IBM DataPower Operations Dashboard v1.0.20.x

Loading Images to the Container Registry

Download the images from Passport Advantage and save them locally.

Consider the following example for loading the images.
To preserve the image digests in the container registry, we recommend copying the downloaded images into the container registry using a recent version (1.13.3+) of the skopeo utility (available as a package for most distributions: Installing Skopeo).
Note: The example uses basic authentication. If the authentication is by a token, replace --dest-creds with --dest-registry-token along with the authentication token in the commands below.

  1. Make sure OCP’s internal container registry can be accessed from outside the cluster via a Route. If not, consider adding the following Route:
    Note: Change the host value according to your environment.

    kind: Route
    apiVersion: route.openshift.io/v1
    metadata:
      name: default-route
      namespace: openshift-image-registry
    spec:
      host: default-route-openshift-image-registry.apps.ocp4.mycluster.com
      to:
        kind: Service
        name: image-registry
        weight: 100
      tls:
        termination: reencrypt
      wildcardPolicy: None
  2. Set variables with the source, destination, versions, credentials, etc. according to your environment:

    CONTAINER_REGISTRY="default-route-openshift-image-registry.apps.ocp4.mycluster.com"
    DPOD_CLOUD_AGENT_NAMESPACE="dpod-cloud-agent"
    DPOD_CLOUD_AGENT_VERSION="1.0.20.2"
    DPOD_CLOUD_AGENT_OPERATOR_VERSION="1.0.2"
    IMAGES_DIR="/tmp"
    USER_ID="user"

  3. Load the images to the container registry:

    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/openshift-marketplace/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/openshift-marketplace/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/openshift-operators/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-api-proxy-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-api-proxy:${DPOD_CLOUD_AGENT_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-http-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-http-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-manager-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-manager:${DPOD_CLOUD_AGENT_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-messaging-broker-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-messaging-broker:${DPOD_CLOUD_AGENT_VERSION}-amd64
    skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-syslog-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
        docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-syslog-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64

Configuring Mirroring

Consider the following example for configuring the mirroring.
Note: Change the mirrors entries according to your environment (replace the namespace dpod-cloud-agent with the namespace DPOD_CLOUD_AGENT_NAMESPACE used above).

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: dpod-cloud-agent-registry-mirror
spec:
  repositoryDigestMirrors:
    - mirrors:
        - image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent
      source: cp.icr.io/cp/dpod
    - mirrors:
        - image-registry.openshift-image-registry.svc:5000/openshift-marketplace
        - image-registry.openshift-image-registry.svc:5000/openshift-operators
        - image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent
      source: icr.io/cpopen

If Mirroring doesn’t Work

Some OCP environments are not running the Machine Config Operator, which allows modifying the nodes' configuration files using K8S resources such as the ImageContentSourcePolicy.

For such environments, you must manually add the mirroring configuration for each one of the worker nodes in /etc/containers/registries.conf and reboot the worker nodes by issuing systemctl reboot on each one of them.
Note: Change the registry.mirror entries according to your environment (see notes of the examples above).

[[registry]]
  prefix = ""
  location = "cp.icr.io/cp/dpod"
  mirror-by-digest-only = true
  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent"

[[registry]]
  prefix = ""
  location = "icr.io/cpopen"
  mirror-by-digest-only = true
  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/openshift-marketplace"
  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/openshift-operators"
  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent"

Authenticating to the Container Registry

Consider the following example for configuring authentication by updating the global pull secret.
Note: The example uses basic authentication. If the authentication is by a token, replace --dest-creds with --dest-registry-token along with the authentication token in the commands below.

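# Create a service account that is only allowed to pull images
oc create sa image-puller -n openshift-config
oc adm policy add-cluster-role-to-user system:image-puller -z image-puller -n openshift-config
# Issue a token for it (time-limited; the server sets the lifetime unless --duration is given)
TOKEN=$(oc create token image-puller -n openshift-config)
# Create the extracted pull secret file readable by the current user only
umask 077
oc get secret pull-secret -n openshift-config -o json | jq '.data.".dockerconfigjson"' -r | base64 -d > /tmp/pull-secret
# Add the internal registry credentials and write the result back to the global pull secret
oc registry login --registry=image-registry.openshift-image-registry.svc:5000 --auth-basic="image-puller:${TOKEN}" --to=/tmp/pull-secret
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=/tmp/pull-secret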

If the Global Pull Secret doesn’t Work

Some OCP environments are not running the Machine Config Operator, which allows modifying the nodes' configuration files using K8S resources such as the global pull secret.

For such environments, you must manually add the authentication configuration for each one of the worker nodes in config.json.
Note: Change the auth value according to your environment. You can inspect the content of /tmp/pull-secret created above which includes the relevant configuration snippet.

{
    "auths": {
        ...
        "https://image-registry.openshift-image-registry.svc:5000": {
            "auth": "..."
        },
        ...
    }
}
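
The following is an added example, not part of the IBM documentation. It checks a pull secret or config.json for the internal registry entry and reports the user and the remaining token lifetime without ever returning the token itself. It assumes the password is a JWT carrying an exp claim, as service account tokens issued by oc create token are; the function names and the sample token are constructed.

```python
import base64, json, time

REGISTRY = "image-registry.openshift-image-registry.svc:5000"

def b64url_json(segment):
    """Decode one unpadded base64url JWT segment into a Python object."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_pull_secret(config_text, registry=REGISTRY, now=None):
    """Report on the registry entry; the token is never part of the result."""
    now = time.time() if now is None else now
    auths = json.loads(config_text).get("auths", {})
    # The key may be stored with or without a scheme (the page shows https://).
    entry = next((v for k, v in auths.items()
                  if k.split("://", 1)[-1].rstrip("/") == registry), None)
    if entry is None or "auth" not in entry:
        return {"present": False}
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    report = {"present": True, "user": user, "expires_in": None}
    parts = password.split(".")
    if len(parts) == 3:  # header.payload.signature: shaped like a JWT
        try:
            exp = b64url_json(parts[1]).get("exp")
        except (ValueError, AttributeError):
            exp = None  # not a decodable JWT payload
        if exp is not None:
            report["expires_in"] = int(exp - now)  # negative means expired
    return report

def sample_config(exp):
    """Constructed sample: unsigned JWT-shaped token, not a real credential."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    token = ".".join([seg({"alg": "none"}), seg({"exp": exp}), "sig"])
    auth = base64.b64encode(f"image-puller:{token}".encode()).decode()
    return json.dumps({"auths": {"https://" + REGISTRY: {"auth": auth}}})

if __name__ == "__main__":
    print(check_pull_secret(sample_config(exp=int(time.time()) + 3600)))
```

A negative expires_in means the nodes are holding an expired credential, and pulls from the internal registry will fail with authentication errors until the secret is refreshed.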
