidof crio)
              image: icr.io/ibm/alpine:latest
              imagePullPolicy: IfNotPresent
              name: updater
              resources: {}
              securityContext:
                privileged: true
              volumeMounts:
                - name: docker-auth-secret
                  mountPath: /auth
                - name: docker
                  mountPath: /docker-config
                - name: bin
                  mountPath: /host/usr/bin
                - name: lib64
                  mountPath: /lib64
          containers:
            - resources:
                requests:
                  cpu: 0.01
              image: icr.io/ibm/alpine:latest
              name: sleepforever
              command: ["/bin/sh", "-c"]
              args:
                - >
                  while true; do
                    sleep 100000;
                  done
          hostPID: true
          volumes:
            - name: docker-auth-secret
              secret:
                secretName: docker-auth-secret
            - name: docker
              hostPath:
                path: /
            - name: bin
              hostPath:
                path: /usr/bin
            - name: lib64
              hostPath:
                path: /lib64
                type: Directory
    
  11. Create a Satellite config. In the --data-location option, specify the Managed from region of your Location, for example wdc.

    ibmcloud sat config create --data-location wdc --name my-ds
    
  12. Add a version to your configuration. Specify the file path to the ds.yaml that you created earlier.

    ibmcloud sat config version create --name 1 --config my-ds --file-format yaml --read-config /Users/username/Desktop/ds.yaml
    
  13. Create a subscription to apply the DaemonSet to a cluster group.

    ibmcloud sat subscription create --name my-ds-subscription --config my-ds --group GROUP
    
  14. Verify that the secret and the DaemonSet are deployed across your clusters.

    oc get secret docker-auth-secret -n kube-system
    
    oc get ds update-docker-config -n kube-system
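
Added example, not part of the IBM documentation: the following Python script reproduces offline what the steps above do, for both procedures on this page. It builds the .dockerconfigjson in the shape that oc create secret docker-registry stores (steps 3 and 4), base64-encodes it the way the data field of secret.yaml expects (step 6), and merges it into a node's existing config.json with the same recursive semantics as the DaemonSet's jq -s '.[0] * .[1]' step. That lets you preview and check the merged auths before rolling a privileged DaemonSet out to every node. The existing config and all credential values are constructed placeholders.

```python
import base64
import json

# Constructed sample of a node's existing config.json (the .[0] side of the jq merge).
EXISTING_CONFIG = {
    "auths": {
        "icr.io": {"auth": base64.b64encode(b"iamapikey:EXISTING-KEY").decode()},
    }
}


def dockerconfigjson(server, username, password):
    """Build the .dockerconfigjson that `oc create secret docker-registry` stores."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password, "auth": auth}}}


def secret_data_field(cfg):
    """Base64 value that goes under data/.dockerconfigjson in secret.yaml."""
    return base64.b64encode(json.dumps(cfg).encode()).decode()


def jq_merge(a, b):
    """Recursive object merge with the semantics of jq's `.[0] * .[1]`:
    nested objects are merged rather than replaced, and b wins on conflicts."""
    out = dict(a)
    for key, value in b.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = jq_merge(out[key], value)
        else:
            out[key] = value
    return out


def merged_node_config(existing, secret_b64):
    """Decode the secret's data field and merge it into the node's config.json."""
    added = json.loads(base64.b64decode(secret_b64))
    return jq_merge(existing, added)


def check_auths(cfg, expected):
    """Verify that each expected registry has an auth entry decoding to user:password."""
    for server, (user, password) in expected.items():
        entry = cfg.get("auths", {}).get(server)
        if entry is None or base64.b64decode(entry["auth"]).decode() != f"{user}:{password}":
            return False
    return True


if __name__ == "__main__":
    b64 = secret_data_field(dockerconfigjson("cp.icr.io", "cp", "ENTITLEMENT-KEY"))
    print(json.dumps(merged_node_config(EXISTING_CONFIG, b64), indent=2))
```

Running the script prints the config.json a node ends up with: the original icr.io entry is preserved and the cp.icr.io entry is added, which is exactly what the DaemonSet's backup-then-merge step relies on.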
    

You can also view and manage your configurations and subscriptions from the Satellite console.