Docker Images and Global Credentials in OpenShift

I recently fell foul of the Docker rate limiting that was introduced back in 2020. It specifically limits anonymous pulls to 100 per IP endpoint within a 6-hour period. Now normally this is not an issue... except if you have a power outage overnight!

My lab UPS shut everything down smoothly, but upon starting everything up again, it pulled every image from fresh, and with the OpenShift, RKE2 and multiple Docker hosts all going at the same time... I hit that limit pretty quick. Now I do have a Docker subscription at $60 per year which allows up to 5000 pulls per 6 hours, but I'd completely forgotten to add it to my OpenShift environment.

One quick google later and it's actually fairly easy to do.

Firstly, you save a copy of the existing global pull secret:


oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > pull-secret.orig

Once you've done that, you need to add in your Docker Hub credentials, making sure not to remove any of the other global authentication items for Quay, Red Hat or any private registries you've got in there.


oc create secret docker-registry docker \
  --docker-server=docker.io \
  --docker-username=<username> \
  --docker-password=<password> \
  --docker-email=<email>

oc secrets link default docker --for=pull

This creates a new secret for Docker. Sometimes I've found it overwrites all the Red Hat registry stuff, which is why we downloaded a copy of the original to the file pull-secret.orig. We can then add that Red Hat specific stuff back in so your file looks something like this:


cp pull-secret.orig pull-secret.new

nano pull-secret.new

{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "************************"
		},
		"reg.lab.home": {
			"auth": "************************"
		},
		"cloud.openshift.com": {
			"auth": "************************",
			"email": "<account email address>"
		},
		"registry.connect.redhat.com": {
			"auth": "*************************",
			"email": "<account email address>"
		},
		"registry.redhat.io": {
			"auth": "***************************",
			"email": "<account email address>"
		},
		"quay.io": {
			"auth": "**************************",
			"email": "<account email address>"
		}
	},
	"plugins": {
		"-x-cli-hints": {
			"enabled": "true"
		}
	}
}

Just make sure that the formatting is correct. It's very easy to miss the comma at the end of a key/value line... this is a JSON object of key/value pairs after all. If you're having difficulty, I've found that pasting the entire thing into ChatGPT or Copilot will often highlight the incorrect/missing elements.

Lastly we need to re-upload that pull-secret file to overwrite the existing config in OpenShift:


oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=pull-secret.new

If the formatting is correct, it will overwrite the existing credentials; if it is wrong, it will tell you. Once this is done you should be set to go using your new Docker account credentials and avoid any future rate limiting.
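
A local check to run on pull-secret.new before the upload step, so the credentials never leave the machine. This is an added example, not part of the original post: it reports the position of a JSON syntax error, any registry that was in pull-secret.orig but is missing from the new file, and any "auth" value that is not base64 of user:password (the standard Docker config format). The function names and the sample data are constructed for illustration.

```python
import base64
import binascii
import json
import sys

def check_pull_secret(orig_text, new_text):
    """Return a list of problems in new_text; an empty list means safe to upload."""
    try:
        new = json.loads(new_text)
    except json.JSONDecodeError as e:
        # Reports where the parser stopped, e.g. just after a missing comma
        return [f"invalid JSON at line {e.lineno} column {e.colno}: {e.msg}"]
    auths = new.get("auths") if isinstance(new, dict) else None
    if not isinstance(auths, dict):
        return ['top-level "auths" object is missing']
    problems = []
    # Every registry in the original secret must still be present
    orig_auths = json.loads(orig_text).get("auths", {})
    for registry in sorted(set(orig_auths) - set(auths)):
        problems.append(f"{registry}: in original but missing from new file")
    # Each "auth" must be base64 of "user:password"; decoded values are never printed
    for registry, entry in sorted(auths.items()):
        try:
            decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        except (AttributeError, TypeError, binascii.Error, UnicodeDecodeError):
            problems.append(f"{registry}: auth is not valid base64")
            continue
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            problems.append(f"{registry}: auth does not decode to user:password")
    return problems

def sample(*registries):
    """Build a constructed pull secret with dummy credentials (not real ones)."""
    auth = base64.b64encode(b"user:dummy-token").decode()
    return json.dumps({"auths": {r: {"auth": auth} for r in registries}}, indent=2)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py pull-secret.orig pull-secret.new
        with open(sys.argv[1]) as f_orig, open(sys.argv[2]) as f_new:
            found = check_pull_secret(f_orig.read(), f_new.read())
    else:  # no files given: run on constructed data with quay.io dropped
        found = check_pull_secret(sample("quay.io", "registry.redhat.io"),
                                  sample("docker.io", "registry.redhat.io"))
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

The script exits non-zero when it finds a problem, so it can gate the oc set data command in a shell one-liner.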