openshift
diff --git a/‎modules/builds-image-source.adoc
Lines changed: 1 addition & 4 deletions b/‎modules/builds-image-source.adoc
Lines changed: 1 addition & 4 deletions
diff --git a/‎modules/images-configuration-registry-mirror-configuring.adoc
Lines changed: 265 additions & 0 deletions b/‎modules/images-configuration-registry-mirror-configuring.adoc
Lines changed: 265 additions & 0 deletions
diff --git a/‎modules/images-configuration-registry-mirror-convert.adoc
Lines changed: 5 additions & 0 deletions b/‎modules/images-configuration-registry-mirror-convert.adoc
Lines changed: 5 additions & 0 deletions
@@ -43,10 +43,7 @@ source:
 <5> The location of the file to be copied out of the referenced image.
 <6> An optional secret provided if credentials are needed to access the input image.
 +
-[NOTE]
-====
-If your cluster uses an `ImageDigestMirrorSet` or `ImageTagMirrorSet` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
-====
+include::snippets/idms-global-pull-secret.adoc[]
 
 .Images that require pull secrets
 
 
@@ -0,0 +1,265 @@
+// Module included in the following assemblies:
+//
+// * openshift_images/image-configuration.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+// * updating/updating_a_cluster/updating_disconnected_cluster/disconnected-update.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="images-configuration-registry-mirror-configuring_{context}"]
+= Configuring image registry repository mirroring
+
+You can create postinstallation mirror configuration custom resources (CR) to redirect image pull requests from a source image registry to a mirrored image registry.
+
+.Prerequisites
+ifndef::openshift-rosa,openshift-dedicated[]
+* Access to the cluster as a user with the `cluster-admin` role.
+endif::openshift-rosa,openshift-dedicated[]
+ifdef::openshift-rosa,openshift-dedicated[]
+* Access to the cluster as a user with the `dedicated-admin` role.
+endif::openshift-rosa,openshift-dedicated[]
+
+.Procedure
+
+. Configure mirrored repositories, by either:
++
+* Setting up a mirrored repository with Red Hat Quay, as described in link:https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/manage_red_hat_quay/repo-mirroring-in-red-hat-quay[Red Hat Quay Repository Mirroring]. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.
+
+* Using a tool such as `skopeo` to copy images manually from the source repository to the mirrored repository.
++
+For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux (RHEL) 7 or RHEL 8 system, use the `skopeo` command as shown in this example:
++
+[source,terminal]
+----
+$ skopeo copy \
+docker://registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:5cf... \
+docker://example.io/example/ubi-minimal
+----
++
+In this example, you have a container image registry that is named `example.io` with an image repository named `example` to which you want to copy the `ubi9/ubi-minimal` image from `registry.access.redhat.com`. After you create the mirrored registry, you can configure your {product-title} cluster to redirect requests made of the source repository to the mirrored repository.
+
+. Log in to your {product-title} cluster.
+
+. Create a postinstallation mirror configuration CR, by using one of the following examples:
+
+* Create an `ImageDigestMirrorSet` or `ImageTagMirrorSet` CR, as needed, replacing the source and mirrors with your own registry and repository pairs and images:
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1 <1>
+kind: ImageDigestMirrorSet <2>
+metadata:
+  name: ubi9repo
+spec:
+  imageDigestMirrors: <3>
+  - mirrors:
+    - example.io/example/ubi-minimal <4>
+    - example.com/example/ubi-minimal <5>
+    source: registry.access.redhat.com/ubi9/ubi-minimal <6>
+    mirrorSourcePolicy: AllowContactingSource <7>
+  - mirrors:
+    - mirror.example.com/redhat
+    source: registry.redhat.io/openshift4 <8>
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - mirror.example.com
+    source: registry.redhat.io <9>
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - mirror.example.net/image
+    source: registry.example.com/example/myimage <10>
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - mirror.example.net
+    source: registry.example.com/example <11>
+    mirrorSourcePolicy: AllowContactingSource
+  - mirrors:
+    - mirror.example.net/registry-example-com
+    source: registry.example.com <12>
+    mirrorSourcePolicy: AllowContactingSource
+----
+<1> Indicates the API to use with this CR. This must be `config.openshift.io/v1`.
+<2> Indicates the kind of object according to the pull type:
+** `ImageDigestMirrorSet`: Pulls a digest reference image.
+** `ImageTagMirrorSet`: Pulls a tag reference image.
+<3> Indicates the type of image pull method, either:
+** `imageDigestMirrors`: Use for an `ImageDigestMirrorSet` CR.
+** `imageTagMirrors`: Use for an `ImageTagMirrorSet` CR.
+<4> Indicates the name of the mirrored image registry and repository.
+<5> Optional: Indicates a secondary mirror repository for each target repository. If one mirror is down, the target repository can use another mirror.
+<6> Indicates the registry and repository source, which is the repository that is referred to in image pull specifications.
+<7> Optional: Indicates the fallback policy if the image pull fails:
+** `AllowContactingSource`: Allows continued attempts to pull the image from the source repository. This is the default.
+** `NeverContactSource`: Prevents continued attempts to pull the image from the source repository.
+<8> Optional: Indicates a namespace inside a registry, which allows you to use any image in that namespace. If you use a registry domain as a source, the object is applied to all repositories from the registry.
+<9> Optional: Indicates a registry, which allows you to use any image in that registry. If you specify a registry name, the object is applied to all repositories from a source registry to a mirror registry.
+<10> Pulls the image `registry.example.com/example/myimage@sha256:...` from the mirror `mirror.example.net/image@sha256:..`.
+<11> Pulls the image `registry.example.com/example/image@sha256:...` in the source registry namespace from the mirror `mirror.example.net/image@sha256:...`.
+<12> Pulls the image `registry.example.com/myimage@sha256` from the mirror registry `example.net/registry-example-com/myimage@sha256:...`. 
+
+* Create an `ImageContentSourcePolicy` custom resource, replacing the source and mirrors with your own registry and repository pairs and images:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ImageContentSourcePolicy
+metadata:
+  name: mirror-ocp
+spec:
+  repositoryDigestMirrors:
+  - mirrors:
+    - mirror.registry.com:443/ocp/release <1>
+    source: quay.io/openshift-release-dev/ocp-release <2>
+  - mirrors:
+    - mirror.registry.com:443/ocp/release
+    source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+----
+<1> Specifies the name of the mirror image registry and repository.
+<2> Specifies the online registry and repository containing the content that is mirrored.
+
+. Create the new object:
++
+[source,terminal]
+----
+$ oc create -f registryrepomirror.yaml
+----
++
+After the object is created, the Machine Config Operator (MCO) drains the nodes for `ImageTagMirrorSet` objects only. The MCO does not drain the nodes for `ImageDigestMirrorSet` and `ImageContentSourcePolicy` objects.
+
+. To check that the mirrored configuration settings are applied, do the following on one of the nodes.
+
+.. List your nodes:
++
+[source,terminal]
+----
+$ oc get node
+----
++
+.Example output
+[source,terminal]
+----
+NAME                           STATUS                     ROLES    AGE  VERSION
+ip-10-0-137-44.ec2.internal    Ready                      worker   7m   v1.28.5
+ip-10-0-138-148.ec2.internal   Ready                      master   11m  v1.28.5
+ip-10-0-139-122.ec2.internal   Ready                      master   11m  v1.28.5
+ip-10-0-147-35.ec2.internal    Ready                      worker   7m   v1.28.5
+ip-10-0-153-12.ec2.internal    Ready                      worker   7m   v1.28.5
+ip-10-0-154-10.ec2.internal    Ready                      master   11m  v1.28.5
+----
+
+.. Start the debugging process to access the node:
++
+[source,terminal]
+----
+$ oc debug node/ip-10-0-147-35.ec2.internal
+----
++
+.Example output
+[source,terminal]
+----
+Starting pod/ip-10-0-147-35ec2internal-debug ...
+To use host binaries, run `chroot /host`
+----
+
+.. Change your root directory to `/host`:
++
+[source,terminal]
+----
+sh-4.2# chroot /host
+----
+
+.. Check the `/etc/containers/registries.conf` file to make sure the changes were made:
++
+[source,terminal]
+----
+sh-4.2# cat /etc/containers/registries.conf
+----
++
+The following output represents a `registries.conf` file where postinstallation mirror configuration CRs were applied. The final two entries are marked `digest-only` and `tag-only` respectively.
++
+.Example output
+[source,terminal]
+----
+unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]
+short-name-mode = ""
+
+[[registry]]
+  prefix = ""
+  location = "registry.access.redhat.com/ubi9/ubi-minimal" <1>
+
+  [[registry.mirror]]
+    location = "example.io/example/ubi-minimal" <2>
+    pull-from-mirror = "digest-only" <3>
+
+  [[registry.mirror]]
+    location = "example.com/example/ubi-minimal"
+    pull-from-mirror = "digest-only"
+
+[[registry]]
+  prefix = ""
+  location = "registry.example.com"
+
+  [[registry.mirror]]
+    location = "mirror.example.net/registry-example-com"
+    pull-from-mirror = "digest-only"
+
+[[registry]]
+  prefix = ""
+  location = "registry.example.com/example"
+
+  [[registry.mirror]]
+    location = "mirror.example.net"
+    pull-from-mirror = "digest-only"
+
+[[registry]]
+  prefix = ""
+  location = "registry.example.com/example/myimage"
+
+  [[registry.mirror]]
+    location = "mirror.example.net/image"
+    pull-from-mirror = "digest-only"
+
+[[registry]]
+  prefix = ""
+  location = "registry.redhat.io"
+
+  [[registry.mirror]]
+    location = "mirror.example.com"
+    pull-from-mirror = "digest-only"
+
+[[registry]]
+  prefix = ""
+  location = "registry.redhat.io/openshift4"
+
+  [[registry.mirror]]
+    location = "mirror.example.com/redhat"
+    pull-from-mirror = "digest-only"
+[[registry]]
+  prefix = ""
+  location = "registry.access.redhat.com/ubi9/ubi-minimal"
+  blocked = true <4>
+
+  [[registry.mirror]]
+    location = "example.io/example/ubi-minimal-tag"
+    pull-from-mirror = "tag-only" <5>
+----
+<1> Indicates the repository that is referred to in a pull spec.
+<2> Indicates the mirror for that repository.
+<3> Indicates that the image pull from the mirror is a digest reference image.
+<4> Indicates that the `NeverContactSource` parameter is set for this repository.
+<5> Indicates that the image pull from the mirror is a tag reference image.
+
+.. Pull an image to the node from the source and check if it is resolved by the mirror.
++
+[source,terminal]
+----
+sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi9/ubi-minimal@sha256:5cf...
+----
+
+.Troubleshooting repository mirroring
+
+If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.
+
+* The first working mirror is used to supply the pulled image.
+* The main registry is only used if no other mirror works.
+* From the system context, the `Insecure` flags are used as fallback.
+* The format of the `/etc/containers/registries.conf` file has changed recently. It is now version 2 and in TOML format.
@@ -12,6 +12,8 @@ Using an `ImageContentSourcePolicy` (ICSP) object to configure repository mirror
 
 ICSP objects are being replaced by `ImageDigestMirrorSet` and `ImageTagMirrorSet` objects to configure repository mirroring. If you have existing YAML files that you used to create `ImageContentSourcePolicy` objects, you can use the `oc adm migrate icsp` command to convert those files to an `ImageDigestMirrorSet` YAML file. The command updates the API to the current version, changes the `kind` value to `ImageDigestMirrorSet`, and changes `spec.repositoryDigestMirrors` to `spec.imageDigestMirrors`. The rest of the file is not changed.
 
+Because the migration does not change the `registries.conf` file, the cluster does not need to reboot. 
+
 For more information about `ImageDigestMirrorSet` or `ImageTagMirrorSet` objects, see "Configuring image registry repository mirroring" in the previous section.
 
 .Prerequisites
@@ -69,3 +71,6 @@ where:
 `<file_name>`:: Specifies the name of the `ImageDigestMirrorSet` YAML.
 --
 
+. Remove the ICSP objects after the IDMS objects are rolled out.
+
+