Version: Release 24.1

Air-gapped Installation of Application Images

Learn how to manage application images in air-gapped environments. You can use any of the following five options to make your application images available in an air-gapped environment.

Option 1—Add Environment Variables to Helm Chart for Image Override

Helm charts can be configured to use images from an internal registry by overriding the default image paths with environment variables.

  overrideValues:
    image.image: $RELATED_IMAGE_RELEASE
    volumePermissions.image.image: $RELATED_IMAGE_RELEASE_VOLUME_PERMISSIONS
    busyBox.image.image: $RELATED_IMAGE_RELEASE_BUSY_BOX

After deployment, verify that the images are being pulled from the internal registry by checking the image paths in the running pods.

kubectl get pods -n my-namespace -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'
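
The following check is an added example, not part of the product documentation. It reads the image list that the kubectl command above prints and reports every image that does not resolve to the internal registry, including short references that implicitly mean docker.io. The function names, the host registry.internal.example:5000 and the sample image list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the product documentation).

# Print the registry host of an image reference. A reference with no host
# component (busybox:stable, openshiftpoc/xl-deploy:24.1.x) resolves to docker.io.
image_registry() {
  case $1 in
    */*) ;;                                  # has a path, inspect first component
    *) echo docker.io; return 0 ;;           # bare name: the ':' is a tag, not a port
  esac
  case ${1%%/*} in
    *.*|*:*|localhost) echo "${1%%/*}" ;;    # looks like host, host:port or localhost
    *) echo docker.io ;;                     # namespace/name on Docker Hub
  esac
}

# Read image references (space- or newline-separated) on stdin and print each
# unique one whose registry is not $1. Returns 1 if any was printed, else 0.
find_external_images() {
  external=$(tr -s ' \t' '\n' | LC_ALL=C sort -u | while read -r ref; do
    [ -n "$ref" ] || continue
    [ "$(image_registry "$ref")" = "$1" ] || printf '%s\n' "$ref"
  done)
  if [ -z "$external" ]; then return 0; fi
  printf '%s\n' "$external"
  return 1
}

# Constructed sample of the jsonpath output: one line per pod, images of a
# pod separated by spaces. The internal registry host is hypothetical.
INTERNAL=registry.internal.example:5000
SAMPLE_IMAGES="$INTERNAL/openshiftpoc/xl-deploy:24.1.x docker.io/library/busybox:stable
$INTERNAL/openshiftpoc/xl-deploy:24.1.x
busybox:stable
openshiftpoc/xl-deploy:24.1.x"

# On a cluster, pipe the kubectl command above into find_external_images.
printf '%s\n' "$SAMPLE_IMAGES" | find_external_images "$INTERNAL" \
  || echo "images above are not served by $INTERNAL" >&2
```

The kubectl query above lists only .spec.containers; init container images can be checked the same way by feeding .spec.initContainers[*].image to the function.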

Option 2—Customize Images only in Operator CR

If you already have an operator deployment resource configured with overrideValues and RELATED_IMAGE_* variables, as described in the section above, you can still override images through the operator CR. By default, when overrideValues is set, those values take precedence over the definitions in the CR. If you want the CR definition to take effect instead, set the image.override flag.

  image:
    pullPolicy: Always
    repository: openshiftpoc/xl-deploy
    tag: 24.1.x
    # flag needs to be true to override the operator deployment overrideValues definitions
    override: true

The override can be used on all image: sections in the CR, except on the haproxy-ingress subchart.

Option 3—Mirroring Docker Images to an Internal Registry

Mirror Docker images from external registries to an internal OpenShift registry to ensure all the image pull requests are redirected to the internal registry.

Steps:

  1. Log in to the registries. In this example, the external registry is docker.io and the internal registry is the OpenShift (oc) internal registry.
docker login docker.io
oc registry login
  2. Fetch the image digest.
DIGEST=$(skopeo inspect docker://$SOURCE_IMAGE:$TAG | jq -r .Digest)
  3. Mirror the image and check the created imagestream.
oc image mirror $SOURCE_IMAGE@$DIGEST $DESTINATION_REGISTRY:$TAG
  4. Check the mirrored image. Use the oc get is command to list the image streams and verify that the mirrored image exists. Describe the imagestream.
oc get is -n $NAMESPACE
oc describe imagestream $IMAGE_NAME
  5. Create or update the ImageContentSourcePolicy.
cat <<EOF | oc apply -f -
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: use-internal-registry
spec:
  repositoryDigestMirrors:
  - mirrors:
    - $DESTINATION_REGISTRY
    source: $SOURCE_IMAGE@$DIGEST
EOF
  6. Check the ImageContentSourcePolicy (ICSP). Verify that the ICSP is configured correctly. Ensure the repositoryDigestMirrors section lists the internal registry and the correct source image with the digest.
oc describe imagecontentsourcepolicy use-internal-registry
  7. Check the image of a running pod. If the Image ID shows the internal registry, the ICSP is working as expected and the image request is redirected to the internal registry.
kubectl describe pod $POD_NAME | grep -A 1 'Image:'

The script mirror_image.sh combines the steps explained above:

#!/bin/bash
# Stop on the first failed command, unset variable, or failed pipeline stage
set -euo pipefail

# Define values for these variables before running the script
: "${REGISTRY_NAMESPACE:?set REGISTRY_NAMESPACE}"
: "${IMAGE_NAME:?set IMAGE_NAME}"
: "${NAMESPACE:?set NAMESPACE}"

# Variables
SOURCE_IMAGE="docker.io/$REGISTRY_NAMESPACE/$IMAGE_NAME"
DESTINATION_REGISTRY="default-route-openshift-image-registry.apps.apollo-op.64jh.p1.openshiftapps.com/$NAMESPACE/$IMAGE_NAME"

# Check if TAG is provided as an argument, if not default to 'latest'
TAG=${1:-latest}

# Fetch the digest of the image
DIGEST=$(skopeo inspect "docker://$SOURCE_IMAGE:$TAG" | jq -r .Digest)

# Mirror the image
oc image mirror "$SOURCE_IMAGE@$DIGEST" "$DESTINATION_REGISTRY:$TAG"

# Update ImageContentSourcePolicy
cat <<EOF | oc apply -f -
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: use-internal-registry
spec:
  repositoryDigestMirrors:
  - mirrors:
    - $DESTINATION_REGISTRY
    source: $SOURCE_IMAGE@$DIGEST
EOF

In this example, 24.1.0-redhat is used:

./mirror_image.sh 24.1.0-redhat