Mirroring images directly to the private container registry (only CPFS managed OCP)

If your client workstation can connect to the internet and to the private container registry, you can mirror the images directly to your private container registry.

Installation phase

Preparing your cluster

Obtaining your IBM entitlement API key

Installing the Open Shift CLI

Preparing to run installs from a private container registry

Creating an image pull secret

Installing IBM® Concert

Who needs to complete this task?

Registry administrator A registry administrator or a user with permissions to push images to the private container registry must complete this task.

When to complete this task

If you want to pull images from a private container registry, you must complete this task before you install Red Hat® OpenShift®.

One-time setup With careful planning, you can identify all components that you plan to install on the cluster so that you can complete this task.
Repeat as needed However, if you decide to install more services and the images are not in your private container registry, you might need to complete this task multiple times.

Before you begin

Before you mirror the images to the private container registry, make sure that you have sufficient space for the images that you plan to mirror. For information about approximate image sizes, see Hardware requirements.

About this task

Use the ibm-concert-manage.sh script to mirror the images from the IBM Entitled Registry to the private container registry. You can access the script from the Concert software GitHub repository.

The following steps assume that you mirror all of the components in a single step. The components that are mirrored are determined by the ${COMPONENTS} variable, from the installation environment variables script. If you want to mirror a specific component instead of multiple components, you can export COMPONENTS with the appropriate component ID. .

Procedure

./ibm-concert-manage.sh manage login-entitled-registry \
${IBM_ENTITLEMENT_KEY}

Log in to the private container registry.
The following command assumes that you are using a private container registry that is secured with credentials:
```
./ibm-concert-manage.sh manage login-private-registry \
${PRIVATE_REGISTRY_LOCATION} \
${PRIVATE_REGISTRY_PUSH_USER} \
${PRIVATE_REGISTRY_PUSH_PASSWORD}
```
If your private registry is not secured omit the following arguments:
- ${PRIVATE_REGISTRY_PUSH_USER}
- ${PRIVATE_REGISTRY_PUSH_PASSWORD
Confirm that you have access to the images that you want to mirror from the IBM Entitled Registry:
1. Inspect the IBM Entitled Registry.
  Tip: If you want to validate that you have access to the images for a specific component, you can run the following command before you run the list-images command:
```
export COMPONENTS=<component-ID>
```
  The list-images command downloads the CASE packages for the specified components. By default, the packages are downloaded from github.com/IBM. If you cannot access GitHub, add the following option to the command to download the packages from the IBM Entitled Registry: --from_oci=true.
```
./ibm-concert-manage.sh manage list-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--inspect_source_registry=true
```
  The output is saved to the list_images.csv file in the work/offline/${VERSION} directory.
2. Check the output for errors:
```
grep "level=fatal" list_images.csv
```
  The command returns images that failed because of authorization errors or network errors.
EDB Postgres Standard users only: If you purchased EDB Postgres Standard, run the following command to remove the EDB Postgres Enterprise images from the list of images that will be mirrored to the private container registry:
- Workstations that use the default cpd-cli-workspace/olm-utils-workspace/work directory:
```
sed -i -e '/edb-postgres-advanced/d' ./cpd-cli-workspace/olm-utils-workspace/work/offline/${VERSION}/.ibm-pak/data/cases/ibm-cpd-edb/*/ibm-cpd-edb-*-images.csv
```
- Workstations that use the CPD_CLI_MANAGE_WORKSPACE environment variable:
```
sed -i -e '/edb-postgres-advanced/d' ${CPD_CLI_MANAGE_WORKSPACE}/work/offline/${VERSION}/.ibm-pak/data/cases/ibm-cpd-edb/*/ibm-cpd-edb-*-images.csv
```
Mirror the images to the private container registry.
Tip: Determine whether you need to modify the behavior of this command:
- By default, this command mirrors only the images that are needed for your cluster architecture. If you want to mirror the images for all supported architectures, remove the --arch=${IMAGE_ARCH} option.
- This command mirrors the images for all components that are specified in the ${COMPONENTS} environment variable. If you want to mirror images for a specific component, you can run export COMPONENTS=<component-ID> before you run the command.
```
 ./ibm-concert-manage.sh manage mirror-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--target_registry=${PRIVATE_REGISTRY_LOCATION} \
--arch=${IMAGE_ARCH} \
--case_download=false
```
For each component, the command generates a log file in the work directory.
Tip: Run the following command to print out any errors in the log files:
```
grep "error" mirror_*.log
```
Confirm that the images were mirrored to the private container registry:
1. Inspect the contents of the private container registry:
```
./ibm-concert-manage.sh manage list-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--target_registry=${PRIVATE_REGISTRY_LOCATION} \
--case_download=false
```
  The output is saved to the list_images.csv file in the work/offline/${VERSION} directory.
2. Check the output for errors:
```
grep "level=fatal" list_images.csv
```
  The command returns images that are missing or that cannot be inspected.

Results

The images are mirrored to the private container registry.

Note: Some components provide only multi-arch images, in which case all images are mirrored to the private container registry.