Kubeinit / kubeinit

Ansible automation to have a KUBErnetes cluster INITialized as soon as possible...

Home Page: https://www.kubeinit.org

Pull Secret in OCP Cluster

saranshan85 opened this issue · comments

Hi,

I am trying to bring up an OCP cluster using kubeinit.
It fails asking for a pull secret. I have my pullsecret, but I am not sure where I should provide it and in what format.

TASK [kubeinit.kubeinit.kubeinit_openshift : Check for openshift pullsecret in kubeinit secrets] ***
task path: /home/saranya/.ansible/collections/ansible_collections/kubeinit/kubeinit/roles/kubeinit_openshift/tasks/prepare_cluster.yml:30
fatal: [localhost]: FAILED! => {
"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'openshift-pullsecret'\n\nThe error appears to be in '/home/saranya/.ansible/collections/ansible_collections/kubeinit/kubeinit/roles/kubeinit_openshift/tasks/prepare_cluster.yml': line 30, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Check for openshift pullsecret in kubeinit secrets\n ^ here\n"
}
[localhost] TASK: kubeinit.kubeinit.kubeinit_openshift : Check for openshift pullsecret in kubeinit secrets

Please can you provide an example of how the pullsecret needs to be populated.

Thanks in advance.
Appreciate your help.

Saranya

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

@gmarcy would you mind sharing the current steps you used to deploy OCP? Thanks!

this is my setup:

export KUBEINIT_SECRET_OPENSHIFT_PULLSECRET=~/.kubeinit/.secrets/openshift-pullsecret

the contents of that file is the pullsecret

for added security, but totally optional, I encrypt that data with ansible-vault

@saranshan85 and its content should be created following the docs 1

An example would look like:

apiVersion: v1
data:
  .dockerconfigjson: ewogICAiYXV0aHMiOnsKICAgICAgIm0iOnsKICAgICAgIsKICAgICAgICAgImF1dGgiOiJiM0JsYj0iLAogICAgICAgICAiZW1haWwiOiJ5b3VAZXhhbXBsZS5jb20iCiAgICAgIH0KICAgfQp9Cg==
kind: Secret
metadata:
  creationTimestamp: "2021-09-09T19:10:11Z"
  name: pull-secret
  namespace: default
  resourceVersion: "37676"
  uid: e2851531-01bc-48ba-878c-de96cfe31020
type: Opaque

@gmarcy am I correct?

no, that's where we put the information in the cluster. what's in the pullsecret file is the json that becomes that blob, i.e.

{
  "auths": {
    "cloud.openshift.com": {
      "auth": "b...g==",
      "email": "user@domain.com"
    },
    "quay.io": {
      "auth": "b...g==",
      "email": "user@domain.com"
    },
    "registry.connect.redhat.com": {
      "auth": "f...Q==",
      "email": "user@domain.com"
    },
    "registry.redhat.io": {
      "auth": "f...Q==",
      "email": "user@domain.com"
    }
  }
}

it doesn't need to be formatted pretty, often it's just one line, and it should be the exact same data you get from the redhat site when you ask for a pullsecret.
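
Added example (not part of the thread and not kubeinit's own code): a Python check that a file's contents are the pull secret JSON described in the last comment, rather than the Kubernetes Secret manifest or an ansible-vault ciphertext. The function name `check_pullsecret` and all sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import json


def check_pullsecret(text):
    """Return a list of problems; an empty list means the text looks like a pull secret."""
    if text.startswith("$ANSIBLE_VAULT;"):
        return ["ansible-vault ciphertext; decrypt before checking"]
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # The mix-up from the thread: the in-cluster Secret object, not its payload.
        if "kind: Secret" in text or ".dockerconfigjson" in text:
            return ["Kubernetes Secret manifest, not the pull secret JSON"]
        return ["not valid JSON"]
    if isinstance(doc, dict) and doc.get("kind") == "Secret":
        return ["Kubernetes Secret manifest, not the pull secret JSON"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ['top-level "auths" object is missing or empty']
    problems = []
    for registry, entry in auths.items():
        token = entry.get("auth") if isinstance(entry, dict) else None
        if not isinstance(token, str):
            problems.append(f'{registry}: no "auth" string')
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{registry}: auth is not valid base64")
            continue
        # Docker config convention: auth is base64("user:password").
        # Only the shape is checked; the decoded credential is never printed.
        if b":" not in decoded:
            problems.append(f"{registry}: auth does not decode to user:password")
    return problems


# Constructed sample inputs; none of these are real credentials.
_TOKEN = base64.b64encode(b"example-user:example-token").decode()
GOOD = json.dumps({"auths": {"quay.io": {"auth": _TOKEN, "email": "user@domain.com"}}})
MANIFEST = "apiVersion: v1\nkind: Secret\ndata:\n  .dockerconfigjson: e30=\n"
ELIDED = json.dumps({"auths": {"quay.io": {"auth": "b...g==", "email": "user@domain.com"}}})

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("MANIFEST", MANIFEST), ("ELIDED", ELIDED)):
        print(name, check_pullsecret(sample) or "ok")
```

The elided `b...g==` placeholders shown in the thread fail the base64 check, so the check also catches a file where the example was pasted instead of the real download.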