Air-gapped Installation of Application Images
Learn how to manage application images in air-gapped environments. Following are the five different options you can use to ensure your application images are available in air-gapped environments.
Option 1—Add Environment Variables to Helm Chart for Image Override
Helm charts can be configured to use images from an internal registry by overriding the default image paths with environment variables.
  overrideValues:
    centralConfiguration.image.image: $RELATED_IMAGE_DEPLOY_CENTRAL_CONFIGURATION
    master.image.image: $RELATED_IMAGE_DEPLOY_MASTER
    master.volumePermissions.image.image: $RELATED_IMAGE_DEPLOY_MASTER_VOLUME_PERMISSIONS
    worker.image.image: $RELATED_IMAGE_DEPLOY_WORKER
    worker.volumePermissions.image.image: $RELATED_IMAGE_DEPLOY_WORKER_VOLUME_PERMISSIONS
    busyBox.image.image: $RELATED_IMAGE_DEPLOY_BUSY_BOX
After deployment, verify that the images are being pulled from the internal registry by checking the image paths in the running pods.
kubectl get pods -n my-namespace -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'
Option 2—Customize Images only in Operator CR
If you have already deployment resource of the operator with overrideValues values and RELATED_IMAGE_* as mentioned in the section above, you can override images by using operator CR. By default, if you have overrideValues set they have precedence from the definition in the CR. But in some cases, you would like to override them in the CR, for that use the image.override flag.
  image: 
    pullPolicy: Always 
    repository: openshiftpoc/xl-deploy
    tag: 24.3.x
    # flag needs to be true to override the operartor deployment overrideValues definitions
    override: true 
The override can be used on all image: sections in the CR, except on the haproxy-ingress subchart.
Option 3—Mirroring Docker Images to an Internal Registry
Mirror Docker images from external registries to an internal OpenShift registry to ensure all the image pull requests are redirected to the internal registry.
Steps:
- 
Log into the registries. In this example, external registry is docker.io and internal is oc internal registry. docker login docker.io
 oc registry login
- 
Fetch the image digest. DIGEST=$(skopeo inspect docker://$SOURCE_IMAGE:$TAG | jq -r .Digest)
- 
Mirror the image and check the created imagestream. oc image mirror $SOURCE_IMAGE@$DIGEST $DESTINATION_REGISTRY:$TAG
- 
Check the mirrored image. Use the oc get iscommand to list the image streams and verify that the mirrored image exists. Describe the imagestream.oc get is -n $NAMESPACE
 oc describe imagestream $IMAGE_NAME
- 
Create or update the ImageContentSourcePolicy. cat << EOF | oc apply -f -
 apiVersion: operator.openshift.io/v1alpha1
 kind: ImageContentSourcePolicy
 metadata:
 name: use-internal-registry
 spec:
 repositoryDigestMirrors:
 - mirrors:
 - $DESTINATION_REGISTRY
 source: $SOURCE_IMAGE@$DIGEST
 EOF
- 
Check ImageContentSourcePolicy. Verify that the ICSP is configured correctly. Ensure the repositoryDigestMirrors section lists the internal registry and the correct source image with the digest. oc describe imagecontentsourcepolicy use-internal-registry
- 
If the Image ID shows the internal registry, it means the ICSP is working as expected. The image request is redirected to the internal registry. kubectl describe pod $POD_NAME | grep -A 1 'Image:'Script mirror_image.shwith steps explained above:#!/bin/bash
 # Define values for variables
 # $REGISTRY_NAMESPACE
 # $IMAGE_NAME
 # $NAMESPACE
 # Variables
 SOURCE_IMAGE="docker.io/$REGISTRY_NAMESPACE/$IMAGE_NAME"
 DESTINATION_REGISTRY="default-route-openshift-image-registry.apps.apollo-op.64jh.p1.openshiftapps.com/$NAMESPACE/$IMAGE_NAME"
 # Check if TAG is provided as an argument, if not default to 'latest'
 TAG=${1:-latest}
 # Fetch the digest of the image
 DIGEST=$(skopeo inspect docker://$SOURCE_IMAGE:$TAG | jq -r .Digest)
 # Mirror the image
 oc image mirror $SOURCE_IMAGE@$DIGEST $DESTINATION_REGISTRY:$TAG
 # Update ImageContentSourcePolicy
 cat <<EOF | oc apply -f -
 apiVersion: operator.openshift.io/v1alpha1
 kind: ImageContentSourcePolicy
 metadata:
 name: use-internal-registry
 spec:
 repositoryDigestMirrors:
 - mirrors:
 - $DESTINATION_REGISTRY
 source: $SOURCE_IMAGE@$DIGEST
 EOFIn this example, 24.3.0-redhat is used: ./mirror_image.sh 24.3.0-redhat