Before you install a cluster on infrastructure that you provision in a restricted network, you must create a mirror registry. Installations on a restricted network are supported on only infrastructure that you provision, not infrastructure that the installer provisions.

You must have access to the internet to obtain the data that populates the mirror repository. In this procedure, you place the mirror registry on a bastion host that has access to both your network and the internet. If you do not have access to a bastion host, use the method that best fits your restrictions to bring the contents of the mirror registry into your restricted network.

About the mirror registry

You can mirror the contents of the OKD registry and the images that are required to generate the installation program.

The mirror registry is a key component that is required to complete an installation in a restricted network. You can create this mirror on a bastion host, which can access both the internet and your closed network, or by using other methods that meet your restrictions.

Because of the way that OKD verifies integrity for the release payload, the image references in your local registry are identical to the ones that are hosted by Red Hat on During the bootstrapping process of installation, the images must have the same digests no matter which repository they are pulled from. To ensure that the release payload is identical, you mirror the images to your local repository.

Preparing the bastion host

Before you create the mirror registry, you must prepare the bastion host.

Installing the CLI by downloading the binary

You can install the CLI in order to interact with OKD using a command-line interface.

If you installed an earlier version of oc, you cannot use it to complete all of the commands in OKD Latest. Download and install the new version of oc.

  1. From the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site, navigate to the page for your installation type and click Download Command-line Tools.

  2. Click the folder for your operating system and architecture and click the compressed file.

    You can install oc on Linux, Windows, or macOS.

  3. Save the file to your file system.

  4. Extract the compressed file.

  5. Place it in a directory that is on your PATH.

After you install the CLI, it is available using the oc command:

$ oc <command>

Creating a mirror registry

Create a registry to host the mirrored content that you require for installing OKD. For installation in a restricted network, you must place the mirror on your bastion host.

The following procedure creates a simple registry that stores data in the /opt/registry folder and runs in a podman container. You can use a different registry solution, such as Red Hat Quay. Review the following procedure to ensure that your registry functions correctly.

  • You have a Red Hat Enterprise Linux (RHEL) server on your network to use as the registry host.

  • The registry host can access the internet.


On the bastion host, take the following actions:

  1. Install the required packages:

    # yum -y install podman httpd-tools

    The podman package provides the container package that you run the registry in. The httpd-tools package provides the htpasswd utility, which you use to create users.

  2. Create folders for the registry:

    # mkdir -p /opt/registry/{auth,certs,data}

    These folders are mounted inside the registry container.

  3. Provide a certificate for the registry. If you do not have an existing, trusted certificate authority, you can generate a self-signed certificate:

    $ cd /opt/registry/certs
    # openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt

    At the prompts, provide the required values for the certificate:

    Country Name (2 letter code)

    Specify the two-letter ISO country code for your location. See the ISO 3166 country codes standard.

    State or Province Name (full name)

    Enter the full name of your state or province.

    Locality Name (eg, city)

    Enter the name of your city.

    Organization Name (eg, company)

    Enter your company name.

    Organizational Unit Name (eg, section)

    Enter your department name.

    Common Name (eg, your name or your server’s hostname)

    Enter the host name for the registry host. Ensure that your hostname is in DNS and that it resolves to the expected IP address.

    Email Address

    Enter your email address. For more information, see the req description in the OpenSSL documentation.

  4. Generate a user name and a password for your registry that uses the bcrpt format:

    # htpasswd -bBc /opt/registry/auth/htpasswd <user_name> <password> (1)
    1 Replace <user_name> and <password> with a user name and a password.
  5. Create the mirror-registry container to host your registry:

    # podman run --name mirror-registry -p <local_registry_host_port>:5000 \ (1)
         -v /opt/registry/data:/var/lib/registry:z \
         -v /opt/registry/auth:/auth:z \
         -e "REGISTRY_AUTH=htpasswd" \
         -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
         -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
         -v /opt/registry/certs:/certs:z \
         -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
         -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    1 For <local_registry_host_port>, specify the port that your mirror registry uses to serve content.
  6. Open the required ports for your registry:

    # firewall-cmd --add-port=<local_registry_host_port>/tcp --zone=internal --permanent (1)
    # firewall-cmd --add-port=<local_registry_host_port>/tcp --zone=public   --permanent (1)
    # firewall-cmd --reload
    1 For <local_registry_host_port>, specify the port that your mirror registry uses to serve content.
  7. Add the self-signed certificate to your list of trusted certificates:

    # cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    # update-ca-trust

    You must trust your certificate to log in to your registry during the mirror process.

  8. Confirm that the registry is available:

    $ curl -u <user_name>:<password> -k https://<local_registry_host_name>:<local_registry_host_port>/v2/_catalog (1)
    1 For <user_name> and <password>, specify the user name and password for your registry. For <local_registry_host_name>, specify the registry domain name that you specified in your certificate, such as For <local_registry_host_port>, specify the port that your mirror registry uses to serve content.

    If the command output displays an empty repository, your registry is available.

Adding the registry to your pull secret

Modify your the pull secret for your OKD cluster to describe your local registry before you install an OKD cluster in a restricted network.

  • You configured a mirror registry to use in your restricted network.


Complete the following steps on the bastion host:

  1. Download your pull secret from the Pull Secret page on the Red Hat OpenShift Cluster Manager site.

  2. Generate the base64-encoded user name and password or token for your mirror registry:

    $ echo -n '<user_name>:<password>' | base64 -w0 (1)
    1 For <user_name> and <password>, specify the user name and password that you configured for your registry.
  3. Make a copy of your pull secret in JSON format:

    $ cat ./pull-secret.text | jq .  > <path>/<pull-secret-file>(1)
    1 Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.

    The contents of the file resemble the following example:

      "auths": {
        "": {
          "auth": "b3BlbnNo...",
          "email": ""
        "": {
          "auth": "b3BlbnNo...",
          "email": ""
        "": {
          "auth": "NTE3Njg5Nj...",
          "email": ""
        "": {
          "auth": "NTE3Njg5Nj...",
          "email": ""
  4. Edit the new file and add a section that describes your registry to it:

      "auths": {
        "<local_registry_host_name>:<local_registry_host_port>": { (1)
          "auth": "<credentials>", (2)
          "email": ""
    1 For <local_registry_host_name>, specify the registry domain name that you specified in your certificate, and for <local_registry_host_port>, specify the port that your mirror registry uses to serve content.
    2 For <credentials>, specify the base64-encoded user name and password for the mirror registry that you generated.

    The file resembles the following example:

      "auths": {
        "": {
          "auth": "b3BlbnNo...",
          "email": ""
        "": {
          "auth": "b3BlbnNo...",
          "email": ""
        "": {
          "auth": "NTE3Njg5Nj...",
          "email": ""
        "<local_registry_host_name>:<local_registry_host_port>": {
          "auth": "<credentials>",
          "email": ""
        "": {
          "auth": "NTE3Njg5Nj...",
          "email": ""

Mirroring the OKD image repository

Mirror the OKD image repository to use during cluster installation or upgrade.

  • You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.

  • You downloaded the pull secret from the Pull Secret page on the Red Hat OpenShift Cluster Manager site and modified it to include authentication to your mirror repository.


Complete the following steps on the bastion host:

  1. Review the OKD downloads page to determine the version of OKD that you want to install and determine the corresponding tag on the Repository Tags page.

  2. Set the required environment variables:

    $ export OCP_RELEASE=<release_version> (1)
    $ export LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' (2)
    $ export LOCAL_REPOSITORY='<repository_name>' (3)
    $ export PRODUCT_REPO='openshift-release-dev' (4)
    $ export LOCAL_SECRET_JSON='<path_to_pull_secret>' (5)
    $ export RELEASE_NAME="ocp-release" (6)
    1 For <release_version>, specify the tag that corresponds to the version of OKD to install for your architecture, such as 4.3.0-x86_64.
    2 For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for <local_registry_host_port>, specify the port that it serves content on.
    3 For <repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4.
    4 The repository to mirror. For a production release, you must specify openshift-release-dev.
    5 For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
    6 The release mirror. For a production release, you must specify ocp-release.
  3. Mirror the repository:

    $ oc adm -a ${LOCAL_SECRET_JSON} release mirror \${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \

    This command pulls the release information as a digest, and its output includes the imageContentSources data that you require when you install your cluster.

  4. Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.

  5. To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:

    $ oc adm -a ${LOCAL_SECRET_JSON} release extract --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"

    To ensure that you use the correct images for the version of OKD that you selected, you must extract the installation program from the mirrored content.

    You must perform this step on a machine with an active internet connection.

Using Samples Operator imagestreams with alternate or mirrored registries

Most imagestreams in the OpenShift namespace managed by the Samples Operator point to images located in the Red Hat registry at Mirroring will not apply to these imagestreams. The jenkins, jenkins-agent-maven, and jenkins-agent-nodejs imagestreams come from the install payload and are managed by the Samples Operator, so no further mirroring procedures are needed for those imagestreams.

The cli, installer, must-gather, and tests imagestreams, while part of the install payload, are not managed by the Samples Operator. These are not addressed in this procedure.

  • Access to the cluster as a user with the cluster-admin role.

  • Create a pull secret for your mirror registry.

  1. Access the images of a specific imagestream to mirror, for example:

    $ oc get is <imagestream> -n openshift -o json | jq .spec.tags[] | grep
  2. Mirror images from associated with any imagestreams you need in the restricted network environment into one of the defined mirrors, for example:

    $ oc image mirror ${MIRROR_ADDR}/rhscl/ruby-25-rhel7:latest
  3. Add the required trusted CAs for the mirror in the cluster’s image configuration object:

    $ oc create configmap registry-config --from-file=${MIRROR_ADDR_HOSTNAME}..5000=$path/ca.crt -n openshift-config
    $ oc patch --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
  4. Update the samplesRegistry field in the Samples Operator configuration object to contain the hostname portion of the mirror location defined in the mirror configuration:

    $ oc get -n openshift-cluster-samples-operator

    This is required because the imagestream import process does not use the mirror or search mechanism at this time.

  5. Add any imagestreams that are not mirrored into the skippedImagestreams field of the Samples Operator configuration object. Or if you do not want to support any of the sample imagestreams, set the Samples Operator to Removed in the Samples Operator configuration object.

    Any unmirrored imagestreams that are not skipped, or if the Samples Operator is not changed to Removed, will result in the Samples Operator reporting a Degraded status two hours after the imagestream imports start failing.

    Many of the templates in the OpenShift namespace reference the imagestreams. So using Removed to purge both the imagestreams and templates will eliminate the possibility of attempts to use them if they are not functional because of any missing imagestreams.

Next steps