The internal image registry of an OpenShift cluster authenticates pulls with an OpenShift token: clients send HTTP basic credentials in which the password is the token of a user or service account. If pulls from the registry fail with an authentication error, the cluster's global pull secret (the pull-secret secret in the openshift-config namespace, which the Machine Config Operator distributes to every node) may need a credential for that registry. This can be done by creating a service account with pull permissions and adding its name and token to the pull secret.
First bind the system:image-puller
cluster role to a service account named image-puller. The service account must already exist (it can be created with oc create sa in the openshift-config namespace); the following command does not create it, it only creates the role binding:
oc adm policy add-cluster-role-to-user \
system:image-puller -z image-puller \
-n openshift-config
The -z
flag names a service account instead of a user, and the -n flag gives the namespace that service account lives in (the binding subject becomes system:serviceaccount:openshift-config:image-puller). The system:image-puller
role grants permission to pull images from the registry. Because the role is bound with add-cluster-role-to-user, the account can pull the image streams of every project in the cluster; to restrict it to one project, bind the same role with oc adm policy add-role-to-user and -n set to that project instead.
Next, obtain a token for the service account and store it in a variable named TOKEN:
TOKEN=$(oc sa get-token image-puller -n openshift-config)
This command prints the token held in the image-puller
service account's token secret in the openshift-config
namespace. Note that oc sa get-token is deprecated: on OpenShift 4.11 and later, token secrets are no longer generated automatically for service accounts, so the command fails unless one exists. The replacement, oc create token, issues a short-lived token that would expire inside the pull secret; for a pull secret you need a long-lived token, which you get by creating a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name: image-puller and reading its token field.
Now, retrieve the existing pull secret from the openshift-config
namespace and decode it to a file using the following command:
oc get secret pull-secret -n openshift-config -o json \
| jq '.data.".dockerconfigjson"' -r \
| base64 -d > /tmp/pull-secret
This command reads the pull-secret secret in the openshift-config
namespace, base64-decodes its .dockerconfigjson value, and writes the result to /tmp/pull-secret. The decoded file contains, in clear text, every registry credential the cluster uses (including the Red Hat registry credentials from installation), so create it with restrictive permissions and delete it once the update is applied.
Finally, use the oc registry login
command to update the pull secret with the service account credentials using the following command:
oc registry login \
--registry=image-registry.openshift-image-registry.svc:5000 \
--auth-basic=image-puller:${TOKEN} \
--to=/tmp/pull-secret
This command adds an auths entry for image-registry.openshift-image-registry.svc:5000 to the file, with the base64 of image-puller:<token> as its auth value, leaves the other registries' entries untouched, and writes the merged result back to /tmp/pull-secret. The registry validates the token, so the username part of --auth-basic only needs to be present.
To apply the updated pull secret to the OpenShift cluster, use the following command:
oc set data secret/pull-secret -n openshift-config \
--from-file=.dockerconfigjson=/tmp/pull-secret
This command replaces the .dockerconfigjson
key of the global pull secret in the openshift-config
namespace with the contents of the updated file. The Machine Config Operator then rolls the new secret out to every node, so check the merged file before applying it; a simple test is oc image info with the file passed via --registry-config against an image in a project the service account may pull from. Once the update is applied, delete /tmp/pull-secret. This should fix the authentication error.
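The whole procedure as one script, added here as an example and not code from the original post. It makes the pull permission project-scoped, obtains a long-lived token through a kubernetes.io/service-account-token Secret instead of oc sa get-token, keeps the decoded pull secret in a mode-700 scratch directory that is removed on exit, and checks the merged file against the registry before the cluster-wide secret is replaced. The project name PULL_NS and the image reference in verify_pull are assumptions; the helper functions auth_b64, auth_entry and has_registry_entry are the script's own.

```shell
#!/bin/sh
# Added example, not code from the original post: the full pull-secret update
# as a script with a namespace-scoped binding, a long-lived token secret,
# a protected scratch file and a local pull check before roll-out.
# ASSUMED values: PULL_NS and the image reference in verify_pull.
set -eu

REGISTRY="image-registry.openshift-image-registry.svc:5000"
SA_NAME="image-puller"
SA_NS="openshift-config"
PULL_NS="myproject"   # ASSUMED: the project whose image streams may be pulled

# "auth" field of a docker config entry: base64("user:password"), no newline.
auth_b64() { printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'; }

# A dockerconfigjson with a single registry entry (registry, user, token).
auth_entry() { printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(auth_b64 "$2" "$3")"; }

# Succeeds when the config file names the given registry at all.
has_registry_entry() { grep -Fq "\"$1\"" "$2"; }

setup_service_account() {
  # The account must exist before a role can be bound to it.
  oc create sa "$SA_NAME" -n "$SA_NS" --dry-run=client -o yaml | oc apply -f -
  # Pull rights for one project only, not a cluster-wide binding.
  oc adm policy add-role-to-user system:image-puller \
    "system:serviceaccount:${SA_NS}:${SA_NAME}" -n "$PULL_NS"
}

get_token() {
  # The token controller fills a Secret of this type with a non-expiring
  # token, which is what an entry in the pull secret needs.
  oc apply -n "$SA_NS" -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SA_NAME}-token
  annotations:
    kubernetes.io/service-account.name: ${SA_NAME}
type: kubernetes.io/service-account-token
EOF
  for _ in $(seq 1 30); do
    tok=$(oc get secret "${SA_NAME}-token" -n "$SA_NS" \
          -o jsonpath='{.data.token}' 2>/dev/null | base64 -d 2>/dev/null || true)
    [ -n "$tok" ] && { printf '%s' "$tok"; return 0; }
    sleep 1
  done
  echo "token secret was not populated" >&2
  return 1
}

verify_pull() {
  # Read manifest metadata with the merged file before it touches the cluster.
  oc image info --registry-config "$1" \
    "${REGISTRY}/${PULL_NS}/app:latest" >/dev/null   # ASSUMED image reference
}

update_pull_secret() {
  work=$(mktemp -d)
  chmod 700 "$work"
  trap 'rm -rf "$work"' EXIT   # the decoded file holds every registry credential in clear
  oc get secret pull-secret -n openshift-config \
    --template='{{index .data ".dockerconfigjson" | base64decode}}' > "$work/pull-secret"
  oc registry login --registry="$REGISTRY" \
    --auth-basic="${SA_NAME}:$1" --to="$work/pull-secret"
  has_registry_entry "$REGISTRY" "$work/pull-secret"
  verify_pull "$work/pull-secret"
  # Only now replace the global pull secret; the MCO pushes it to every node.
  oc set data secret/pull-secret -n openshift-config \
    --from-file=.dockerconfigjson="$work/pull-secret"
}

if [ "${1:-}" = "run" ]; then
  setup_service_account
  TOKEN=$(get_token)
  update_pull_secret "$TOKEN"
fi
```

Run it as `sh update-pull-secret.sh run` while logged in as a cluster-admin. The cluster-touching steps only execute with the run argument, so the file can also be sourced to reuse the helpers.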
Top comments (2)
After fixing TLS ingress from bastion node to internal registry, I was having trouble with auth from the bastion. After many hours of experimentation, this article fixed the issue. Nice work!
Great to hear Tim, thank you for the feedback :)