installation-restricted-network-samples.adoc

Using Samples Operator imagestreams with alternate or mirrored registries

Most imagestreams in the OpenShift namespace managed by the Samples Operator point to images located in the Red Hat registry at registry.redhat.io. The jenkins, jenkins-agent-maven, and jenkins-agent-nodejs imagestreams come from the install payload and are managed by the Samples

Note	The cli, installer, must-gather, and tests imagestreams, while part of the install payload, are not managed by the Samples Operator. These are not addressed in this procedure.

Prerequisites

• Access to the cluster as a user with the cluster-admin role.

• Create a pull secret for your mirror registry.

Procedure

1. Access the images of a specific imagestream to mirror, for example:

   $ oc get is <imagestream> -n openshift -o json | jq .spec.tags[].from.name | grep registry.redhat.io

2. Mirror images from registry.redhat.io associated with any imagestreams you need

   $ oc image mirror registry.redhat.io/rhscl/ruby-25-rhel7:latest ${MIRROR_ADDR}/rhscl/ruby-25-rhel7:latest

3. Add the required trusted CAs for the mirror in the cluster’s image configuration object:

   $ oc create configmap registry-config --from-file={MIRROR_ADDR}=$path/ca.crt -n openshift-config
   $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge

4. Update the samplesRegistry field in the Samples Operator configuration object to contain the hostname portion of the mirror location defined in the mirror configuration:

   $ oc get configs.samples.operator.openshift.io -n openshift-cluster-samples-operator

   Note	This is required because the imagestream import process does not use the mirror or search mechanism at this time.

5. Add any imagestreams that are not mirrored into the skippedImagestreams field of the Samples Operator configuration object. Or if you do not want to support any of the sample imagestreams, set the Samples Operator to Removed in the Samples Operator configuration object.

   Note	Any unmirrored imagestreams that are not skipped, or if the Samples Operator is not changed to Removed, will result in the Samples Operator reporting a Degraded status two hours after the imagestream imports start failing.

   Many of the templates in the OpenShift namespace reference the imagestreams. So using Removed to purge both the imagestreams and templates will eliminate the possibility of attempts to use them if they are not functional because of any missing imagestreams.