Chapter 3. Using the Cluster Samples Operator with an alternate registry

Procedure

1. Download your registry.redhat.io pull secret from Red Hat OpenShift Cluster Manager.

2. Make a copy of your pull secret in JSON format by running the following command:

   $ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json>

   Specify the path to the directory to store the pull secret in and a name for the JSON file that you create.

   Example pull secret

   {
     "auths": {
       "cloud.openshift.com": {
         "auth": "b3BlbnNo...",
         "email": "you@example.com"
       },
       "quay.io": {
         "auth": "b3BlbnNo...",
         "email": "you@example.com"
       },
       "registry.connect.redhat.com": {
         "auth": "NTE3Njg5Nj...",
         "email": "you@example.com"
       },
       "registry.redhat.io": {
         "auth": "NTE3Njg5Nj...",
         "email": "you@example.com"
       }
     }
   }

3. Generate the base64-encoded user name and password or token for your mirror registry by running the following command:

   $ echo -n '<user_name>:<password>' | base64 -w0

   For <user_name> and <password>, specify the user name and password that you configured for your registry.

   Example output

   BGVtbYk3ZHAtqXs=

4. Edit the JSON file and add a section that describes your registry to it:

     "auths": {
       "<mirror_registry>": {
         "auth": "<credentials>",
         "email": "you@example.com"
       }
     },

   • For the <mirror_registry> value, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, registry.example.com or registry.example.com:8443.

   • For the <credentials> value, specify the base64-encoded user name and password for the mirror registry.

     Example modified pull secret

     {
       "auths": {
         "registry.example.com": {
           "auth": "BGVtbYk3ZHAtqXs=",
           "email": "you@example.com"
         },
         "cloud.openshift.com": {
           "auth": "b3BlbnNo...",
           "email": "you@example.com"
         },
         "quay.io": {
           "auth": "b3BlbnNo...",
           "email": "you@example.com"
         },
         "registry.connect.redhat.com": {
           "auth": "NTE3Njg5Nj...",
           "email": "you@example.com"
         },
         "registry.redhat.io": {
           "auth": "NTE3Njg5Nj...",
           "email": "you@example.com"
         }
       }
     }

Procedure

1. Review the Download OpenShift Dedicated page to determine the version of OpenShift Dedicated that you want to install and determine the corresponding tag on the Repository Tags page.

2. Set the following required environment variables:

   1. Export the release version:

      $ OCP_RELEASE=<release_version>

      For <release_version>, specify the tag that corresponds to the version of OpenShift Dedicated to install, such as 4.21.1.

   2. Export the local registry name and host port:

      $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'

      For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for <local_registry_host_port>, specify the port that it serves content on.

   3. Export the local repository name:

      $ LOCAL_REPOSITORY='<local_repository_name>'

      For <local_repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4.

   4. Export the name of the repository to mirror:

      $ PRODUCT_REPO='openshift-release-dev'

      For a production release, you must specify openshift-release-dev.

   5. Export the path to your registry pull secret:

      $ LOCAL_SECRET_JSON='<path_to_pull_secret>'

      For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.

   6. Export the release mirror:

      $ RELEASE_NAME="ocp-release"

      For a production release, you must specify ocp-release.

   7. Export the type of architecture for your cluster:

      $ ARCHITECTURE=<cluster_architecture>

      Specify the architecture of the cluster, such as x86_64, aarch64, s390x, or ppc64le.

   8. Export the path to the directory to host the mirrored images:

      $ REMOVABLE_MEDIA_PATH=<path>

      Specify the full path, including the initial forward slash (/) character.

3. Mirror the version images to the mirror registry:

   1. Directly push the release images to the local registry by using following command:

      $ oc adm release mirror -a ${LOCAL_SECRET_JSON}  \
           --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
           --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
           --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}

      This command pulls the release information as a digest, and its output includes the imageContentSources data that you require when you install your cluster.

   2. Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.

      Note

      The image name gets patched to Quay.io during the mirroring process, and the Podman images show quay.io in the registry on the bootstrap virtual machine.

4. To create the installation program that is based on the content that you mirrored, extract it and pin it to the release by running the following command:

   $ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"

   Important

   To ensure that you use the correct images for the version of OpenShift Dedicated that you selected, you must extract the installation program from the mirrored content.

   You must perform this step on a machine with an active internet connection.

5. For clusters using installer-provisioned infrastructure, run the following command:

   $ openshift-install

Procedure

1. Access the images of a specific image stream to mirror, for example:

   $ oc get is <imagestream> -n openshift -o json | jq .spec.tags[].from.name | grep registry.redhat.io

2. Mirror images from registry.redhat.io associated with any image streams you need

   $ oc image mirror registry.redhat.io/rhscl/ruby-25-rhel7:latest ${MIRROR_ADDR}/rhscl/ruby-25-rhel7:latest

3. Create the image configuration object for the cluster by running the following command:

   $ oc create configmap registry-config --from-file=${MIRROR_ADDR_HOSTNAME}..5000=$path/ca.crt -n openshift-config

4. Add the required trusted CAs for the mirror in the image configuration object:

   $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge

5. Update the samplesRegistry field in the Cluster Samples Operator configuration object to contain the hostname portion of the mirror location defined in the mirror configuration:

   $ oc edit configs.samples.operator.openshift.io -n openshift-cluster-samples-operator

   Important

   This step is required because the image stream import process does not use the mirror or search mechanism at this time.

6. Add any image streams that are not mirrored into the skippedImagestreams field of the Cluster Samples Operator configuration object. Or if you do not want to support any of the sample image streams, set the Cluster Samples Operator to Removed in the Cluster Samples Operator configuration object.

   Note

   The Cluster Samples Operator issues alerts if image stream imports are failing but the Cluster Samples Operator is either periodically retrying or does not appear to be retrying them.

   Many of the templates in the openshift namespace reference the image streams. You can use Removed to purge both the image streams and templates. This eliminates the possibility of attempts to use the templates if they are not functional because of any missing image streams.