Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This guide covers adding or updating your Red Hat pull secret for an existing Azure Red Hat OpenShift (ARO) 4.x cluster.
If you're creating a cluster for the first time, you can add your pull secret when you create your cluster. For more information about creating an ARO cluster with a Red Hat pull secret, see Create an Azure Red Hat OpenShift 4 cluster.
Prerequisites
This guide assumes you have an existing Azure Red Hat OpenShift 4 cluster. Ensure that you have administrator access to your cluster.
Prepare your pull secret
When you create an ARO cluster without adding a Red Hat pull secret, a pull secret is still created on your cluster automatically. However, this pull secret isn't fully populated.
This section walks through updating that pull secret with other values from your Red Hat pull secret.
Fetch the secret named
pull-secretin theopenshift-confignamespace and save it to a separate file by running the following command:oc get secrets pull-secret -n openshift-config -o template='{{index .data ".dockerconfigjson"}}' | base64 -d > pull-secret.jsonYour output should be similar to the following example and the actual secret value was removed.
{ "auths": { "arosvc.azurecr.io": { "auth": "<my-aroscv.azurecr.io-secret>" } } }Go to your Red Hat OpenShift cluster manager portal and select Download pull secret. Your Red Hat pull secret looks like the following sample and the actual secret values were removed.
{ "auths": { "cloud.openshift.com": { "auth": "<my-crc-secret>", "email": "violet@contoso.com" }, "quay.io": { "auth": "<my-quayio-secret>", "email": "violet@contoso.com" }, "registry.connect.redhat.com": { "auth": "<my-registry.connect.redhat.com-secret>", "email": "violet@contoso.com" }, "registry.redhat.io": { "auth": "<my-registry.redhat.io-secret>", "email": "violet@contoso.com" } } }Edit the pull secret file you got from your cluster by adding in the entries found in your Red Hat pull secret.
Important
If you include the
cloud.openshift.comentry from your Red Hat pull secret your cluster sends telemetry data to Red Hat. Include this section only if you want to send telemetry data. Otherwise, exclude the following section.{ "cloud.openshift.com": { "auth": "<my-crc-secret>", "email": "violet@contoso.com" }Caution
Don't remove or alter the
arosvc.azurecr.ioentry from your pull secret. This section is needed for your cluster to function properly."arosvc.azurecr.io": { "auth": "<my-aroscv.azurecr.io-secret>" }Your final file should look like the following example and the actual secret values were removed.
{ "auths": { "cloud.openshift.com": { "auth": "<my-crc-secret>", "email": "violet@contoso.com" }, "quay.io": { "auth": "<my-quayio-secret>", "email": "violet@contoso.com" }, "registry.connect.redhat.com": { "auth": "<my-registry.connect.redhat.com-secret>", "email": "violet@contoso.com" }, "registry.redhat.io": { "auth": "<my-registry.redhat.io-secret>", "email": "violet@contoso.com" }, "arosvc.azurecr.io": { "auth": "<my-aroscv.azurecr.io-secret>" } } }Ensure that the file is valid JSON. There are many ways to validate your JSON. The following example uses
jqto validate the file.cat pull-secret.json | jqIf there's an error in the file, it appears as
parse error.
Add your pull secret to your cluster
Run the following command to update your pull secret. In ARO 4.9 or older, running this command causes your cluster nodes to restart one by one as they're updated. In ARO 4.10 version or later, a restart isn't triggered.
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=./pull-secret.json
Verify that pull secret is in place
oc exec -n openshift-apiserver $(oc get pod -n openshift-apiserver -o jsonpath="{.items[0].metadata.name}") -- cat /var/lib/kubelet/config.json
After the secret is set, you're ready to enable Red Hat Certified Operators.
Modify the configuration files
Modify the following objects to enable Red Hat Operators.
Modify the Samples Operator configuration file. Then, you can run the following command to edit the configuration file:
oc edit configs.samples.operator.openshift.io/cluster -o yaml
Change the spec.managementState value from Removed to Managed.
The following YAML snippet shows only the relevant sections of the edited YAML file:
apiVersion: samples.operator.openshift.io/v1
kind: Config
metadata:
...
spec:
architectures:
- x86_64
managementState: Managed
Run the following command to edit the Operator Hub configuration file:
oc edit operatorhub cluster -o yaml
Change the Spec.Sources.Disabled value from true to false for any sources you want enabled.
The following YAML snippet shows only the relevant sections of the edited YAML file:
Name: cluster
...
dd3310b9-e520-4a85-98e5-8b4779ee0f61
Spec:
Sources:
Disabled: false
Name: certified-operators
Disabled: false
Name: redhat-operators
Save the file to apply your edits.
Validate that your secret is working
After you add your pull secret and modify the correct configuration files, your cluster updates can take several minutes to finish. To check that your cluster was updated, run the following command to show the Certified Operators and Red Hat Operators sources available:
$ oc get catalogsource -A
NAMESPACE NAME DISPLAY TYPE PUBLISHER AGE
openshift-marketplace certified-operators Certified Operators grpc Red Hat 10s
openshift-marketplace community-operators Community Operators grpc Red Hat 18h
openshift-marketplace redhat-operators Red Hat Operators grpc Red Hat 11s
If you don't see the Certified Operators and Red Hat Operators, wait a few minutes and try again.
To ensure that your pull secret was updated and is functional, open OperatorHub and check for any Red Hat verified Operator. For example, check to see if the OpenShift Container Storage Operator is available, and see if you have permissions to install.
Next steps
- To learn more about Red Hat pull secrets, see Using image pull secrets.
- To learn more about Red Hat OpenShift 4, see Red Hat OpenShift Container Platform Documentation.