Platform Application Components Up-version - Portieris (dsR8)

Add missing registryk8s-registry
Fix conflict.
Add icr-registry and missing ghcr-registry

Story: 2010394
Task: 47866

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Iddf5b5c807d1ae1ca5ea342ccce53cc9da2f576e
Elisamara Aoki Goncalves 2023-04-21 16:01:49 -03:00
parent d9c4b24d04
commit a1e1bfb155
15 changed files with 67 additions and 41 deletions


@ -182,6 +182,8 @@ Bootstrap system on controller-0
url: myprivateregistry.abc.com:9001/docker.io
registry.k8s.io:
url: myprivateregistry.abc.com:9001/registry.k8s.io
icr.io:
url: myprivateregistry.abc.com:9001/icr.io
defaults:
type: docker
username: <your_myprivateregistry.abc.com_username>
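Review bot: only `icr.io` is added to this `docker_registries` example, while the commit message and the service-parameter loops elsewhere in this change also introduce `ghcr-registry`; either add a matching `ghcr.io:` / `url: myprivateregistry.abc.com:9001/ghcr.io` pair to the bootstrap override examples or state explicitly that `ghcr.io` is only overridable after installation, so the bootstrap list and the post-install registry list agree.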


@ -182,6 +182,8 @@ Bootstrap system on controller-0
url: myprivateregistry.abc.com:9001/docker.io
registry.k8s.io
url: myprivateregistry.abc.com:9001/registry.k8s.io
icr.io:
url: myprivateregistry.abc.com:9001/icr.io
defaults:
type: docker
username: <your_myprivateregistry.abc.com_username>
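Review bot: the context line `registry.k8s.io` directly above the new `icr.io:` entry has no trailing colon, so this override example is not valid YAML (every sibling key, including the new one, has it); since the hunk already touches the adjacent lines, change it to `registry.k8s.io:` here rather than leaving a broken example next to a corrected one.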


@ -36,6 +36,8 @@ your server is isolated from the public Internet.
url: <my-registry.io>/docker.elastic.co
registry.k8s.io:
url: <my-registry.io>/registry.k8s.io
icr.io:
url: <my-registry.io>/icr.io
defaults:
type: docker
username: <your_my-registry.io_username>


@ -245,6 +245,8 @@ Bootstrap system on controller-0
url: myprivateregistry.abc.com:9001/docker.io
registry.k8s.io:
url: myprivateregistry.abc.com:9001/registry.k8s.io
icr.io:
url: myprivateregistry.abc.com:9001/icr.io
defaults:
type: docker
username: <your_myprivateregistry.abc.com_username>


@ -285,6 +285,8 @@ subcloud, the subcloud installation has these phases:
url: registry.central:9001/docker.elastic.co
registry.k8s.io:
url: registry.central:9001/registry.k8s.io
icr.io:
url: registry.central:9001/icr.io
defaults:
username: sysinv
password: <sysinv_password>


@ -199,6 +199,8 @@ subcloud, the subcloud installation process has two phases:
url: registry.central:9001/docker.elastic.co
registry.k8s.io:
url: registry.central:9001/registry.k8s.io
icr.io:
url: registry.central:9001/icr.io
defaults:
username: sysinv
password: <sysinv_password>


@ -10,6 +10,19 @@ You can install Portieris on |prod| from the command line.
.. rubric:: |proc|
.. note::
For systems upgraded from a previous release, please add service parameters
for the new icr registry that will contain images used by Portieris. You
will need to add 1 service parameter for the URL at a minimum: ``system
service-parameter-add docker icr-registry
url=myprivateregistry.abc.com:9001/icr.io``.
Refer to :ref:`About Changing External Registries for StarlingX
Installation
<about-changing-external-registries-for-starlingx-installation>` for more
details.
#. Locate the Portieris tarball in /usr/local/share/applications/helm.
For example:
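Review bot: the upgrade note tells the reader to add only the `icr-registry` `url` parameter, yet the secret procedures in this same change add `icr-registry` (and `ghcr-registry`) auth-secret handling; say when an `auth-secret` parameter is also required (a private mirror that demands credentials), mention `ghcr-registry` in the same note since the commit message adds it too, and state whether the new parameter has to be applied before the application is applied. Wording: "please add service parameters" -> "add service parameters", and "add 1 service parameter" -> "add one service parameter".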
@ -44,7 +57,6 @@ You can install Portieris on |prod| from the command line.
~(keystone_admin)]$ system helm-override-update portieris portieris-certs portieris --values caCert.yaml
#. Apply the application.
.. code-block:: none


@ -56,7 +56,7 @@ registry+notary server
.. code-block:: none
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy
metadata:
name: allow-all-icrio
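Review bot: moving the example to `apiVersion: portieris.cloud.ibm.com/v1` is correct for the up-versioned chart, but `ImagePolicy` and `ClusterImagePolicy` objects that operators created on earlier releases under `securityenforcement.admission.cloud.ibm.com/v1beta1` belong to a different API group and will not be seen by the new webhook; the upgrade path should tell operators to re-create their policies with the new `apiVersion` and verify enforcement before relying on image-signature checks after the up-version.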
@ -69,7 +69,7 @@ registry+notary server
.. code-block:: none
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy
metadata:
name: allow-custom


@ -17,33 +17,6 @@ system.
~(keystone_admin)]$ system application-remove portieris
#. Delete kubernetes resources not automatically removed in the previous step.
This is required if you plan to reapply the application.
.. code-block:: none
~(keystone_admin)]$ kubectl delete clusterroles.rbac.authorization.k8s.io portieris
~(keystone_admin)]$ kubectl delete clusterrolebindings.rbac.authorization.k8s.io admission-portieris-webhook
~(keystone_admin)]$ kubectl delete -n portieris cm/image-policy-crds
~(keystone_admin)]$ kubectl delete -n portieris serviceaccounts/portieris
.. note::
If this step is done before removing the application in step 1, the
removal will fail, leaving the application in the **remove-failed**
state. In such cases you will need to issue the following commands
to recover:
.. code-block:: none
~(keystone_admin)]$ kubectl delete MutatingWebhookConfiguration image-admission-config --ignore-not-found=true
~(keystone_admin)]$ kubectl delete ValidatingWebhookConfiguration image-admission-config --ignore-not-found=true
~(keystone_admin)]$ kubectl delete crd clusterimagepolicies.securityenforcement.admission.cloud.ibm.com imagepolicies.securityenforcement.admission.cloud.ibm.com --ignore-not-found=true
~(keystone_admin)]$ kubectl delete clusterroles.rbac.authorization.k8s.io portieris --ignore-not-found=true
~(keystone_admin)]$ kubectl delete clusterrolebindings.rbac.authorization.k8s.io admission-portieris-webhook --ignore-not-found=true
~(keystone_admin)]$ kubectl delete ns/portieris --ignore-not-found=true
~(keystone_admin)]$ helm delete portieris-portieris --purge --no-hooks
~(keystone_admin)]$ system application-remove portieris
#. Delete the application.
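Review bot: this hunk drops the whole manual cleanup step together with the recovery commands for the **remove-failed** state without saying what replaces them. If the new chart now removes its ClusterRole, ClusterRoleBinding, ConfigMap, ServiceAccount and webhook configurations on its own, one sentence stating that is enough; otherwise keep a recovery path, because a `MutatingWebhookConfiguration` / `ValidatingWebhookConfiguration` with a `Fail` failure policy that outlives the Portieris service blocks pod admission cluster-wide until someone deletes it. If the recovery steps are restored, `helm delete portieris-portieris --purge --no-hooks` is Helm 2 syntax and needs the Helm 3 `helm uninstall` form.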


@ -11,11 +11,12 @@ and application updates.
When installing and upgrading |prod| or applying and updating |prod|
applications, container images are pulled from external registries, for various
services. By default, these container images are pulled from the following
public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, and ``docker.io``.
During installation, specifically during the bootstrap step, these external registries
can be overridden using the 'docker_registries' variable in the bootstrap
override file. This task provides a procedure for changing these external
registries **after** installing |prod|.
public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, ``docker.io``,
``icr.io``, ``ghcr.io``, and ``registry.k8s.io``. During installation,
specifically during the bootstrap step, these external registries can be
overridden using the 'docker_registries' variable in the bootstrap override
file. This task provides a procedure for changing these external registries
**after** installing |prod|.
.. rubric:: |context|
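Review bot: the new registry list names seven public registries but the reader has no way to map them to the service-parameter sections used later in this change (`k8s-registry` for ``k8s.gcr.io`` versus `registryk8s-registry` for ``registry.k8s.io`` is the confusing pair); consider adding the parameter name beside each registry. Style: `'docker_registries'` should be the literal ``docker_registries`` like the other identifiers in this paragraph.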


@ -12,7 +12,7 @@ registries' URLs using the following command:
.. code-block:: none
NEW_URL_START=new-registry.domain.com:9001
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do
uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'`
url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}' | cut -d '/' -f 2-`
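Review bot: adding `registryk8s-registry` to the loop breaks the lookup `system service-parameter-list |grep $registry | grep url`: when `$registry` is `k8s-registry` the substring also matches the `registryk8s-registry` row, `uuid` receives two UUIDs separated by a newline, and `system service-parameter-show $uuid` fails or shows the wrong entry. Match the whole name instead, for example `grep -w "$registry"` (the word boundary excludes the `registryk8s-` prefix) or `grep " $registry "`, and quote `$registry`.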


@ -17,7 +17,7 @@ To create the auth-secrets for the new registries, use the following command:
NEW_USERNAME_PASSWORD="username:docker password:********"
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do
openstack secret store -n ${registry}-secret -p "${NEW_USERNAME_PASSWORD}"
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}' | awk -F/ '{print $6}'`
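Review bot: same substring problem as the URL loop: `openstack secret list |grep ${registry}-secret` for `k8s-registry` also matches `registryk8s-registry-secret` once that secret exists, so `secret_uuid` holds two values and whatever consumes it receives a malformed reference; use `grep -w "${registry}-secret"`. Also, `openstack secret store` does not reject a duplicate name, so re-running this loop silently creates a second secret per registry; either check for an existing secret first or point the reader to the update procedure.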


@ -18,7 +18,7 @@ To update the auth-secrets for the new registries, use the following command:
NEW_USERNAME_PASSWORD="username:docker password:********"
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do
secret=`openstack secret list | grep ${registry}-secret | awk '{print $2}'`
openstack secret delete ${secret}
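Review bot: the ordering here makes the substring match destructive: for `k8s-registry`, `grep ${registry}-secret` also returns the `registryk8s-registry-secret` UUID, so `openstack secret delete ${secret}` receives both and deletes the registryk8s-registry secret as well, before that registry's own iteration later in the loop re-creates it. Use `grep -w "${registry}-secret"` and quote `"${secret}"` so a multi-line value fails loudly instead of deleting two secrets.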


@ -10,7 +10,7 @@ To display the updated URLs, use the following command:
.. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do
uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'`
url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}'`
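Review bot: `grep $registry` is ambiguous now that both `k8s-registry` and `registryk8s-registry` are in the loop; the `k8s-registry` iteration picks up two rows and `system service-parameter-show $uuid` misbehaves. Use `grep -w "$registry"` here as in the update loop.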
@ -23,6 +23,8 @@ You will get the following output:
docker-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.io
quay-registry URL is new-registry.domain.com:9001/product-abc/starlingx/quay.io
icr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/icr.io
ghcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/ghcr.io
elastic-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.elastic.co
gcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/gcr.io
k8s-registry URL is new-registry.domain.com:9001/product-abc/starlingx/k8s.gcr.io
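Review bot: the loop above now iterates `registryk8s-registry`, but the sample output only gains the `icr-registry` and `ghcr-registry` lines; add the `registryk8s-registry URL is new-registry.domain.com:9001/product-abc/starlingx/registry.k8s.io` line, and order the sample output the same way as the loop, so the reader can tell the last iteration succeeded.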


@ -9,7 +9,7 @@ To verify the registries' secret configuration changes, use the following comman
.. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry
do
echo $registry
secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}'`
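Review bot: `grep ${registry}-secret` matches both `k8s-registry-secret` and `registryk8s-registry-secret` during the `k8s-registry` iteration, so this verification prints two UUIDs for one registry; use `grep -w "${registry}-secret"` as in the other loops.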
@ -64,6 +64,28 @@ gcr-registry
k8s-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
icr-registry
.. table::
:widths: auto
+---------+-----------------------------------+
| Field | Value |
+---------+-----------------------------------+
| Payload | username:docker password:******** |
+---------+-----------------------------------+
ghcr-registry
.. table::
:widths: auto
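Review bot: tables are added for `icr-registry` and `ghcr-registry` only, but the verification loop above also iterates `registryk8s-registry`; either add its table or, if that registry has no auth-secret, drop it from this loop so the sample output matches what the command prints.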
@ -78,7 +100,7 @@ registry entries in the service parameter table, use the following command:
.. code-block:: none
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry
do
echo $registry
uuid=`system service-parameter-list |grep $registry | grep auth-secret | awk '{print $2}'`
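Review bot: this loop leaves out `registryk8s-registry` while every other loop in this change includes it; if `registryk8s-registry` has no `auth-secret` parameter, say so next to the loop, otherwise add it here and to the sample output that follows. The `grep $registry | grep auth-secret` lookup has the same `k8s-registry` / `registryk8s-registry` substring collision as the URL loops once both are present, so use `grep -w "$registry"`.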
@ -104,6 +126,10 @@ You will get the following output:
4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1 4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1
k8s-registry
96d722e6-ab97-4185-9b97-64ee90c6162c 96d722e6-ab97-4185-9b97-64ee90c6162c
icr-registry
6fdaf773-a253-4b48-b9ff-d9dce1401c33 6fdaf773-a253-4b48-b9ff-d9dce1401c33
ghcr-registry
56b03b2b-7685-449d-ade4-3d8c4e73649f 56b03b2b-7685-449d-ade4-3d8c4e73649f
To add the CA Certificate, go to :ref:`Add the CA Certificate for New Registry
<add-the-ca-certificate-for-new-registry>`.