Uploaded image for project: 'OpenShift Workloads'
  1. OpenShift Workloads
  2. WRKLDS-297

Mirror OperatorHub content


    • Icon: Story Story
    • Resolution: Done
    • Icon: Major Major
    • None
    • None

      Story: As an OpenShift administrator I want to use a CLI tool to easily mirror the OpenShift OperatorHub content images so that I can use Operators in a disconnected OpenShift cluster.

      Background: Today's oc adm catalog mirror flows consists of a a multi step process which creates a pruned catalog first and then proceeds in mirroring all the related images into the target registry. In between a user has to understand the various source catalogs, setting the target registry credentials and target registry namespace as well as create a flat file with the input fo the underlying oc image mirror command in order to drive parallelization or additional checks. Common mirroring scenarios like mirroring just a single, pruned catalog always result in multiple steps with multiple inputs.

      Prior work:

      • oc adm mirror CLI proposed in disconnected mirroring improvement proposal (link)
      • fake README.md for new disconnected mirroring process (link)

      Acceptance criteria:

      • in order to mirror the OperatorHub content the CLI can run without any specific switches in which case it will assume the following:
        • a locally available registry on port 443
        • existing credentials for this local registry
        • existing pull secret for the release image registry
        • the OCP release version is the version of the oc utility
        • the target registry namespace / organization is openshift-<catalog-name-and-version) where catalog-name-and-version is the respective catalog is being mirrored, e.g. redhat-operator:v4.7)
        • the architecture filter is currently not usable, so it should be hidden and raise an error if used, later on the default architecture filter should filter for the architecture of the of the oc binary, otherwise x86_64 is the default
        • the source to download the catalog images should be default catalog images that correspond to the minor OCP release that the oc version corresponds to
        • all of the by default enabled OCP Operator catalogs should be mirrored
      • the CLI optionally allows to override the catalog name and version as well as the target registry URL (incl. port), target registry namespace (Quay organization) for the OCP Operator catalog images, all values can be supplied independently
      • the CLI has a switch to turn off catalog mirroring entirely in which case all of the above is ignored
      • the CLI will expect registry credentials (both for the (local) target registry as well as the release image (source) registry) in the default credentials location of podman and docker ($XDG_RUNTIME_DIR/containers/auth.json om RHEL/CentOS/Fedora)
      • the CLI allows to override both registry credentials separately
      • the CLI will probe both registries before doing any work by attempting to login using the existing credentials and fall back to user input of username and password if this fails, the CLI will error out if any of the interactively provided credentials fail to authenticate
      • the CLI will error out immediately if any of the catalog images fail to be pulled from the source registry
      • the CLI will error out immediately if any of the catalog images fail to be pushed to the (local) target registry
      • the CLI will report a warning if any of the Operator dependent images fail to be pulled from the source registry, producing a summary at the end of the mirroring run, this behavior should be configurable to fail immediately instead of producing a warning
      • the CLI will error out immediately if any of the catalog images fail to be pushed to the (local) target registry

            lfrfla Alex Flom (Inactive)
            DanielMesser Daniel Messer
            0 Vote for this issue
            3 Start watching this issue