Mirror an Image to an External Registry
In order to mirror an image built by CI to Quay, that image must be promoted.
If the image is promoted into a namespace for which no other image mirroring is set up yet, some RBAC needs to be configured:
- Create a folder in clusters/app.ci/registry-access with the name of the namespace, containing the manifests of the namespace and the RBAC for that namespace. Provide an OWNERS file to allow your team to make changes to those manifests.
- The admin of the namespace should allow the SA in the mirroring job defined below to access the images with oc image mirror, like this, which makes the images open to the public:
oc image mirror is used to push a configured set of images to Quay repositories. A number of Quay
repositories already have mirroring pipelines configured; each directory
here corresponds to a repository.
These directories contain mapping files that define tags on images in the target repository. New images may be submitted
to mirror to existing organizations, or new ones. When naming your new image, please follow the naming guidelines.
Submit a pull request adding the image source and target to the appropriate mirroring file. For instance, adding a new
image tag to the
quay.io/openshift:4.6 image would require a new entry in the
file. Adding a new image entirely would require a new
Warning: Images that are mirrored to Quay for the first time are private by default and need to be made public by an administrator of the Quay organization. For the openshift organization, contact Clayton Coleman, Ben Parees, or Justin Pierce about making images public. They will be checking to ensure your image does not contain private or licensed content such as RHEL or internal RHEL packages.
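A pre-review check for the mapping files described above, as an added example (not code from the project): it flags targets outside the expected Quay organization, targets without an explicit tag, and one target tag written from two different sources. The line format (a source followed by one or more whitespace-separated targets), the skipping of `#` lines, the `registry.ci.example` host and the `lint_mapping` name are assumptions.

```python
import re

# Constructed sample mapping file. Assumed line format: a source image followed
# by one or more whitespace-separated targets; registry.ci.example is made up.
SAMPLE = """\
registry.ci.example/ocp/4.6:cli quay.io/openshift/origin-cli:4.6 quay.io/openshift/origin-cli:4.6.0
registry.ci.example/ocp/4.6:tools quay.io/openshift/origin-tools:4.6
registry.ci.example/ocp/4.6:installer quay.io/openshift/origin-cli:4.6
registry.ci.example/ocp/4.6:tests quay.io/other-org/origin-tests:4.6
registry.ci.example/ocp/4.6:base quay.io/openshift/origin-base
registry.ci.example/ocp/4.6:orphan
"""

# quay.io/<org>/<repo>[:<tag>]
TARGET_RE = re.compile(
    r"^quay\.io/(?P<org>[^/:@]+)/(?P<repo>[^:@]+)(?::(?P<tag>[^:@/]+))?$")


def lint_mapping(text, org):
    """Return (line_number, message) findings for one mapping file."""
    findings = []
    seen = {}  # target -> (line number, source) of its first appearance
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed: blanks/comments skipped
            continue
        src, *targets = line.split()
        if not targets:
            findings.append((n, f"no target for {src}"))
        for target in targets:
            m = TARGET_RE.match(target)
            if not m:
                findings.append((n, f"not a quay.io/org/repo target: {target}"))
                continue
            if m["org"] != org:
                findings.append((n, f"target outside {org}: {target}"))
            if not m["tag"]:
                findings.append((n, f"no explicit tag: {target}"))
            first_line, first_src = seen.setdefault(target, (n, src))
            if first_src != src:
                findings.append(
                    (n, f"{target} already fed by {first_src} (line {first_line})"))
    return findings


if __name__ == "__main__":
    for n, msg in lint_mapping(SAMPLE, "openshift"):
        print(f"line {n}: {msg}")
```

Run against the file changed in a pull request, a non-empty result is a reason to stop before the images reach a repository that may later be made public.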
Configuring Mirroring for New Organization
Submit a PR adding a new subdirectory here, with at least a single mapping file and an OWNERS file (so that you can maintain your mappings). The mapping files should follow the mapping_$name$anything naming convention to avoid conflicts
when put into a
Additionally, you will need to add a new Periodic job here. You can use any of the jobs as a sample and simply replace all occurrences of the value found in the
knative) with the name of your repository (which should be the same as the name of the directory you created).
In order to push images to an external repository, credentials are needed. Use
podman to create a docker config
file as described here
and then use our self-service portal to add it to the clusters,
using the following keys in Vault:
Then, the mirroring jobs can mount the secret as a volume: