diff --git a/doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst b/doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst index a6f879471..a29608caf 100644 --- a/doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst @@ -182,6 +182,8 @@ Bootstrap system on controller-0 url: myprivateregistry.abc.com:9001/docker.io registry.k8s.io: url: myprivateregistry.abc.com:9001/registry.k8s.io + icr.io: + url: myprivateregistry.abc.com:9001/icr.io defaults: type: docker username: diff --git a/doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst b/doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst index db41783b8..d8e241d73 100644 --- a/doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst @@ -182,6 +182,8 @@ Bootstrap system on controller-0 url: myprivateregistry.abc.com:9001/docker.io registry.k8s.io url: myprivateregistry.abc.com:9001/registry.k8s.io + icr.io: + url: myprivateregistry.abc.com:9001/icr.io defaults: type: docker username: diff --git a/doc/source/deploy_install_guides/release/bare_metal/bootstrapping-from-a-private-docker-registry.rst b/doc/source/deploy_install_guides/release/bare_metal/bootstrapping-from-a-private-docker-registry.rst index c8b598967..c952a373a 100644 --- a/doc/source/deploy_install_guides/release/bare_metal/bootstrapping-from-a-private-docker-registry.rst +++ b/doc/source/deploy_install_guides/release/bare_metal/bootstrapping-from-a-private-docker-registry.rst @@ -36,6 +36,8 @@ your server is isolated from the public Internet. url: /docker.elastic.co registry.k8s.io: url: /registry.k8s.io + icr.io: + url: /icr.io defaults: type: docker username: 
diff --git a/doc/source/deploy_install_guides/release/bare_metal/controller_storage_install_kubernetes.rst b/doc/source/deploy_install_guides/release/bare_metal/controller_storage_install_kubernetes.rst index f685585ba..e402836c5 100644 --- a/doc/source/deploy_install_guides/release/bare_metal/controller_storage_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/release/bare_metal/controller_storage_install_kubernetes.rst @@ -245,6 +245,8 @@ Bootstrap system on controller-0 url: myprivateregistry.abc.com:9001/docker.io registry.k8s.io: url: myprivateregistry.abc.com:9001/registry.k8s.io + icr.io: + url: myprivateregistry.abc.com:9001/icr.io defaults: type: docker username: diff --git a/doc/source/dist_cloud/kubernetes/installing-a-subcloud-using-redfish-platform-management-service.rst b/doc/source/dist_cloud/kubernetes/installing-a-subcloud-using-redfish-platform-management-service.rst index b90d8d571..e858683e9 100644 --- a/doc/source/dist_cloud/kubernetes/installing-a-subcloud-using-redfish-platform-management-service.rst +++ b/doc/source/dist_cloud/kubernetes/installing-a-subcloud-using-redfish-platform-management-service.rst @@ -285,6 +285,8 @@ subcloud, the subcloud installation has these phases: url: registry.central:9001/docker.elastic.co registry.k8s.io: url: registry.central:9001/registry.k8s.io + icr.io: + url: registry.central:9001/icr.io defaults: username: sysinv password: diff --git a/doc/source/dist_cloud/kubernetes/installing-a-subcloud-without-redfish-platform-management-service.rst b/doc/source/dist_cloud/kubernetes/installing-a-subcloud-without-redfish-platform-management-service.rst index c5af52ccd..4822a52eb 100644 --- a/doc/source/dist_cloud/kubernetes/installing-a-subcloud-without-redfish-platform-management-service.rst +++ b/doc/source/dist_cloud/kubernetes/installing-a-subcloud-without-redfish-platform-management-service.rst 
@@ -199,6 +199,8 @@ subcloud, the subcloud installation process has two phases: url: registry.central:9001/docker.elastic.co registry.k8s.io: url: registry.central:9001/registry.k8s.io + icr.io: + url: registry.central:9001/icr.io defaults: username: sysinv password: diff --git a/doc/source/security/kubernetes/install-portieris.rst b/doc/source/security/kubernetes/install-portieris.rst index 1e7c491a5..56f79eba3 100644 --- a/doc/source/security/kubernetes/install-portieris.rst +++ b/doc/source/security/kubernetes/install-portieris.rst @@ -10,6 +10,19 @@ You can install Portieris on |prod| from the command line. .. rubric:: |proc| +.. note:: + + For systems upgraded from a previous release, please add service parameters + for the new icr registry that will contain images used by Portieris. You + will need to add 1 service parameter for the URL at a minimum: ``system + service-parameter-add docker icr-registry + url=myprivateregistry.abc.com:9001/icr.io``. + + Refer to :ref:`About Changing External Registries for StarlingX + Installation + ` for more + details. + #. Locate the Portieris tarball in /usr/local/share/applications/helm. For example: @@ -44,7 +57,6 @@ You can install Portieris on |prod| from the command line. ~(keystone_admin)]$ system helm-override-update portieris portieris-certs portieris --values caCert.yaml - #. Apply the application. .. code-block:: none diff --git a/doc/source/security/kubernetes/portieris-clusterimagepolicy-and-imagepolicy-configuration.rst b/doc/source/security/kubernetes/portieris-clusterimagepolicy-and-imagepolicy-configuration.rst index 0b58a2d4b..3a13ecbbc 100644 --- a/doc/source/security/kubernetes/portieris-clusterimagepolicy-and-imagepolicy-configuration.rst +++ b/doc/source/security/kubernetes/portieris-clusterimagepolicy-and-imagepolicy-configuration.rst 
@@ -56,7 +56,7 @@ registry+notary server .. code-block:: none - apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 + apiVersion: portieris.cloud.ibm.com/v1 kind: ImagePolicy metadata: name: allow-all-icrio @@ -69,7 +69,7 @@ registry+notary server .. code-block:: none - apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 + apiVersion: portieris.cloud.ibm.com/v1 kind: ImagePolicy metadata: name: allow-custom diff --git a/doc/source/security/kubernetes/remove-portieris.rst b/doc/source/security/kubernetes/remove-portieris.rst index 70aa8242c..1f6b3042c 100644 --- a/doc/source/security/kubernetes/remove-portieris.rst +++ b/doc/source/security/kubernetes/remove-portieris.rst 
@@ -17,33 +17,6 @@ system. ~(keystone_admin)]$ system application-remove portieris -#. Delete kubernetes resources not automatically removed in the previous step. - - This is required if you plan to reapply the application. - - .. code-block:: none - - ~(keystone_admin)]$ kubectl delete clusterroles.rbac.authorization.k8s.io portieris - ~(keystone_admin)]$ kubectl delete clusterrolebindings.rbac.authorization.k8s.io admission-portieris-webhook - ~(keystone_admin)]$ kubectl delete -n portieris cm/image-policy-crds - ~(keystone_admin)]$ kubectl delete -n portieris serviceaccounts/portieris - - .. note:: - If this step is done before removing the application in step 1, the - removal will fail, leaving the application in the **remove-failed** - state. In such cases you will need to issue the following commands - to recover: - - .. code-block:: none - - ~(keystone_admin)]$ kubectl delete MutatingWebhookConfiguration image-admission-config --ignore-not-found=true - ~(keystone_admin)]$ kubectl delete ValidatingWebhookConfiguration image-admission-config --ignore-not-found=true - ~(keystone_admin)]$ kubectl delete crd clusterimagepolicies.securityenforcement.admission.cloud.ibm.com imagepolicies.securityenforcement.admission.cloud.ibm.com --ignore-not-found=true - ~(keystone_admin)]$ kubectl delete clusterroles.rbac.authorization.k8s.io portieris --ignore-not-found=true - ~(keystone_admin)]$ kubectl delete clusterrolebindings.rbac.authorization.k8s.io admission-portieris-webhook --ignore-not-found=true - ~(keystone_admin)]$ kubectl delete ns/portieris --ignore-not-found=true - ~(keystone_admin)]$ helm delete portieris-portieris --purge --no-hooks - ~(keystone_admin)]$ system application-remove portieris #. Delete the application. 
diff --git a/doc/source/system_configuration/kubernetes/about-changing-external-registries-for-starlingx-installation.rst b/doc/source/system_configuration/kubernetes/about-changing-external-registries-for-starlingx-installation.rst index a99f8a3d2..09fc3f831 100644 --- a/doc/source/system_configuration/kubernetes/about-changing-external-registries-for-starlingx-installation.rst +++ b/doc/source/system_configuration/kubernetes/about-changing-external-registries-for-starlingx-installation.rst @@ -11,11 +11,12 @@ and application updates. When installing and upgrading |prod| or applying and updating |prod| applications, container images are pulled from external registries, for various services. By default, these container images are pulled from the following -public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, and ``docker.io``. -During installation, specifically during the bootstrap step, these external registries -can be overridden using the 'docker_registries' variable in the bootstrap -override file. This task provides a procedure for changing these external -registries **after** installing |prod|. +public registries: ``k8s.gcr.io``, ``gcr.io``, ``quay.io``, ``docker.io``, +``icr.io``, ``ghcr.io``, and ``registry.k8s.io``. During installation, +specifically during the bootstrap step, these external registries can be +overridden using the 'docker_registries' variable in the bootstrap override +file. This task provides a procedure for changing these external registries +**after** installing |prod|. .. rubric:: |context| diff --git a/doc/source/system_configuration/kubernetes/change-the-registry-url.rst b/doc/source/system_configuration/kubernetes/change-the-registry-url.rst index 9d3b01bb1..625ff9962 100644 --- a/doc/source/system_configuration/kubernetes/change-the-registry-url.rst +++ b/doc/source/system_configuration/kubernetes/change-the-registry-url.rst 
@@ -12,7 +12,7 @@ registries' URLs using the following command: .. code-block:: none NEW_URL_START=new-registry.domain.com:9001 - for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry + for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry do uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'` url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}' | cut -d '/' -f 2-` diff --git a/doc/source/system_configuration/kubernetes/create-the-registry-secrets.rst b/doc/source/system_configuration/kubernetes/create-the-registry-secrets.rst index 6457df2f3..c89cf8bd8 100644 --- a/doc/source/system_configuration/kubernetes/create-the-registry-secrets.rst +++ b/doc/source/system_configuration/kubernetes/create-the-registry-secrets.rst @@ -17,7 +17,7 @@ To create the auth-secrets for the new registries, use the following command: NEW_USERNAME_PASSWORD="username:docker password:********" - for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry + for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry do openstack secret store -n ${registry}-secret -p "${NEW_USERNAME_PASSWORD}" secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}' | awk -F/ '{print $6}'` diff --git a/doc/source/system_configuration/kubernetes/update-the-registry-secrets.rst b/doc/source/system_configuration/kubernetes/update-the-registry-secrets.rst index 964d900d4..d4d3ae608 100644 --- a/doc/source/system_configuration/kubernetes/update-the-registry-secrets.rst +++ b/doc/source/system_configuration/kubernetes/update-the-registry-secrets.rst 
@@ -18,7 +18,7 @@ To update the auth-secrets for the new registries, use the following command: NEW_USERNAME_PASSWORD="username:docker password:********" - for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry + for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry do secret=`openstack secret list | grep ${registry}-secret | awk '{print $2}'` openstack secret delete ${secret} diff --git a/doc/source/system_configuration/kubernetes/validate-existing-registry-and-new-url.rst b/doc/source/system_configuration/kubernetes/validate-existing-registry-and-new-url.rst index 6924528ef..ecd98d0f8 100644 --- a/doc/source/system_configuration/kubernetes/validate-existing-registry-and-new-url.rst +++ b/doc/source/system_configuration/kubernetes/validate-existing-registry-and-new-url.rst @@ -10,7 +10,7 @@ To display the updated URLs, use the following command: .. code-block:: none - for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry + for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry do uuid=`system service-parameter-list |grep $registry | grep url | awk '{print $2}'` url_path=`system service-parameter-show $uuid | grep value | awk '{print $4}'` 
@@ -23,6 +23,8 @@ You will get the following output: docker-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.io quay-registry URL is new-registry.domain.com:9001/product-abc/starlingx/quay.io + icr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/icr.io + ghcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/ghcr.io elastic-registry URL is new-registry.domain.com:9001/product-abc/starlingx/docker.elastic.co gcr-registry URL is new-registry.domain.com:9001/product-abc/starlingx/gcr.io k8s-registry URL is new-registry.domain.com:9001/product-abc/starlingx/k8s.gcr.io diff --git a/doc/source/system_configuration/kubernetes/verify-the-registry-secret-changes-and-secret-key-in-system-database.rst b/doc/source/system_configuration/kubernetes/verify-the-registry-secret-changes-and-secret-key-in-system-database.rst index 3562f24fd..ea1ede659 100644 --- a/doc/source/system_configuration/kubernetes/verify-the-registry-secret-changes-and-secret-key-in-system-database.rst +++ b/doc/source/system_configuration/kubernetes/verify-the-registry-secret-changes-and-secret-key-in-system-database.rst @@ -9,7 +9,7 @@ To verify the registries' secret configuration changes, use the following comman .. code-block:: none - for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry + for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry registryk8s-registry do echo $registry secret_uuid=`openstack secret list |grep ${registry}-secret | awk '{print $2}'` 
@@ -64,6 +64,28 @@ gcr-registry k8s-registry +.. table:: + :widths: auto + + +---------+-----------------------------------+ + | Field | Value | + +---------+-----------------------------------+ + | Payload | username:docker password:******** | + +---------+-----------------------------------+ + +icr-registry + +.. table:: + :widths: auto + + +---------+-----------------------------------+ + | Field | Value | + +---------+-----------------------------------+ + | Payload | username:docker password:******** | + +---------+-----------------------------------+ + +ghcr-registry + .. table:: :widths: auto @@ -78,7 +100,7 @@ registry entries in the service parameter table, use the following command: .. code-block:: none - for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry + for registry in docker-registry quay-registry elastic-registry gcr-registry k8s-registry icr-registry ghcr-registry do echo $registry uuid=`system service-parameter-list |grep $registry | grep auth-secret | awk '{print $2}'` @@ -104,6 +126,10 @@ You will get the following output: 4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1 4c58aa1a-2026-49d2-8f9c-f3f6b4b34eb1 k8s-registry 96d722e6-ab97-4185-9b97-64ee90c6162c 96d722e6-ab97-4185-9b97-64ee90c6162c + icr-registry + 6fdaf773-a253-4b48-b9ff-d9dce1401c33 6fdaf773-a253-4b48-b9ff-d9dce1401c33 + ghcr-registry + 56b03b2b-7685-449d-ade4-3d8c4e73649f 56b03b2b-7685-449d-ade4-3d8c4e73649f To add the CA Certificate, go to :ref:`Add the CA Certificate for New Registry `. \ No newline at end of file
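Review bot: In the aio_simplex_install_kubernetes.rst hunk, the context line directly above the new `icr.io:` entry reads `registry.k8s.io` with no trailing colon, so the sample override is not valid YAML once a reader copies it. The duplex and controller_storage versions of the same block have `registry.k8s.io:`. Since this change already touches that block, please fix the key in the same patch.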
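Review bot: The note added to install-portieris.rst says a URL parameter is needed "at a minimum" without saying what else may be required. The registry-secret procedures changed in this same patch create and verify an auth-secret for `icr-registry`, so name that parameter here or link to the procedure for registries that require authentication. Two smaller points in the same note: write "one service parameter" rather than "1", and put the `system service-parameter-add docker icr-registry url=...` command in a code-block, because as an inline literal it is wrapped in the middle of the command.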
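Review bot: Both ImagePolicy examples in portieris-clusterimagepolicy-and-imagepolicy-configuration.rst now use `apiVersion: portieris.cloud.ibm.com/v1`, but the page gives no guidance for policies already written against `securityenforcement.admission.cloud.ibm.com/v1beta1`. The install page in this patch explicitly addresses upgraded systems, so please add a sentence here stating whether existing ImagePolicy and ClusterImagePolicy objects must be recreated under the new API group after upgrade. An operator should not have to discover after the fact that an image-trust policy is no longer being applied.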
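Review bot: The remove-portieris.rst hunk deletes the manual cleanup step and, with it, the only documented recovery path for an application stuck in **remove-failed**. If `system application-remove portieris` now removes the cluster role, cluster role binding, webhook configurations and CRDs itself, say so in the commit message and in the procedure. If a failed removal is still possible, keep a short troubleshooting note, updated for the new `portieris.cloud.ibm.com` CRD names, because a leftover admission webhook configuration affects every later pod admission.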
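Review bot: Adding `registryk8s-registry` to the `for registry in ...` lists breaks the existing `grep $registry` and `grep ${registry}-secret` lookups, because `k8s-registry` is a substring of `registryk8s-registry`. On the `k8s-registry` iteration the pipeline can now return two UUIDs in change-the-registry-url.rst, validate-existing-registry-and-new-url.rst and the verify page. In update-the-registry-secrets.rst, `openstack secret delete ${secret}` can then act on the wrong secret as well. Please match the name exactly, for example `grep -w "$registry"` or an awk comparison on the name column, and quote the variable in all five loops.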
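Review bot: `registryk8s-registry` is handled inconsistently in the verify and validate pages. In verify-the-registry-secret-changes-and-secret-key-in-system-database.rst the first loop includes it, but the second loop (`... k8s-registry icr-registry ghcr-registry`) omits it. The added payload tables and the added sample output cover only `icr-registry` and `ghcr-registry`, and the sample output in validate-existing-registry-and-new-url.rst likewise has no `registryk8s-registry` line although its loop now iterates over it. Add the missing loop entry and the matching table and output rows so the documented output matches what the commands print. The last file also ends without a trailing newline.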