我的书签
添加书签
移除书签Pushing the odo init image to the restricted cluster registry
Depending on the configuration of your cluster and your operating system you can either push the odo init image to a mirror registry or directly to an internal registry.
Prerequisites
Install
ocon the client operating system.Install
odoon the client operating system.Access to a restricted cluster with a configured internal registry or a mirror registry.
Pushing the odo init image to a mirror registry
Depending on your operating system, you can push the odo init image to a cluster with a mirror registry as follows:
Pushing the init image to a mirror registry on Linux
Procedure
Use
base64to encode the root certification authority (CA) content of your mirror registry:$ echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
Copy the encoded root CA certificate to the appropriate location:
$ sudo cp ./disconnect-ca.crt /etc/pki/ca-trust/source/anchors/<mirror-registry>.crt
Trust a CA in your client platform and log into the OKD mirror registry:
$ sudo update-ca-trust enable && sudo systemctl daemon-reload && sudo systemctl restart / docker && docker login <mirror-registry>:5000 -u <username> -p <password>
Mirror the
odoinit image:$ oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Override the default
odoinit image path by setting theODO_BOOTSTRAPPER_IMAGEenvironment variable:$ export ODO_BOOTSTRAPPER_IMAGE=<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Pushing the init image to a mirror registry on MacOS
Procedure
Use
base64to encode the root certification authority (CA) content of your mirror registry:$ echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
Copy the encoded root CA certificate to the appropriate location:
Restart Docker using the Docker UI.
Run the following command:
$ docker login <mirror-registry>:5000 -u <username> -p <password>
Mirror the
odoinit image:$ oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Override the default
odoinit image path by setting theODO_BOOTSTRAPPER_IMAGEenvironment variable:$ export ODO_BOOTSTRAPPER_IMAGE=<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Pushing the init image to a mirror registry on Windows
Procedure
Use
base64to encode the root certification authority (CA) content of your mirror registry:PS C:\> echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
As an administrator, copy the encoded root CA certificate to the appropriate location by executing the following command:
PS C:\WINDOWS\system32> certutil -addstore -f "ROOT" disconnect-ca.crt
Trust a CA in your client platform and log into the OKD mirror registry:
Restart Docker using the Docker UI.
Run the following command:
PS C:\WINDOWS\system32> docker login <mirror-registry>:5000 -u <username> -p <password>
Mirror the
odoinit image:PS C:\> oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Override the default
odoinit image path by setting theODO_BOOTSTRAPPER_IMAGEenvironment variable:PS C:\> $env:ODO_BOOTSTRAPPER_IMAGE="<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>"
Pushing the odo init image to an internal registry directly
If your cluster allows images to be pushed to the internal registry directly, push the odo init image to the registry as follows:
Pushing the init image directly on Linux
Procedure
Enable the default route:
$ oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
Get a wildcard route CA:
$ oc get secret router-certs-default -n openshift-ingress -o yaml
Example output
apiVersion: v1data:tls.crt: **************************tls.key: ##################kind: Secretmetadata:[...]type: kubernetes.io/tls
Use
base64to encode the root certification authority (CA) content of your mirror registry:$ echo <tls.crt> | base64 --decode > ca.crt
Trust a CA in your client platform:
$ sudo cp ca.crt /etc/pki/ca-trust/source/anchors/externalroute.crt && sudo update-ca-trust enable && sudo systemctl daemon-reload && sudo systemctl restart docker
Log into the internal registry:
$ oc get route -n openshift-image-registryNAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARDdefault-route <registry_path> image-registry <all> reencrypt None$ docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
Push the
odoinit image:$ docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>$ docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>$ docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
Override the default
odoinit image path by setting theODO_BOOTSTRAPPER_IMAGEenvironment variable:$ export ODO_BOOTSTRAPPER_IMAGE=<registry_path>/openshiftdo/odo-init-image-rhel7:1.0.1
Pushing the init image directly on MacOS
Procedure
Enable the default route:
$ oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
Get a wildcard route CA:
$ oc get secret router-certs-default -n openshift-ingress -o yaml
Example output
apiVersion: v1data:tls.crt: **************************tls.key: ##################kind: Secretmetadata:[...]type: kubernetes.io/tls
Use
base64to encode the root certification authority (CA) content of your mirror registry:$ echo <tls.crt> | base64 --decode > ca.crt
Trust a CA in your client platform:
$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
Log into the internal registry:
$ oc get route -n openshift-image-registryNAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARDdefault-route <registry_path> image-registry <all> reencrypt None$ docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
Push the
odoinit image:$ docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>$ docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>$ docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
Override the default
odoinit image path by setting theODO_BOOTSTRAPPER_IMAGEenvironment variable:$ export ODO_BOOTSTRAPPER_IMAGE=<registry_path>/openshiftdo/odo-init-image-rhel7:1.0.1
Pushing the init image directly on Windows
Procedure
Enable the default route:
PS C:\> oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
Get a wildcard route CA:
PS C:\> oc get secret router-certs-default -n openshift-ingress -o yaml
Example output
apiVersion: v1data:tls.crt: **************************tls.key: ##################kind: Secretmetadata:[...]type: kubernetes.io/tls
Use
base64to encode the root certification authority (CA) content of your mirror registry:PS C:\> echo <tls.crt> | base64 --decode > ca.crt
As an administrator, trust a CA in your client platform by executing the following command:
PS C:\WINDOWS\system32> certutil -addstore -f "ROOT" ca.crt
Log into the internal registry:
PS C:\> oc get route -n openshift-image-registryNAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARDdefault-route <registry_path> image-registry <all> reencrypt NonePS C:\> docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
Push the
odoinit image:PS C:\> docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>PS C:\> docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>PS C:\> docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
Override the default
odoinit image path by setting theODO_BOOTSTRAPPER_IMAGEenvironment variable:PS C:\> $env:ODO_BOOTSTRAPPER_IMAGE="<registry_path>/openshiftdo/odo-init-image-rhel7:<tag>"
