In most operator samples, it is assumed that the Kubernetes cluster has a single worker node
and any images that are needed by that node have either been created on that node or
externally pulled to the node from a registry (using docker pull).
This is fine for most demonstration purposes,
and if this assumption is correct, then no additional steps
are needed to ensure that Kubernetes has access to the image.
Otherwise, additional steps are typically required to ensure that a Kubernetes cluster has access to domain images.
For example, it is typical in production deployments for the Kubernetes cluster to be remote and have multiple worker nodes, and to store domain images in a central repository that requires authentication.
Here are two typical scenarios for supplying domain images to such deployments:
Option 1: Store images in a central registry and set up image pull secrets on each domain resource
Option 2: Store images in a central registry and set up a Kubernetes service account with image pull secrets in each domain namespace
The most commonly used option is to store the image in a central registry and set up image pull secrets for a domain resource:
A Kubernetes docker-registry secret containing the registry credentials must be created
in the same namespace as domain resources with a domain.spec.image attribute that reference the image.
For example, to create a secret with OCR credentials:
$ kubectl create secret docker-registry SECRET_NAME \
-n NAMESPACE_WHERE_YOU_DEPLOY_DOMAINS \
--docker-server=container-registry.oracle.com \
--docker-username=YOUR_USERNAME \
--docker-password=YOUR_PASSWORD \
--docker-email=YOUR_EMAIL
The name of the secret must be added to these domain resources using
the domain.spec.imagePullSecrets field. For example:
...
spec:
...
imagePullSecrets:
- name: SECRET_NAME
...
If you are using the Oracle Container Registry, then you must use the web interface to accept the Oracle Standard Terms and Restrictions for the Oracle software images that you intend to deploy. You need to do this only once for a particular image. See Obtain images from the Oracle Container Registry.
For more information about creating Kubernetes Secrets for accessing the registry, see the Kubernetes documentation, Pull an image from a private registry.
An option for accessing an image that is stored in a private registry
is to set up the Kubernetes ServiceAccount in the namespace running the
WebLogic domain with a set of image pull secrets thus avoiding the need to
set imagePullSecrets for each Domain resource being created (because each resource
instance represents a WebLogic domain that the operator is managing):
Create a Kubernetes docker-registry secret as shown
in Option 1.
Modify the ServiceAccount that is in the same namespace
as your domain resources to include this image pull secret:
$ kubectl patch serviceaccount default -n domain1-ns \
-p '{"imagePullSecrets": [{"name": "my-registry-pull-secret"}]}'
Note that this patch command entirely replaces the current list of
image pull secrets (if any). To include multiple secrets, use
the following format:
-p '{"imagePullSecrets": [{"name": "my-registry-pull-secret"}, {"name": "my-registry-pull-secret2"}]}'.
For more information about updating a Kubernetes ServiceAccount
for accessing the registry, see the Kubernetes documentation,
Configure service accounts for pods.