OpenShift has a really handy feature called Image Streams. It also has a built-in Docker V2 registry which is also very useful. However, the registry isn't really exposed outside the cluster. So how do you do rolling updates of images?
1. Ensure you have the needed RBAC policies
In order to push/pull from the internal OpenShift registry, your OpenShift user needs to have a few permissions. As either another cluster-admin user or via the Master OpenShift node in the system:admin user context, apply the following policies to your intended_user:
$ oc adm policy add-role-to-user system:registry <intended_user> -n <namespace/project>
$ oc adm policy add-role-to-user system:image-builder <intended_user> -n <namespace/project>
## or for cluster-wide access...
$ oc adm policy add-cluster-role-to-user system:registry <intended_user>
$ oc adm policy add-cluster-role-to-user system:image-builder <intended_user>
With those policies, you can access the internal registry with the intended_user and perform docker push/pull commands.
2. Log into your OpenShift application node
This is really the only trick to it - you don't want to do this on your Master nodes as that's in the system:admin context. You also can't do this on your local machine since it doesn't have access to the routed default.svc domain inside the cluster. So scoot on over to one of your infrastructure nodes and run the following:
$ oc login
$ sudo docker login -u openshift -p $(oc whoami -t) docker-registry.default.svc:5000
3. Pull n Push it Real Good
Now that we're logged into our internal OpenShift registry from an OpenShift application node, we can continue to push a new image to the Image Stream and Registry. When you have a Deployment Configuration that updates upon Image Change, this action will perform a Rolling Update as well.
$ sudo docker pull yourUser/someContainer:latest
$ sudo docker tag yourUser/someContainer:latest docker-registry.default.svc:5000/<namespace|project>/<image-stream-name>:<tag>
$ sudo docker push docker-registry.default.svc:5000/<namespace|project>/<image-stream-name>:<tag>
Now if your deployment is updated upon an Image Change you should see a rolling update happen very quickly - ultra-quick if you happen to be on the node that is running that pod, since the image layers are already on the system from your docker pull command!
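Steps 2 and 3 as one script, added here as an example and not part of the original post. It assumes `oc` and `docker` are on the PATH, that it runs on a node that resolves docker-registry.default.svc (run it with sudo, as the post does, if your user cannot talk to the Docker daemon), and that the function names and the REGISTRY variable are mine; it feeds the token to docker login on stdin rather than on the command line, and checks the image stream afterwards.

```shell
#!/bin/sh
# Example (not from the original post): push a local image into an OpenShift
# image stream through the internal registry, then confirm the stream updated.
set -eu

# Assumed default; override with REGISTRY=... if your registry route differs.
REGISTRY="${REGISTRY:-docker-registry.default.svc:5000}"

# Build the reference the internal registry expects:
# <registry>/<namespace>/<image-stream>:<tag>
registry_ref() {
  printf '%s/%s/%s:%s\n' "$REGISTRY" "$1" "$2" "$3"
}

# Accept only names the registry would accept; rejects empty values, leading
# '.' or '-', and anything (like '/' or '..') that could splice extra path
# components into the reference built above.
valid_component() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
    *) return 0 ;;
  esac
}

# Log into the internal registry with the current oc session token, piped on
# stdin so it does not end up in shell history or the process list.
registry_login() {
  oc whoami -t | docker login -u "$(oc whoami)" --password-stdin "$REGISTRY"
}

# push_to_imagestream <source-image> <namespace> <image-stream> <tag>
push_to_imagestream() {
  src="$1"; ns="$2"; is="$3"; tag="$4"
  valid_component "$ns" && valid_component "$is" && valid_component "$tag" || {
    echo "refusing bad namespace/image-stream/tag value" >&2; return 1; }
  dst="$(registry_ref "$ns" "$is" "$tag")"
  registry_login
  docker pull "$src"
  docker tag "$src" "$dst"
  docker push "$dst"
  # Show what the image stream tag now points at (digest reference).
  oc get is "$is" -n "$ns" \
    -o jsonpath="{.status.tags[?(@.tag==\"$tag\")].items[0].dockerImageReference}"
  echo
}

# Usage: ./push-is.sh yourUser/someContainer:latest <namespace> <image-stream> <tag>
if [ "$#" -eq 4 ]; then push_to_imagestream "$@"; fi
```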
If only someone were able to make this into an Ansible playbook that could be fired off as part of a script locally or via Ansible Tower...