Container mirror registry rules for Watson Machine Learning Accelerator
Set extra container registry rules for Watson Machine Learning Accelerator in an air-gapped cluster.
To mirror requests from a source registry to a mirror registry, create an ImageContentSourcePolicy. The policy redirects image pull requests for the source registry to the mirror registry, that is, the registry where images are mirrored on a local machine or a portable device.
To create the ImageContentSourcePolicy, run the following command:
cat <<EOF | oc apply -f -
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: # Name of ImageContentSourcePolicy, can be customized
spec:
  repositoryDigestMirrors:
  - mirrors:
    - mirror.ibm.com.example # Set local registry where images are mirrored to
    source: source # Set source registry to pull images from
  - mirrors:
    - mirror2.ibm.com.example # Set local registry where images are mirrored to
    source: source2 # Set source registry to pull images from
EOF
Note: If multiple ImageContentSourcePolicy objects exist, ensure that image pull requests are redirected to the correct mirror registry. Applying this policy causes all the nodes in the cluster to restart. Wait a few minutes for the policy to take effect.
For example, the following policy redirects pull requests from icr.io/cpopen to api.qhe.cp.ibm.com:5000/cp and from cp.icr.io to api.qhe.cp.ibm.com:5000:
cat <<EOF | oc apply -f -
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: wmlaairgappolicy
spec:
  repositoryDigestMirrors:
  - mirrors:
    - api.qhe.cp.ibm.com:5000/cp
    source: icr.io/cpopen
  - mirrors:
    - api.qhe.cp.ibm.com:5000
    source: cp.icr.io
EOF
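To check the point in the note about multiple policies, the following added example (not part of the original documentation) predicts where a given image reference is pulled from once all rules are combined. It assumes the container runtime picks the longest matching source, as containers-registries.conf describes; resolve_mirror, the sample digests and other-mirror.example are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: predict where a pull lands under repositoryDigestMirrors rules.
# stdin: one "source mirror" pair per line, collected from ALL policies, e.g.
#   oc get imagecontentsourcepolicy -o jsonpath='{range .items[*].spec.repositoryDigestMirrors[*]}{.source}{" "}{.mirrors[0]}{"\n"}{end}'
# Assumption: the longest matching source prefix wins.

resolve_mirror() {   # hypothetical helper name
  image=$1
  # Digest mirrors apply only to pulls by digest (name@sha256:...);
  # a pull by tag is not redirected and still targets the source registry.
  case $image in
    *@sha256:*) ;;
    *) echo "NOT-MIRRORED (tag pull): $image"; return 0 ;;
  esac
  repo=${image%@*}
  digest=${image#*@}
  best_src=""
  best_mirror=""
  while read -r src mirror; do
    [ -n "$src" ] || continue
    # A source matches the repository exactly or on a path boundary.
    case $repo in
      "$src"|"$src"/*)
        if [ "${#src}" -gt "${#best_src}" ]; then
          best_src=$src
          best_mirror=$mirror
        fi ;;
    esac
  done
  if [ -z "$best_src" ]; then
    echo "NO-RULE: $image"
    return 0
  fi
  echo "${best_mirror}${repo#"$best_src"}@${digest}"
}

# Constructed rules: the two from the example policy above plus a broader
# rule from a hypothetical second policy (other-mirror.example is made up).
RULES='icr.io/cpopen api.qhe.cp.ibm.com:5000/cp
cp.icr.io api.qhe.cp.ibm.com:5000
icr.io other-mirror.example:5000/all'

for img in icr.io/cpopen/op@sha256:aaaa cp.icr.io/cp/img@sha256:bbbb \
           icr.io/other/img@sha256:cccc cp.icr.io/cp/img:1.0; do
  printf '%s\n' "$RULES" | resolve_mirror "$img"
done
```

With the example policy, icr.io/cpopen/... and cp.icr.io/cp/... both resolve under api.qhe.cp.ibm.com:5000/cp, which is the kind of overlap to review before applying a second policy.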
Insecure registries
Mirror registries that do not use valid SSL certificates or do not require HTTPS connections are considered insecure.
If you are using an insecure registry, you must add the mirror registry to the cluster insecureRegistries list by editing image.config.openshift.io/cluster. Otherwise, you will get a certificate error when pulling images.
oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["'"${LOCAL_DOCKER_REGISTRY}"'"]}}}'
For example:
oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["api.qhe.cp.ibm.com:5000"]}}}'