Last active
August 17, 2020 23:01
-
-
Save pweil-/e7b156476c6171f04140370708f0cd56 to your computer and use it in GitHub Desktop.
Air Gap Mirroring
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### | |
| # Create mirror repo following disconnected instructions | |
| ### | |
| # create dir | |
| mkdir -p ~/registry1/{auth,certs,data} | |
| # create cert | |
| openssl req -newkey rsa:4096 -nodes -sha256 -keyout ~/registry1/certs/domain.key -x509 -days 365 -out ~/registry1/certs/domain.crt | |
| # create auth | |
| htpasswd -bBc ~/registry1/auth/htpasswd user pass | |
| Adding password for user user | |
| # run mirror repo | |
| podman run --name mirror-registry -p 5000:5000 \ | |
| -v ~/registry1/data:/var/lib/registry:z \ | |
| -v ~/registry1/auth:/auth:z \ | |
| -e "REGISTRY_AUTH=htpasswd" \ | |
| -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ | |
| -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ | |
| -v ~/registry1/certs:/certs:z \ | |
| -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ | |
| -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ | |
| -d docker.io/library/registry:2 | |
| # validate repo is up | |
| curl -u user:pass -k https://localhost:5000/v2/_catalog | |
| {"repositories":[]} | |
| # get auth for config | |
| echo -n 'user:pass' | base64 -w0 | |
| dXNlcjpwYXNz | |
| # get config | |
| cat ~/Downloads/pull-secret.txt | jq . > /tmp/pull-secret.json | |
| # edit pull-secret.json to add auth, not needed? | |
| "localhost:5000": { | |
| "auth": "dXNlcjpwYXNz", | |
| "email": "foo@bar.com" | |
| } | |
| # setup vars | |
| export OCP_RELEASE=4.3.3-x86_64 | |
| export LOCAL_REGISTRY='localhost:5000' | |
| export LOCAL_REPOSITORY='ocp' | |
| export PRODUCT_REPO='openshift-release-dev' | |
| export LOCAL_SECRET_JSON='/tmp/pull-secret.json' | |
| export RELEASE_NAME="ocp-release" | |
| # create dir to mirror to | |
| mkdir /tmp/mirror-file | |
| # mirror to dir | |
| # this secret file must have your quay pull secret in it | |
| ./oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} --to-dir=/tmp/mirror-file | |
| # copy to a disk, walk over to where real registry is installed | |
| # mirror to registry | |
| # note this secret file can be limited to only the auth required for the mirror registry | |
| ./oc image mirror -a ${LOCAL_SECRET_JSON} --dir=/tmp/mirror-file file://openshift/release:4.3.3* ${LOCAL_REGISTRY}/ocp-4.3 | |
| # verifying tags exist | |
| curl -u user:pass -k https://localhost:5000/v2/ocp-4.3/tags/list | |
| {"name":"ocp-4.3","tags":["4.3.3-configmap-reloader","4.3.3-prom-label-proxy","4.3.3-cluster-update-keys","4.3.3-cluster-authentication-operator","4.3.3-cluster-node-tuning-operator","4.3.3-cluster-kube-apiserver-operator","4.3.3-cli-artifacts","4.3.3-ironic","4.3.3-installer","4.3.3-local-storage-static-provisioner","4.3.3-ironic-inspector","4.3.3-docker-registry","4.3.3-cluster-policy-controller","4.3.3-gcp-machine-controllers","4.3.3-ironic-ipa-downloader","4.3.3-cluster-autoscaler","4.3.3-telemeter","4.3.3-console","4.3.3-pod","4.3.3-cluster-bootstrap","4.3.3-openstack-machine-controllers","4.3.3-tests","4.3.3-jenkins-agent-maven","4.3.3-grafana","4.3.3-cli","4.3.3-thanos","4.3.3-machine-os-content","4.3.3-docker-builder","4.3.3-cluster-svcat-apiserver-operator","4.3.3-prometheus-alertmanager","4.3.3-service-catalog","4.3.3","4.3.3-baremetal-installer","4.3.3-cluster-image-registry-operator","4.3.3-cluster-autoscaler-operator","4.3.3-jenkins-agent-nodejs","4.3.3-service-ca-operator","4.3.3-sdn","4.3.3-etcd","4.3.3-k8s-prometheus-adapter","4.3.3-console-operator","4.3.3-oauth-proxy","4.3.3-libvirt-machine-controllers","4.3.3-kuryr-controller","4.3.3-hyperkube","4.3.3-ironic-machine-os-downloader","4.3.3-openshift-apiserver","4.3.3-cluster-kube-controller-manager-operator","4.3.3-baremetal-operator","4.3.3-installer-artifacts","4.3.3-prometheus-operator","4.3.3-cluster-machine-approver","4.3.3-cluster-version-operator","4.3.3-ironic-static-ip-manager","4.3.3-ovn-kubernetes","4.3.3-operator-lifecycle-manager","4.3.3-cluster-config-operator","4.3.3-prometheus-node-exporter","4.3.3-coredns","4.3.3-baremetal-machine-controllers","4.3.3-cluster-openshift-controller-manager-operator","4.3.3-kube-proxy","4.3.3-multus-cni","4.3.3-cluster-network-operator","4.3.3-haproxy-router","4.3.3-container-networking-plugins","4.3.3-operator-registry","4.3.3-multus-admission-controller","4.3.3-cloud-credential-operator","4.3.3-cluster-samples-operator","4.3.3-cluster-storage-operator","4.3.3-insights-operator","4.3.3-kube-rbac-proxy","4.3.3-cluster-openshift-apiserver-operator","4.3.3-operator-marketplace","4.3.3-cluster-kube-scheduler-operator","4.3.3-kube-state-metrics","4.3.3-prometheus-config-reloader","4.3.3-jenkins","4.3.3-azure-machine-controllers","4.3.3-must-gather","4.3.3-cluster-monitoring-operator","4.3.3-mdns-publisher","4.3.3-cluster-node-tuned","4.3.3-cluster-svcat-controller-manager-operator","4.3.3-prometheus","4.3.3-kuryr-cni","4.3.3-deployer","4.3.3-openshift-state-metrics","4.3.3-kube-etcd-signer-server","4.3.3-baremetal-runtimecfg","4.3.3-machine-config-operator","4.3.3-ironic-hardware-inventory-recorder","4.3.3-keepalived-ipfailover","4.3.3-cluster-ingress-operator","4.3.3-kube-client-agent","4.3.3-aws-machine-controllers","4.3.3-machine-api-operator","4.3.3-oauth-server","4.3.3-cluster-dns-operator","4.3.3-openshift-controller-manager"]} | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
from Christian:
You can add your secret with a fancy jq command