How to change the global pull secret in OpenShift 4
Environment
- Red Hat OpenShift Container Platform (RHOCP)
- 4
- Pull Secret
Issue
- Unable to change global pull secret in OpenShift 4.
- Need to update or replace the global cluster pull secret.
Resolution
To change the pull secret used globally, access the cluster with a user that has cluster-admin permissions. The pull secret downloaded from the Red Hat Hybrid Cloud Console is also needed. It can also be downloaded using a REST API call.
Important Note: Changing the pull secret on its own will not update the cluster owner on the Red Hat Hybrid Cloud Console, so the transfer of the cluster must be initiated before changing the pull secret. Changing owner without doing this will break telemetry reporting. Refer to transfer ownership of an OpenShift 4 cluster for additional information about ownership transfer.
Testing a new pull secret before changing it in the cluster
Before updating the pull secret, test that the new pull secret is valid and working:
$ podman pull --authfile /path/to/downloaded/pull-secret registry.redhat.io/ubi8/ubi:latest
Note: If the newly downloaded pull secret is not working, it must be rotated as explained in how to request pull-secret rotation, and the new one downloaded after the rotation.
Changing the global pull secret
Refer to the documentation for [updating the global cluster pull secret](https://docs.openshift.com/container-platform/4.11/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets) for the required steps.
Note: As of OpenShift Container Platform 4.7.4, changes to the global pull secret no longer trigger a node drain or reboot.
For updating the pull secret in hosted HCP clusters, please refer to how to replace the pull secret in OpenShift Container Platform hosted control planes (HCP) instead.
Updating an existing secret
For updating the existing secret, use the following command:
$ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=/path/to/downloaded/pull-secret
Creating a secret
If a secret does not already exist and needs to be created, the following command will create the secret:
$ oc create secret generic pull-secret -n openshift-config --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=/path/to/downloaded/pull-secret
Root Cause
It is possible to update the global pull secret for a cluster by either replacing the current pull secret or appending a new pull secret.
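The following is an added example, not part of the original solution or Red Hat tooling: a local pre-flight check that validates a pull secret file and appends new entries to the current one before it is passed to oc set data. It assumes the standard .dockerconfigjson layout (a top-level "auths" object whose entries each carry a base64 "auth" value of user:password); the function names, sample credentials and registry.example.com are constructed for illustration.

```python
import base64
import binascii
import json


def validate_pull_secret(text):
    """Return the sorted registry names; raise ValueError on a malformed file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        raise ValueError('missing or empty top-level "auths" object')
    for registry, entry in auths.items():
        token = entry.get("auth") if isinstance(entry, dict) else None
        if not isinstance(token, str):
            raise ValueError(f'{registry}: no "auth" string')
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            raise ValueError(f"{registry}: auth is not valid base64 text") from None
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            raise ValueError(f"{registry}: auth does not decode to user:password")
    return sorted(auths)


def append_pull_secret(current_text, new_text):
    """Merge new entries into the current secret; new entries win on conflict."""
    validate_pull_secret(current_text)
    validate_pull_secret(new_text)
    merged = json.loads(current_text)
    merged["auths"].update(json.loads(new_text)["auths"])
    return json.dumps(merged, indent=2)


def _entry(user, password):
    # Constructed sample credential, not a real token.
    return {"auth": base64.b64encode(f"{user}:{password}".encode()).decode()}


# Constructed sample inputs (registry.example.com is a hypothetical registry).
CURRENT = json.dumps({"auths": {"registry.redhat.io": _entry("old-user", "old-token")}})
NEW = json.dumps({"auths": {"registry.redhat.io": _entry("new-user", "new-token"),
                            "registry.example.com": _entry("svc", "s3cret")}})

if __name__ == "__main__":
    # Registry names only; decoded credentials are never printed.
    print(validate_pull_secret(append_pull_secret(CURRENT, NEW)))
```

Write the merged output to a file with restrictive permissions and pass that path to --from-file=.dockerconfigjson= in the commands above. The structural check does not replace the podman pull test, which is what confirms the registry accepts the credentials.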
Diagnostic Steps
Check the secret with the following command:
$ oc get secret pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}'
Note: To make the content easier to review, if jq is available, it's possible to append | jq at the end of the above command.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.