Red Hat Summit8.3. Creating custom catalogs using the oc-mirror plugin
You can create custom catalogs with widely available Operators and mirror them by using the oc-mirror OpenShift CLI (oc) plugin.
8.3.1. Using Red Hat-provided Operator catalogs and mirror registries
You can filter and prune catalogs to get specific Operators and mirror them by using the oc-mirror OpenShift CLI (oc) plugin. You can also use Operators in disconnected settings or embedded in Red Hat Enterprise Linux for Edge (RHEL for Edge) images. To read more details about how to configure your systems for mirroring, use the links in the following "Additional resources" section. If you are ready to deploy Operators from Red Hat-provided Operator catalogs, mirror them, or to embed them in RHEL for Edge images, start with the following section, "Inspecting catalog contents by using the oc-mirror plugin."
8.3.2. About the oc-mirror plugin for creating a mirror registry
You can use the oc-mirror OpenShift CLI (oc) plugin with MicroShift to filter and prune Operator catalogs. You can then mirror the filtered catalog contents to a mirror registry or use the container images in disconnected or offline deployments with RHEL for Edge.
MicroShift uses the generally available version (1) of the oc-mirror plugin. Do not use the following procedures with the Technical Preview version (2) of oc-mirror plugin.
You can mirror the container images required by the desired Operators locally or to a container mirror registry that supports Docker v2-2, such as Red Hat Quay. The procedure to mirror content from Red Hat-hosted registries connected to the internet to a disconnected image registry is the same, independent of the registry you choose. After you mirror the contents of your catalog, configure each cluster to retrieve this content from your mirror registry.
8.3.2.1. Connectivity considerations when populating a mirror registry
When you populate your registry, you can use one of following connectivity scenarios:
- Connected mirroring
- If you have a host that can access both the internet and your mirror registry, but not your cluster node, you can directly mirror the content from that machine.
- Disconnected mirroring
If you do not have a host that can access both the internet and your mirror registry, you must mirror the images to a file system and then bring that host or removable media into your disconnected environment.
重要A container registry must be reachable by every machine in the clusters that you provision. Installing, updating, and other operations, such as relocating workloads, might fail if the registry is unreachable.
To avoid problems caused by an unreachable registry, use the following standard practices:
- Run mirror registries in a highly available way.
- Ensure that the mirror registry at least matches the production availability of your clusters.
8.3.2.2. Inspecting catalog contents by using the oc-mirror plugin
Use the following example procedure to select a catalog and list Operators from available OpenShift Container Platform content to add to your oc-mirror plugin image set configuration file.
If you use your own catalogs and Operators, you can push the images directly to your internal registry.
Prerequisites
-
The OpenShift CLI (
oc) is installed. - Operator Lifecycle Manager (OLM) is installed.
- The oc-mirror OpenShift CLI (oc) plugin is installed.
Procedure
Get a list of available Red Hat-provided Operator catalogs to filter by running the following command:
$ oc mirror list operators --version 4.17 --catalogsGet a list of Operators in the Red Hat Operators catalog by running the following command:
$ oc mirror list operators <--catalog=<catalog_source>>1 - 1
- Specifies your catalog source, such as
registry.redhat.io/redhat/redhat-operator-index:v4.17orquay.io/operatorhubio/catalog:latest.
-
Select an Operator. For this example,
amq-broker-rhel8is selected. Optional: To inspect the channels and versions of the Operator you want to filter, enter the following commands:
Get a list of channels by running the following command:
$ oc mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.17 --package=amq-broker-rhel8Get a list of versions within a channel by running the following command:
$ oc mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.17 --package=amq-broker-rhel8 --channel=7.11.x
Next steps
- Create and edit an image set configuration file using the information gathered in this procedure.
- Mirror the images from the transformed image set configuration file to a mirror registry or disk.
8.3.2.3. Creating an image set configuration file
You must create an image set configuration file to mirror catalog contents with the oc-mirror plugin. The image set configuration file defines which Operators to mirror along with other configuration settings for the oc-mirror plugin. After generating a default image set file, you must edit the contents so that remaining entries are compatible with both MicroShift and the Operator you plan to use.
You must specify a storage backend in the image set configuration file. This storage backend can be a local directory or a registry that supports Docker v2-2. The oc-mirror plugin stores metadata in this storage backend during image set creation.
Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.
Prerequisites
- You have created a container image registry credentials file. See Configuring credentials that allow images to be mirrored.
Procedure
Use the
oc mirror initcommand to create a template for the image set configuration and save it to a file calledimageset-config.yaml:$ oc mirror init --registry <storage_backend> > imageset-config.yaml1 - 1
- Specifies the location of your storage backend, such as
example.com/mirror/oc-mirror-metadata.
Example default image set configuration file
kind: ImageSetConfiguration apiVersion: mirror.openshift.io/v1alpha2 storageConfig: registry: imageURL: registry.example.com/oc-mirror skipTLS: false mirror: platform:1 channels: - name: stable-4.17 type: ocp operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17 packages: - name: serverless-operator channels: - name: stable additionalImages:2 - name: registry.redhat.io/ubi8/ubi:latest helm: {}3 Edit the values of your image set configuration file to meet the requirements of both MicroShift and the Operator you want to mirror, like the following example:
Example edited MicroShift image set configuration file
kind: ImageSetConfiguration apiVersion: mirror.openshift.io/v1alpha2 storageConfig:1 registry: imageURL: <storage_backend>2 skipTLS: false mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.173 packages: - name: amq-broker-rhel84 channels: - name: 7.11.x5 - 1
- Set the backend location where the image set metadata is saved. This location can be a registry or local directory. It is required to specify
storageConfigvalues. - 2
- Set the registry URL for the storage backend, such as
<example.com/mirror/oc-mirror-metadata. - 3
- Set the Operator catalog to retrieve images from.
- 4
- Specify the Operator packages to include in the image set. Remove this field to retrieve all packages in the catalog.
- 5
- Specify only certain channels of the Operator packages to include in the image set. You must always include the default channel for the Operator package even if you do not use the bundles in that channel. You can find the default channel by running the following command:
oc mirror list operators --catalog=<catalog_name> --package=<package_name>.
- Save the updated file.
Next steps
- Use the oc-mirror plugin to mirror an image set directly to a target mirror registry.
- Configure CRI-O.
- Apply the catalog sources to your clusters.
8.3.2.3.1. Image set configuration parameters
The oc-mirror plugin requires an image set configuration file that defines what images to mirror. The following table lists the available parameters for the ImageSetConfiguration resource.
| Parameter | Description | Values |
|---|---|---|
|
|
The API version for the |
String. For example: |
|
| The configuration of the image set. | Object |
|
| The additional images configuration of the image set. | Array of objects. For example: |
|
| The tag or digest of the image to mirror. |
String. For example: |
|
| The full tag, digest, or pattern of images to block from mirroring. |
Array of strings. For example: |
|
| The Operators configuration of the image set. | Array of objects. For example: |
|
| The Operator catalog to include in the image set. |
String. For example: |
|
|
When |
Boolean. The default value is |
|
| The Operator packages configuration. | Array of objects. For example: |
|
| The Operator package name to include in the image set |
String. For example: |
|
| The Operator package channel configuration. | Object |
|
| The Operator channel name, unique within a package, to include in the image set. |
String. For example: |
|
| The highest version of the Operator mirror across all channels in which it exists. See the following note for further information. |
String. For example: |
|
| The name of the minimum bundle to include, plus all bundles in the update graph to the channel head. Set this field only if the named bundle has no semantic version metadata. |
String. For example: |
|
| The lowest version of the Operator to mirror across all channels in which it exists. See the following note for further information. |
String. For example: |
|
| The highest version of the Operator to mirror across all channels in which it exists. See the following note for further information. |
String. For example: |
|
| The lowest version of the Operator to mirror across all channels in which it exists. See the following note for further information. |
String. For example: |
|
|
If |
Boolean. The default value is |
|
| An alternative name and optional namespace hierarchy to mirror the referenced catalog as. |
String. For example: |
|
| An alternative name to mirror the referenced catalog as.
The |
String. For example: |
|
|
An alternative tag to append to the |
String. For example: |
|
| The back-end configuration of the image set. | Object |
|
| The local back-end configuration of the image set. | Object |
|
| The path of the directory to contain the image set metadata. |
String. For example: |
|
| The registry back-end configuration of the image set. | Object |
|
| The back-end registry URI. Can optionally include a namespace reference in the URI. |
String. For example: |
|
| Optionally skip TLS verification of the referenced back-end registry. |
Boolean. The default value is |
Using the minVersion and maxVersion properties to filter for a specific Operator version range can result in a multiple channel heads error. The error message states that there are multiple channel heads. This is because when the filter is applied, the update graph of the Operator is truncated.
Operator Lifecycle Manager requires that every Operator channel contains versions that form an update graph with exactly one end point, that is, the latest version of the Operator. When the filter range is applied, that graph can turn into two or more separate graphs or a graph that has more than one end point.
To avoid this error, do not filter out the latest version of an Operator. If you still run into the error, depending on the Operator, either the maxVersion property must be increased or the minVersion property must be decreased. Because every Operator graph can be different, you might need to adjust these values until the error resolves.
8.3.2.4. Mirroring from mirror to mirror
You can use the oc-mirror plugin to mirror an image set directly to a target mirror registry that is accessible during image set creation.
You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a Docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.
Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.
Prerequisites
- You have access to the internet to get the necessary container images.
-
You have installed the OpenShift CLI (
oc). -
You have installed the
oc-mirrorCLI plugin. - You have created the image set configuration file.
Procedure
Run the
oc mirrorcommand to mirror the images from the specified image set configuration to a specified registry:$ oc mirror --config=./<imageset-config.yaml> \1 docker://registry.example:50002 - 1
- Specify the image set configuration file that you created. For example,
imageset-config.yaml. - 2
- Specify the registry to mirror the image set file to. The registry must start with
docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.
Example output
Rendering catalog image "registry.example.com/redhat/redhat-operator-index:v{ocp-version}" with file-based catalogVerification
-
Navigate into the
oc-mirror-workspace/directory that was generated. -
Navigate into the results directory, for example,
results-1639608409/. -
Verify that YAML files are present for the
ImageContentSourcePolicyandCatalogSourceresources.
The ImageContentSourcePolicy YAML file is used as reference content for manual configuration of CRI-O in MicroShift. You cannot apply the resource directly into a MicroShift cluster.
Next steps
-
Convert the
ImageContentSourcePolicyYAML content for use in manually configuring CRI-O. - If required, mirror the images from mirror to disk for disconnected or offline use.
- Configure your cluster to use the resources generated by oc-mirror.
Troubleshooting
8.3.2.5. Configuring CRI-O for using a registry mirror for Operators
You must transform the imageContentSourcePolicy.yaml file created with the oc-mirror plugin into a format that is compatible with the CRI-O container runtime configuration used by MicroShift.
Prerequisites
-
The OpenShift CLI (
oc) is installed. - Operator Lifecycle Manager (OLM) is installed.
- The oc-mirror OpenShift CLI (oc) plugin is installed.
-
The
yqbinary is installed. -
ImageContentSourcePolicyandCatalogSourceYAML files are available in theoc-mirror-workspace/results-*directory.
Procedure
Confirm the contents of the
imageContentSourcePolicy.yamlfile by running the following command:$ cat oc-mirror-workspace/<results-directory>/imageContentSourcePolicy.yaml1 - 1
- Specify the
resultsdirectory name, such as<results-1707148826>.
Example output
apiVersion: operator.openshift.io/v1alpha1 kind: ImageContentSourcePolicy metadata: labels: operators.openshift.org/catalog: "true" name: operator-0 spec: repositoryDigestMirrors: - mirrors: - registry.<example.com>/amq7 source: registry.redhat.io/amq7Transform the
imageContentSourcePolicy.yamlinto a format ready for CRI-O configuration by running the following command:yq '.spec.repositoryDigestMirrors[] as $item ireduce([]; . + [{"mirror": $item.mirrors[], "source": ($item | .source)}]) | .[] | "[[registry]] prefix = \"" + .source + "\" location = \"" + .mirror + "\" mirror-by-digest-only = true insecure = true "' ./icsp.yamlExample output
[[registry]] prefix = "registry.redhat.io/amq7" location = "registry.example.com/amq7" mirror-by-digest-only = true insecure = trueAdd the output to the CRI-O configuration file in the
/etc/containers/registries.conf.d/directory:Example
crio-config.yamlmirror configuration file[[registry]] prefix = "registry.redhat.io/amq7" location = "registry.example.com/amq7" mirror-by-digest-only = true insecure = true [[registry]] prefix = "" location = "quay.io" mirror-by-digest-only = true [[registry.mirror]] location = "<registry_host>:<port>"1 insecure = false- 1
- Specify the host name and port of your mirror registry server, for example
microshift-quay:8443.
Apply the CRI-O configuration changes by restarting MicroShift with the following command:
$ sudo systemctl restart crio
8.3.2.6. Installing a custom catalog created with the oc-mirror plugin
After you mirror your image set to the mirror registry, you must apply the generated CatalogSource custom resource (CR) into the cluster. The CatalogSource CR is used by Operator Lifecycle Manager (OLM) to retrieve information about the available Operators in the mirror registry. You must then create and apply a subscription CR to subscribe to your custom catalog.
Prerequisites
- You mirrored the image set to your registry mirror.
- You added image reference information to the CRI-O container runtime configuration.
Procedure
Apply the catalog source configuration file from the results directory to create the catalog source object by running the following command:
$ oc apply -f ./oc-mirror-workspace/results-1708508014/catalogSource-cs-redhat-operator-index.yamlExample catalog source configuration file
apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: redhat-catalog namespace: openshift-marketplace1 spec: sourceType: grpc image: registry.example.com/redhat/redhat-operator-index:v4.17 updateStrategy: registryPoll: interval: 60m- 1
- Specifies the global namespace. Setting the
metadata.namespacetoopenshift-marketplaceenables the catalog to reference catalogs in all namespaces. Subscriptions in any namespace can reference catalogs created in theopenshift-marketplacenamespace.
Example output
catalogsource.operators.coreos.com/cs-redhat-operator-index createdVerify that the
CatalogSourceresources were successfully installed by running the following command:$ oc get catalogsource --all-namespacesVerify that the catalog source is running by using the following command:
$ oc get pods -n openshift-marketplaceExample output
NAME READY STATUS RESTARTS AGE cs-redhat-operator-index-4227b 2/2 Running 0 2m5sCreate a
SubscriptionCR, similar to the following example:Example
SubscriptionCRapiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: amq-broker namespace: openshift-operators spec: channel: 7.11.x name: amq-broker-rhel8 source: cs-redhat-operator-index sourceNamespace: openshift-marketplaceApply the Subscription CR configuration by running the following command:
$ oc apply -f ./<my-subscription-cr.yaml>1 - 1
- Specify the name of your subscription, such as
my-subscription-cr.yaml.
Example output
subscription.operators.coreos.com/amq-broker created
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}