My name is Daniel Messer, I'm a product manager at Red Hat and today I want to show you the new mirror registry for OpenShift. This is a component of OpenShift that helps customers who are running clusters in disconnected network environments. Oftentimes these deployments start with the OpenShift installer in a disconnected network environment behind the firewall where no direct internet access exists. Then there's usually a highly available container registry running, like Red Hat Quay, that will store a mirror of the OpenShift images. This is done with the OpenShift CLI client from a system with internet access and needs to be completed before the first cluster exists. The OpenShift installer is then configured to pull the OpenShift core images from this registry and thus can deploy clusters that are disconnected from the public internet. But what if there is no registry in the disconnected environment yet? This may be the case when you are deploying in an environment where hardware resources are too limited to run a clustered container registry. Or you want to run a production grade registry on top of OpenShift, for instance Red Hat Quay with the Quay operator. However, OpenShift needs a registry before it can be installed. This is where the mirror registry for Red Hat OpenShift comes in and bridges this initial gap. It allows you to run a single streamlined container registry based on the Red Hat Quay technology, which is then used as a target for the initial mirror of just the OpenShift core images. From this mirror, you can deploy a first cluster. On this cluster, you can then install a production registry like Red Hat Quay and use it to host a highly available image mirror for many other clusters in the disconnected environment. In this demo, we will show how easy it is to deploy the mirror registry and use it to install a first disconnected OpenShift cluster. So let's get started.
Here we have a Red Hat Enterprise Linux system with 2 CPUs, 8GB of RAM and around 100GB of local storage. I have the mirror registry for Red Hat OpenShift downloaded in the form of a tarball here. So let's unpack that first. In there is a sole executable called mirror-registry, which is actually the installer, and another set of tarballs that contain all required container images to run the mirror registry, making this a fully offline-capable package. Let's take a look at the installer. It's kept very simple, offering a simple install command that can deploy the registry in a single step. I will only give a single argument to this command to ensure the registry is using the public host name of this machine. The install runs via a containerized Ansible playbook, as you can probably tell by the output, and takes only a couple of minutes to complete. We've sped up the recording here for brevity. At the end, the installer will report the public HTTPS endpoint of the registry along with the credentials that were automatically generated. That's all it takes to deploy the mirror registry. It's up and running and I can use Podman now, for instance, to log in with the username and password shown. I got an error here though, because by default the installer deploys the mirror registry with self-signed TLS certificates. I can tell Podman to accept self-signed certificates for now by adding an additional CLI switch. And now it's able to log in. I can also check that the mirror registry is running on this machine by querying Podman. The mirror registry has been deployed as Podman pods, which are very similar to pods in Kubernetes and allow multiple containers to run together. Here we can see the Quay pod running as reported. The installer also configured these containers for auto-start on boot using systemd.
The appropriate systemd unit files have been put in place, and if we check the status of one of them, we can see that the Quay application container is running and configured to be enabled at system start. At this point the mirror registry is ready for use, but I'm not quite happy about the self-signed TLS certificates. So let's fix that and take the opportunity to also show the uninstall capability of the mirror registry installer. A single uninstall command and an interactive confirmation is enough to cleanly remove everything that was deployed from the system. So let's head to another directory. In there I have public and private TLS keys prepared that are signed by a trusted certificate authority. A quick look at the help output of the installer shows me that I can customize the certificates being used by the mirror registry at install time. So let's deploy the mirror registry again, this time with my custom TLS keys. You can probably tell by the name of these files that I obtained the keys with the Let's Encrypt service. The install kicks off and a couple of minutes later I have the mirror registry running again, this time with trusted TLS certificates. Now I can log in with Podman without disabling the certificate validation and it succeeds. The mirror registry also runs the Quay UI, so let's log in there as well with the auto-generated user credentials. As you can see, my browser trusts the HTTPS connection and I can successfully log into Quay. Note that while it looks like a regular Red Hat Quay deployment, essentially all advanced features of Quay like image scanning, image mirroring or geo-replication have been disabled, since this registry's sole purpose is to host a mirror set of OpenShift images. Of course the registry is still empty, so let's change that. What we've done so far is deploying the mirror registry on a single RHEL system.
Now we will use the OpenShift CLI client to start mirroring the container images that are required to install an OpenShift cluster. I have already downloaded the CLI client, the OpenShift installer and the pull secret in JSON format for the public Red Hat registries, which you obtain from the Red Hat Cloud Console. I will need to add the credentials for my mirror registry to this file as well. I can use Podman to do that by logging into the mirror registry again, but this time storing the login credentials in this JSON file instead of Podman's default location. If you follow the OpenShift product documentation, you can learn more about the mirroring process in detail. In a nutshell, we are setting a couple of options for the mirroring process in the form of shell environment variables and then use a single oc adm release mirror command to mirror the OpenShift core images from a system with internet access into the target registry. For the demo, I have already prepared these variables, so we will end up mirroring the stable OpenShift 4.9.13 release for x86 systems into our registry, into an organization called ocp4, using the pull secret in the JSON file we prepared in the previous step. The mirroring process kicks off and will take about eight minutes to complete. Note that we've sped up the recording significantly here. In the process, 141 images will be downloaded and around 12 gigabytes worth of image layers will be pushed into our registry. At the end, the command will report successful completion of the mirroring process. For convenience, it also outputs a configuration stanza we can put into an OpenShift installer config later to point it to our mirror registry. If we now go back to the Quay UI, we can see that the images have been downloaded. They are organized into a single repository called openshift4 with a separate tag for each OpenShift component, 141 in total as reported before. Note that I didn't have to pre-create either the organization or the repository.
This was done automatically by the mirror registry upon the first tag being pushed, which is also a new feature for Quay. Now we've completed setting up the image mirror. Finally, we are now going to use the OpenShift installer to leverage it for deploying a disconnected cluster. Let's bring up the OpenShift installer. First, I'm going to load credentials into my shell environment for my infrastructure provider that will host the cluster, in my case AWS. Then I'll ask the installer to create an installation configuration, which I'll call "disconnected install". The installer will ask me a few questions about the configuration of my AWS deployment, like the region, the base domain, and the cluster name to use. At the end, it's going to ask me for a pull secret. This is the content of the JSON file we saw earlier, concatenated to a single line, which I'm pasting here from my clipboard. Now it'll create a directory with the installation configuration file, which I need to modify next. The oc client earlier already provided the copy-and-paste-ready configuration stanza that describes to the OpenShift installer where to find the images in my registry. Let's use that and add it to the install config file, which is called install-config.yaml. Simply paste it below the baseDomain property and you're done. This is all it takes to tell the installer to use the mirror registry and avoid trying to reach the public Red Hat registries on the internet. We can now kick off the deployment using the installation configuration. This will take about 30 minutes to complete. Let's jump ahead to the end. The install completed and shows the login credentials for the default cluster admin and tells me where to find the OpenShift console. So let's try to log in. This looks like a healthy standard OpenShift deployment. The only difference is that it is running off images from my mirror registry.
If you're looking at some of the OpenShift core components, you will see that they still refer to the public Red Hat registries, like the API server container here referencing quay.io. This is due to how OpenShift is running in disconnected networks. The image references in the Kubernetes manifests aren't changed, but the pull attempts are redirected at the container runtime level towards the mirror registry. To verify it's using our mirror, we can actually go back to the Quay UI and check the usage logs of the mirror repository. It'll show us that as part of deploying and running the cluster, images have been pulled from here over 600 times, which corresponds roughly to the six nodes my cluster has in total. From here on, you could deploy a registry on top of OpenShift that runs in scale-out mode and can serve other disconnected clusters. That concludes this demonstration. Thanks for watching.
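The mirroring and install-config steps narrated in the demo, collected into one shell script. This is an added example, not code from the demo or from Red Hat's mirror-registry tooling. The registry hostname (mirror.example.com, on the mirror-registry default port 8443), the org/repo path ocp4/openshift4, the release 4.9.13 for x86_64 and the pull-secret file name are assumptions that match what the demo describes. The script prints the podman and oc commands by default (DRY_RUN=1) so it can be run without a registry or network; setting DRY_RUN=0 executes them. Two practitioner details the demo glosses over are built in: the mirror login keeps TLS verification on and feeds the password on stdin instead of passing it as an argument, and when the registry still uses a self-signed certificate its CA can be written into install-config.yaml as additionalTrustBundle so the cluster nodes' container runtime trusts the mirror.

```shell
#!/bin/sh
# Added example, not code from the demo or from Red Hat's tooling. Collects the
# mirroring steps into functions. DRY_RUN=1 (default) only prints the podman/oc
# commands so the script runs without a registry or network; DRY_RUN=0 runs them.
set -eu

# Assumed values for this example; the demo does not show its exact variable values.
: "${LOCAL_REGISTRY:=mirror.example.com:8443}"   # assumed host; 8443 is the mirror-registry default port
: "${LOCAL_REPOSITORY:=ocp4/openshift4}"         # org "ocp4", repository "openshift4" as in the demo
: "${OCP_RELEASE:=4.9.13}"
: "${ARCHITECTURE:=x86_64}"
: "${PRODUCT_REPO:=openshift-release-dev}"
: "${RELEASE_NAME:=ocp-release}"
: "${LOCAL_SECRET_JSON:=pull-secret.json}"       # Cloud Console pull secret, extended with the mirror login
: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: log in to the mirror and store the credential in the pull-secret file.
# TLS verification stays on (no --tls-verify=false), so this only succeeds once the
# registry presents a certificate the host trusts. The password goes in on stdin
# rather than via -p, keeping it out of shell history and the process list.
mirror_login() {
  printf '%s' "$2" | run podman login --authfile "$LOCAL_SECRET_JSON" \
    -u "$1" --password-stdin "$LOCAL_REGISTRY"
}

# Step 2: mirror the release payload from quay.io into the mirror registry.
release_mirror() {
  run oc adm release mirror -a "$LOCAL_SECRET_JSON" \
    --from="quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}" \
    --to="${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}" \
    --to-release-image="${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"
}

# Step 3: the imageContentSources stanza for install-config.yaml. Both quay.io
# sources (release image and component images) are redirected to the mirror; this
# is the runtime-level redirect that leaves the manifests pointing at quay.io.
image_content_sources() {
  cat <<EOF
imageContentSources:
- mirrors:
  - ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
  source: quay.io/${PRODUCT_REPO}/${RELEASE_NAME}
- mirrors:
  - ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
  source: quay.io/${PRODUCT_REPO}/ocp-v4.0-art-dev
EOF
}

# Step 4: append the stanza to install-config.yaml (top-level YAML keys can appear in
# any order, so appending equals pasting it below baseDomain). Refuses to add it twice.
# If the registry uses a self-signed certificate, pass its CA PEM file as $2 and it is
# added as additionalTrustBundle so the nodes' container runtime trusts the mirror.
patch_install_config() {
  cfg=$1; ca=${2:-}
  if grep -q '^imageContentSources:' "$cfg"; then
    echo "imageContentSources already present in $cfg" >&2
    return 1
  fi
  image_content_sources >> "$cfg"
  if [ -n "$ca" ]; then
    { echo "additionalTrustBundle: |"; sed 's/^/  /' "$ca"; } >> "$cfg"
  fi
}

# Usage: ./mirror-steps.sh <mirror-user> <mirror-password> <install-config.yaml> [registry-ca.pem]
if [ $# -ge 3 ]; then
  mirror_login "$1" "$2"
  release_mirror
  patch_install_config "$3" "${4:-}"
fi
```

The --tls-verify=false switch the demo needed for the self-signed certificate is deliberately absent: it is fine for a first login on the registry host itself, but the pull secret and the install-config stanza are consumed by the cluster nodes, which need either a trusted certificate (as in the second install in the demo) or the CA in additionalTrustBundle.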