How to replace the pull secret in OpenShift hosted control planes (HCP)

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Hosted control planes (HCP)

Issue

  • How to replace the pull secret in OpenShift hosted control plane (HCP) clusters.
  • Need to change the pull secret of a hosted control plane (HCP) cluster.

Resolution

The solution "How to change the global pull secret in OpenShift 4" provides generic information for updating or changing the pull secret in OpenShift 4 clusters.

For HCP clusters, refer to the above solution to change the pull secret for the hosting cluster (the management cluster). If the pull secret needs to be changed in a hosted cluster, continue reading this solution.

Testing a pull secret before changing it in the cluster

Before updating the pull secret in the cluster, test that the new pull secret is valid and working:

$ podman pull --authfile /path/to/downloaded/pull-secret registry.redhat.io/ubi8/ubi:latest
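
An offline structural check that complements the `podman pull` test above, which only exercises one registry: it confirms the file is well-formed dockerconfigjson before it is loaded into a secret. This is an added example, not part of the original solution; the function name `check_pull_secret`, the default required registry (taken from the test command above) and the assumption that every entry carries a base64 `auth` field are choices made for this example.

```python
import base64
import json
import sys


def check_pull_secret(text, required=("registry.redhat.io",)):
    """Return a list of problems in dockerconfigjson text; empty means OK.

    Messages name registries only and never echo credential material.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ['top-level "auths" object is missing or empty']

    problems = []
    for registry, entry in auths.items():
        # Assumption: each entry uses an "auth" field holding base64(user:password).
        auth = entry.get("auth") if isinstance(entry, dict) else None
        if not isinstance(auth, str) or not auth:
            problems.append(f'{registry}: no "auth" value')
            continue
        try:
            decoded = base64.b64decode(auth, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and non-UTF-8 payloads
            problems.append(f"{registry}: auth is not valid base64 text")
            continue
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            problems.append(f"{registry}: auth does not decode to user:password")
    for registry in required:
        if registry not in auths:
            problems.append(f"{registry}: required registry has no entry")
    return problems


def encode_auth(value):
    return base64.b64encode(value.encode()).decode()


# Constructed sample data, not real credentials.
GOOD = json.dumps({"auths": {"registry.redhat.io": {"auth": encode_auth("user:token")},
                             "quay.io": {"auth": encode_auth("robot:token")}}})
BAD = json.dumps({"auths": {"quay.io": {"auth": encode_auth("no-colon")}}})

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the BAD sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD
    found = check_pull_secret(source)
    print("\n".join(found) or "pull secret structure OK")
    sys.exit(1 if found else 0)
```

A clean result only means the file is well formed; whether the registry accepts the credentials is still what the `podman pull` test establishes.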

Replacing the pull secret for a hosted HCP cluster


`clusters` is the namespace on the host cluster used in this example. Replace it with the namespace where the `HostedCluster` Custom Resource (CR) whose pull secret is going to be changed is deployed.

  • Create a new secret using the updated pull secret data:

    $ oc create secret generic <new-pull-secret> --from-file=.dockerconfigjson=./pull-secret.txt --type=kubernetes.io/dockerconfigjson -n clusters
    
  • Update the HostedCluster Custom Resource (CR) .spec.pullSecret.name with the name of the newly created secret:

    $ oc edit hostedclusters.hypershift.openshift.io <HostedCluster_name> -n clusters
    
  • Verify that the secret is correctly set in the HostedCluster CR:

    $ oc get hostedclusters.hypershift.openshift.io <HostedCluster_name> -o json -n clusters | jq .spec.pullSecret.name
      "<new-pull-secret>"  
    
  • Verify that the respective NodePool has started updating with the new pull secret:

    $ oc get nodepools.hypershift.openshift.io -n clusters

    NAME                               CLUSTER              DESIRED NODES  CURRENT NODES  AUTOSCALING  AUTOREPAIR  VERSION  UPDATINGVERSION  UPDATINGCONFIG  MESSAGE
    <hosted_cluster>-ap-south-1a       <hosted_cluster>     2              2              False        False       4.18.12  False            True
    

Root Cause

To update the pull secret of a hosted HCP cluster, the change needs to be made in the hostedclusters resource on the host cluster.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.