chore: Improve the airgap env preparation script [RHIDP-1442][RHIDP-4415] #705
Conversation
/cc @zdrapela
Otherwise tools like 'skopeo login' will attempt to write to /run, which might be restricted in CI environments. This also ensures that the credentials don't conflict with any existing creds for the same registry. Co-authored-by: Zbynek Drapela <[email protected]>
This reverts commit c02beca.
This reverts commit c6dc186.
Otherwise tools like 'skopeo login' will attempt to write to /run, which might be restricted in CI environments. Since the user is required to be logged into the index image registry (and the target mirror registry eventually), it also makes sure this auth information is not lost when switching to a temporary auth file.
Otherwise, as depicted in [1], this might cause some 403 errors to be returned to Skopeo. This fixes the behavior seen on the QE airgap bastion host. [1] https://access.redhat.com/solutions/6022011
oc-mirror v1 always loads the docker creds first [1]. But we want to use our own credentials file, which is not possible until oc-mirror v2 (currently tech preview). [1] https://github.com/openshift/oc-mirror/blob/main/pkg/image/credentials.go
By specifying `--filter-versions '*'`
This adds a new option: --oc-mirror-path Might be useful when troubleshooting issues.
…or --to-dir are specified
Because of targetCatalog in the ImageSet, the catalog image needs to exist in the target registry
…install-script-improvements
…the integrated OCP registry
The script has been tested successfully on our airgapped OCP environment (via a bastion host):
Creating a CR also works by pulling the images from the internal OCP registry:
```
[azureuser@bastion4 zdrapela]$ oc get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
backstage-developer-hub-7f7c58cdc5-h8d2b 0/1 Running 0 3m17s 10.131.1.78 aro-disconnected-4-j8mbr-worker-eastus1-lbj56 <none> <none>
backstage-psql-developer-hub-0 1/1 Running 0 3m16s 10.130.2.111 aro-disconnected-4-j8mbr-worker-eastus3-2btbl <none> <none>
rhdh-operator-5f997f959-wzw6g 1/1 Running 0 8m21s 10.130.2.110 aro-disconnected-4-j8mbr-worker-eastus3-2btbl <none> <none>
[azureuser@bastion4 zdrapela]$ oc get pod backstage-psql-developer-hub-0 -o=jsonpath='{.spec.containers[*].name}{" => "}{.spec.containers[*].image}{"\n"}{.spec.initContainers[*].name}{" => "}{.spec.initContainers[*].image}{"\n"}'
postgresql => image-registry.openshift-image-registry.svc:5000/rhel9/postgresql-15:44a08b83a6c50714b52f4cf1c3476bc16b66faec21dd9a9bc07d1be5f97b8150
[azureuser@bastion4 zdrapela]$ oc get pod backstage-developer-hub-7f7c58cdc5-h8d2b -o=jsonpath='{.spec.containers[*].name}{" => "}{.spec.containers[*].image}{"\n"}{.spec.initContainers[*].name}{" => "}{.spec.initContainers[*].image}{"\n"}'
backstage-backend => image-registry.openshift-image-registry.svc:5000/rhdh/rhdh-hub-rhel9:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572
install-dynamic-plugins => image-registry.openshift-image-registry.svc:5000/rhdh/rhdh-hub-rhel9:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572
```
And I also tested it successfully on both vanilla K8s and ROSA clusters.
Merging it, to unblock #751
…415] (redhat-developer#705)
* wip
* Allow to mirror extra-images
* Create IDMS on OCP and various fixes
* Fix issue when pushing to the internal OCP registry. Image names should follow this format: <project>/<name>
* Update prepare-restricted-environment.sh script instead (in a backward compatible manner)
* Default to installing the operator
* Improve usage docs
* Automatically detect and use the internal OCP registry unless --to-registry is set
* Make sure the operand images can be pulled when using the internal OCP registry. It works by adding the pull secrets to the namespace default service account. So it will only work when creating the CR in the operator namespace. Otherwise, we are displaying the instructions for different namespaces
* Allow to use `oc-mirror` as tool for mirroring. This is useful if users want to explicitly use `oc-mirror` as their tool of choice and they know they are already on OCP. TBD: this currently does not work with the internal OCP registry when autodetected by the script
* Fix an unbound variable issue
* Fix unbound variable issue
* Update docs
* Use a temporary registry auth file for `skopeo` and `podman`. Otherwise tools like 'skopeo login' will attempt to write to /run, which might be restricted in CI environments. This also ensures that the credentials don't conflict with any existing creds for the same registry. Co-authored-by: Zbynek Drapela <[email protected]>
* Revert "Use a temporary registry auth file for `skopeo` and `podman`". This reverts commit c02beca.
* Reapply "Use a temporary registry auth file for `skopeo` and `podman`". This reverts commit c6dc186.
* Use a temporary registry auth file for `skopeo` and `podman`. Otherwise tools like 'skopeo login' will attempt to write to /run, which might be restricted in CI environments. Since the user is required to be logged into the index image registry (and the target mirror registry eventually), it also makes sure this auth information is not lost when switching to a temporary auth file.
* Disable redirects on the integrated OCP image registry. Otherwise, as depicted in [1], this might cause some 403 errors to be returned to Skopeo. This fixes the behavior seen on the QE airgap bastion host. [1] https://access.redhat.com/solutions/6022011
* Fix registry auth creds loading. oc-mirror v1 always loads the docker creds first [1]. But we want to use our own credentials file, which is not possible until oc-mirror v2 (currently tech preview). [1] https://github.com/openshift/oc-mirror/blob/main/pkg/image/credentials.go
* Allow to filter all versions from the catalog by specifying `--filter-versions '*'`
* Allow to override the path to the oc-mirror binary. This adds a new option: --oc-mirror-path. Might be useful when troubleshooting issues.
* Provide hint to log into the OCP cluster when neither --to-registry nor --to-dir are specified
* Fix issues with oc-mirror. Because of targetCatalog in the ImageSet, the catalog image needs to exist in the target registry
* Fix unbound variable issue
* Append the default pull secrets in the catalog source manifest generated by oc-mirror
* Remove note about oc-mirror limitation
* Update docs
* [oc-mirror] Fix target catalog image path in the registry when using the integrated OCP registry
* Fix issues when mirroring with oc-mirror
---------
Co-authored-by: Zbynek Drapela <[email protected]>
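The temporary registry auth file approach from the "Use a temporary registry auth file for `skopeo` and `podman`" commits, as an added example that is not part of this PR's script: it copies any existing auth.json into a private 0700 directory as a 0600 file (so existing logins to the index image and mirror registries are kept), and the caller points REGISTRY_AUTH_FILE at it so 'skopeo login' never writes under /run; the default auth path and the registry.example.test entry are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own script: give skopeo/podman a private,
# temporary auth file seeded from the caller's existing registry logins, so
# 'skopeo login' never writes under /run and existing creds are not clobbered.
set -eu

# Default podman/skopeo credentials location (assumption: XDG runtime layout).
default_auth_file() {
  printf '%s\n' "${REGISTRY_AUTH_FILE:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/containers/auth.json}"
}

# Copy an existing auth file (if any) into a fresh 0700 temp dir as a 0600
# file and print its path; the caller then exports REGISTRY_AUTH_FILE to it.
make_temp_auth_file() {
  seed="${1:-$(default_auth_file)}"
  dir="$(mktemp -d)"
  chmod 700 "$dir"
  file="$dir/auth.json"
  if [ -f "$seed" ]; then
    cp "$seed" "$file"                 # keep index-image / mirror registry logins
  else
    printf '{"auths":{}}\n' > "$file"  # start empty rather than failing
  fi
  chmod 600 "$file"
  printf '%s\n' "$file"
}

# Exit 0 when the auth file already holds an entry for the given registry host.
auth_file_has_registry() {
  grep -qF "\"$2\"" "$1"
}

# Delete the temp file and its directory; meant to be called from an EXIT trap.
cleanup_temp_auth_file() {
  rm -rf "$(dirname "$1")"
}

if [ "${1:-}" = "--demo" ]; then
  # Constructed sample: a pre-existing login for a (fictional) index registry.
  seed="$(mktemp)"
  printf '{"auths":{"registry.example.test":{"auth":"dXNlcjpwYXNz"}}}\n' > "$seed"
  tmp="$(make_temp_auth_file "$seed")"
  trap 'cleanup_temp_auth_file "$tmp"; rm -f "$seed"' EXIT
  export REGISTRY_AUTH_FILE="$tmp"
  auth_file_has_registry "$REGISTRY_AUTH_FILE" registry.example.test \
    && echo "seeded: $REGISTRY_AUTH_FILE"
fi
```

Run it with `--demo` to see the seeded path; the EXIT trap removes the temporary directory so the copied credentials do not outlive the script.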
Description
This improves the airgap env preparation script so that:
It also has the option to leverage the oc-mirror tool since this is the recommended way to mirror on OCP.

Which issue(s) does this PR fix or relate to
PR acceptance criteria
How to test changes / Special notes to the reviewer
Follow the procedure in https://github.com/rm3l/redhat-developer-hub-operator/blob/RHIDP-4415--airgap-install-script-improvements/.rhdh/docs/airgap.adoc
Note that this introduces new options to the script, but for backward compatibility, the previous ones are preserved (but deprecated) as much as possible (except --helper_mirror_registry_storage, --use_existing_mirror_registry, --prod_operator_package_name, and prod_operator_bundle_name, which no longer make sense here).

Usage