Cloud Migration

Discover tips and tricks for migrating your app from one OpenShift cluster to the next

Setting up your namespace

The pattern for building and deploying apps in the cloud should remain similar to your original setup. For BC Gov OCP projects, this means that your team has dev, test, tools, and prod namespaces.

A common pattern for administering these namespaces is:

Dev: Has system:image-puller access to the Tools namespace. This is where development workloads are deployed.

Test: Also has system:image-puller access and typically will retag the Tools imagestream into Test.

Prod: Similar to Test

Tools: This is reserved for applications that help serve your main business application. Things like a Jenkins pipeline, SonarQube, Matomo etc.

Once you have these namespaces provisioned, double-check that you have granted pull access between the namespaces.

Updating Image Pull Access

# grant image pull access between your development namespaces and tools
oc policy add-role-to-user system:image-puller system:serviceaccount:<namespace-name>-dev:default --namespace=<namespace-name>-tools

oc policy add-role-to-user system:image-puller system:serviceaccount:<namespace-name>-test:default --namespace=<namespace-name>-tools

oc policy add-role-to-user system:image-puller system:serviceaccount:<namespace-name>-prod:default --namespace=<namespace-name>-tools

DeploymentConfig Issues

  1. The implicit Docker image registry is not the internal Docker registry service. When pointing to namespaced images, OpenShift will attempt to pull them directly from docker.io instead of the internal registry. You will need to specify the internal registry when referencing images outside of your namespace.
  2. ImagePullPolicy is IfNotPresent by default. The ImagePullPolicy is set to Always in 3.11; this is not the case in ARO. This means that when you push new images and redeploy a DeploymentConfig, it will not use the latest version of that imagestreamtag. You can switch the ImagePullPolicy to Always to rectify this.
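
One way to check for both issues before cutting over, as an added example that is not part of the original page: the script audits the JSON from `oc get dc -o json` for image references with no registry host and for pull policies other than Always. The registry host `registry.example.internal:5000`, the project name `myproject-tools` and the sample manifest are constructed placeholders, and the function names are hypothetical.

```python
import json

# Assumption: placeholder host; substitute your cluster's internal registry.
INTERNAL_REGISTRY = "registry.example.internal:5000"

def registry_host(image):
    """Return the explicit registry host in an image reference, or None."""
    first, sep, _ = image.partition("/")
    # Docker-style references treat the first path component as a registry
    # only if it looks like a host: contains '.' or ':' or is 'localhost'.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return None

def audit(doc, registry=INTERNAL_REGISTRY):
    """Audit one DeploymentConfig or a List of them (parsed JSON)."""
    findings = []
    for dc in doc.get("items", [doc]):
        dc_name = dc["metadata"]["name"]
        for c in dc["spec"]["template"]["spec"]["containers"]:
            image = c["image"]
            if registry_host(image) is None:
                # No host given: the pull would resolve against docker.io.
                # The last field is the suggested fully qualified reference.
                findings.append((dc_name, c["name"], "implicit-registry",
                                 f"{registry}/{image}"))
            policy = c.get("imagePullPolicy")
            if policy != "Always":
                findings.append((dc_name, c["name"], "pull-policy", str(policy)))
    return findings

# Constructed sample, shaped like `oc get dc -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [{
  "kind": "DeploymentConfig",
  "metadata": {"name": "web"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "app", "image": "myproject-tools/web:latest",
     "imagePullPolicy": "IfNotPresent"},
    {"name": "api",
     "image": "registry.example.internal:5000/myproject-tools/api:latest",
     "imagePullPolicy": "Always"}
  ]}}}
}]}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To audit a live namespace, replace `SAMPLE` with `json.load(sys.stdin)` and pipe in the output of `oc get dc -o json`.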

Pod Debugging Issues

  1. In ARO specifically, it appears that Pod logs can sometimes be truncated. This means that if you are attempting to debug a long stream of logs, the earliest log lines are not available. A workaround for this is to make sure to view the logs as soon as the pod is available.