Merge pull request #56250 from mburke5678/nodes-mirror-by-tags

OSDOCS#4981: Allow mirroring images by tags

Author: mburke5678

modules/builds-image-source.adoc

@@ -45,7 +45,7 @@ source:
 +
 [NOTE]
 ====
-If your cluster uses an `ImageContentSourcePolicy` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
+If your cluster uses an `ImageDigestMirrorSet` or `ImageTagMirrorSet` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
 ====
 
 .Images that require pull secrets

modules/images-configuration-registry-mirror-convert.adoc

@@ -0,0 +1,66 @@
+// Module included in the following assemblies:
+//
+// * openshift_images/image-configuration.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
+
+:_content-type: PROCEDURE
+[id="images-configuration-registry-mirror-convert_{context}"]
+= Converting ImageContentSourcePolicy (ICSP) files for image registry repository mirroring
+
+Using an `ImageContentSourcePolicy` (ICSP) object to configure repository mirroring is a deprecated feature. This functionality is still included in {product-title} and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. 
+
+ICSP objects are being replaced by `ImageDigestMirrorSet` and `ImageTagMirrorSet` objects to configure repository mirroring. If you have existing YAML files that you used to create `ImageContentSourcePolicy` objects, you can use the `oc adm migrate icsp` command to convert those files to an `ImageDigestMirrorSet` YAML file. The command updates the API to the current version, changes the `kind` value to `ImageDigestMirrorSet`, and changes `spec.repositoryDigestMirrors` to `spec.imageDigestMirrors`. The rest of the file is not changed. 
+
+For more information about `ImageDigestMirrorSet` or `ImageTagMirrorSet` objects, see "Configuring image registry repository mirroring" in the previous section.
+
+.Prerequisites
+
+* Ensure that you have access to the cluster as a user with the `cluster-admin` role.
+
+* Ensure that you have `ImageContentSourcePolicy` objects on your cluster.
+
+.Procedure
+
+. Use the following command to convert one or more `ImageContentSourcePolicy` YAML files to an `ImageDigestMirrorSet` YAML file:
++
+[source,terminal]
+----
+$ oc adm migrate iscp <file_name>.yaml <file_name>.yaml <file_name>.yaml --dest-dir <path_to_the_directory>
+----
++
+--
+where:
+
+`<file_name>`:: Specifies the name of the source `ImageContentSourcePolicy` YAML. You can list multiple file names.
+`--dest-dir`:: Optional: Specifies a directory for the output `ImageDigestMirrorSet` YAML. If unset, the file is written to the current directory.
+--
++
+For example, the following command converts the `icsp.yaml` and `icsp-2.yaml` file and saves the new YAML files to the `idms-files` directory.
++
+[source,terminal]
+----
+$ oc adm migrate icsp icsp.yaml icsp-2.yaml --dest-dir idms-files
+----
++
+.Example output
+[source,terminal]
+----
+wrote ImageDigestMirrorSet to idms-files/imagedigestmirrorset_ubi8repo.5911620242173376087.yaml
+wrote ImageDigestMirrorSet to idms-files/imagedigestmirrorset_ubi9repo.6456931852378115011.yaml
+----
+
+. Create the CR object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f <path_to_the_directory>/<file-name>.yaml
+----
++
+--
+where:
+
+`<path_to_the_directory>`:: Specifies the path to the directory, if you used the `--dest-dir` flag.
+`<file_name>`:: Specifies the name of the `ImageDigestMirrorSet` YAML.
+--
+

modules/images-configuration-registry-mirror.adoc

@@ -8,12 +8,12 @@
 [id="images-configuration-registry-mirror_{context}"]
 = Configuring image registry repository mirroring
 
-Setting up container registry repository mirroring enables you to do the following:
+Setting up container registry repository mirroring enables you to perform the following tasks:
 
 * Configure your {product-title} cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.
 * Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.
 
-The attributes of repository mirroring in {product-title} include:
+Repository mirroring in {product-title} includes the following attributes:
 
 * Image pulls are resilient to registry downtimes.
 * Clusters in disconnected environments can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images.
@@ -29,9 +29,20 @@ By pulling container images needed by {product-title} and then bringing those im
 
 * After {product-title} installation:
 +
-Even if you don't configure mirroring during {product-title} installation, you can do so later using the `ImageContentSourcePolicy` object.
+If you did not configure mirroring during {product-title} installation, you can do so post-installation by using one of the following custom resource (CR) objects:
++
+--
+** `ImageDigestMirrorSet`. This CR allows you to pull images from a mirrored registry by using digest specifications.
++
+** `ImageTagMirrorSet`. This CR allows you to pull images from a mirrored registry by using image tags.
+--
++
+[IMPORTANT]
+====
+Using an `ImageContentSourcePolicy` (ICSP) object to configure repository mirroring is a deprecated feature. Deprecated functionality is still included in {product-title} and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. If you have existing YAML files that you used to create `ImageContentSourcePolicy` objects, you can use the `oc adm migrate icsp` command to convert those files to an `ImageDigestMirrorSet` YAML file. For more information, see "Converting ImageContentSourcePolicy (ICSP) files for image registry repository mirroring" in the following section. 
+====
 
-The following procedure provides a post-installation mirror configuration, where you create an `ImageContentSourcePolicy` object that identifies:
+Both of these custom resource objects identify the following information:
 --
 * The source of the container image repository you want to mirror.
 * A separate entry for each mirror repository you want to offer the content
@@ -40,11 +51,26 @@ requested from the source repository.
 
 [NOTE]
 ====
-You can only configure global pull secrets for clusters that have an `ImageContentSourcePolicy` object. You cannot add a pull secret to a project.
+If your cluster uses an `ImageDigestMirrorSet` or `ImageTagMirrorSet` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
 ====
 
+The following procedure creates a post-installation mirror configuration, where you create an `ImageDigestMirrorSet` object.
+
 .Prerequisites
-* Access to the cluster as a user with the `cluster-admin` role.
+* Ensure that you have access to the cluster as a user with the `cluster-admin` role.
+
+* Ensure that there are no `ImageContentSourcePolicy` objects on your cluster. For example, you can use the following command:
++
+[source, terminal]
+----
+$ oc get ImageContentSourcePolicy
+----
++
+.Example output
+[source, terminal]
+----
+No resources found
+----
 
 .Procedure
 
@@ -66,55 +92,71 @@ In this example, you have a container image registry that is named `example.io`
 
 . Log in to your {product-title} cluster.
 
-. Create an `ImageContentSourcePolicy` file (for example, `registryrepomirror.yaml`), replacing the source and mirrors with your own registry and repository pairs and images:
+. Create an `ImageDigestMirrorSet` or `ImageTagMirrorSet` CR, as needed, replacing the source and mirrors with your own registry and repository pairs and images:
 +
 [source,yaml]
 ----
-apiVersion: operator.openshift.io/v1alpha1
-kind: ImageContentSourcePolicy
+apiVersion: config.openshift.io/v1 <1>
+kind: ImageDigestMirrorSet <2>
 metadata:
   name: ubi8repo
 spec:
-  repositoryDigestMirrors:
+  imageDigestMirrors: <3>
   - mirrors:
-    - example.io/example/ubi-minimal <1>
-    - example.com/example/ubi-minimal <2>
-    source: registry.access.redhat.com/ubi8/ubi-minimal <3>
+    - example.io/example/ubi-minimal <4>
+    - example.com/example/ubi-minimal <5>
+    source: registry.access.redhat.com/ubi8/ubi-minimal <6>
+    mirrorSourcePolicy: AllowContactingSource <7>
   - mirrors:
     - mirror.example.com/redhat
-    source: registry.redhat.io/openshift4 <4>
+    source: registry.redhat.io/openshift4 <8>
+    mirrorSourcePolicy: AllowContactingSource
   - mirrors:
     - mirror.example.com
-    source: registry.redhat.io <5>
+    source: registry.redhat.io <9>
+    mirrorSourcePolicy: AllowContactingSource
   - mirrors:
     - mirror.example.net/image
-    source: registry.example.com/example/myimage <6>
+    source: registry.example.com/example/myimage <10>
+    mirrorSourcePolicy: AllowContactingSource
   - mirrors:
     - mirror.example.net
-    source: registry.example.com/example <7>
+    source: registry.example.com/example <11>
+    mirrorSourcePolicy: AllowContactingSource
   - mirrors:
     - mirror.example.net/registry-example-com
-    source: registry.example.com <8>
+    source: registry.example.com <12>
+    mirrorSourcePolicy: AllowContactingSource
 ----
-<1> Indicates the name of the image registry and repository.
-<2> Indicates multiple mirror repositories for each target repository. If one mirror is down, the target repository can use another mirror.
-<3> Indicates the registry and repository containing the content that is mirrored.
-<4> You can configure a namespace inside a registry to use any image in that namespace. If you use a registry domain as a source, the `ImageContentSourcePolicy` resource is applied to all repositories from the registry.
-<5> If you configure the registry name, the `ImageContentSourcePolicy` resource is applied to all repositories from a source registry to a mirror registry.
-<6> Pulls the image `mirror.example.net/image@sha256:...`.
-<7> Pulls the image `myimage` in the source registry namespace from the mirror `mirror.example.net/myimage@sha256:...`.
-<8> Pulls the image `registry.example.com/example/myimage` from the mirror registry `mirror.example.net/registry-example-com/example/myimage@sha256:...`. The `ImageContentSourcePolicy` resource is applied to all repositories from a source registry to a mirror registry `mirror.example.net/registry-example-com`.
-
-. Create the new `ImageContentSourcePolicy` object:
+<1> Indicates the API to use with this CR. This must be `config.openshift.io/v1`.
+<2> Indicates the kind of object according to the pull type:
+** `ImageDigestMirrorSet`: Pulls a digest reference image.
+** `ImageTagMirrorSet`: Pulls a tag reference image.
+<3> Indicates the type of image pull method, either:
+** `imageDigestMirrors`: Use for an `ImageDigestMirrorSet` CR.
+** `imageTagMirrors`: Use for an `ImageTagMirrorSet` CR. 
+<4> Indicates the name of the mirrored image registry and repository.
+<5> Optional: Indicates a secondary mirror repository for each target repository. If one mirror is down, the target repository can use another mirror.
+<6> Indicates the registry and repository source, which is the repository that is referred to in image pull specifications.
+<7> Optional: Indicates the fallback policy if the image pull fails:
+** `AllowContactingSource`: Allows continued attempts to pull the image from the source repository. This is the default. 
+** `NeverContactSource`: Prevents continued attempts to pull the image from the source repository.
+<8> Optional: Indicates a namespace inside a registry, which allows you to use any image in that namespace. If you use a registry domain as a source, the object is applied to all repositories from the registry.
+<9> Optional: Indicates a registry, which allows you to use any image in that registry. If you specify a registry name, the object is applied to all repositories from a source registry to a mirror registry.
+<10> Pulls the image `registry.example.com/example/myimage@sha256:...` from the mirror `mirror.example.net/image@sha256:..`.
+<11> Pulls the image `registry.example.com/example/image@sha256:...` in the source registry namespace from the mirror `mirror.example.net/image@sha256:...`.
+<12> Pulls the image `registry.example.com/myimage@sha256` from the mirror registry `example.net/registry-example-com/myimage@sha256:...`. The `ImageContentSourcePolicy` resource is applied to all repositories from a source registry to a mirror registry `mirror.example.net/registry-example-com`.
+
+. Create the new object:
 +
 [source,terminal]
 ----
 $ oc create -f registryrepomirror.yaml
 ----
 +
-After the `ImageContentSourcePolicy` object is created, the new settings are deployed to each node and the cluster starts using the mirrored repository for requests to the source repository.
+After the object is created, the Machine Config Operator (MCO) cordons the nodes as the new settings are deployed to each node. The MCO restarts the nodes for an `ImageTagMirrorSet` object only. The MCO does not restart the nodes for `ImageDigestMirrorSet` objects. When the nodes are uncordoned, the cluster starts using the mirrored repository for requests to the source repository.
 
-. To check that the mirrored configuration settings, are applied, do the following on one of the nodes.
+. To check that the mirrored configuration settings are applied, do the following on one of the nodes.
 
 .. List your nodes:
 +
@@ -134,8 +176,6 @@ ip-10-0-147-35.ec2.internal    Ready                      worker   7m   v1.25.0
 ip-10-0-153-12.ec2.internal    Ready                      worker   7m   v1.25.0
 ip-10-0-154-10.ec2.internal    Ready                      master   11m  v1.25.0
 ----
-+
-The `Imagecontentsourcepolicy` resource does not restart the nodes.
 
 .. Start the debugging process to access the node:
 +
@@ -166,6 +206,8 @@ the changes were made:
 sh-4.2# cat /etc/containers/registries.conf
 ----
 +
+The following output represents a `registries.conf` file where an `ImageDigestMirrorSet` object and an `ImageTagMirrorSet` object were applied. The final two entries are marked `digest-only` and `tag-only` respectively.
++
 .Example output
 [source,terminal]
 ----
@@ -174,57 +216,71 @@ short-name-mode = ""
 
 [[registry]]
   prefix = ""
-  location = "registry.access.redhat.com/ubi8/ubi-minimal"
-  mirror-by-digest-only = true
+  location = "registry.access.redhat.com/ubi9/ubi-minimal" <1>
 
   [[registry.mirror]]
-    location = "example.io/example/ubi-minimal"
+    location = "example.io/example/ubi-minimal" <2>
+    pull-from-mirror = "digest-only" <3>
 
   [[registry.mirror]]
     location = "example.com/example/ubi-minimal"
+    pull-from-mirror = "digest-only"
 
 [[registry]]
   prefix = ""
   location = "registry.example.com"
-  mirror-by-digest-only = true
 
   [[registry.mirror]]
     location = "mirror.example.net/registry-example-com"
+    pull-from-mirror = "digest-only"
 
 [[registry]]
   prefix = ""
   location = "registry.example.com/example"
-  mirror-by-digest-only = true
 
   [[registry.mirror]]
     location = "mirror.example.net"
+    pull-from-mirror = "digest-only"
 
 [[registry]]
   prefix = ""
   location = "registry.example.com/example/myimage"
-  mirror-by-digest-only = true
 
   [[registry.mirror]]
     location = "mirror.example.net/image"
+    pull-from-mirror = "digest-only"
 
 [[registry]]
   prefix = ""
   location = "registry.redhat.io"
-  mirror-by-digest-only = true
 
   [[registry.mirror]]
     location = "mirror.example.com"
+    pull-from-mirror = "digest-only"
 
 [[registry]]
   prefix = ""
   location = "registry.redhat.io/openshift4"
-  mirror-by-digest-only = true
 
   [[registry.mirror]]
     location = "mirror.example.com/redhat"
+    pull-from-mirror = "digest-only"
+[[registry]]
+  prefix = ""
+  location = "registry.access.redhat.com/ubi8/ubi-minimal"
+  blocked = true <4>
+
+  [[registry.mirror]]
+    location = "example.io/example/ubi-minimal-tag"
+    pull-from-mirror = "tag-only" <5>
 ----
+<1> Indicates the repository that is referred to in a pull spec.
+<2> Indicates the mirror for that repository.
+<3> Indicates that the image pull from the mirror is a digest reference image.
+<4> Indicates that the `NeverContactSource` parameter is set for this repository. 
+<5> Indicates that the image pull from the mirror is a tag reference image. 
 
-.. Pull an image digest to the node from the source and check if it is resolved by the mirror. `ImageContentSourcePolicy` objects support image digests only, not image tags.
+.. Pull an image to the node from the source and check if it is resolved by the mirror.
 +
 [source,terminal]
 ----
@@ -239,3 +295,5 @@ If the repository mirroring procedure does not work as described, use the follow
 * The main registry is only used if no other mirror works.
 * From the system context, the `Insecure` flags are used as fallback.
 * The format of the `/etc/containers/registries.conf` file has changed recently. It is now version 2 and in TOML format.
+* You cannot add the same repository to both an `ImageDigestMirrorSet` and an `ImageTagMirrorSet` object.
+

modules/troubleshooting-disabling-autoreboot-mco.adoc

@@ -17,7 +17,7 @@ The following modifications do not trigger a node reboot:
 ** Changes to the global pull secret or pull secret in the `openshift-config` namespace.
 ** Automatic rotation of the `/etc/kubernetes/kubelet-ca.crt` certificate authority (CA) by the Kubernetes API Server Operator.
 
-* When the MCO detects changes to the `/etc/containers/registries.conf` file, such as adding or editing an `ImageContentSourcePolicy` object, it drains the corresponding nodes, applies the changes, and uncordons the nodes. The node drain does not happen when there is a mirror configuration change in the `ImageContentSourcePolicy` (ICSP) object such as a new mirror added to an existing registry or a new registry added that has the setting `mirror-by-digest-only=true`.
+* When the MCO detects changes to the `/etc/containers/registries.conf` file, such as adding or editing an `ImageDigestMirrorSet` or `ImageTagMirrorSet` object, it drains the corresponding nodes, applies the changes, and uncordons the nodes. The node drain does not happen when there is a mirror configuration change in the object, such as adding a new mirror to an existing registry by using an `ImageDigestMirrorSet` object. The MCO does restart the nodes if you add a new mirror to an existing registry by uisng an`ImageTagMirrorSet` object.
 ====
 
 To avoid unwanted disruptions, you can modify the machine config pool (MCP) to prevent automatic rebooting after the Operator makes changes to the machine config.