15.9.5.3. 镜像到集群内部 registry

流程

1. 通过使用路由公开到 registry 的外部访问权限：

   $ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

2. 获取 registry 端点：

   REGISTRY=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')

3. 创建用于公开镜像的命名空间：

   $ oc create ns cnftests

4. 将该镜像流供用于测试的所有命名空间使用。这需要允许 test 命名空间从 cnftests 镜像流中获取镜像。

   $ oc policy add-role-to-user system:image-puller system:serviceaccount:sctptest:default --namespace=cnftests

   $ oc policy add-role-to-user system:image-puller system:serviceaccount:cnf-features-testing:default --namespace=cnftests

   $ oc policy add-role-to-user system:image-puller system:serviceaccount:performance-addon-operators-testing:default --namespace=cnftests

   $ oc policy add-role-to-user system:image-puller system:serviceaccount:dpdk-testing:default --namespace=cnftests

   $ oc policy add-role-to-user system:image-puller system:serviceaccount:sriov-conformance-testing:default --namespace=cnftests

5. 检索 docker secret 名称和 auth 令牌：

   SECRET=$(oc -n cnftests get secret | grep builder-docker | awk {'print $1'}
   TOKEN=$(oc -n cnftests get secret $SECRET -o jsonpath="{.data['\.dockercfg']}" | base64 --decode | jq '.["image-registry.openshift-image-registry.svc:5000"].auth')

6. 编写类似如下的 dockerauth.json:

   echo "{\"auths\": { \"$REGISTRY\": { \"auth\": $TOKEN } }}" > dockerauth.json

7. 进行镜像：

   $ docker run -v $(pwd)/:/kubeconfig -e KUBECONFIG=/kubeconfig/kubeconfig registry.redhat.io/openshift4/cnf-tests-rhel8:v4.6 /usr/bin/mirror -registry $REGISTRY/cnftests |  oc image mirror --insecure=true -a=$(pwd)/dockerauth.json -f -

8. 运行测试：

   $ docker run -v $(pwd)/:/kubeconfig -e KUBECONFIG=/kubeconfig/kubeconfig -e IMAGE_REGISTRY=image-registry.openshift-image-registry.svc:5000/cnftests cnf-tests-local:latest /usr/bin/test-run.sh