Mirror the OpenShift® Container Platform image repository
to your registry to use during installation or upgrade.
About this task
For more information about Red Hat®
OpenShift Container Platform, see Red Hat OpenShift Documentation.
Procedure
- Set the following environment variables:
OCP_RELEASE=<your OCP version>
PRODUCT_REPO='openshift-release-dev'
RELEASE_NAME="ocp-release"
ARCHITECTURE=x86_64
LOCAL_SECRET_JSON='<relative path to pull-secret.json>'
LOCAL_OCP_REGISTRY='<Your enterprise registry host>:<port>'
LOCAL_OCP_REPOSITORY='<Your image path>'
See the following sample values:
LOCAL_SECRET_JSON='/home/mirror/pull-secret.json'
LOCAL_OCP_REGISTRY='registryhost.com:443'
LOCAL_OCP_REPOSITORY='mirror-ocp'
LOCAL_SECRET_JSON
is relative path for your pull-secret.json
file.
LOCAL_OCP_REGISTRY
is your entitlement registry.
LOCAL_OCP_REPOSITORY
is the image path, in which you want to mirror the images.
You can choose your own repository paths. For example, hci-2.9.0/isf or
hci-2.9.0 or
hci-2.9.0/isf.
Note: Change the values of LOCAL_SECRET_JSON
, LOCAL_OCP_REGISTRY
,
and LOCAL_OCP_REPOSITORY
. Keep the other values as is.
- Run the command to login to the Docker registry with your enterprise registry
credentials.
docker login $LOCAL_OCP_REGISTRY -u <your enterprise registry username> -p <your enterprise registry password>
- Run the command to create catalog mirror images:
oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --to=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY} --to-release-image=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
After successful mirroring, a confirmation message gets displayed. For example:
Success
Update image: <Your enterprise registry>:<port>/<Your image path>:4.16.4-x86_64
Mirror prefix: <Your enterprise registry>:<port>/<Your image path>
Mirror prefix: <Your enterprise registry>:<port>/<Your image path>:4.16.4-x86_64
Note: If
your enterprise registry is configured using self-signed certificate or if you get an error
x509: certificate signed by unknown authority
, then use
--insecure=true
to successfully complete the mirroring for OpenShift release image.
Sample
command:
oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --to=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY} --to-release-image=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --insecure=true
- To verify whether the images were successfully mirrored, check that the command output
contains the following information:
imageContentSources:
- mirrors:
- <Your enterprise registry>:<port>/ocp4/openshift4
source: quay.io/openshift-release-dev/ocp-release
- mirrors:
- <Your enterprise registry>:<port>/ocp4/openshift4
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
See the following sample values:
imageContentSources:
- mirrors:
- registryhost.com:443/mirror-ocp
source: quay.io/openshift-release-dev/ocp-release
- mirrors:
- registryhost.com:443/mirror-ocp
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev