IBM DataPower Operations Dashboard v1.0.19.0

A newer version of this product documentation is available.

You are viewing an older version. View latest at IBM DPOD Documentation.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Current »

Loading Images to a Container Registry

DPOD Cloud Agent images are currently only available for download from Passport Advantage (PPA) and need to be loaded to a container registry, so they can be pulled by the Kubernetes cluster. The container registry may be a private registry which is accessible to the cluster, or OCP’s internal container registry (if using OCP). In the future, the images will be available via IBM’s icr.io/cpopen and cp.icr.io/cp/dpod container registries.

Download the images from PPA and save them locally.

This is the list of the image file names (as available on PPA) and their corresponding images names and tags. See Cloud Agent Overview for a list of available versions.

Image File Name

Image Name and Tag

dpod-ca-operator-catalog-<DPOD-VERSION>.tgz

dpod-cloud-agent-operator-catalog:<OPERATOR-VERSION>-amd64

dpod-ca-operator-bundle-<DPOD-VERSION>.tgz

dpod-cloud-agent-operator-bundle:<OPERATOR-VERSION>-amd64

dpod-ca-operator-<DPOD-VERSION>.tgz

dpod-cloud-agent-operator:<OPERATOR-VERSION>-amd64

dpod-ca-api-proxy-<DPOD-VERSION>.tgz

dpod-cloud-agent-api-proxy:<DPOD-VERSION>-amd64

dpod-ca-http-ingester-<DPOD-VERSION>.tgz

dpod-cloud-agent-http-ingester:<DPOD-VERSION>-amd64

dpod-ca-manager-<DPOD-VERSION>.tgz

dpod-cloud-agent-manager:<DPOD-VERSION>-amd64

dpod-ca-messaging-broker-<DPOD-VERSION>.tgz

dpod-cloud-agent-messaging-broker:<DPOD-VERSION>-amd64

dpod-ca-syslog-ingester-<DPOD-VERSION>.tgz

dpod-cloud-agent-syslog-ingester:<DPOD-VERSION>-amd64

In order to preserve the images digests in the container registry, we recommend copying the downloaded images into the container registry using the skopeo utility (available as a package for most distributions: Installing Skopeo).

The skopeo syntax is as follows:

skopeo copy --all --dest-creds=<destination container registry credentials if needed> docker-archive:<image file full path> \
    docker://<destination container registry path>/<image name>:<image tag>

Example 1: Loading Downloaded Images to a Private Container Registry

Consider the following example for loading the images to a private container registry.
Note: It is assumed that the authentication is by a user ID and a password. If the authentication is by a token, replace --dest-creds with --dest-registry-token along with the authentication token in the commands below.

  1. Set variables with the source, destination, versions, etc. according to your environment:

    CONTAINER_REGISTRY_PATH="my-container-registry.example.com/dpod-cloud-agent"
DPOD_CLOUD_AGENT_VERSION="1.0.19.0"
DPOD_CLOUD_AGENT_OPERATOR_VERSION="0.1.0"
IMAGES_DIR="/tmp"
USER_ID="user"
USER_PASSWORD="password"

  2. Load the images to the container registry:

    skopeo copy --all --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64	
skopeo copy --all --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-api-proxy-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-api-proxy:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-http-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-http-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-manager-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-manager:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-messaging-broker-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-messaging-broker:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-syslog-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-syslog-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64

Example 2: Loading Downloaded Images to the OCP Internal Container Registry OPENSHIFT

Consider the following example for loading the images to OpenShift’s (OCP) internal container registry.
Note: It is assumed that the authentication is by a user ID and a password. If the authentication is by a token, replace --dest-creds with --dest-registry-token along with the authentication token in the commands below.

  1. Make sure OCP’s internal container registry can be accessed from outside the cluster via a Route. If not, consider adding the following Route:
    Note: Change the host value according to your environment.

    kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: default-route
  namespace: openshift-image-registry
spec:
  host: default-route-openshift-image-registry.apps.ocp4.mycluster.com
  to:
    kind: Service
    name: image-registry
    weight: 100
  tls:
    termination: reencrypt
  wildcardPolicy: None

  2. Set variables with the source, destination, versions, etc. according to your environment:

    CONTAINER_REGISTRY="default-route-openshift-image-registry.apps.ocp4.mycluster.com"
DPOD_CLOUD_AGENT_NAMESPACE="dpod-cloud-agent"
DPOD_CLOUD_AGENT_VERSION="1.0.19.0"
DPOD_CLOUD_AGENT_OPERATOR_VERSION="0.1.0"
IMAGES_DIR="/tmp"
USER_ID="user"

  3. Load the images to the various namespaces (both for cluster scope and namespace scope):

    skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/openshift-marketplace/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/openshift-marketplace/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/openshift-operators/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-api-proxy-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-api-proxy:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-http-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-http-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-manager-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-manager:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-messaging-broker-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-messaging-broker:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-syslog-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-syslog-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64

Mirroring Images

The DPOD Cloud Agent will deploy containers with images referencing to IBM’s icr.io/cpopen and cp.icr.io/cp/dpod container registries. Since the images are currently not available in these registries, a mirroring needs to be configured so the Kubernetes cluster can fetch the images.

Without a proper mirroring the pods will fail on ImagePullBackOff error when trying to pull the images.

Example 1: Configuring Mirroring with OCP’s ImageContentSourcePolicy to a Private Container Registry OPENSHIFT

Consider the following example which configures mirroring of icr.io/cpopen and cp.icr.io/cp/dpod to a private container registry.
Note: Change the mirrors entries according to the container registry path that the images were loaded into (the value of CONTAINER_REGISTRY_PATH used above).

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: dpod-cloud-agent-registry-mirror
spec:
  repositoryDigestMirrors:
    - mirrors:
        - my-container-registry.example.com/dpod-cloud-agent
      source: cp.icr.io/cp/dpod
    - mirrors:
        - my-container-registry.example.com/dpod-cloud-agent
      source: icr.io/cpopen

Example 2: Configuring Mirroring with OCP’s ImageContentSourcePolicy to the OCP Internal Container Registry OPENSHIFT

Consider the following example which configures mirroring of icr.io/cpopen and cp.icr.io/cp/dpod to OCP’s internal container registry.
Note: Change the mirrors entries according to your environment (replace the namespace dpod-cloud-agent with the namespace DPOD_CLOUD_AGENT_NAMESPACE used above).

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: dpod-cloud-agent-registry-mirror
spec:
  repositoryDigestMirrors:
    - mirrors:
        - image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent
      source: cp.icr.io/cp/dpod
    - mirrors:
        - image-registry.openshift-image-registry.svc:5000/openshift-marketplace
        - image-registry.openshift-image-registry.svc:5000/openshift-operators
        - image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent
      source: icr.io/cpopen

Example 3: Configuring Mirroring by Manually Editing the Nodes Configuration File OPENSHIFT

Some OCP environments are not running the Machine Config Operator that allows modifying the nodes configuration files using K8S resources.

For such environments, manually add the mirroring configuration for each one of the worker nodes in /etc/containers/registries.conf and add the following entries.
Note: Change the registry.mirror entries according to your environment (see notes of the examples above).

[[registry]]
  prefix = ""
  location = "cp.icr.io/cp/dpod"
  mirror-by-digest-only = true
  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent"

[[registry]]
  prefix = ""
  location = "icr.io/cpopen"
  mirror-by-digest-only = true
  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/openshift-marketplace"
  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/openshift-operators"
  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent"

Reboot the worker nodes by issuing systemctl reboot on each one of them.

Authenticating to a Container Registry

In order to pull images from the container registry, it is often required to authenticate with credentials.

Create the necessary pull secret and add it to the default service account in the appropriate namespaces, or alternatively update the global pull secret with the credentials.

  • No labels

Copyright © 2015 MonTier Software (2015) Ltd.