diff --git a/scripts/image-redirection-tools/hcp/README.md b/scripts/image-redirection-tools/hcp/README.md
new file mode 100644
index 000000000..c090ca7c8
--- /dev/null
+++ b/scripts/image-redirection-tools/hcp/README.md
@@ -0,0 +1,34 @@
+# Overview
+
+On [OpenShift Hosted Control Planes](https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/hosted_control_planes/hosted-control-planes-overview), there is no first class support for image registry redirection, which is on OpenShift deployments provided via [`ImageContentSourcePolicy`](https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/images/image-configuration#images-configuration-blocked-payload) or [`ImageDigestMirrorSet`](https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/config_apis/imagedigestmirrorset-config-openshift-io-v1)
+
+There if RFE to provide support for image registry redirection https://issues.redhat.com/browse/XCMSTRAT-994 , yet this document provides stop-gap solution on Hosted Control Planes, before the first class support is provided.
+
+The procedure consists of two steps:
+- creating an image pull secret for the registry mirror to use
+- create a (privileged) `DaemonSet` which updates the worker node's container runtime configuration file `/var/lib/kubelet/config.json`
+
+## Step 1 - create a secret for the additional config.json.
+
+The config.json can be created by `podman login --authfile`:
+
+```sh
+podman login -u [user]] -p [password] --authfile=/path/to/your/additional/config.json [registry]
+```
+
+Create the image pull secret `docker-auth-secret` in `kube-system` namespace:
+
+```sh
+oc create secret generic docker-auth-secret \
+--namespace kube-system \
+--from-file=.dockerconfigjson=/path/to/your/additional/config.json \
+--type=kubernetes.io/dockerconfigjson --dry-run=client -o yaml | oc apply -f
+```
+
+## Step 2 - create a DaemonSet updating container runtime configuration
+
+The DeamonSet init container updates the container runtime configuration on each of the worker node and then sleeps indefinitely.
+
+```sh
+oc apply -f update-docker-config-ds.yaml
+```
diff --git a/scripts/image-redirection-tools/hcp/update-docker-config-ds.yaml b/scripts/image-redirection-tools/hcp/update-docker-config-ds.yaml
new file mode 100644
index 000000000..a86b27f2a
--- /dev/null
+++ b/scripts/image-redirection-tools/hcp/update-docker-config-ds.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: update-docker-config
+ namespace: kube-system
+ labels:
+ app: update-docker-config
+spec:
+ selector:
+ matchLabels:
+ name: update-docker-config
+ template:
+ metadata:
+ labels:
+ name: update-docker-config
+ spec:
+ initContainers:
+ - command: ["/bin/sh", "-c"]
+ args:
+ - >
+ echo "Backing up or restoring config.json";
+ [[ -s /docker-config/config.json ]] && cp /docker-config/config.json /docker-config/config.json.bak || cp /docker-config/config.json.bak /docker-config/config.json;
+ echo "Merging secret with config.json";
+ /host/usr/bin/jq -s '.[0] * .[1]' /docker-config/config.json /auth/.dockerconfigjson > /docker-config/config.tmp;
+ mv /docker-config/config.tmp /docker-config/config.json;
+ systemctl reload crio
+ image: registry.access.redhat.com/ubi9:latest
+ imagePullPolicy: IfNotPresent
+ name: updater
+ resources: {}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: docker-auth-secret
+ mountPath: /auth
+ - name: docker
+ mountPath: /docker-config
+ - name: bin
+ mountPath: /host/usr/bin
+ - name: lib64
+ mountPath: /lib64
+ containers:
+ - resources:
+ requests:
+ cpu: "0.01"
+ image: registry.access.redhat.com/ubi9:latest
+ name: sleepforever
+ command: ["/bin/sh", "-c"]
+ args:
+ - >
+ while true; do
+ sleep 100000;
+ done
+ hostPID: true
+ volumes:
+ - name: docker-auth-secret
+ secret:
+ secretName: docker-auth-secret
+ - name: docker
+ hostPath:
+ path: /var/lib/kubelet/
+ - name: bin
+ hostPath:
+ path: /usr/bin
+ - name: lib64
+ hostPath:
+ path: /lib64
+ hostPathType: Directory
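Review bot: In the updater init container's args, `mv /docker-config/config.tmp /docker-config/config.json` runs unconditionally after the `jq` merge, so if jq fails (for example on a malformed `/auth/.dockerconfigjson`) an empty or partial config.tmp replaces the node's kubelet credentials and every pull on that node breaks until the next restart of the pod; chain it as `/host/usr/bin/jq -s '.[0] * .[1]' /docker-config/config.json /auth/.dockerconfigjson > /docker-config/config.tmp && mv /docker-config/config.tmp /docker-config/config.json`. The backup line has a related gap: once the merged file exists it is non-empty, so each later run copies the already-merged config.json over config.json.bak and the pre-merge original survives only the first run. The host `/usr/bin` and `/lib64` volumes are only read from, yet are mounted writable into a privileged, hostPID pod; adding `readOnly: true` to those two volumeMounts narrows what the pod can alter on the host. Whether `systemctl reload crio` can reach the host's systemd from this container is unclear, since nothing under `/run/systemd` is mounted and the command's exit status is not checked — worth confirming on a node, and the mount of the pull secret into a privileged pod in kube-system is a reason to keep the secret's RBAC tight.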