In OCP, one can use ImageDigestMirrorSets (or the TagSets variant) to tell the container runtime that images from X repo should be pulled from Y repo.
This means you can mirror images into a private AWS ECR repo, for example, and pull all images from there, creating an air-gapped style cluster.
However, this feature cannot use native integrations such as the ecr-credential-helper in kubelet to dynamically fetch credentials from AWS ECR, because the images are still marked as the upstream repo in Pod specs (like image: quay.io/foo/bar:latest).
If OCP instead supported a top-level config that allowed you to say "all images from this repo should be re-written as this other repo", then all the native integrations would work.
Example:
Image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d2b4d13cb246d20d061f8d58e37d7d87ee05baaa92ca213bab5b6448698acc44
# Should become
Image: my-ecr-mirror.amazonaws.com/ocp-v4.0-art-dev@sha256:d2b4d13cb246d20d061f8d58e37d7d87ee05baaa92ca213bab5b6448698acc44
https://issues.redhat.com/browse/OCPBUGS-73672 is related.
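A sketch of the requested rewrite semantics, added here as an illustration and not taken from OCP or from this issue: the function names and the REWRITES mapping are hypothetical, and the mapping is built from the example above. It matches source prefixes only on a path boundary, so a similarly named repository is never redirected, and it carries the digest or tag over unchanged.

```python
# Hypothetical rewrite table (not an OCP API), built from the example above.
REWRITES = {
    "quay.io/openshift-release-dev": "my-ecr-mirror.amazonaws.com",
}


def split_ref(image):
    """Split an image reference into (repository, suffix).

    The suffix is '@sha256:...', ':tag' or '' and is never modified.
    """
    if "@" in image:
        repo, digest = image.split("@", 1)
        return repo, "@" + digest
    # A ':' after the last '/' is a tag; an earlier one is a registry port.
    if image.rfind(":") > image.rfind("/"):
        colon = image.rfind(":")
        return image[:colon], image[colon:]
    return image, ""


def rewrite_image(image, rewrites=REWRITES):
    """Return the image reference with its repository prefix rewritten."""
    repo, suffix = split_ref(image)
    # Longest source prefix first, so a specific rule beats a broader one.
    for source in sorted(rewrites, key=len, reverse=True):
        # Path-boundary match: 'quay.io/foo' must not match 'quay.io/foobar'.
        if repo == source or repo.startswith(source + "/"):
            return rewrites[source] + repo[len(source):] + suffix
    return image  # no rule applies: leave the reference untouched


def rewrite_pod_spec(pod_spec, rewrites=REWRITES):
    """Return a copy of a Pod spec dict with every container image rewritten."""
    out = dict(pod_spec)
    for field in ("initContainers", "containers"):
        if field in pod_spec:
            out[field] = [
                dict(c, image=rewrite_image(c["image"], rewrites))
                for c in pod_spec[field]
            ]
    return out
```

Because the rewritten reference names the ECR registry directly in the Pod spec, a kubelet credential provider configured for that registry would see a matching image name.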
- is caused by: OCPBUGS-73672 ImageMirrorDigestSet does not work with kubelet's ecr-credential-helper (ASSIGNED)