Image mirroring

How to mirror container images into quay.io/cki/mirror, the img-mirror job, and Renovate for OpenShift images.

Problem

Internal OpenShift clusters are restricted to a set of registries approved by Managed Platform. This means that when deploying a new (typically external) service, we need to make sure every referenced container image complies with that policy.

To do so, we can either:

  • ask the service owner to publish the image to an approved registry
  • mirror the image into an approved registry (e.g. quay.io)

Overview

The GitOps file deployment-all/vars.yml stores external container image references, pinned to digests. Some of those images must be copied into the CKI Quay org under the quay.io/cki/mirror/... prefix before internal OpenShift clusters can pull them.

In short, this is achieved by:

  • MP_APPROVED_REGISTRIES — Registries whose images are pulled directly in deployments without any mirroring.

  • IMAGES — Map of container images. Images that already live on an approved registry can be referenced directly. Entries that need mirroring instead use the form quay.io/cki/mirror/<upstream-image-path>:<tag>@sha256:...

    If an image reference neither comes from an approved registry nor uses the mirror prefix, linting fails.

  • Renovate — Image tags and digests under IMAGES are bumped by Renovate, using the regex custom manager in deployment-all/renovate.json. After a Renovate merge request lands, the img-mirror job still needs to run for any quay.io/cki/mirror/... entries so that the copy in Quay matches the new tag and digest; until it has run, the new reference does not exist in Quay and pulls of it fail.

Adding or updating a container image

Whenever you deploy a service that uses such an external image, add the container image to the IMAGES map in deployment-all/vars.yml.

To do so, you need to:

  1. Pin the image to an immutable digest (@sha256:...) with skopeo inspect --format '{{.Digest}}' "docker://<your_image>:<tag>".
  2. If the image lives on an approved registry, set the corresponding IMAGES entry to <your_image>:<tag>@sha256:.... Otherwise, set the corresponding IMAGES entry to quay.io/cki/mirror/<your_image>:<tag>@sha256:... to mirror into Quay.
  3. Merge the change, then ensure the img-mirror job has run so the image exists in Quay before OpenShift pulls it.

If using cki-tools render, you can then reference the image using:

image: {{ cki_variable('IMAGES').<YOUR_IMAGE_NAME> }}
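The lint rule and entry format described under IMAGES, and the add/update steps above, worked through as an added Python example (not CKI's deployment-all tooling and not the real img-mirror job): it parses a constructed vars.yml excerpt, applies the approved-registry / mirror-prefix / digest-pinning check, builds the IMAGES value for a new upstream image once its digest has been resolved, and derives the source and destination a skopeo-based mirror copy would use. The YAML layout, the parse_vars/lint_images/pinned_reference/mirror_copy names, the assumption that the mirror path keeps the full upstream path (registry host included), and the digests are all assumptions or constructed sample data.

```python
"""Lint and mirror helpers for an IMAGES map: added example, not CKI's own
tooling. Assumes vars.yml keeps IMAGES as a name -> reference mapping and
MP_APPROVED_REGISTRIES as a list of hosts; the sample below is constructed."""
import re

MIRROR_PREFIX = "quay.io/cki/mirror/"

# Constructed vars.yml excerpt; the digests are fake (runs of a/b/c).
SAMPLE_VARS = """\
MP_APPROVED_REGISTRIES:
  - quay.io
  - registry.access.redhat.com
IMAGES:
  redis: quay.io/cki/mirror/docker.io/library/redis:7.2@sha256:{a}
  ubi: registry.access.redhat.com/ubi9/ubi:9.4@sha256:{b}
  nginx: docker.io/library/nginx:1.27@sha256:{c}
  postgres: quay.io/cki/mirror/docker.io/library/postgres:16
""".format(a="a" * 64, b="b" * 64, c="c" * 64)

ENTRY_RE = re.compile(r"^\s+(?P<name>[\w-]+):\s*(?P<ref>\S+)(?:\s+#.*)?\s*$")
LIST_RE = re.compile(r"^\s+-\s+(?P<host>\S+)\s*$")
# Renovate-style match of a pinned reference: depName, currentValue, currentDigest.
PINNED_RE = re.compile(
    r"^(?P<dep>[^\s@]+?):(?P<tag>[^\s@:/]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def parse_vars(text):
    """Return (approved_registries, {name: reference}) from the two top-level keys."""
    approved, images, section = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # a top-level key starts a new section
            section = line.rstrip(":")
            continue
        if section == "MP_APPROVED_REGISTRIES" and (m := LIST_RE.match(line)):
            approved.append(m["host"])
        elif section == "IMAGES" and (m := ENTRY_RE.match(line)):
            images[m["name"]] = m["ref"]
    return approved, images


def registry_of(ref):
    """Registry host of an image reference; a bare name means Docker Hub."""
    first = ref.split("/", 1)[0]
    return first if ("." in first or ":" in first or first == "localhost") else "docker.io"


def lint_images(images, approved):
    """Policy check: each entry is digest-pinned and either comes from an approved
    registry or is mirrored under quay.io/cki/mirror/. Returns a list of errors."""
    errors = []
    for name, ref in images.items():
        if not PINNED_RE.match(ref):
            errors.append(f"{name}: not pinned as <image>:<tag>@sha256:<digest> ({ref})")
        elif not ref.startswith(MIRROR_PREFIX) and registry_of(ref) not in approved:
            errors.append(f"{name}: {registry_of(ref)} is not approved and the entry is not mirrored")
    return errors


def pinned_reference(upstream, tag, digest, approved):
    """Value to put in IMAGES for an upstream image whose digest was resolved
    (e.g. skopeo inspect --format '{{.Digest}}' docker://<upstream>:<tag>).
    Assumption: the mirror path keeps the full upstream path, registry included."""
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"not a sha256 digest: {digest}")
    ref = f"{upstream}:{tag}@{digest}"
    return ref if registry_of(upstream) in approved else MIRROR_PREFIX + ref


def mirror_copy(ref):
    """(source, destination) a skopeo-based mirror job would copy for a mirrored
    entry, or None when no mirroring is needed. This is an assumption about what
    img-mirror does, not its code. The source is addressed by digest so a tag
    moved upstream after pinning cannot be copied silently."""
    if not ref.startswith(MIRROR_PREFIX):
        return None
    m = PINNED_RE.match(ref[len(MIRROR_PREFIX):])
    if m is None:
        raise ValueError(f"mirrored entry is not digest-pinned: {ref}")
    return (f"docker://{m['dep']}@{m['digest']}",
            f"docker://{MIRROR_PREFIX}{m['dep']}:{m['tag']}")


if __name__ == "__main__":
    approved, images = parse_vars(SAMPLE_VARS)
    for err in lint_images(images, approved):
        print("LINT:", err)
    print(pinned_reference("docker.io/library/nginx", "1.27", "sha256:" + "c" * 64, approved))
    print(mirror_copy(images["redis"]))
```

Run directly, the sample yields two lint failures: nginx is pulled from docker.io, which is neither approved nor mirrored, and postgres carries a tag but no digest. pinned_reference then shows the corrected nginx entry under the mirror prefix, and mirror_copy shows why the job copies by digest: the destination tag in Quay is only ever written from the exact content that was pinned in vars.yml.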

Pipeline schedule

The deployment-all repository has a pipeline schedule, configured in deployment-all/gitlab-repo-config, that updates the mirrored images:

  • Name: Mirror container images onto quay.io
  • Branch: production
  • Cron: 0 1 * * * (UTC)
  • Variable: ONLY_JOB_NAME=img-mirror

To mirror immediately after changing IMAGES in vars.yml, run a pipeline on the appropriate branch with the same ONLY_JOB_NAME=img-mirror variable, or wait for the nightly run.