Add parameter to set global pull-secret secret

danpawlik · danpawlik · commit cccb6096a637 · 2024-07-02T12:14:23.000+02:00
Some projects might want to have an access to secured registry, but the credentials are not shared across projects. This commit adds GLOBAL_SECURED_REGISTRIES parameter, that will allow user to create similar pull-secret as it is done in openshift-config namespace to be available for other projects [1]. For example, the openshift-marketplace can not start properly, because it can not pull the image. We can add the pull-secret into the /var/lib/kubelet/config.json, but after clustersetup.sh script finish the Machine Config Pool would be marked as degraded (because there would be a missmatch). Adding the pull secret globaly will help avoid issue, that the image can not be downloaded. On the end, it can be deleted. [1] https://docs.openshift.com/container-platform/4.15/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-from-secure-registries_using-image-pull-secrets
diff --git a/pkg/bundle/setup/clustersetup.sh b/pkg/bundle/setup/clustersetup.sh
@@ -15,6 +15,7 @@ PASS_DEVELOPER="${PASS_DEVELOPER:-"_PASS_DEVELOPER_"}"
 PASS_KUBEADMIN="${PASS_KUBEADMIN:-"_PASS_KUBEADMIN_"}"
 PASS_REDHAT="${PASS_REDHAT:-"_PASS_REDHAT_"}"
 MAXIMUM_LOGIN_RETRY=500
+GLOBAL_SECURED_REGISTRIES="${GLOBAL_SECURED_REGISTRIES:-"false"}"
 
 pr_info() {
     echo "[INF] $1" | tee -a $LOG_FILE > /dev/null
@@ -182,6 +183,15 @@ patch_pull_secret() {
     sleep $STEPS_SLEEP_TIME
 }
 
+global_pull_secret() {
+    pr_info "adding pull-secret as global cluster pull secret"
+    oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > /tmp/pull-secret.txt
+    oc create secret generic global-pull-secret --from-file=.dockercfg=/tmp/pull-secret.txt --type=kubernetes.io/dockercfg
+    stop_if_failed $? "failed to create global pull secret"
+    rm /tmp/pull-secret.txt
+    sleep $STEPS_SLEEP_TIME
+}
+
 create_certificate_and_patch_secret() {
     pr_info  "creating OpenShift secrets"
     openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout nip.key -out nip.crt -subj "/CN=$EIP.nip.io" -addext "subjectAltName=DNS:apps.$EIP.nip.io,DNS:*.apps.$EIP.nip.io,DNS:api.$EIP.nip.io"
@@ -262,6 +272,9 @@ stop_if_failed $? "failed to recover Cluster after $(expr $CLUSTER_HEALTH_RETRIE
 
 
 patch_pull_secret
+if [[ "$GLOBAL_SECURED_REGISTRIES" =~ True|true ]]; then
+    global_pull_secret
+fi
 wait_cluster_become_healthy "etcd|openshift-apiserver"
 stop_if_failed $? "failed to recover Cluster after $(expr $CLUSTER_HEALTH_RETRIES \* $CLUSTER_HEALTH_SLEEP) seconds"
 
