Platform Application Components Up-version - Portieris (dsR8)
Add missing registryk8s-registry

Fix conflict.
Add icr-registry and missing ghcr-registry

Story: 2010394
Task: 47866

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Iddf5b5c807d1ae1ca5ea342ccce53cc9da2f576e
parent d9c4b24d04
commit a1e1bfb155
@ -182,6 +182,8 @@ Bootstrap system on controller-0
|
||||
url: myprivateregistry.abc.com:9001/docker.io
|
||||
registry.k8s.io:
|
||||
url: myprivateregistry.abc.com:9001/registry.k8s.io
|
||||
icr.io:
|
||||
url: myprivateregistry.abc.com:9001/icr.io
|
||||
defaults:
|
||||
type: docker
|
||||
username: <your_myprivateregistry.abc.com_username>
|
||||
|
@ -182,6 +182,8 @@ Bootstrap system on controller-0
|
||||
url: myprivateregistry.abc.com:9001/docker.io
|
||||
registry.k8s.io
|
||||
url: myprivateregistry.abc.com:9001/registry.k8s.io
|
||||
icr.io:
|
||||
url: myprivateregistry.abc.com:9001/icr.io
|
||||
defaults:
|
||||
type: docker
|
||||
username: <your_myprivateregistry.abc.com_username>
|
||||
|
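Review bot: ``registry.k8s.io`` in this hunk is missing its trailing colon, so the ``url:`` line under it no longer hangs off a mapping key and the example will not parse as YAML when copied into a bootstrap override file. The same addition in the other bootstrap hunks reads ``registry.k8s.io:``; make this one match.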
@ -36,6 +36,8 @@ your server is isolated from the public Internet.
|
||||
url: <my-registry.io>/docker.elastic.co
|
||||
registry.k8s.io:
|
||||
url: <my-registry.io>/registry.k8s.io
|
||||
icr.io:
|
||||
url: <my-registry.io>/icr.io
|
||||
defaults:
|
||||
type: docker
|
||||
username: <your_my-registry.io_username>
|
||||
|
@ -245,6 +245,8 @@ Bootstrap system on controller-0
|
||||
url: myprivateregistry.abc.com:9001/docker.io
|
||||
registry.k8s.io:
|
||||
url: myprivateregistry.abc.com:9001/registry.k8s.io
|
||||
icr.io:
|
||||
url: myprivateregistry.abc.com:9001/icr.io
|
||||
defaults:
|
||||
type: docker
|
||||
username: <your_myprivateregistry.abc.com_username>
|
||||
|
@ -285,6 +285,8 @@ subcloud, the subcloud installation has these phases:
|
||||
url: registry.central:9001/docker.elastic.co
|
||||
registry.k8s.io:
|
||||
url: registry.central:9001/registry.k8s.io
|
||||
icr.io:
|
||||
url: registry.central:9001/icr.io
|
||||
defaults:
|
||||
username: sysinv
|
||||
password: <sysinv_password>
|
||||
|
@ -199,6 +199,8 @@ subcloud, the subcloud installation process has two phases:
|
||||
url: registry.central:9001/docker.elastic.co
|
||||
registry.k8s.io:
|
||||
url: registry.central:9001/registry.k8s.io
|
||||
icr.io:
|
||||
url: registry.central:9001/icr.io
|
||||
defaults:
|
||||
username: sysinv
|
||||
password: <sysinv_password>
|
||||
|
@ -10,6 +10,19 @@ You can install Portieris on |prod| from the command line.
|
||||
|
||||
.. rubric:: |proc|
|
||||
|
||||
.. note::
|
||||
|
||||
For systems upgraded from a previous release, please add service parameters
|
||||
for the new icr registry that will contain images used by Portieris. You
|
||||
will need to add 1 service parameter for the URL at a minimum: ``system
|
||||
service-parameter-add docker icr-registry
|
||||
url=myprivateregistry.abc.com:9001/icr.io``.
|
||||
|
||||
Refer to :ref:`About Changing External Registries for StarlingX
|
||||
Installation
|
||||
<about-changing-external-registries-for-starlingx-installation>` for more
|
||||
details.
|
||||
|
||||
#. Locate the Portieris tarball in /usr/local/share/applications/helm.
|
||||
|
||||
For example:
|
||||
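Review bot: the command in the new note is an inline literal that wraps across three source lines, from ``system`` through ``url=myprivateregistry.abc.com:9001/icr.io``, which is easy to mis-copy and hides that the host is only an example value. Move it into a ``.. code-block:: none`` with the ``~(keystone_admin)]$`` prompt used further down this page. Since the text says the URL is the minimum, also name what a registry that requires authentication needs in addition, or point at the auth-secret procedure.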
@ -44,7 +57,6 @@ You can install Portieris on |prod| from the command line.
|
||||
|
||||
~(keystone_admin)]$ system helm-override-update portieris portieris-certs portieris --values caCert.yaml
|
||||
|
||||
|
||||
#. Apply the application.
|
||||
|
||||
.. code-block:: none
|
||||
|
@ -56,7 +56,7 @@ registry+notary server
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
|
||||
apiVersion: portieris.cloud.ibm.com/v1
|
||||
kind: ImagePolicy
|
||||
metadata:
|
||||
name: allow-all-icrio
|
||||
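Review bot: the ``apiVersion`` line moves to a different API group (``portieris.cloud.ibm.com/v1`` instead of ``securityenforcement.admission.cloud.ibm.com/v1beta1``), and nothing visible in this change tells readers on upgraded systems what happens to ImagePolicy objects they created from the old example. The install page gains an upgrade note in this same commit, so add a sentence here on what to do with policies written against the old group, or state that no action is needed.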
@ -69,7 +69,7 @@ registry+notary server
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
|
||||
apiVersion: portieris.cloud.ibm.com/v1
|
||||
kind: ImagePolicy
|
||||
metadata:
|
||||
name: allow-custom
|
||||
|
@ -17,33 +17,6 @@ system.
|
||||
|
||||
~(keystone_admin)]$ system application-remove portieris
|
||||
|
||||
#. Delete kubernetes resources not automatically removed in the previous step.
|
||||
|
||||
This is required if you plan to reapply the application.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
~(keystone_admin)]$ kubectl delete clusterroles.rbac.authorization.k8s.io portieris
|
||||
~(keystone_admin)]$ kubectl delete clusterrolebindings.rbac.authorization.k8s.io admission-portieris-webhook
|
||||
~(keystone_admin)]$ kubectl delete -n portieris cm/image-policy-crds
|
||||
~(keystone_admin)]$ kubectl delete -n portieris serviceaccounts/portieris
|
||||
|
||||
.. note::
|
||||
If this step is done before removing the application in step 1, the
|
||||
removal will fail, leaving the application in the **remove-failed**
|
||||
state. In such cases you will need to issue the following commands
|
||||
to recover:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
~(keystone_admin)]$ kubectl delete MutatingWebhookConfiguration image-admission-config --ignore-not-found=true
|
||||
~(keystone_admin)]$ kubectl delete ValidatingWebhookConfiguration image-admission-config --ignore-not-found=true
|
||||
~(keystone_admin)]$ kubectl delete crd clusterimagepolicies.securityenforcement.admission.cloud.ibm.com imagepolicies.securityenforcement.admission.cloud.ibm.com --ignore-not-found=true
|
||||
~(keystone_admin)]$ kubectl delete clusterroles.rbac.authorization.k8s.io portieris --ignore-not-found=true
|
||||
~(keystone_admin)]$ kubectl delete clusterrolebindings.rbac.authorization.k8s.io admission-portieris-webhook --ignore-not-found=true
|
||||
~(keystone_admin)]$ kubectl delete ns/portieris --ignore-not-found=true
|
||||
~(keystone_admin)]$ helm delete portieris-portieris --purge --no-hooks
|
||||
~(keystone_admin)]$ system application-remove portieris
|
||||
|
||||
#. Delete the application.
|
||||
|
||||
|
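Review bot: the step that deleted the leftover ClusterRole, ClusterRoleBinding, ConfigMap and ServiceAccount is dropped together with the whole **remove-failed** recovery note, and neither the commit message nor the remaining text says why. If ``system application-remove portieris`` now cleans these resources up itself, say so in the commit message. If an application can still end up in remove-failed, keep a recovery path, with its CRD names checked against the API group the ImagePolicy examples now use.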
@ -11,11 +11,12 @@ and application updates.
|
||||
When installing and upgrading |prod| or applying and updating |prod|
|
||||
applications, container images are pulled from external registries, for various
|
||||
services. By default, these container images are pulled from the following
|
||||
public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, and ``docker.io``.
|
||||
During installation, specifically during the bootstrap step, these external registries
|
||||
can be overridden using the 'docker_registries' variable in the bootstrap
|
||||
override file. This task provides a procedure for changing these external
|
||||
registries **after** installing |prod|.
|
||||
public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, ``docker.io``,
|
||||
``icr.io``, ``ghcr.io``, and ``registry.k8s.io``. During installation,
|
||||
specifically during the bootstrap step, these external registries can be
|
||||
overridden using the 'docker_registries' variable in the bootstrap override
|
||||
file. This task provides a procedure for changing these external registries
|
||||
**after** installing |prod|.
|
||||
|
||||
.. rubric:: |context|
|
||||
|
||||
|
@ -12,7 +12,7 @@ registries' URLs using the following command:
|
||||
.. code-block:: none
|
||||
|
||||
NEW_URL_START=new-registry.domain.com:9001
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
|
||||
do
|
||||
uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'`
|
||||
url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}' | cut -d '/' -f 2-`
|
||||
|
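Review bot: with ``registryk8s-registry`` added to the list, ``grep $registry`` on the ``uuid=`` line is no longer unambiguous. The pattern ``k8s-registry`` is a substring of ``registryk8s-registry``, so on the k8s-registry iteration the grep matches both rows and ``system service-parameter-show $uuid`` is called with two UUIDs. Match the name exactly, for example with ``grep -w $registry``, here and in the other loops this commit extends.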
@ -17,7 +17,7 @@ To create the auth-secrets for the new registries, use the following command:
|
||||
|
||||
NEW_USERNAME_PASSWORD="username:docker password:********"
|
||||
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
|
||||
do
|
||||
openstack secret store -n ${registry}-secret -p "${NEW_USERNAME_PASSWORD}"
|
||||
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}' | awk -F/ '{print $6}'`
|
||||
|
@ -18,7 +18,7 @@ To update the auth-secrets for the new registries, use the following command:
|
||||
|
||||
NEW_USERNAME_PASSWORD="username:docker password:********"
|
||||
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
|
||||
do
|
||||
secret=`openstack secret list | grep ${registry}-secret | awk '{print $2}'`
|
||||
openstack secret delete ${secret}
|
||||
|
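Review bot: ``grep ${registry}-secret`` on the ``secret=`` line has a substring problem in a destructive place: ``k8s-registry-secret`` also matches ``registryk8s-registry-secret``, so on the k8s-registry iteration ``openstack secret delete ${secret}`` is handed both secrets. Select the secret by exact name (for example ``grep -w``), and quote ``"${secret}"`` so that an unexpected multi-line match fails instead of being word-split into several arguments.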
@ -10,7 +10,7 @@ To display the updated URLs, use the following command:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
|
||||
do
|
||||
uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'`
|
||||
url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}'`
|
||||
@ -23,6 +23,8 @@ You will get the following output:
|
||||
|
||||
docker-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.io
|
||||
quay-registry URL is new-registry.domain.com:9001/product-abc/starlingx/quay.io
|
||||
icr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/icr.io
|
||||
ghcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/ghcr.io
|
||||
elastic-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.elastic.co
|
||||
gcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/gcr.io
|
||||
k8s-registry URL is new-registry.domain.com:9001/product-abc/starlingx/k8s.gcr.io
|
||||
|
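Review bot: the sample output gains ``icr-registry`` and ``ghcr-registry`` lines but no ``registryk8s-registry URL is ...`` line, although the loop in the preceding hunk now iterates over registryk8s-registry as well. Add the matching line, and list the lines in the order the loop prints them (the new entries come after k8s-registry in the loop, but after quay-registry here).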
@ -9,7 +9,7 @@ To verify the registries' secret configuration changes, use the following comman
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
|
||||
do
|
||||
echo $registry
|
||||
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}'`
|
||||
@ -64,6 +64,28 @@ gcr-registry
|
||||
|
||||
k8s-registry
|
||||
|
||||
.. table::
|
||||
:widths: auto
|
||||
|
||||
+---------+-----------------------------------+
|
||||
| Field | Value |
|
||||
+---------+-----------------------------------+
|
||||
| Payload | username:docker password:******** |
|
||||
+---------+-----------------------------------+
|
||||
|
||||
icr-registry
|
||||
|
||||
.. table::
|
||||
:widths: auto
|
||||
|
||||
+---------+-----------------------------------+
|
||||
| Field | Value |
|
||||
+---------+-----------------------------------+
|
||||
| Payload | username:docker password:******** |
|
||||
+---------+-----------------------------------+
|
||||
|
||||
ghcr-registry
|
||||
|
||||
.. table::
|
||||
:widths: auto
|
||||
|
||||
@ -78,7 +100,7 @@ registry entries in the service parameter table, use the following command:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
|
||||
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry
|
||||
do
|
||||
echo $registry
|
||||
uuid=`system service-parameter-list |grep $registry | grep auth-secret | awk '{print $2}'`
|
||||
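Review bot: this ``for registry in`` line adds ``icr-registry ghcr-registry`` but not ``registryk8s-registry``, while every other loop in the commit adds all three and the commit message is about adding the missing registryk8s-registry. Add it here and extend the sample output in the next hunk to match, or note why its auth-secret entry is not checked.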
@ -104,6 +126,10 @@ You will get the following output:
|
||||
4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1 4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1
|
||||
k8s-registry
|
||||
96d722e6-ab97-4185-9b97-64ee90c6162c 96d722e6-ab97-4185-9b97-64ee90c6162c
|
||||
icr-registry
|
||||
6fdaf773-a253-4b48-b9ff-d9dce1401c33 6fdaf773-a253-4b48-b9ff-d9dce1401c33
|
||||
ghcr-registry
|
||||
56b03b2b-7685-449d-ade4-3d8c4e73649f 56b03b2b-7685-449d-ade4-3d8c4e73649f
|
||||
|
||||
To add the CA Certificate, go to :ref:`Add the CA Certificate for New Registry
|
||||
<add-the-ca-certificate-for-new-registry>`.
|