diff --git a/collection/tools/roles/tools_get_openshift_release/defaults/main.yml b/collection/tools/roles/tools_get_openshift_release/defaults/main.yml
index f54042ac..64f604c6 100644
--- a/collection/tools/roles/tools_get_openshift_release/defaults/main.yml
+++ b/collection/tools/roles/tools_get_openshift_release/defaults/main.yml
@@ -2,6 +2,5 @@
 # defaults file for tools_get_openshift_release
 openshift_releasestream_url: "https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/api/v1/releasestream"
 release_name: "{{ openshift_release_build_name | default('') }}"
-openshift_download_url: "{{ 'https://openshift-release-artifacts.apps.ci.l2s4.p1.openshiftapps.com' + '/' + release_name }}"
 openshift_mirror_url: "https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp"
 ocp_build_info_file: "{{ controller_home_dir }}/latest_build.json"
diff --git a/collection/tools/roles/tools_get_openshift_release/tasks/get_openshift_release_binaries.yml b/collection/tools/roles/tools_get_openshift_release/tasks/get_openshift_release_binaries.yml
index a2515771..ce4dc41f 100644
--- a/collection/tools/roles/tools_get_openshift_release/tasks/get_openshift_release_binaries.yml
+++ b/collection/tools/roles/tools_get_openshift_release/tasks/get_openshift_release_binaries.yml
@@ -1,25 +1,33 @@
 ---
+# Extract OCP installer and/or client binaries directly from the release image
+# using `oc adm release extract --tools` instead of the release-controller's
+# file-cache (openshift-release-artifacts), which has no SLA and can get stuck
+# indefinitely during tool extraction.
 - name: Get the OCP installer and/or client binaries
   vars:
-    installer_url: "{{ openshift_download_url }}/openshift-install-linux-{{ release_name }}.tar.gz"
-    client_url: "{{ openshift_download_url }}/openshift-client-linux-{{ release_name }}.tar.gz"
+    installer_tarball: "openshift-install-linux-{{ release_name }}.tar.gz"
+    client_tarball: "openshift-client-linux-{{ release_name }}.tar.gz"
+    pull_secret_file: "{{ home_dir }}/pull-secret.json"
   block:
     - name: Fail if release_name var is not defined
       ansible.builtin.fail:
         msg: "'release_name' variable must be defined and cannot be empty"
       when: release_name == ''
 
-    - name: Wait for content to come up on {{ openshift_download_url }}
-      ansible.builtin.uri:
-        url: "{{ openshift_download_url }}"
-        method: GET
-        return_content: yes
-        status_code: 200
-        body_format: json
-      register: result
-      until: result.content.find("openshift-install-linux") != -1
-      retries: 20
-      delay: 60
+    - name: Fail if openshift_release_pull_spec is not defined
+      ansible.builtin.fail:
+        msg: "'openshift_release_pull_spec' must be set by get_openshift_release_build_name.yml"
+      when: openshift_release_pull_spec is not defined or openshift_release_pull_spec == ''
+
+    - name: Extract pull secret from host cluster
+      ansible.builtin.shell: >-
+        set -o pipefail &&
+        oc get secret pull-secret -n openshift-config
+        --kubeconfig={{ rhoso_kubeconfig }}
+        -o jsonpath='{.data.\.dockerconfigjson}'
+        | base64 -d > {{ pull_secret_file }}
+      changed_when: true
+      no_log: true
 
     - name: Create the installer directory
       ansible.builtin.file:
@@ -27,18 +35,27 @@
         state: directory
         mode: u=rwx,g=rw,o=r
 
+    - name: Extract OCP tools from release image {{ openshift_release_pull_spec }}
+      ansible.builtin.command:
+        cmd: >-
+          oc adm release extract
+          --tools
+          --registry-config={{ pull_secret_file }}
+          --to={{ home_dir }}/{{ release_name }}
+          {{ openshift_release_pull_spec }}
+      register: extract_result
+      until: extract_result is not failed
+      retries: 3
+      delay: 30
+
     - name: Get the installer binary and create a symlink
       when: "'installer' in binaries"
       block:
-        - name: Download and unarchive the installer from {{ installer_url }}
+        - name: Unarchive the installer from {{ installer_tarball }}
           ansible.builtin.unarchive:
-            src: "{{ installer_url }}"
+            src: "{{ home_dir }}/{{ release_name }}/{{ installer_tarball }}"
             dest: "{{ home_dir }}/{{ release_name }}"
             remote_src: yes
-          register: result
-          until: result is not failed
-          retries: 3
-          delay: 10
 
         - name: Create a symlink to the openshift-install binary from /usr/local/bin
           ansible.builtin.file:
@@ -47,18 +64,14 @@
             state: link
           become: true
 
-    - name: Get the installer binary and create symlinks
+    - name: Get the client binary and create symlinks
       when: "'client' in binaries"
       block:
-        - name: Download and unarchive the client from {{ client_url }}
+        - name: Unarchive the client from {{ client_tarball }}
           ansible.builtin.unarchive:
-            src: "{{ client_url }}"
+            src: "{{ home_dir }}/{{ release_name }}/{{ client_tarball }}"
             dest: "{{ home_dir }}/{{ release_name }}"
             remote_src: yes
-          register: result
-          until: result is not failed
-          retries: 3
-          delay: 10
 
         - name: Create a symlink to the oc binary from /usr/local/bin
           ansible.builtin.file:
@@ -73,3 +86,9 @@
             dest: /usr/bin/kubectl
             state: link
           become: true
+
+  always:
+    - name: Remove pull secret file
+      ansible.builtin.file:
+        path: "{{ pull_secret_file }}"
+        state: absent
diff --git a/collection/tools/roles/tools_get_openshift_release/tasks/get_openshift_release_build_name.yml b/collection/tools/roles/tools_get_openshift_release/tasks/get_openshift_release_build_name.yml
index 78c07a79..7461eb58 100644
--- a/collection/tools/roles/tools_get_openshift_release/tasks/get_openshift_release_build_name.yml
+++ b/collection/tools/roles/tools_get_openshift_release/tasks/get_openshift_release_build_name.yml
@@ -39,12 +39,25 @@
       ansible.builtin.set_fact:
         openshift_release_build_name: "{{ latest_build_info.name }}"
 
-- name: Set openshift_release_build_name when a specific build is given
-  ansible.builtin.set_fact:
-    openshift_release_build_name: "{{ build_name }}"
+    - name: Set openshift_release_pull_spec from release stream API response
+      ansible.builtin.set_fact:
+        openshift_release_pull_spec: "{{ latest_build_info.pullSpec }}"
+
+- name: Set build name and pull spec when a specific build is given
   when:
     - release is not match("4-stable")
     - build_name not in ['','candidate','fast','stable','eus']
+  block:
+    - name: Set openshift_release_build_name for specific build
+      ansible.builtin.set_fact:
+        openshift_release_build_name: "{{ build_name }}"
+
+    - name: Construct openshift_release_pull_spec for specific build
+      ansible.builtin.set_fact:
+        openshift_release_pull_spec: >-
+          {{ 'registry.ci.openshift.org/ocp/release:' + build_name
+             if build_name is search('nightly')
+             else 'quay.io/openshift-release-dev/ocp-release:' + build_name + '-x86_64' }}
 
 - name: Discover the release build name for the z-stream promoted to upgrade channel on {{ release }}
   # Ref: https://docs.openshift.com/container-platform/4.9/updating/understanding-upgrade-channels-release.html
@@ -68,3 +81,12 @@
     - name: Set openshift_release_build_name when openshift.build is set to a channel
       ansible.builtin.set_fact:
         openshift_release_build_name: "{{ result.stdout }}"
+
+    - name: Parse openshift_release_pull_spec from Pull From field in release.txt
+      ansible.builtin.shell: set -o pipefail && grep '^Pull From:' {{ home_dir }}/release.txt | awk '{print $3}'
+      changed_when: false
+      register: pull_from_result
+
+    - name: Set openshift_release_pull_spec from channel release.txt
+      ansible.builtin.set_fact:
+        openshift_release_pull_spec: "{{ pull_from_result.stdout }}"