You can use the Samples Operator with an alternate registry by first creating a mirror registry.

You must have access to the internet to obtain the necessary container images. In this procedure, you place the mirror registry on a mirror host that has access to both your network and the internet.

About the mirror registry

You can mirror the images that are required for OKD installation and subsequent product updates to a mirror registry. These actions use the same process. The release image, which contains the description of the content, and the images it references are all mirrored. In addition, the Operator catalog source image and the images that it references must be mirrored for each Operator that you use. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.

The mirror registry can be any container registry that supports the most recent container image API, which is referred to as schema2. All major cloud provider registries, as well as Red Hat Quay, Artifactory, and the open source Docker distribution registry have the necessary support. Using one of these registries ensures that OKD can verify the integrity of each image in disconnected environments.

The mirror registry must be reachable by every machine in the clusters that you provision. If the registry is unreachable installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OKD clusters.

When you populate a mirror registry with OKD images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.

Preparing the mirror host

Before you create the mirror registry, you must prepare the mirror host.

Installing the CLI by downloading the binary

You can install the OpenShift CLI (oc) in order to interact with OKD from a command-line interface. You can install oc on Linux, Windows, or macOS.

If you installed an earlier version of oc, you cannot use it to complete all of the commands in OKD Latest. Download and install the new version of oc.

Installing the CLI on Linux

You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.

Procedure
  1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

  2. Download oc.tar.gz.

  3. Unpack the archive:

    $ tar xvzf <file>
  4. Place the oc binary in a directory that is on your PATH.

    To check your PATH, execute the following command:

    $ echo $PATH

After you install the CLI, it is available using the oc command:

$ oc <command>

Installing the CLI on Windows

You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.

Procedure
  1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

  2. Download oc.zip.

  3. Unzip the archive with a ZIP program.

  4. Move the oc binary to a directory that is on your PATH.

    To check your PATH, open the command prompt and execute the following command:

    C:\> path

After you install the CLI, it is available using the oc command:

C:\> oc <command>

Installing the CLI on macOS

You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.

Procedure
  1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

  2. Download oc.tar.gz.

  3. Unpack and unzip the archive.

  4. Move the oc binary to a directory on your PATH.

    To check your PATH, open a terminal and execute the following command:

    $ echo $PATH

After you install the CLI, it is available using the oc command:

$ oc <command>

Creating a mirror registry

Create a registry to host the mirrored content that you require for installing OKD.

The following procedure creates a simple registry that stores data in the /opt/registry folder and runs in a podman container. You can use a different registry solution, such as Red Hat Quay. Review the following procedure to ensure that your registry functions correctly.

Prerequisites
  • You have a Red Hat Enterprise Linux (RHEL) server on your network to use as the registry host.

  • The registry host can access the internet.

Procedure
  1. Install the required packages:

    # yum -y install podman httpd-tools

    The podman package provides the container package that you run the registry in. The httpd-tools package provides the htpasswd utility, which you use to create users.

  2. Create folders for the registry:

    # mkdir -p /opt/registry/{auth,certs,data}

    These folders are mounted inside the registry container.

  3. Provide a certificate for the registry. If you do not have an existing, trusted certificate authority, you can generate a self-signed certificate:

    $ cd /opt/registry/certs
    # openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt

    At the prompts, provide the required values for the certificate:

    Country Name (2 letter code)

    Specify the two-letter ISO country code for your location. See the ISO 3166 country codes standard.

    State or Province Name (full name)

    Enter the full name of your state or province.

    Locality Name (eg, city)

    Enter the name of your city.

    Organization Name (eg, company)

    Enter your company name.

    Organizational Unit Name (eg, section)

    Enter your department name.

    Common Name (eg, your name or your server’s hostname)

    Enter the host name for the registry host. Ensure that your hostname is in DNS and that it resolves to the expected IP address.

    Email Address

    Enter your email address. For more information, see the req description in the OpenSSL documentation.

  4. Generate a user name and a password for your registry that uses the bcrpt format:

    # htpasswd -bBc /opt/registry/auth/htpasswd <user_name> <password> (1)
    1 Replace <user_name> and <password> with a user name and a password.
  5. Create the mirror-registry container to host your registry:

    # podman run --name mirror-registry -p <local_registry_host_port>:5000 \ (1)
         -v /opt/registry/data:/var/lib/registry:z \
         -v /opt/registry/auth:/auth:z \
         -e "REGISTRY_AUTH=htpasswd" \
         -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
         -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
         -v /opt/registry/certs:/certs:z \
         -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
         -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
         -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true \
         -d docker.io/library/registry:2
    1 For <local_registry_host_port>, specify the port that your mirror registry uses to serve content.
  6. Open the required ports for your registry:

    # firewall-cmd --add-port=<local_registry_host_port>/tcp --zone=internal --permanent (1)
    # firewall-cmd --add-port=<local_registry_host_port>/tcp --zone=public   --permanent (1)
    # firewall-cmd --reload
    1 For <local_registry_host_port>, specify the port that your mirror registry uses to serve content.
  7. Add the self-signed certificate to your list of trusted certificates:

    # cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    # update-ca-trust

    You must trust your certificate to log in to your registry during the mirror process.

  8. Confirm that the registry is available:

    $ curl -u <user_name>:<password> -k https://<local_registry_host_name>:<local_registry_host_port>/v2/_catalog (1)
    
    {"repositories":[]}
    1 For <user_name> and <password>, specify the user name and password for your registry. For <local_registry_host_name>, specify the registry domain name that you specified in your certificate, such as registry.example.com. For <local_registry_host_port>, specify the port that your mirror registry uses to serve content.

    If the command output displays an empty repository, your registry is available.

Configuring credentials that allow images to be mirrored

Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.

Prerequisites
  • You configured a mirror registry to use in your restricted network.

Procedure

Complete the following steps on the installation host:

  1. Log in to your registry by using the following command:

    $ oc registry login --to ./pull-secret.json --registry "<registry_host_and_port>" --auth-basic=<username>:<password>

    Provide both the registry details and a valid user name and password for the registry.

Mirroring the OKD image repository

Mirror the OKD image repository to your registry to use during cluster installation or upgrade.

Prerequisites
  • Your mirror host has access to the internet.

  • You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.

  • You have created a pull secret for your mirror repository.

Procedure

Complete the following steps on the mirror host:

  1. Review the OKD downloads page to determine the version of OKD that you want to install and determine the corresponding tag on the Repository Tags page.

  2. Set the required environment variables:

    1. Export the release version:

      $ OCP_RELEASE=<release_version>

      For <release_version>, specify the tag that corresponds to the version of OKD to install, such as 4.5.4.

    2. Export the local registry name and host port:

      $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'

      For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for <local_registry_host_port>, specify the port that it serves content on.

    3. Export the local repository name:

      $ LOCAL_REPOSITORY='<local_repository_name>'

      For <local_repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4.

    4. Export the name of the repository to mirror:

      $ PRODUCT_REPO='openshift-release-dev'

      For a production release, you must specify openshift-release-dev.

    5. Export the path to your registry pull secret:

      $ LOCAL_SECRET_JSON='<path_to_pull_secret>'

      For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.

    6. Export the release mirror:

      $ RELEASE_NAME="ocp-release"

      For a production release, you must specify ocp-release.

    7. Export the type of architecture for your server, such as x86_64.:

      $ ARCHITECTURE=<server_architecture>
    8. Export the path to the directory to host the mirrored images:

      $ REMOVABLE_MEDIA_PATH=<path>
  3. Mirror the version images to the internal container registry:

    • If your mirror host does not have internet access, take the following actions:

      1. Connect the removable media to a system that is connected to the internet.

      2. Review the images and configuration manifests to mirror:

        $ oc adm -a ${LOCAL_SECRET_JSON} release mirror \
             --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
             --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
             --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
      3. Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.

      4. Mirror the images to a directory on the removable media:

        $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
      5. Take the media to the restricted network environment and upload the images to the local container registry.

        $ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
    • If the local container registry is connected to the mirror host, take the following actions:

      1. Directly push the release images to the local registry by using following command:

        $ oc adm -a ${LOCAL_SECRET_JSON} release mirror \
             --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
             --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
             --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}

        This command pulls the release information as a digest, and its output includes the imageContentSources data that you require when you install your cluster.

      2. Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.

  4. To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:

    $ oc adm -a ${LOCAL_SECRET_JSON} release extract --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"

    To ensure that you use the correct images for the version of OKD that you selected, you must extract the installation program from the mirrored content.

    You must perform this step on a machine with an active internet connection.

Using Samples Operator imagestreams with alternate or mirrored registries

Most imagestreams in the OpenShift namespace managed by the Samples Operator point to images located in the Red Hat registry at registry.redhat.io.

The jenkins, jenkins-agent-maven, and jenkins-agent-nodejs imagestreams come from the install payload and are managed by the Samples Operator.

Setting the samplesRegistry field in the Sample Operator configuration file to registry.redhat.io is redundant because it is already directed to registry.redhat.io for everything but Jenkins images and imagestreams. It also breaks the installation payload for Jenkins imagestreams.

The Samples Operator prevents the use of the following registries for the Jenkins imagestreams:

The cli, installer, must-gather, and tests imagestreams, while part of the install payload, are not managed by the Samples Operator. These are not addressed in this procedure.

Prerequisites
  • Access to the cluster as a user with the cluster-admin role.

  • Create a pull secret for your mirror registry.

Procedure
  1. Access the images of a specific imagestream to mirror, for example:

    $ oc get is <imagestream> -n openshift -o json | jq .spec.tags[].from.name | grep registry.redhat.io
  2. Mirror images from registry.redhat.io associated with any imagestreams you need

    $ oc image mirror registry.redhat.io/rhscl/ruby-25-rhel7:latest ${MIRROR_ADDR}/rhscl/ruby-25-rhel7:latest
  3. Create the cluster’s image configuration object:

    $ oc create configmap registry-config --from-file=${MIRROR_ADDR_HOSTNAME}..5000=$path/ca.crt -n openshift-config
  4. Add the required trusted CAs for the mirror in the cluster’s image configuration object:

    $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
  5. Update the samplesRegistry field in the Samples Operator configuration object to contain the hostname portion of the mirror location defined in the mirror configuration:

    $ oc edit configs.samples.operator.openshift.io -n openshift-cluster-samples-operator

    This is required because the imagestream import process does not use the mirror or search mechanism at this time.

  6. Add any imagestreams that are not mirrored into the skippedImagestreams field of the Samples Operator configuration object. Or if you do not want to support any of the sample imagestreams, set the Samples Operator to Removed in the Samples Operator configuration object.

    Any unmirrored imagestreams that are not skipped, or if the Samples Operator is not changed to Removed, will result in the Samples Operator reporting a Degraded status two hours after the imagestream imports start failing.

    Many of the templates in the OpenShift namespace reference the imagestreams. So using Removed to purge both the imagestreams and templates will eliminate the possibility of attempts to use them if they are not functional because of any missing imagestreams.