Loading Images to the Container Registry
Download the images from Passport Advantage and save them locally.
Consider the following example for loading the images.
To preserve the image digests in the container registry, we recommend copying the downloaded images into the container registry using a recent version of the skopeo utility (available as a package for most distributions: Installing Skopeo).
Note: The example uses basic authentication. If the authentication is by a token, replace --dest-creds with --dest-registry-token along with the authentication token in the commands below.
Make sure OCP’s internal container registry can be accessed from outside the cluster via a Route. If not, consider adding the following Route:
Note: Change the host value according to your environment.
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: default-route
  namespace: openshift-image-registry
spec:
  host: default-route-openshift-image-registry.apps.ocp4.mycluster.com
  to:
    kind: Service
    name: image-registry
    weight: 100
  tls:
    termination: reencrypt
  wildcardPolicy: None
Set variables with the source, destination, versions, credentials, etc. according to your environment:
CONTAINER_REGISTRY="default-route-openshift-image-registry.apps.ocp4.mycluster.com"
DPOD_CLOUD_AGENT_NAMESPACE="dpod-cloud-agent"
DPOD_CLOUD_AGENT_VERSION="1.0.20.0"
DPOD_CLOUD_AGENT_OPERATOR_VERSION="1.0.0"
IMAGES_DIR="/tmp"
USER_ID="user"
Load the images to the container registry:
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/openshift-marketplace/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/openshift-marketplace/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/openshift-operators/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-api-proxy-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-api-proxy:${DPOD_CLOUD_AGENT_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-http-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-http-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-manager-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-manager:${DPOD_CLOUD_AGENT_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-messaging-broker-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-messaging-broker:${DPOD_CLOUD_AGENT_VERSION}-amd64

skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-syslog-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
    docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-syslog-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64
Configuring Mirroring
Consider the following example for configuring the mirroring.
Note: Change the mirrors entries according to your environment (replace the namespace dpod-cloud-agent with the namespace DPOD_CLOUD_AGENT_NAMESPACE used above).
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: dpod-cloud-agent-registry-mirror
spec:
  repositoryDigestMirrors:
  - mirrors:
    - image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent
    source: cp.icr.io/cp/dpod
  - mirrors:
    - image-registry.openshift-image-registry.svc:5000/openshift-marketplace
    - image-registry.openshift-image-registry.svc:5000/openshift-operators
    - image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent
    source: icr.io/cpopen
If Mirroring doesn’t Work
Some OCP environments are not running the Machine Config Operator that allows modifying the nodes' configuration files using K8S resources such as the ImageContentSourcePolicy.
For such environments, you must manually add the mirroring configuration for each one of the worker nodes in /etc/containers/registries.conf and reboot the worker nodes by issuing systemctl reboot on each one of them.
Note: Change the registry.mirror entries according to your environment (see notes of the examples above).
[[registry]]
  prefix = ""
  location = "cp.icr.io/cp/dpod"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent"

[[registry]]
  prefix = ""
  location = "icr.io/cpopen"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/openshift-marketplace"

  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/openshift-operators"

  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent"
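The following added example (not part of the original documentation or the product) models how the digest-only mirror rules in the registries.conf sample above rewrite a pull, which is why the images are copied with their digests preserved. The image name and digest used in the demo are constructed placeholders, and the resolution logic follows the containers-registries.conf semantics of longest-prefix match, mirrors in order, then the primary location.

```python
# Mirror entries transcribed from the registries.conf sample on this page.
INTERNAL = "image-registry.openshift-image-registry.svc:5000"
REGISTRIES = [
    {"location": "cp.icr.io/cp/dpod", "mirror_by_digest_only": True,
     "mirrors": [f"{INTERNAL}/dpod-cloud-agent"]},
    {"location": "icr.io/cpopen", "mirror_by_digest_only": True,
     "mirrors": [f"{INTERNAL}/openshift-marketplace",
                 f"{INTERNAL}/openshift-operators",
                 f"{INTERNAL}/dpod-cloud-agent"]},
]
SAMPLE_DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real digest


def split_reference(ref):
    """Split 'name@sha256:...' or 'name:tag' into (name, suffix)."""
    if "@" in ref:
        name, digest = ref.split("@", 1)
        return name, "@" + digest
    last = ref.rsplit("/", 1)[-1]
    if ":" in last:  # a colon after the last slash is a tag, not a port
        name, tag = ref.rsplit(":", 1)
        return name, ":" + tag
    return ref, ""


def pull_candidates(ref):
    """Return the locations tried, in order, for one image reference."""
    name, suffix = split_reference(ref)
    matches = [r for r in REGISTRIES
               if name == r["location"] or name.startswith(r["location"] + "/")]
    if not matches:
        return [ref]  # no rule applies: pulled from where it says
    reg = max(matches, key=lambda r: len(r["location"]))  # longest prefix wins
    if reg["mirror_by_digest_only"] and not suffix.startswith("@"):
        return [ref]  # tag pulls bypass the mirrors entirely
    rest = name[len(reg["location"]):]
    # Mirrors are tried in order; the primary location is the last resort.
    return [m + rest + suffix for m in reg["mirrors"]] + [ref]


if __name__ == "__main__":
    image = "cp.icr.io/cp/dpod/dpod-cloud-agent-manager"  # assumed image name
    for ref in (f"{image}@{SAMPLE_DIGEST}", f"{image}:1.0.20.0-amd64"):
        print(ref, "->", pull_candidates(ref))
```

A reference by tag never reaches the internal registry under these rules, and a reference by digest only succeeds there if the copied image kept the digest the workload asks for.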
Authenticating to the Container Registry
Consider the following example for configuring authentication by updating the global pull secret.
Note: The example uses basic authentication. If the authentication is by a token, replace --dest-creds with --dest-registry-token along with the authentication token in the commands below.
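# Create a service account and allow it to pull images from any namespace
oc create sa image-puller -n openshift-config
oc adm policy add-cluster-role-to-user system:image-puller -z image-puller -n openshift-config

# Request a token for the service account
TOKEN=$(oc create token image-puller -n openshift-config)

# Extract the current global pull secret to a local file (the file contains registry credentials)
oc get secret pull-secret -n openshift-config -o json | jq '.data.".dockerconfigjson"' -r | base64 -d > /tmp/pull-secret

# Add the internal registry credentials to that file
oc registry login --registry=image-registry.openshift-image-registry.svc:5000 --auth-basic=image-puller:${TOKEN} --to=/tmp/pull-secret

# Write the merged file back as the global pull secret
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=/tmp/pull-secret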
If the Global Pull Secret doesn’t Work
Some OCP environments are not running the Machine Config Operator that allows modifying the nodes' configuration files using K8S resources such as the global pull secret.
For such environments, you must manually add the authentication configuration for each one of the worker nodes in /.docker/config.json.
Note: Change the auth value according to your environment. You can inspect the content of /tmp/pull-secret created above, which includes the relevant configuration snippet.
{
  "auths": {
    ...
    "https://image-registry.openshift-image-registry.svc:5000": {
      "auth": "..."
    },
    ...
  }
}