How to use the oc-mirror plug-in to mirror operators?

Solution Verified - Updated 26 Jul 2024

Environment

OpenShift Container Platform
- 4.11+
Disconnected environment

Issue

How to use oc-mirror plug-in to mirror operators.
How to find available operators using oc-mirror.

Resolution

Installing the oc-mirror plug-in.

$ curl -O https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable/oc-mirror.tar.gz
$ tar -xvf oc-mirror.tar.gz
$ chmod +x ./oc-mirror
$ sudo mv ./oc-mirror /usr/local/bin/

Disabling the default OperatorHub sources.

$ oc patch OperatorHub cluster --type json \
    -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'

This content is not included.Get operator information.

a. Login OperatorHub catalogs

  $ podman login registry.redhat.io


b. Find the available catalogs for the target version.

  $ oc-mirror list operators --catalogs --version=4.11
  Available OpenShift OperatorHub catalogs:
  OpenShift 4.11:
  registry.redhat.io/redhat/redhat-operator-index:v4.11
  registry.redhat.io/redhat/certified-operator-index:v4.11
  registry.redhat.io/redhat/community-operator-index:v4.11
  registry.redhat.io/redhat/redhat-marketplace-index:v4.11


c. Find the available packages within the selected catalog.

  $ oc-mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.11 > package.out
  $ cat package.out
  NAME                  DISPLAY NAME                                                      DEFAULT CHANNEL
  3scale-operator       Red Hat Integration - 3scale - Managed Application Services       threescale-mas
  [···]


d. Find channels for the selected package.

  $ oc-mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.11 --package=cluster-logging
  NAME             DISPLAY NAME               DEFAULT CHANNEL
  cluster-logging  Red Hat OpenShift Logging  stable

  PACKAGE          CHANNEL     HEAD
  cluster-logging  stable      cluster-logging.5.5.5
  cluster-logging  stable-5.3  cluster-logging.5.3.9
  cluster-logging  stable-5.4  cluster-logging.5.4.9
  cluster-logging  stable-5.5  cluster-logging.5.5.5

  or

  $ for i in cluster-logging elasticsearch-operator ; do oc-mirror list operators -- 
  catalog=registry.redhat.io/redhat/redhat-operator-index:v4.11 --package=$i; done

e. Find package versions within the selected channel.

  $ oc-mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.11 -- package=elasticsearch-operator --channel=stable-5.5
  VERSIONS
  5.5.5

Configuring credentials that allow images to be mirrored.

a. Download pull-secret(https://console.redhat.com/openshift/install/pull-secret).


b. Add local Image Registry credentials to the pull-secret.

  $ MIRROR_REGISTRY=docker.registry.example.net:5000
  $ podman login ${MIRROR_REGISTRY}
  $ podman login --authfile /root/pull-secret ${MIRROR_REGISTRY}


c. Save the file either as ~/.docker/config.json or $XDG_RUNTIME_DIR/containers/auth.json.

  $ cat /root/pull-secret | jq . > ${XDG_RUNTIME_DIR}/containers/auth.json
  $ cat ${XDG_RUNTIME_DIR}/containers/auth.json
  {
    "auths": {
      "cloud.openshift.com": {
        "auth": "xxxxxx...",
        "email": "you@example.com"
      },
      "docker.registry.example.net:5000": {
        "auth": "xxxxxx"
       [···]

Creating the imageset configuration.
Note: When running the oc-mirror plugin again, images gets pruned automatically from the target mirror registry if they are no longer included in the latest imageset that was generated and mirrored.

$ cat > imageset-config.yaml << EOF
apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
 registry:                 
   imageURL: ${MIRROR_REGISTRY}/mirror/metadata    #<-- Do not delete or modify metadata generated by the oc-mirror plugin, use the same storage backend every time run the oc-mirror plugin for the same mirror registry.
   skipTLS: false
mirror:
  operators:
    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.11   	#<-- Set the Operator catalog
      packages:
        - name: cluster-logging        #<-- Operator name
          channels:                    #<-- Specify channel and version
            - name: stable             #<-- Default Channel
            - name: stable-5.5         #<-- Target Channel - If the expected Channel is different from the Default Channel, need to set the Target Channel after setting the Default Channel
              minVersion: '5.5.5'      #<-- If the first field of the set value is a number, need to add ' '.
              maxVersion: '5.5.5'
        - name: elasticsearch-operator
          channels:
            - name: stable
            - name: stable-5.5
              minVersion: '5.5.5'
              maxVersion: '5.5.5'
        - name: cincinnati-operator
          channels:
            - name: v1
              minVersion: v5.0.0
              maxVersion: v5.0.0
        - name: kubernetes-nmstate-operator
          channels:
            - name: stable
            - name: '4.11'
              minVersion: '4.11.0-202212070335'
              maxVersion: '4.11.0-202212070335'
EOF

This page is not included, but the link has been rewritten to point to the nearest parent document.Mirroring an imageset to a mirror registry.

$ oc mirror --config=./imageset-config.yaml \
            docker://${MIRROR_REGISTRY} --dest-skip-tls
···
info: Mirroring completed in 1m57.76s (40.22MB/s)
Rendering catalog image "docker.registry.example.net:5000/redhat/redhat-operator-index:v4.11" with file-based catalog 
Writing image mapping to oc-mirror-workspace/results-1670920047/mapping.txt
Writing CatalogSource manifests to oc-mirror-workspace/results-1670920047
Writing ICSP manifests to oc-mirror-workspace/results-1670920047     #<-- This path is used in subsequent steps to create icsp and catalogsource

Create imageContentSourcePolicy and catalogsource.

$ ls oc-mirror-workspace/results-1670920047
catalogSource-redhat-operator-index.yaml  charts  imageContentSourcePolicy.yaml  mapping.txt  release-signatures

$ oc create -f imageContentSourcePolicy.yaml
imagecontentsourcepolicy.operator.openshift.io/operator-0 created

$ oc create -f catalogSource-redhat-operator-index.yaml
catalogsource.operators.coreos.com/redhat-operator-index create

Verify that the operator download is complete.

$ oc get catalogsource -n openshift-marketplace
NAME                      DISPLAY   TYPE   PUBLISHER   AGE
redhat-operator-index               grpc               13s

$ oc get packagemanifest -n openshift-marketplace
NAME                               CATALOG   AGE
cluster-logging                              33s
cincinnati-operator                          33s
elasticsearch-operator                       33s
kubernetes-nmstate-operator                  33s

If it is a completely disconnected environment, storageConfig.local.path needs to be set instead of storageConfig.registry.imageURL to This page is not included, but the link has been rewritten to point to the nearest parent document.mirror the imageset to disk with the metadata, then mirror the imageset file on disk to a mirror.

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
 registry:                 
   imageURL: ${MIRROR_REGISTRY}/mirror/metadata

***Change it to***

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
  local:
    path: /home/user/metadata

Note: Do not delete or modify metadata generated by the oc-mirror plugin, use the same storage backend every time run the oc-mirror plugin for the same mirror registry.

SBR

Product(s)

Red Hat OpenShift Container Platform

Components

Category

Configure

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.