Mirroring specific versions of K8S Operators
In the past two to three years the process of mirroring / importing openshift and or k8s operator images to a disconnected or to a connected (with a DMZ) environment was a painfull process.
In the article, I’ll explain how you can save time and ease the mirroring process for “air-gapped” environments using the updatedoc-mirror tool from RedHat.
Let’s get started!
Prerequisites
- Openshift Container Platform v4.9.xx and up
- A Bastion server based on a RHEL8 operating system.
- OC CLI
- Registry:2 container running
Preparations
Download the needed installation files tooc-mirror tools.
1) https://console.redhat.com/openshift/downloads#tool-oc-mirror-plugin
Under the downloads locate the “oc-mirror-plugin” item and click download
2) Transfer the tar file to the bastion server and open with the following commands.
$ tar xvf oc-mirror.tar -C /usr/bin/
$ chmod +x /usr/bin/oc-mirror3) From the same link copy your pull secret under “tokens” to the bastion server. The following pull secret is a token in json format, the password is “encoded” in base64.
Copy the file contents to to following file — IF the dir does not exist please create it.
# DIR CREATION = mkdir -p ~/.docker
$ vim ~/.docker/config.jsonUsing the tool
1) How to list available operator catalogs:$ oc-mirror list operators --catalogs --version=4.X** In each ocp version you will have all four of theese catlogs available: **registry.redhat.io/redhat/redhat-operator-index:v4.X
registry.redhat.io/redhat/certified-operator-index:v4.X
registry.redhat.io/redhat/community-operator-index:v4.X
registry.redhat.io/redhat/redhat-marketplace-index:v4.X2) How to list available operators in chosen catalog:$ oc-mirror list operators --catalog=<cvhosen_catalog_url>:<v4.X>3) Listing the available release channels of a specific operator:$ oc-mirror list operators --catalog=<chosen_catalog_url>:<v4.X> --package=<operator_name>4) List the available versions under a specific release channel:$ oc-mirror list operators --catalog=<chosen_catalog_url>:<v4.X> --package=<operator_name> --channel=<channel_name>
Creating the config file & The logic itself
Following the steps in the help section you can find any operator, its version, channel and other info. From there you can create a config.yaml file that with its use the “oc-mirror” command will “download” for your use any operator in any specific version.
$ podman login registry.redhat.io
$ oc-mirror list operators
Available OpenShift OperatorHub catalog versions:
v4.11
v4.10
v4.9
.
.For example im running openshift v4.9.33 (major=4.9):
> oc-mirror list operators --catalogs --version=4.9
Available OpenShift OperatorHub catalogs:
OpenShift 4.9:
registry.redhat.io/redhat/redhat-operator-index:v4.9
registry.redhat.io/redhat/certified-operator-index:v4.9
registry.redhat.io/redhat/community-operator-index:v4.9
registry.redhat.io/redhat/redhat-marketplace-index:v4.9In this case we will try to mirror the “ACM Operator”. The operator is developed by RedHat, so it will be under the “redhat-operator-index”.
If you dont know which index image to use, you can list each one of them until you find your desired operator:
$ oc-mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.9NAME
advanced-cluster-management
DISPLAY NAME
Advanced Cluster Management for Kubernetes DEFAULT CHANNEL
release-2.5
(## It will displayed in a list ##)
...
Listing channels of the operator (if you do knot know the channel its ok):
$ oc-mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.9 --package=advanced-cluster-management
NAME
advanced-cluster-management
DISPLAY NAME
Advanced Cluster Management for Kubernetes
DEFAULT CHANNEL
release-2.5PACKAGE CHANNEL HEAD
advan... release-2.3 advanced-cluster-management.v2.3.11
advan... release-2.4 advanced-cluster-management.v2.4.5
advan... release-2.5 advanced-cluster-management.v2.5.1
Listing the versions in channel (if you do not have the versions its ok):
$ oc-mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.9 --package=advanced-cluster-management --channel=release-2.5
VERSIONS
2.5.0
2.5.1Config file — Choosing a specific version
apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
archiveSize: 50
mirror:
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.9
packages:
- name: advanced-cluster-management
channels:
- name: release-2.5
minVersion: '2.5.1'
maxVersion: '2.5.1'Config file — Latest version
apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
archiveSize: 50
mirror:
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.9
packages:
- name: advanced-cluster-managementRunning the mirror process
$ oc mirror --config=config.yaml file://<file_name>At the end you will be left with a dir by the name <file_name> from the command beforehand, inside the dir you will have a file by the name <mirror_tar_sequence>.tar .
Congrats — You have successfully mirrored your operator archive, proceed with importing the operator (.tar archive) into you desired network.
— — — — — — — — — — — — — — — — — — — — — —
Disconnected / Air Gapped Network
— — — — — — — — — — — — — — — — — — — — — —
Import & install in the same way as prior on the “connected bastion” server the oc-mirror cli.
**Bastion server must be rhel v8 and up **
Using Operator Lifecycle Manager on restricted networks
Documentation from RedHat’s official documentation
For OpenShift Container Platform clusters that are installed on restricted networks, also known as disconnected clusters, Operator Lifecycle Manager (OLM) by default cannot access the Red Hat-provided OperatorHub sources hosted on remote registries because those remote sources require full internet connectivity.
However, as a cluster administrator you can still enable your cluster to use OLM in a restricted network if you have a workstation that has full internet access. The workstation, which requires full internet access to pull the remote OperatorHub content, is used to prepare local mirrors of the remote sources, and push the content to a mirror registry.
The mirror registry can be located on a bastion host, which requires connectivity to both your workstation and the disconnected cluster, or a completely disconnected, or airgapped, host, which requires removable media to physically move the mirrored content to the disconnected environment.
Copy the pull secret for you local registry.
Locate your disconnected registry’s pull secret.
For example: when logging in to the local registry (localhost:5000) a default file will be created in most cases under the following path “/run/user/0/containers/auth.json”
If the file is not located in this path feel free to use the following command.
$ updatedb
$ locate auth.jsonThe following pull secret is a token in json format, the password is “encoded” in base64.
Copy the file contents to to following file — IF the dir does not exist please create it.
Make sure that the login credentials are to the registry’s fqdn.
# DIR CREATION = mkdir -p ~/.docker
$ vim ~/.docker/config.jsonNow run the command — verify that you have edited it to fit your operator.
$ oc-mirror --from <mirror_tar_sequence>.tar docker://<registry_fqdn>:<port>/<operator_name> --dest-skip-tlsApplying the ICSP & CatalogueSource yaml’s:
After running the oc-mirror — — from… command located in your current dir will be created a new dir called comething along the sorts of “oc-mirror-workspace” under this dir you will then find another dir called “results”, under this dir oc-mirror will have created the following files ImageContentSourcePolicy.yaml (aka — icsp) and a CatalogueSource.yaml.
Please inspect both files before entering the oc apply -f …. command, these files will add your operator into the MarketPlace and tell the operator’s index image where are located all of it’s relevant images.
