Table of contents
- 🎯 1: What's the goal?
- 🧰 2: See which Operators are available to download
- 📦 3: See which versions this Operator has
- ✍️ 4: Write the image download configuration file
- 4.1: Downloading **all versions**
- 4.2: Downloading only a specific version
- 🚚 5: Start downloading the images
- 📤 6: Upload to your own private registry
- 🧩 7: Disable the online OperatorHub sources
- ✅ 8: Tell OpenShift to use our own offline source
- 8.1: Create the CatalogSource
- 8.2: Set up the image source mapping (ImageContentSourcePolicy)
- 8.3: Wait for the nodes to roll out the update automatically (this takes a while)
- 8.4: Custom tags
- ✅ Method one: tag the images manually (recommended)
- ✅ Method two: edit mapping.txt by hand to add tags (advanced)
- ✅ Method three: add tags manually in the private registry (e.g. Harbor)
- 📡 9: Install cert-manager from the web console
- 🎉 10: All done!
When deploying OpenShift on a corporate intranet you often run into the same problem: many components depend on the public internet, especially certificate-related services. A common example is cert-manager, the Kubernetes tool for automatically issuing and managing certificates; many Operators, Ingress and Webhook services rely on it.
But cert-manager's default installation method downloads from the internet: the YAML files come straight from GitHub and the images are pulled from quay.io. That simply does not work in an offline environment.
Many people try copying the YAML files by hand or importing them with oc apply, but still hit all kinds of problems: images that can't be pulled, certificates that never get issued, a Webhook that won't come up. That is because cert-manager is not just a few YAML files; it also depends on several images, CRDs and a Webhook service, and all of it has to be configured correctly in one go.
So installing cert-manager in an offline OpenShift environment is both necessary and challenging. You need to prepare the images, adjust the configuration and then deploy into the cluster before the dependent services will work properly.
This article is here to help you get that done.
🎯 1: What's the goal?
Download cert-manager from Red Hat's official OperatorHub and install it offline. You can choose to download all versions or a specific version.
Prerequisites:
- OCP version: 4.16.36
- Bastion (helper node) OS: RHEL 9.4 x64
- The image registry for the OpenShift cluster must already be deployed.
🧰 2: See which Operators are available to download
This command lists every Operator available in the current Operator Catalog. If what you're looking for is cert-manager, you can see its name and its default channel (stable).
```
Logging to .oc-mirror.log
NAME DISPLAY NAME DEFAULT CHANNEL
3scale-community-operator 3scale API Management threescale-2.14
ack-acm-controller AWS Controllers for Kubernetes - Amazon ACM alpha
ack-acmpca-controller AWS Controllers for Kubernetes - Amazon ACM PCA alpha
ack-apigateway-controller AWS Controllers for Kubernetes - Amazon API Gateway alpha
ack-apigatewayv2-controller AWS Controllers for Kubernetes - Amazon API Gateway v2 alpha
ack-applicationautoscaling-controller AWS Controllers for Kubernetes - Amazon Application Auto Scaling alpha
ack-athena-controller AWS Controllers for Kubernetes - Amazon Athena alpha
ack-cloudfront-controller AWS Controllers for Kubernetes - Amazon CloudFront alpha
ack-cloudtrail-controller AWS Controllers for Kubernetes - Amazon CloudTrail alpha
ack-cloudwatch-controller AWS Controllers for Kubernetes - Amazon CloudWatch alpha
ack-cloudwatchlogs-controller AWS Controllers for Kubernetes - Amazon CloudWatch Logs alpha
ack-documentdb-controller AWS Controllers for Kubernetes - Amazon DocumentDB alpha
ack-dynamodb-controller AWS Controllers for Kubernetes - Amazon DynamoDB alpha
ack-ec2-controller AWS Controllers for Kubernetes - Amazon EC2 alpha
ack-ecr-controller AWS Controllers for Kubernetes - Amazon ECR alpha
ack-ecs-controller AWS Controllers for Kubernetes - Amazon ECS alpha
ack-efs-controller AWS Controllers for Kubernetes - Amazon Elastic File System (Amazon EFS) alpha
ack-eks-controller AWS Controllers for Kubernetes - Amazon EKS alpha
ack-elasticache-controller AWS Controllers for Kubernetes - Amazon ElastiCache alpha
ack-elbv2-controller AWS Controllers for Kubernetes - Amazon ELB alpha
ack-emrcontainers-controller AWS Controllers for Kubernetes - Amazon EMR on EKS alpha
ack-eventbridge-controller AWS Controllers for Kubernetes - Amazon EventBridge alpha
ack-iam-controller AWS Controllers for Kubernetes - Amazon IAM alpha
ack-kafka-controller AWS Controllers for Kubernetes - Amazon Kafka alpha
ack-keyspaces-controller AWS Controllers for Kubernetes - Amazon Keyspaces alpha
ack-kinesis-controller AWS Controllers for Kubernetes - Amazon Kinesis alpha
ack-kms-controller AWS Controllers for Kubernetes - Amazon KMS alpha
ack-lambda-controller AWS Controllers for Kubernetes - Amazon Lambda alpha
ack-memorydb-controller AWS Controllers for Kubernetes - MemoryDB alpha
ack-mq-controller AWS Controllers for Kubernetes - Amazon MQ alpha
ack-networkfirewall-controller AWS Controllers for Kubernetes - Amazon Network Firewall alpha
ack-opensearchservice-controller AWS Controllers for Kubernetes - Amazon OpenSearch Service alpha
ack-organizations-controller AWS Controllers for Kubernetes - Amazon Organizations alpha
ack-pipes-controller AWS Controllers for Kubernetes - Amazon EventBridge Pipes alpha
ack-prometheusservice-controller AWS Controllers for Kubernetes - Amazon Prometheus alpha
ack-rds-controller AWS Controllers for Kubernetes - Amazon RDS alpha
ack-recyclebin-controller AWS Controllers for Kubernetes - Amazon Recycle Bin alpha
ack-route53-controller AWS Controllers for Kubernetes - Amazon Route53 alpha
ack-route53resolver-controller AWS Controllers for Kubernetes - Amazon Route53Resolver alpha
ack-s3-controller AWS Controllers for Kubernetes - Amazon S3 alpha
ack-sagemaker-controller AWS Controllers for Kubernetes - Amazon SageMaker alpha
ack-secretsmanager-controller AWS Controllers for Kubernetes - Amazon Secrets Manager alpha
ack-ses-controller AWS Controllers for Kubernetes - Amazon SES alpha
ack-sfn-controller AWS Controllers for Kubernetes - Amazon Step Functions alpha
ack-sns-controller AWS Controllers for Kubernetes - Amazon SNS alpha
ack-sqs-controller AWS Controllers for Kubernetes - Amazon SQS alpha
ack-ssm-controller AWS Controllers for Kubernetes - Amazon SSM alpha
ack-wafv2-controller AWS Controllers for Kubernetes - Amazon WAFV2 alpha
aerospike-kubernetes-operator Aerospike Kubernetes Operator stable
airflow-helm-operator Airflow Helm Operator alpha
alvearie-imaging-ingestion Alvearie Imaging Ingestion Operator alpha
amd-gpu-operator amd-gpu-operator alpha
analytics-operator Observability Analytics alpha
annotationlab NLPLab alpha
apicast-community-operator APIcast stable
apicurio-api-controller Apicurio API Controller 0.x
apicurio-registry Apicurio Registry Operator 2.x
apicurito API Designer latest
apimatic-kubernetes-operator APIMatic Operator alpha
application-services-metering-operator Application Services Metering Operator alpha
aqua Aqua Security Operator 2022.4.0
argocd-operator Argo CD alpha
assisted-service-operator Infrastructure Operator for Red Hat OpenShift alpha
authorino-operator Authorino Operator stable
automotive-infra Automotive-CI alpha
aws-efs-operator AWS EFS Operator stable
awss3-operator-registry AWS S3 Operator alpha
azure-service-operator Azure Service Operator stable
beegfs-csi-driver-operator BeeGFS CSI Driver stable
bookkeeper-operator BookKeeper Operator alpha
bpfd-operator Bpfd Operator alpha
bpfman-operator Bpfman Operator alpha
camel-k Camel K Operator stable-v2
camel-karavan-operator Camel Karavan Operator alpha
cass-operator-community DataStax Kubernetes Operator for Apache Cassandra stable
cert-manager cert-manager stable
cert-utils-operator Cert Utils Operator alpha
cluster-aas-operator Cluster as a service operator alpha
cluster-impairment-operator cluster-impairment-operator beta
cluster-manager Cluster Manager stable
cluster-relocation-operator Cluster Relocation Operator stable
cockroachdb CockroachDB Helm Operator stable-v6.x
codeflare-operator CodeFlare Operator alpha
community-kubevirt-hyperconverged KubeVirt HyperConverged Cluster Operator 1.10.7
community-trivy-operator Community Trivy Operator stable
community-windows-machine-config-operator Community Windows Machine Config Operator preview
customized-user-remediation Customized User Remediation Operator - Community Edition alpha
cxl-operator extend-community-operator alpha
dapr-kubernetes-operator Dapr Control Plane Operator alpha
datadog-operator Datadog Operator stable
datatrucker-operator DataTrucker.IO alpha
dbaas-operator OpenShift Database Access Operator stable
debezium-operator Debezium Operator debezium-latest
dell-csm-operator Dell Container Storage Modules stable
deployment-validation-operator Deployment Validation Operator alpha
devopsinabox Devops-in-a-box alpha
dns-operator DNS Operator stable
dynatrace-operator Dynatrace Operator alpha
eclipse-amlen-operator eclipse-amlen-operator alpha
eclipse-che Eclipse Che stable
ecr-secret-operator ECR Secret Operator v0.4
edp-keycloak-operator EDP Keycloak Operator stable
eginnovations-operator eG Innovations Universal Agent Operator beta
egressip-ipam-operator Egressip Ipam Operator alpha
ember-csi-community-operator Ember CSI Operator beta
etcd etcd singlenamespace-alpha
eventing-kogito Kogito Knative Eventing Source alpha
external-secrets-operator External Secrets Operator alpha
falcon-operator [DEPRECATED] CrowdStrike Operator alpha
fence-agents-remediation Fence Agents Remediation Operator - Community Edition stable
flink-kubernetes-operator Flink Kubernetes Operator alpha
flux Flux stable
flux-operator Flux Operator stable
forklift-operator Forklift Operator stable-v2.6
fossul-operator Fossul Operator alpha
github-arc-operator github-arc-operator alpha
gitlab-operator-kubernetes GitLab stable
gitlab-runner-operator GitLab Runner stable
gitops-primer gitops-primer alpha
gitwebhook-operator GitWebhook operator alpha
global-load-balancer-operator Global Load Balancer Operator alpha
grafana-operator Grafana Operator v5
group-sync-operator Group Sync Operator alpha
hawtio-operator Hawtio Operator stable-v1
hazelcast-platform-operator [DEPRECATED] Hazelcast Platform Operator alpha
hedvig-operator Hedvig Operator stable
hive-operator Hive for Red Hat OpenShift alpha
horreum-operator Horreum alpha
hyperfoil-bundle Hyperfoil alpha
ibm-block-csi-operator-community IBM block storage CSI driver operator stable
ibm-security-verify-access-operator IBM Security Verify Access Operator stable
ibm-spectrum-scale-csi-operator IBM Spectrum Scale CSI Plugin Operator stable
ibmcloud-operator IBM Cloud Operator stable
infinispan Infinispan Operator stable
integrity-shield-operator K8s Integrity Shield alpha-0.3.3
ipfs-operator IPFS Operator alpha
istio-workspace-operator Istio Workspace alpha
jaeger Community Jaeger Operator stable
k8gb k8gb alpha
kaoto-operator Kaoto Operator alpha
keda [DEPRECATED] KEDA alpha
keepalived-operator Keepalived Operator alpha
kepler-operator Kepler alpha
keycloak-operator Keycloak Operator fast
keycloak-permissions-operator Keycloak Permissions Operator alpha
kiali Kiali Community Operator stable
klusterlet Klusterlet stable
kogito-operator Kogito 1.x
koku-metrics-operator Koku Metrics Operator beta
konveyor-operator Konveyor Operator beta
korrel8r Korrel8r stable
kuadrant-operator Kuadrant Operator stable
kube-green kube-green alpha
kubecost Kubecost alpha
kubernetes-imagepuller-operator Kubernetes Image Puller Operator stable
kubeturbo Kubeturbo Operator stable
l5-operator L5 Operator alpha
layer7-operator Layer7 Operator preview
lbconfig-operator External Load-Balancer Configuration Operator beta
lib-bucket-provisioner lib-bucket-provisioner alpha
limitador-operator Limitador stable
logging-operator Logging Operator beta
loki-helm-operator Loki Helm Operator alpha
loki-operator Community Loki Operator alpha
machine-deletion-remediation Machine Deletion Remediation Operator - Community Edition stable
mariadb-operator MariaDB Operator alpha
marin3r MARIN3R stable
mercury-operator Mercury Operator 1.0.x
microcks Microcks Operator stable
mongodb-atlas-kubernetes MongoDB Atlas Operator stable
mongodb-operator MongoDB Operator alpha
move2kube-operator Konveyor Move2Kube stable
multi-nic-cni-operator multi-nic-cni-operator stable
multicluster-global-hub-operator Multicluster Global Hub Operator release-2.12
multicluster-operators-subscription Multicluster Subscription Operator release-2.5
must-gather-operator Must Gather Operator alpha
namespace-configuration-operator Namespace Configuration Operator alpha
ncn-operator ncn-operator betav1
ndmspc-operator NdmSpc operator alpha
netobserv-operator NetObserv Operator community
neuvector-community-operator NeuVector Operator beta
nexus-operator EDP Nexus Operator alpha
nexus-operator-m88i Nexus Operator alpha
nfs-provisioner-operator NFS Provisioner Operator alpha
nlp-server nlp-server alpha
node-discovery-operator node-discovery-operator alpha
node-healthcheck-operator Node Health Check Operator stable
node-maintenance-operator Node Maintenance Operator - Community Edition stable
nsm-operator nsm-operator alpha
oadp-operator OADP Operator stable
observability-operator Observability Operator development
oci-ccm-operator oci-ccm-operator alpha
ocm-operator OpenShift Cluster Manager Operator alpha
odf-node-recovery-operator ODF Node Recovery Operator alpha
odoo-operator Odoo Operator alpha
opendatahub-operator Open Data Hub Operator fast
openebs OpenEBS alpha
openshift-nfd-operator Node Feature Discovery Operator stable
openshift-node-upgrade-mutex-operator OpenShift Node Upgrade Mutex Operator alpha
openshift-qiskit-operator QiskitPlayground alpha
opentelemetry-operator Community OpenTelemetry Operator alpha
patch-operator Patch Operator alpha
patterns-operator Validated Patterns Operator fast
pcc-operator Prisma Cloud Compute Operator stable
pelorus-operator Pelorus Operator alpha
percona-postgresql-operator Percona Operator for PostgreSQL stable
percona-server-mongodb-operator Percona Distribution for MongoDB Operator stable
percona-xtradb-cluster-operator Percona Operator for MySQL based on Percona XtraDB Cluster stable
portworx-essentials Portworx Essentials stable
postgresql Crunchy Postgres for Kubernetes v5
proactive-node-scaling-operator Proactive Node Scaling Operator alpha
project-quay Quay stable-3.13
prometheus Prometheus Operator beta
prometheus-exporter-operator Prometheus Exporter Operator alpha
prometurbo Prometurbo Operator stable
pubsubplus-eventbroker-operator Solace PubSub+ Event Broker Operator stable
pulp-operator Pulp Project beta
pulsar-operator Pulsar Operator alpha
pulsar-resources-operator Pulsar Resources Operator alpha
rabbitmq-cluster-operator RabbitMQ-cluster-operator stable
rabbitmq-messaging-topology-operator rabbitmq-messaging-topology-operator stable
rabbitmq-single-active-consumer-operator rabbitmq-single-active-consumer-operator stable
redis-operator Redis Operator stable
registry-operator Devfile Registry Operator beta
reportportal-operator reportportal-operator alpha
resource-locker-operator Resource Locker Operator alpha
rhoas-operator OpenShift Application Services (RHOAS) beta
ripsaw benchmark-operator alpha
sailoperator Sail Operator 3.0-nightly
sap-commerce-operator SAP Commerce Operator alpha
sap-data-intelligence-observer-operator SAP Data Intelligence 3 - Observer Operator stable
sap-hana-express-operator SAP Hana Express Operator stable
seldon-operator Seldon Operator stable
self-node-remediation Self Node Remediation Operator - Community Edition stable
service-binding-operator Service Binding Operator stable
shipwright-operator Shipwright Operator alpha
sigstore-helm-operator sigstore alpha
silicom-sts-operator Silicom STS Operator alpha
skupper-operator Skupper stable
sn-operator StreamNative Operator alpha
snapscheduler SnapScheduler stable
snyk-operator Snyk Operator stable
socmmd socmmd stable
sonar-operator EDP Sonar Operator alpha
sonataflow-operator SonataFlow Operator alpha
sosivio Sosivio | Predictive Troubleshooting for Kubernetes stable
sosreport-operator sosreport-operator alpha
spark-helm-operator Spark Helm Operator alpha
special-resource-operator Special Resource Operator alpha
stackgres-community StackGres candidate
stolostron Stolostron community-0.5
stolostron-engine Stolostron Engine community-0.5
strimzi-kafka-operator Strimzi stable
susql-operator SusQL alpha
syndesis Syndesis Operator latest
t8c Turbonomic Platform Operator stable
tagger Tagger alpha
tempo-operator Community Tempo Operator alpha
tf-controller Weave GitOps Terraform Controller stable
tidb-operator TiDB Operator stable
trident-operator NetApp Trident stable
trustify-operator Trustify Operator alpha
ucs-ci-solutions-operator UCS-CI-Solutions-Operator alpha
universal-crossplane Upbound Universal Crossplane (UXP) stable
varnish-operator Varnish Operator alpha
vault-config-operator Vault Config Operator alpha
verticadb-operator VerticaDB Operator v2-stable
victoriametrics-operator VictoriaMetrics Operator beta
volume-expander-operator Volume Expander Operator alpha
wandb-operator Weights & Biases Operator stable
windup-operator Windup Operator alpha
yaks YAKS Operator alpha
zookeeper-operator ZooKeeper Operator alpha
```
cert-manager is there, and its default channel is stable.
📦 3: See which versions this Operator has
This tells you which versions are available to download, such as 1.16.1 and 1.16.5. You can then decide whether to download all of them or only a particular one.
```
Logging to .oc-mirror.log
VERSIONS
1.4.0
1.6.0
1.6.1
1.16.5
1.9.1
1.7.1
1.15.2
1.5.4
1.7.2
1.8.0
1.13.1-rc1
1.11.0
1.13.1
1.13.3
1.4.2
1.4.3
1.5.3
1.10.2
1.11.4
1.15.0
1.16.1
1.10.1
1.12.2
1.6.2
1.4.4
1.14.2
1.4.1
1.8.2
1.10.0
```
✍️ 4: Write the image download configuration file
First we have to tell the oc mirror tool which Operator Catalog to pull from and which images to pull.
4.1: Downloading all versions
Use this when you want to pull every historical version of an Operator.
$ vim cert-manager-ImageSetConfiguration.yaml
```yaml
apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
  local:
    path: /root/ocp4/OperatorHub/cert-manager-1.16.5
mirror:
  operators:
  - catalog: registry.redhat.io/redhat/community-operator-index:v4.16
    packages:
    - name: cert-manager
      channels:
      - name: stable
```
4.2: Downloading only a specific version
If you only need one specific version of cert-manager (for example 1.16.5), you can restrict the range explicitly:
$ vim cert-manager-ImageSetConfiguration.yaml
```yaml
apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
  registry:
    imageURL: registry.ocp.local:8443/init/mirror
    skipTLS: false
mirror:
  operators:
  - catalog: registry.redhat.io/redhat/community-operator-index:v4.16
    packages:
    - name: cert-manager
      channels:
      - name: stable
        minVersion: '1.16.5'
        maxVersion: '1.16.5'
```
This greatly reduces the size of the image set and avoids downloading too many versions.
🚚 5: Start downloading the images
This command will:
- download the Operator images related to cert-manager
- create the local directory oc-mirror-workspace
- archive everything into a .tar file automatically, ready for offline import
Output like the following means the download succeeded:
Verify the downloaded images:
They can now be packaged, carried over to your offline OpenShift environment and uploaded to the private registry.
📤 6: Upload to your own private registry
Our offline environment cannot reach the internet, so we first download all of the Operator's images in a connected environment and then carry them over into the cluster by hand.
Unpack the media package.
Upload the images to the image registry.
- `<YOUR_REGISTRY_URL>` is replaced with your local registry;
- `<Project>` is the project name you created;
- `<Subpath>` is the path name for the images.
For example:
You will see output like this:
```
Rendering catalog image "registry.ocp.local:8443/init/mirror/redhat/community-operator-index:v4.16" with file-based catalog
Writing image mapping to oc-mirror-workspace/results-1747728348/mapping.txt
Writing CatalogSource manifests to oc-mirror-workspace/results-1747728348
Writing ICSP manifests to oc-mirror-workspace/results-1747728348
```
In other words, push the downloaded images to your own private registry (for example the registry.ocp.local you set up yourself) with oc adm catalog mirror.
🧩 7: Disable the online OperatorHub sources
By default OpenShift connects to Red Hat's official sources, namely:
certified-operators
community-operators
redhat-operators
redhat-marketplace
You can also see them with this command:
```shell
$ oc get catalogsource -n openshift-marketplace
NAME DISPLAY TYPE PUBLISHER AGE
certified-operators Certified Operators grpc Red Hat 94m
community-operators Community Operators grpc Red Hat 94m
redhat-marketplace Red Hat Marketplace grpc Red Hat 94m
redhat-operators Red Hat Operators grpc Red Hat 94m
```
These sources are all "online" and only work with an internet connection. To avoid errors in the offline environment (such as images that can't be pulled), we turn them off:
```shell
oc patch OperatorHub cluster --type json -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'
oc patch operatorhub cluster --type merge -p '{
  "spec": {
    "sources": [
      {"name": "redhat-operators", "disabled": true},
      {"name": "certified-operators", "disabled": true},
      {"name": "redhat-marketplace", "disabled": true},
      {"name": "community-operators", "disabled": true}
    ]
  }
}'
```
👉 What does this command do?
In plain terms:
👉 It switches off all of OpenShift's "online" sources so that only the offline source you configured yourself is used.
✅ Why turn them off?
- 🧠 If you're in a fully offline environment (no internet access at all), disabling them has no side effects; on the contrary, it spares you a pile of OpenShift errors about images that can't be pulled.
- 😩 If you leave these online sources enabled in an offline environment, the OperatorHub page sometimes won't show your offline Operators and reports errors like "cannot pull image xxx".
✅ When should you run it?
- Fully offline environment ✅ recommended
- "Semi-offline", with occasional internet access ❓ depends; you can leave them on.
After running it, openshift-marketplace no longer offers the online software packages:
✅ 8: Tell OpenShift to use our own offline source
By default OpenShift installs Operators from Red Hat's official sources; now we tell it to use the local source you downloaded instead.
8.1: Create the CatalogSource
Go into the directory from the previous step and run this command:
This file defines a new Operator installation source, i.e. OpenShift now looks for Operators in your local registry, such as the registry.ocp.local:8443 registry you set up locally.
Check the catalogs again.
8.2: Set up the image source mapping (ImageContentSourcePolicy)
This step tells OpenShift:
"Where you used to pull quay.io/jetstack/cert-manager-controller, now pull from my own registry instead, while the image repository path stays as it was."
💡 Also, why do we need both ImageContentSourcePolicy and ImageTagMirrorSet?
- ImageContentSourcePolicy (ICSP) is the mechanism older OpenShift releases used for image source replacement, but it has been marked as deprecated.
- The newly recommended resources are ImageTagMirrorSet (ITMS) or imagedigestmirrorsets (ImageDigestMirrorSet); they are more flexible and match OpenShift's long-term support policy. Here we go with ImageTagMirrorSet (ITMS).
So, back in that same directory, you can copy the ICSP content, change the format and upgrade it to an ITMS.
You can still create the ICSP as before:
Then create the ITMS:
Edit ImageTagMirrorSet.yaml
$ vim ImageTagMirrorSet.yaml
```yaml
---
apiVersion: config.openshift.io/v1
kind: ImageTagMirrorSet
metadata:
  annotations:
    description: "Replace cert-manager mirrors with internal registry"
    environment: "production"
  generation: 1
  name: cert-manager-mirror
spec:
  imageTagMirrors:
  - mirrors:
    - registry.ocp.local:8443/init/mirror/jetstack
    source: quay.io/jetstack
  - mirrors:
    - registry.ocp.local:8443/init/mirror/community-operator-pipeline-prod
    source: quay.io/community-operator-pipeline-prod
```
Then run:
This file tells OpenShift: "Where you used to pull images from registry.redhat.io, now pull from registry.ocp.local:8443 instead."
Sometimes, though, you'll see this error:
It means this configuration has already been added once and cannot be created again.
💡 Fix: edit the existing configuration directly and add the new content you need by hand.
Run:
Append your offline mirror addresses inside it, for example these two entries:
Save and exit.
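As an added example (not from the original post), here is a small POSIX shell script that does the ICSP-to-ITMS conversion described in 8.2 and then checks that every mirror still points at the internal registry. The ICSP input is a constructed sample in the shape oc-mirror writes, using the post's registry and repositories; the function names and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): turn the ICSP manifest that
# oc-mirror writes into the ITMS (or IDMS) form the post recommends.
# SAMPLE_ICSP is a constructed ICSP in the shape oc-mirror emits; the
# registry and repositories match the post's ImageTagMirrorSet.yaml.
SAMPLE_ICSP='apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  labels:
    operators.openshift.org/catalog: "true"
  name: operator-0
spec:
  repositoryDigestMirrors:
  - mirrors:
    - registry.ocp.local:8443/init/mirror/jetstack
    source: quay.io/jetstack
  - mirrors:
    - registry.ocp.local:8443/init/mirror/community-operator-pipeline-prod
    source: quay.io/community-operator-pipeline-prod'

# icsp_to_mirrorset KIND NAME   (reads the ICSP on stdin, writes the new manifest)
# KIND is ImageTagMirrorSet or ImageDigestMirrorSet. Only apiVersion, kind,
# metadata.name and the spec key change; the mirrors/source entries are copied
# verbatim. The oc-mirror catalog label is dropped because it only belongs to
# the ICSP workflow (the sample carries no other labels).
icsp_to_mirrorset() {
  case "$1" in
    ImageTagMirrorSet)    key=imageTagMirrors ;;
    ImageDigestMirrorSet) key=imageDigestMirrors ;;
    *) echo "unsupported kind: $1" >&2; return 2 ;;
  esac
  sed \
    -e 's|^apiVersion: operator.openshift.io/v1alpha1$|apiVersion: config.openshift.io/v1|' \
    -e "s|^kind: ImageContentSourcePolicy\$|kind: $1|" \
    -e "s|^  name: .*\$|  name: $2|" \
    -e "s|^  repositoryDigestMirrors:\$|  $key:|" \
    -e '/^  labels:$/d' \
    -e '\|^    operators.openshift.org/catalog: "true"$|d'
}

# check_mirrors FILE REGISTRY_PREFIX
# Every "    - <mirror>" line must start with the internal registry prefix.
# A mirror outside it would quietly send node pulls to a public registry,
# which is exactly what the offline setup is meant to prevent.
check_mirrors() {
  awk -v prefix="$2" '
    BEGIN { bad = 0 }
    /^    - / {
      m = substr($0, 7)
      if (index(m, prefix) != 1) { print "mirror outside internal registry: " m; bad = 1 }
    }
    END { exit bad }
  ' "$1"
}

# Demo: convert the constructed ICSP, verify the mirrors, print the result.
ITMS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_ICSP" | icsp_to_mirrorset ImageTagMirrorSet cert-manager-mirror > "$ITMS_FILE"
check_mirrors "$ITMS_FILE" registry.ocp.local:8443/
cat "$ITMS_FILE"
```

In practice you would feed it the ICSP file from oc-mirror-workspace/results-*/ and apply the output with oc apply -f.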
8.3: Wait for the nodes to roll out the update automatically (this takes a while)
Once you add the ImageContentSourcePolicy, OpenShift automatically restarts the relevant services on every node so the system knows to pull images from the new address from now on.
You can watch the progress like this:
You may see:
That means the update is in progress; wait ten-odd minutes until you see:
which means the update is done and every node recognises the new image address.
You can also check the status of the Machine Config Operator:
Output like this means everything is OK:
8.4: Custom tags
Sometimes oc mirror doesn't give the images the tag you want (such as v1.16.5) by default.
🔍 Why doesn't oc mirror always keep the original tag?
This comes down to how oc mirror works. It:
- uses the image digest (the hash) during the pull and packaging stage to guarantee that the content is unique;
- when uploading to the private registry, only guarantees that the digest matches and does not necessarily restore every tag;
- records tag information in the generated mapping.txt, but does not always sync the tags completely during the upload.
🧰 How to fix it?
✅ Method one: tag the images manually (recommended)
- Log in to the machine hosting your private registry
- Find the list of images you uploaded
- Use skopeo or podman/docker to add a tag to the corresponding digest by hand:
✅ Method two: edit mapping.txt by hand to add tags (advanced)
Before the upload stage, oc mirror generates a mapping.txt file that looks something like this:
You can edit it by hand to:
Then re-upload with oc mirror --from=mapping.txt.
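Added example for method two (not the post's own code): a POSIX shell script that rewrites the destination tags in mapping.txt for the cert-manager images and then checks that every destination still lives inside the internal registry. It assumes the one-image-per-line SOURCE=DESTINATION format; the sample mapping, digests and short tags are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): fix up an oc-mirror mapping.txt
# before re-uploading, and sanity-check that every destination points at the
# internal registry. Assumes the line format "SOURCE=DESTINATION".
# SAMPLE_MAPPING is constructed; digests and the short tags are placeholders.
SAMPLE_MAPPING='quay.io/jetstack/cert-manager-controller@sha256:0000000000000000000000000000000000000000000000000000000000000001=registry.ocp.local:8443/init/mirror/jetstack/cert-manager-controller:3a9f0c1e
quay.io/jetstack/cert-manager-webhook@sha256:0000000000000000000000000000000000000000000000000000000000000002=registry.ocp.local:8443/init/mirror/jetstack/cert-manager-webhook:7b2d44aa
quay.io/community-operator-pipeline-prod/cert-manager@sha256:0000000000000000000000000000000000000000000000000000000000000003=registry.ocp.local:8443/init/mirror/community-operator-pipeline-prod/cert-manager:c1e0ff09'

# retag_mapping FILE SOURCE_PREFIX TAG
# Rewrites the destination tag to TAG for every line whose source begins with
# SOURCE_PREFIX; other lines pass through untouched. The registry port in
# registry.ocp.local:8443 is left alone because only a ":" that comes after
# the last "/" is treated as the tag separator.
retag_mapping() {
  awk -F'=' -v prefix="$2" -v tag="$3" '
    index($1, prefix) == 1 {
      dest = $2; slash = 0; colon = 0
      for (i = 1; i <= length(dest); i++) {
        c = substr(dest, i, 1)
        if (c == "/") slash = i; else if (c == ":") colon = i
      }
      if (colon > slash) dest = substr(dest, 1, colon - 1)
      $2 = dest ":" tag
    }
    { print $1 "=" $2 }
  ' "$1"
}

# check_mapping_dest FILE REGISTRY_PREFIX
# Fails (exit 1) and names the offending lines if any destination does not
# live under REGISTRY_PREFIX: a destination that still points at a public
# registry means the cluster would try to pull from the internet.
check_mapping_dest() {
  awk -F'=' -v prefix="$2" '
    BEGIN { bad = 0 }
    index($2, prefix) != 1 { print "unexpected destination: " $2; bad = 1 }
    END { exit bad }
  ' "$1"
}

# Demo: write the constructed sample to a temp file, retag the jetstack images
# to v1.16.5, and verify every destination stays inside the internal registry.
MAPPING_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_MAPPING" > "$MAPPING_FILE"
retag_mapping "$MAPPING_FILE" quay.io/jetstack/ v1.16.5 > "$MAPPING_FILE.retagged"
check_mapping_dest "$MAPPING_FILE.retagged" registry.ocp.local:8443/init/mirror/
cat "$MAPPING_FILE.retagged"
```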
✅ Method three: add tags manually in the private registry (e.g. Harbor)
Taking Quay.io as an example:
- Open the project → find the image jetstack/cert-manager-controller
- Click into that image
- On the "Tags" page, create a new tag by hand, e.g. v1.16.5
- Point it at the digest or image ID you uploaded
Click one of the images, click the settings button on the right and choose "Add New Tag".
Set it to the v1.16.5 version.
Repeat for all four images.
📡 9: Install cert-manager from the web console
All of the above was back-end preparation. Once it's done you can:
- open the OpenShift web console
- go to the OperatorHub page
- search for cert-manager
- if it shows up in the list, the CatalogSource is working
- click it and install it through the GUI ✅
Click "Install".
The defaults are fine.
Installing.
Installed successfully.
Check from the command line:
🎉 10: All done!
- You have now successfully installed cert-manager on OpenShift the offline way.