Mirroring OpenShift Container Platform release images to enterprise registry

Mirror the OpenShift® Container Platform image repository to your registry to use during installation or upgrade.

Before you begin

Ensure that you go through the Before you begin section and About the task section of Mirroring your images to the enterprise registry.

About this task

For more information about Red Hat® OpenShift Container Platform, see Red Hat OpenShift Documentation.

Procedure

  1. Set the following environment variables:
    OCP_RELEASE=<your OCP version>
    PRODUCT_REPO='openshift-release-dev'
    RELEASE_NAME="ocp-release"
    ARCHITECTURE=x86_64
    LOCAL_SECRET_JSON='<relative path to pull-secret.json>'
    LOCAL_OCP_REGISTRY='<Your enterprise registry host>:<port>'
    LOCAL_OCP_REPOSITORY='<Your image path>'
    Here, enter the following values for the OCP_RELEASE:
    • For 2.8.0, it is 4.14.14 or 4.15.2
    • For 2.8.1, it is 4.14.24 or 4.15.12
    See the following sample values:
    
    LOCAL_SECRET_JSON='/home/mirror/pull-secret.json'
    LOCAL_OCP_REGISTRY='registryhost.com:443'
    LOCAL_OCP_REPOSITORY='mirror-ocp'

    LOCAL_SECRET_JSON is the relative path to your pull-secret.json file.

    LOCAL_OCP_REGISTRY is your entitlement registry.

    LOCAL_OCP_REPOSITORY is the image path to which you want to mirror the images. You can choose your own repository paths. For example, hci-2.8.0/isf or hci-2.8.0 or hci-2.8.1/isf or hci-2.8.1.

    Note: Change the values of LOCAL_SECRET_JSON, LOCAL_OCP_REGISTRY, and LOCAL_OCP_REPOSITORY. Keep the other values as is.
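  2. Run the command to log in to the Docker registry with your enterprise registry credentials.
    docker login $LOCAL_OCP_REGISTRY -u <your enterprise registry username> -p <your enterprise registry password>
    Note: A password passed with -p can end up in shell history and in the process list. docker login can also read the password from standard input with --password-stdin.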
    
  3. Run the command to create catalog mirror images:
    oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --to=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY} --to-release-image=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
    After successful mirroring, a confirmation message is displayed. For example:
    Success
    Update image:  <Your enterprise registry>:<port>/<Your image path>:4.14.14-x86_64
    Mirror prefix: <Your enterprise registry>:<port>/<Your image path>
    Mirror prefix: <Your enterprise registry>:<port>/<Your image path>:4.14.14-x86_64 
    Note: If your enterprise registry is configured with a self-signed certificate, or if you get the error x509: certificate signed by unknown authority, use --insecure=true to complete the mirroring of the OpenShift release image. With this flag, the registry's TLS certificate is not validated during the transfer.
    Sample command:
    oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --to=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY} --to-release-image=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --insecure=true
  4. To verify whether the images were successfully mirrored, check that the command output contains the following information:
    imageContentSources:
    - mirrors:
      - <Your enterprise registry>:<port>/ocp4/openshift4
      source: quay.io/openshift-release-dev/ocp-release
    - mirrors:
      - <Your enterprise registry>:<port>/ocp4/openshift4
      source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    See the following sample values:
    imageContentSources:
    - mirrors:
      - registryhost.com:443/mirror-ocp
      source: quay.io/openshift-release-dev/ocp-release
    - mirrors:
      - registryhost.com:443/mirror-ocp
      source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
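
The check in step 4 can be scripted instead of read by eye. The following is an added example, not part of the original procedure or the product's tooling: the helper name check_mirror_output and the sample output are constructed for illustration, and it assumes the output of oc adm release mirror has been captured and is fed in on standard input.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# check_mirror_output EXPECTED_MIRROR   (hypothetical helper; reads stdin)
# Succeeds only if the imageContentSources block maps BOTH release
# sources to EXPECTED_MIRROR (LOCAL_OCP_REGISTRY/LOCAL_OCP_REPOSITORY).
check_mirror_output() {
  awk -v want="$1" '
    BEGIN {
      need["quay.io/openshift-release-dev/ocp-release"] = 1
      need["quay.io/openshift-release-dev/ocp-v4.0-art-dev"] = 1
    }
    /^[ \t]*imageContentSources:/ { in_ics = 1; next }
    # Any line that is neither indented nor a list item ends the block.
    in_ics && /^[^- \t]/ { in_ics = 0 }
    !in_ics { next }
    /^[ \t]*-[ \t]*mirrors:/ { mirror = ""; next }
    /^[ \t]+-[ \t]/ { mirror = $2; next }
    /^[ \t]*source:/ {
      if (!($2 in need)) next
      if (mirror == want) found[$2] = 1
      else printf "unexpected mirror for %s: %s\n", $2, mirror
    }
    END {
      rc = 0
      for (s in need) if (!(s in found)) { print "not verified: " s; rc = 1 }
      exit rc
    }
  '
}

# Constructed sample output, built from the sample values in steps 1 and 4.
sample_output() {
  cat <<'EOF'
Success
Update image:  registryhost.com:443/mirror-ocp:4.14.14-x86_64
imageContentSources:
- mirrors:
  - registryhost.com:443/mirror-ocp
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - registryhost.com:443/mirror-ocp
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
EOF
}

# Real use: check_mirror_output "${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY}" < mirror.log
sample_output | check_mirror_output 'registryhost.com:443/mirror-ocp' \
  && echo "imageContentSources verified"
```

A non-zero exit status means at least one of the two release sources is missing from the block or points at a different mirror than the one you set in step 1.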