Update Credentials Used by Subcloud for Install Registry (registry.central)

On a subcloud that uses the System Controller’s Docker registry (registry.central) as its install registry, you should use the System Controller’s sysinv service credentials for accessing registry.central. This makes access to registry.central independent of changes to the Distributed Cloud’s Keystone admin user password.

Warning

If the following registry information/credentials are changed, a new subcloud backup must be taken to avoid having a backup that contains old registry credentials.

Use the following procedure to update credentials used by the Subcloud to access its install registry (registry.central) to the sysinv service credentials of the System Controller.

Procedure

1. On the System Controller, get the password for the sysinv services.

   $ keyring get sysinv services
   

2. On each subcloud, run the following script to update the Docker registry credentials to sysinv:

   $ ./update_docker_registry_auth.sh sysinv <sysinv_password>
   

   Where ./update_docker_registry_auth.sh script is:

   #!/bin/bash -e
   
   USAGE="usage: ${0##*/} <username> <password>"
   
   if [ "$#" -ne 2 ]
   then
     echo Missing arguments.
     echo $USAGE
     echo
     exit
   fi
   
   NEW_CREDS="username:$1 password:$2"
   
   echo
   
   for REGISTRY in docker-registry quay-registry elastic-registry gcr-registry k8s-registry
   do
   
     echo -n "Updating" $REGISTRY "credentials ."
     SECRET_UUID=`system service-parameter-list | fgrep $REGISTRY | fgrep auth-secret | awk '{print $10}'`
     if [ -z "$SECRET_UUID" ]
     then
      echo "No $REGISTRY entry in service-parameters"
      echo
      continue
     fi
     SECRET_REF=`openstack secret list | fgrep ${SECRET_UUID} | awk '{print $2}'`
     echo -n "."
     SECRET_VALUE=`openstack secret get ${SECRET_REF} --payload -f value`
     echo -n "."
   
     openstack secret delete ${SECRET_REF} > /dev/null
     echo -n "."
     NEW_SECRET_VALUE=$NEW_CREDS
     openstack secret store -n ${REGISTRY}-secret -p "${NEW_SECRET_VALUE}" > /dev/null
     echo -n "."
     NEW_SECRET_REF=`openstack secret list | fgrep ${REGISTRY}-secret | awk '{print $2}'`
     NEW_SECRET_UUID=`echo "${NEW_SECRET_REF}" | awk -F/ '{print $6}'`
     system service-parameter-modify docker $REGISTRY auth-secret="${NEW_SECRET_UUID}" > /dev/null
     echo -n "."
     echo " done."
   
     echo -n "Validating $REGISTRY credentials updated to:  "
     SECRET_UUID=`system service-parameter-list | fgrep $REGISTRY | fgrep auth-secret | awk '{print $10}'`
     if [ -z "$SECRET_UUID" ]
     then
      continue
     fi
     SECRET_REF=`openstack secret list | fgrep ${SECRET_UUID} | awk '{print $2}'`
     SECRET_VALUE=`openstack secret get ${SECRET_REF} --payload -f value`
     echo $SECRET_VALUE
   
     echo
   
   done
   

3. Lock and Unlock the Controller.

   ~(keystone_admin)]$ system host-lock controller-0
   

   ~(keystone_admin)]$ system host-unlock controller-0
   

Note

If the system is a AIO-DX, each controller will need to be locked and unlocked.