Container mirror registry rules for Watson Machine Learning Accelerator

Set extra container registry rules for Watson Machine Learning Accelerator in an air-gapped cluster.

To mirror requests from a source registry to a mirror registry, create an ImageContentSourcePolicy. This policy redirects image pull requests for the source registry to the mirror registry, that is, the registry where images are mirrored on a local machine or a portable device.

To create the ImageContentSourcePolicy, run the following command:
        cat <<EOF | oc apply -f -
        apiVersion: operator.openshift.io/v1alpha1
        kind: ImageContentSourcePolicy
        metadata:
          name: <policy-name>              # Name of the ImageContentSourcePolicy; can be customized
        spec:
          repositoryDigestMirrors:
          - mirrors:
            - mirror.ibm.com.example       # Local registry where images are mirrored to
            source: source                 # Source registry to pull images from
          - mirrors:
            - mirror2.ibm.com.example      # Local registry where images are mirrored to
            source: source2                # Source registry to pull images from
        EOF
Note: If multiple ImageContentSourcePolicy objects exist, ensure that image pull requests are redirected to the correct mirror registry. Applying this policy causes all the nodes in the cluster to restart; wait a few minutes for the policy to take effect.
For example, the following policy redirects pull requests from icr.io/cpopen to api.qhe.cp.ibm.com:5000/cp and from cp.icr.io to api.qhe.cp.ibm.com:5000:
        cat <<EOF | oc apply -f -
        apiVersion: operator.openshift.io/v1alpha1
        kind: ImageContentSourcePolicy
        metadata:
          name: wmlaairgappolicy
        spec:
          repositoryDigestMirrors:
          - mirrors:
            - api.qhe.cp.ibm.com:5000/cp
            source: icr.io/cpopen
          - mirrors:
            - api.qhe.cp.ibm.com:5000
            source: cp.icr.io
        EOF
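
To check which mirror a given image would be pulled from, including when several policies overlap, the following pre-check can be run before applying the rules. It is an added example, not IBM code or part of the product; the image names and digest are constructed, and it assumes the container runtime matches sources on path boundaries with the most specific source winning, merges mirrors defined for the same source, and applies repositoryDigestMirrors only to pulls by digest.

```python
# Added example, not IBM code. Image names and the digest are constructed.
DIGEST = "sha256:" + "a" * 64  # constructed placeholder digest

# (source, mirrors) pairs taken from the example policy wmlaairgappolicy.
RULES = [
    ("icr.io/cpopen", ["api.qhe.cp.ibm.com:5000/cp"]),
    ("cp.icr.io", ["api.qhe.cp.ibm.com:5000"]),
]

def split_ref(image):
    """Split an image reference into (repository, suffix, pinned_by_digest)."""
    if "@" in image:
        repo, digest = image.split("@", 1)
        return repo, "@" + digest, True
    # A ':' after the last '/' is a tag; a ':' before it is a registry port.
    if ":" in image.rsplit("/", 1)[-1]:
        repo, tag = image.rsplit(":", 1)
        return repo, ":" + tag, False
    return image, "", False  # no tag given, so the runtime pulls :latest

def resolve(image, rules):
    """Return (status, pull_candidates) for one image under the given rules."""
    repo, suffix, pinned = split_ref(image)
    hits = [(src, mirrors) for src, mirrors in rules
            if repo == src or repo.startswith(src + "/")]  # path-boundary match
    if not hits:
        return "no-rule", [image]
    if not pinned:
        # Assumption stated above: tag pulls are not redirected to a mirror.
        return "tag-not-mirrored", [image]
    best = max(len(src) for src, _ in hits)  # most specific source wins
    candidates = []
    for src, mirrors in hits:
        if len(src) != best:
            continue
        for mirror in mirrors:  # same source in several policies: mirrors merge
            ref = mirror + repo[len(src):] + suffix
            if ref not in candidates:
                candidates.append(ref)
    return "mirrored", candidates

def audit(images, rules):
    """Map each image to its status and the references that would be tried."""
    return {image: resolve(image, rules) for image in images}
```

In an air-gapped cluster, any image reported as no-rule or tag-not-mirrored would still be requested from its source registry, so it needs a rule or a digest reference before the workload is deployed.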

Insecure registries

Mirror registries that do not use valid SSL certificates or do not require HTTPS connections are considered insecure.

If you are using an insecure registry, you must add the mirror registry to the cluster insecureRegistries list by editing image.config.openshift.io/cluster. Otherwise, you will get a certificate error when pulling images.
        oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["'${LOCAL_DOCKER_REGISTRY}'"]}}}'
For example:
        oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["api.qhe.cp.ibm.com:5000"]}}}'