Working with a Private Repo & Image Pull Secrets
Are you working with a private registry? This article describes how to configure the Turbo Custom Resource to define a registry / repository location and use a pull secret, and details which images to pull into your private repo.
NOTE: Your private repo must support multi-architecture images to be able to download the images from icr.io
NOTE: For example, if you use Artifactory, you need to be running v7, as v6 does not support multi-architecture images.
To leverage your own Private Repository, you will need to pull and stage Turbonomic product images. Turbonomic images are by default located in the following registries based on version, and whether you are deploying via OpenShift Operator Hub or direct deployment.
Version | Deployment Method | Components | Default Repositories |
---|---|---|---|
V8.7.5 and older | OpenShift Operator Hub | Operators for Turbonomic Server, Kubeturbo, Prometurbo, Components for Turbonomic Server, Kubeturbo (CPU Getter Job *), Prometurbo (and DIF) | - registry.connect.redhat.com/turbonomic, registry.access.redhat.com/ubi8/ubi-minimal (*) |
V8.7.5 and older | Direct Deployment | Operators for Turbonomic Server, Kubeturbo, Prometurbo, Components for Turbonomic Server, Kubeturbo (CPU Getter Job), Prometurbo (and DIF) | - index.docker.io/turbonomic |
V8.7.5 and newer | OpenShift Operator Hub | Operators for Turbonomic Server, Kubeturbo, Prometurbo, Components for Turbonomic Server, Kubeturbo (CPU Getter Job *), Prometurbo (and DIF) | - icr.io/cpopen/turbonomic, icr.io/cpopen, registry.access.redhat.com/ubi8/ubi-minimal (*) |
V8.7.5 and newer | Direct Deployment | Operators for Turbonomic Server, Kubeturbo, Prometurbo, Components for Turbonomic Server, Kubeturbo (CPU Getter Job), Prometurbo (and DIF) | - icr.io/cpopen/turbonomic, icr.io/cpopen |
Once the images are pulled in the customer’s private registry, the registry / repository location of the Turbonomic SERVER container images needs to be updated in the custom resource yaml, in addition to the changes made to the operator deployment yaml. Modify these values for your environment:
```yaml
global:
  repository: {yourRegistry}/{yourRepository}
  # uncomment line below if using RedHat Container Catalog, and specify `registry.connect.redhat.com/turbonomic` as the `repository`
  # when deploying from the OCP Operator Hub the `repository` and `customImageNames` will be preconfigured for you
  # customImageNames: false
  # for pull credentials, registry parameter is required and the value can be the same as repository
  # uncomment what you need below if you need to specify pull credentials. Note this will be used for all images.
  # registry: {yourRegistry}/{yourRepository}
  # imageUsername: turbouser
  # imagePassword: turbopassword
  # imagePullSecret: yourSecret
  tag: {requiredTag}
```
Note if you are running the t8c-operator prior to v42, then you will need to define registry and repository this way:
```yaml
global:
  registry: {yourRegistry}
  # imageUsername: turbouser
  # imagePassword: turbopassword
  # imagePullSecret: yourSecret
  repository: {yourRepository}
  tag: {requiredTag}
```
If you require credentials to access your registry, you have the option to specify the username and password credentials in the CR as shown below:
```yaml
global:
  repository: icr.io/cpopen/turbonomic
  registry: icr.io/cpopen/turbonomic
  imageUsername: turbouser
  imagePassword: turbopassword
  # imagePullSecret: yourSecret
  tag: {requiredTag}
```
NOTE:
- The `registry` parameter is required in the CR to use the imageUsername/imagePassword or imagePullSecret parameters.
- The `customImageNames` parameter set to `false` is required for working with Red Hat Operators and the Red Hat Container Catalog. You will also specify `registry.connect.redhat.com/turbonomic` for BOTH `registry` and `repository`. NOTE when you deploy from the OCP OPERATOR HUB, these values should be preset for you.
- This method will create a kubernetes secret of type docker-registry with the default name of "turbocred", and then apply the pullSecret parameter to the Turbonomic component deployments.
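A pre-apply check for two points from the text above, as an added example (not part of the Turbonomic project): it reads a CR and reports when pull credentials are set without `registry`, and when `imagePassword` is stored inline in the CR, where anyone who can read the resource can read the password. The finding labels and the sample CR are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Turbonomic project): lint the global: block of a CR.
# MISSING_REGISTRY and INLINE_PASSWORD are labels made up for this example.

# lint_cr: read a CR on stdin, print one finding per line, exit 1 if any.
lint_cr() (
  awk '
    /^[ \t]*(#|$)/ { next }                    # ignore comments and blank lines
    {
      indent = match($0, /[^ ]/) - 1           # leading spaces before the key
      if ($1 == "global:") { in_global = 1; gindent = indent; next }
      if (in_global && indent <= gindent) in_global = 0   # left the block
      if (in_global) { key = $1; sub(/:$/, "", key); seen[key] = 1 }
    }
    END {
      creds = ("imagePullSecret" in seen) || ("imageUsername" in seen) || ("imagePassword" in seen)
      if (creds && !("registry" in seen)) { print "MISSING_REGISTRY"; rc = 1 }
      if ("imagePassword" in seen)        { print "INLINE_PASSWORD";  rc = 1 }
      exit rc + 0
    }'
)

# Constructed sample: credentials are set, but registry is left commented out.
SAMPLE_CR='spec:
  global:
    repository: registry.example.internal/turbonomic
    # registry: registry.example.internal/turbonomic
    imageUsername: turbouser
    imagePassword: turbopassword
    tag: exampleTag'

printf '%s\n' "$SAMPLE_CR" | lint_cr || echo "CR needs attention"
```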
The Operator Deployment will also need to be updated to pull from the repository, and this will be an update to the `image:` value.

```yaml
containers:
- name: t8c-operator
  image: {yourRegistry}/{yourRepo}/t8c-operator:42.23
```
NOTE:
When working with an air-gapped OpenShift cluster AND you want to use the Operator Hub (OLM) experience, you need to follow the instructions from Red Hat on how to pull operator bundles: https://docs.openshift.com/container-platform/4.6/operators/admin/olm-restricted-networks.html
The Turbonomic Operator itself will also need to use the pull credentials if required. Options are to specify the image pull secret to the operator deployment, or add this secret to the t8c-operator service account. See the next section Image Pull Secrets for details.
Consider leveraging a kubernetes secret of a docker-registry type. Have the secret resource created in the same Turbonomic namespace and modify the CR to specify the secret name:
```yaml
global:
  registry: {yourRegistry}/{yourRepository}
  customImageNames: false
  imagePullSecret: {yourSecretName}
  tag: {requiredTag}
```
NOTE: the `registry` parameter is required in the CR to use the imageUsername/imagePassword or imagePullSecret parameters.
Remember to also add this to the Turbonomic Operator deployment which can be done 2 ways:
- Update the deployment to use the secret

  ```yaml
  spec:
    serviceAccountName: t8c-operator
    imagePullSecrets:
    - name: {yourSecretName}
    containers:
    - name: t8c-operator
  ```

- Link the secret to the service account. For the operator, you can configure the `t8c-operator` service account for the image pull secret. See this document for more details.

  In OpenShift use the `oc secrets link` command: `oc secrets link t8c-operator yourSecret --for=pull`

  NOTE if you want to use the link SA method for the Turbo application pods you will also have to associate the secret to the `default` service account: `oc secrets link default yourSecret --for=pull`
For more information on Kubernetes secrets see the K8s Secrets - Additional Info section in Using a Database: Secrets
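The docker-registry secret referenced by `imagePullSecret` above, built as a manifest offline, as an added example that is not part of the original page or the Turbonomic project. The function names, the `turbonomic` namespace, the `registry.example.internal` host and the password are placeholders constructed for illustration; the decode step shows that the stored credential is only base64-encoded, so read access to Secrets in the namespace should be restricted.

```shell
#!/usr/bin/env bash
# Added example (not from the Turbonomic project): build the docker-registry
# pull secret as a manifest, offline. Names and values below are placeholders.

b64() { base64 | tr -d '\n'; }   # single-line base64 (GNU base64 wraps at 76)

# make_pull_secret NAME NAMESPACE REGISTRY_HOST USERNAME  (password on stdin,
# so it stays out of argv and shell history). Assumes host and username
# contain no JSON-special characters.
make_pull_secret() (
  IFS= read -r pass
  auth=$(printf '%s:%s' "$4" "$pass" | b64)
  cfg=$(printf '{"auths":{"%s":{"auth":"%s"}}}' "$3" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
)

# decode_pull_secret: manifest on stdin -> the docker config JSON it carries.
# base64 is encoding, not encryption: anyone who can read the Secret gets this.
decode_pull_secret() {
  awk '$1 == ".dockerconfigjson:" { print $2 }' | base64 -d
}

# Constructed run; pipe the manifest to `kubectl apply -f -` to create it.
printf '%s\n' 'example-password' |
  make_pull_secret yourSecret turbonomic registry.example.internal turbouser |
  decode_pull_secret
```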