Search

Chapter 12. Converting a connected cluster to a disconnected cluster

download PDF

There might be some scenarios where you need to convert your OpenShift Container Platform cluster from a connected cluster to a disconnected cluster.

A disconnected cluster, also known as a restricted cluster, does not have an active connection to the internet. As such, you must mirror the contents of your registries and installation media. You can create this mirror registry on a host that can access both the internet and your closed network, or copy images to a device that you can move across network boundaries.

This topic describes the general process for converting an existing, connected cluster into a disconnected cluster.

12.1. About the mirror registry

You can mirror the images that are required for OpenShift Container Platform installation and subsequent product updates to a container mirror registry such as Red Hat Quay, JFrog Artifactory, Sonatype Nexus Repository, or Harbor. If you do not have access to a large-scale container registry, you can use the mirror registry for Red Hat OpenShift, a small-scale container registry included with OpenShift Container Platform subscriptions.

You can use any container registry that supports Docker v2-2, such as Red Hat Quay, the mirror registry for Red Hat OpenShift, Artifactory, Sonatype Nexus Repository, or Harbor. Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image registry is the same. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.

Important

The OpenShift image registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.

If choosing a container registry that is not the mirror registry for Red Hat OpenShift, it must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OpenShift Container Platform clusters.

When you populate your mirror registry with OpenShift Container Platform images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.

For mirrored registries, to view the source of pulled images, you must review the Trying to access log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.

Note

Red Hat does not test third party registries with OpenShift Container Platform.

12.2. Prerequisites

12.3. Preparing the cluster for mirroring

Before disconnecting your cluster, you must mirror, or copy, the images to a mirror registry that is reachable by every node in your disconnected cluster. In order to mirror the images, you must prepare your cluster by:

  • Adding the mirror registry certificates to the list of trusted CAs on your host.
  • Creating a .dockerconfigjson file that contains your image pull secret, which is from the cloud.openshift.com token.

Procedure

  1. Configuring credentials that allow image mirroring:

    1. Add the CA certificate for the mirror registry, in the simple PEM or DER file formats, to the list of trusted CAs. For example:

      $ cp </path/to/cert.crt> /usr/share/pki/ca-trust-source/anchors/
      where, </path/to/cert.crt>
      Specifies the path to the certificate on your local file system.
    2. Update the CA trust. For example, in Linux:

      $ update-ca-trust
    3. Extract the .dockerconfigjson file from the global pull secret:

      $ oc extract secret/pull-secret -n openshift-config --confirm --to=.

      Example output

      .dockerconfigjson

    4. Edit the .dockerconfigjson file to add your mirror registry and authentication credentials and save it as a new file:

      {"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}},"<registry>:<port>/<namespace>/":{"auth":"<token>"}}}

      where:

      <local_registry>
      Specifies the registry domain name, and optionally the port, that your mirror registry uses to serve content.
      auth
      Specifies the base64-encoded user name and password for your mirror registry.
      <registry>:<port>/<namespace>
      Specifies the mirror registry details.
      <token>

      Specifies the base64-encoded username:password for your mirror registry.

      For example:

      $ {"auths":{"cloud.openshift.com":{"auth":"b3BlbnNoaWZ0Y3UjhGOVZPT0lOMEFaUjdPUzRGTA==","email":"user@example.com"},
      "quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGOVZPT0lOMEFaUGSTd4VGVGVUjdPUzRGTA==","email":"user@example.com"},
      "registry.connect.redhat.com"{"auth":"NTE3MTMwNDB8dWhjLTFEZlN3VHkxOSTd4VGVGVU1MdTpleUpoYkdjaUailA==","email":"user@example.com"},
      "registry.redhat.io":{"auth":"NTE3MTMwNDB8dWhjLTFEZlN3VH3BGSTd4VGVGVU1MdTpleUpoYkdjaU9fZw==","email":"user@example.com"},
      "registry.svc.ci.openshift.org":{"auth":"dXNlcjpyWjAwWVFjSEJiT2RKVW1pSmg4dW92dGp1SXRxQ3RGN1pwajJhN1ZXeTRV"},"my-registry:5000/my-namespace/":{"auth":"dXNlcm5hbWU6cGFzc3dvcmQ="}}}

12.4. Mirroring the images

After the cluster is properly configured, you can mirror the images from your external repositories to the mirror repository.

Procedure

  1. Mirror the Operator Lifecycle Manager (OLM) images:

    $ oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v{product-version} <mirror_registry>:<port>/olm -a <reg_creds>

    where:

    product-version
    Specifies the tag that corresponds to the version of OpenShift Container Platform to install, such as 4.8.
    mirror_registry
    Specifies the fully qualified domain name (FQDN) for the target registry and namespace to mirror the Operator content to, where <namespace> is any existing namespace on the registry.
    reg_creds
    Specifies the location of your modified .dockerconfigjson file.

    For example:

    $ oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v4.8 mirror.registry.com:443/olm -a ./.dockerconfigjson  --index-filter-by-os='.*'
  2. Mirror the content for any other Red Hat-provided Operator:

    $ oc adm catalog mirror <index_image> <mirror_registry>:<port>/<namespace> -a <reg_creds>

    where:

    index_image
    Specifies the index image for the catalog that you want to mirror.
    mirror_registry
    Specifies the FQDN for the target registry and namespace to mirror the Operator content to, where <namespace> is any existing namespace on the registry.
    reg_creds
    Optional: Specifies the location of your registry credentials file, if required.

    For example:

    $ oc adm catalog mirror registry.redhat.io/redhat/community-operator-index:v4.8 mirror.registry.com:443/olm -a ./.dockerconfigjson  --index-filter-by-os='.*'
  3. Mirror the OpenShift Container Platform image repository:

    $ oc adm release mirror -a .dockerconfigjson --from=quay.io/openshift-release-dev/ocp-release:v<product-version>-<architecture> --to=<local_registry>/<local_repository> --to-release-image=<local_registry>/<local_repository>:v<product-version>-<architecture>

    where:

    product-version
    Specifies the tag that corresponds to the version of OpenShift Container Platform to install, such as 4.8.15-x86_64.
    architecture
    Specifies the type of architecture for your server, such as x86_64.
    local_registry
    Specifies the registry domain name for your mirror repository.
    local_repository
    Specifies the name of the repository to create in your registry, such as ocp4/openshift4.

    For example:

    $ oc adm release mirror -a .dockerconfigjson --from=quay.io/openshift-release-dev/ocp-release:4.8.15-x86_64 --to=mirror.registry.com:443/ocp/release --to-release-image=mirror.registry.com:443/ocp/release:4.8.15-x86_64

    Example output

    info: Mirroring 109 images to mirror.registry.com/ocp/release ...
    mirror.registry.com:443/
      ocp/release
    	manifests:
      	sha256:086224cadce475029065a0efc5244923f43fb9bb3bb47637e0aaf1f32b9cad47 -> 4.8.15-x86_64-thanos
      	sha256:0a214f12737cb1cfbec473cc301aa2c289d4837224c9603e99d1e90fc00328db -> 4.8.15-x86_64-kuryr-controller
      	sha256:0cf5fd36ac4b95f9de506623b902118a90ff17a07b663aad5d57c425ca44038c -> 4.8.15-x86_64-pod
      	sha256:0d1c356c26d6e5945a488ab2b050b75a8b838fc948a75c0fa13a9084974680cb -> 4.8.15-x86_64-kube-client-agent
    
    …..
    sha256:66e37d2532607e6c91eedf23b9600b4db904ce68e92b43c43d5b417ca6c8e63c mirror.registry.com:443/ocp/release:4.5.41-multus-admission-controller
    sha256:d36efdbf8d5b2cbc4dcdbd64297107d88a31ef6b0ec4a39695915c10db4973f1 mirror.registry.com:443/ocp/release:4.5.41-cluster-kube-scheduler-operator
    sha256:bd1baa5c8239b23ecdf76819ddb63cd1cd6091119fecdbf1a0db1fb3760321a2 mirror.registry.com:443/ocp/release:4.5.41-aws-machine-controllers
    info: Mirroring completed in 2.02s (0B/s)
    
    Success
    Update image:  mirror.registry.com:443/ocp/release:4.5.41-x86_64
    Mirror prefix: mirror.registry.com:443/ocp/release

  4. Mirror any other registries, as needed:

    $ oc image mirror <online_registry>/my/image:latest <mirror_registry>

Additional information

12.5. Configuring the cluster for the mirror registry

After creating and mirroring the images to the mirror registry, you must modify your cluster so that pods can pull images from the mirror registry.

You must:

  • Add the mirror registry credentials to the global pull secret.
  • Add the mirror registry server certificate to the cluster.
  • Create an ImageContentSourcePolicy custom resource (ICSP), which associates the mirror registry with the source registry.

    1. Add mirror registry credential to the cluster global pull-secret:

      $ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location> 1
      1
      Provide the path to the new pull secret file.

      For example:

      $ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=.mirrorsecretconfigjson
    2. Add the CA-signed mirror registry server certificate to the nodes in the cluster:

      1. Create a config map that includes the server certificate for the mirror registry

        $ oc create configmap <config_map_name> --from-file=<mirror_address_host>..<port>=$path/ca.crt -n openshift-config

        For example:

        S oc create configmap registry-config --from-file=mirror.registry.com..443=/root/certs/ca-chain.cert.pem -n openshift-config
      2. Use the config map to update the image.config.openshift.io/cluster custom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster:

        $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"<config_map_name>"}}}' --type=merge

        For example:

        $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
    3. Create an ICSP to redirect container pull requests from the online registries to the mirror registry:

      1. Create the ImageContentSourcePolicy custom resource:

        apiVersion: operator.openshift.io/v1alpha1
        kind: ImageContentSourcePolicy
        metadata:
          name: mirror-ocp
        spec:
          repositoryDigestMirrors:
          - mirrors:
            - mirror.registry.com:443/ocp/release 1
            source: quay.io/openshift-release-dev/ocp-release 2
          - mirrors:
            - mirror.registry.com:443/ocp/release
            source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
        1
        Specifies the name of the mirror image registry and repository.
        2
        Specifies the online registry and repository containing the content that is mirrored.
      2. Create the ICSP object:

        $ oc create -f registryrepomirror.yaml

        Example output

        imagecontentsourcepolicy.operator.openshift.io/mirror-ocp created

        OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.

    4. Verify that the credentials, CA, and ICSP for mirror registry were added:

      1. Log into a node:

        $ oc debug node/<node_name>
      2. Set /host as the root directory within the debug shell:

        sh-4.4# chroot /host
      3. Check the config.json file for the credentials:

        sh-4.4# cat /var/lib/kubelet/config.json

        Example output

        {"auths":{"brew.registry.redhat.io":{"xx=="},"brewregistry.stage.redhat.io":{"auth":"xxx=="},"mirror.registry.com:443":{"auth":"xx="}}} 1

        1
        Ensure that the mirror registry and credentials are present.
      4. Change to the certs.d directory

        sh-4.4# cd /etc/docker/certs.d/
      5. List the certificates in the certs.d directory:

        sh-4.4# ls

        Example output

        image-registry.openshift-image-registry.svc.cluster.local:5000
        image-registry.openshift-image-registry.svc:5000
        mirror.registry.com:443 1

        1
        Ensure that the mirror registry is in the list.
      6. Check that the ICSP added the mirror registry to the registries.conf file:

        sh-4.4# cat /etc/containers/registries.conf

        Example output

        unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]
        
        [[registry]]
          prefix = ""
          location = "quay.io/openshift-release-dev/ocp-release"
          mirror-by-digest-only = true
        
          [[registry.mirror]]
            location = "mirror.registry.com:443/ocp/release"
        
        [[registry]]
          prefix = ""
          location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev"
          mirror-by-digest-only = true
        
          [[registry.mirror]]
            location = "mirror.registry.com:443/ocp/release"

        The registry.mirror parameters indicate that the mirror registry is searched before the original registry.

      7. Exit the node.

        sh-4.4# exit

12.6. Ensure applications continue to work

Before disconnecting the cluster from the network, ensure that your cluster is working as expected and all of your applications are working as expected.

Procedure

Use the following commands to check the status of your cluster:

  • Ensure your pods are running:

    $ oc get pods --all-namespaces

    Example output

    NAMESPACE                                          NAME                                                          READY   STATUS      RESTARTS   AGE
    kube-system                                        apiserver-watcher-ci-ln-47ltxtb-f76d1-mrffg-master-0          1/1     Running     0          39m
    kube-system                                        apiserver-watcher-ci-ln-47ltxtb-f76d1-mrffg-master-1          1/1     Running     0          39m
    kube-system                                        apiserver-watcher-ci-ln-47ltxtb-f76d1-mrffg-master-2          1/1     Running     0          39m
    openshift-apiserver-operator                       openshift-apiserver-operator-79c7c646fd-5rvr5                 1/1     Running     3          45m
    openshift-apiserver                                apiserver-b944c4645-q694g                                     2/2     Running     0          29m
    openshift-apiserver                                apiserver-b944c4645-shdxb                                     2/2     Running     0          31m
    openshift-apiserver                                apiserver-b944c4645-x7rf2                                     2/2     Running     0          33m
     ...

  • Ensure your nodes are in the READY status:

    $ oc get nodes

    Example output

    NAME                                       STATUS   ROLES    AGE   VERSION
    ci-ln-47ltxtb-f76d1-mrffg-master-0         Ready    master   42m   v1.24.0
    ci-ln-47ltxtb-f76d1-mrffg-master-1         Ready    master   42m   v1.24.0
    ci-ln-47ltxtb-f76d1-mrffg-master-2         Ready    master   42m   v1.24.0
    ci-ln-47ltxtb-f76d1-mrffg-worker-a-gsxbz   Ready    worker   35m   v1.24.0
    ci-ln-47ltxtb-f76d1-mrffg-worker-b-5qqdx   Ready    worker   35m   v1.24.0
    ci-ln-47ltxtb-f76d1-mrffg-worker-c-rjkpq   Ready    worker   34m   v1.24.0

12.7. Disconnect the cluster from the network

After mirroring all the required repositories and configuring your cluster to work as a disconnected cluster, you can disconnect the cluster from the network.

Note

The Insights Operator is degraded when the cluster loses its Internet connection. You can avoid this problem by temporarily disabling the Insights Operator until you can restore it.

12.8. Restoring a degraded Insights Operator

Disconnecting the cluster from the network necessarily causes the cluster to lose the Internet connection. The Insights Operator becomes degraded because it requires access to Red Hat Insights.

This topic describes how to recover from a degraded Insights Operator.

Procedure

  1. Edit your .dockerconfigjson file to remove the cloud.openshift.com entry, for example:

    "cloud.openshift.com":{"auth":"<hash>","email":"user@example.com"}
  2. Save the file.
  3. Update the cluster secret with the edited .dockerconfigjson file:

    $ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=./.dockerconfigjson
  4. Verify that the Insights Operator is no longer degraded:

    $ oc get co insights

    Example output

    NAME       VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
    insights   4.5.41    True        False         False      3d

12.9. Restoring the network

If you want to reconnect a disconnected cluster and pull images from online registries, delete the cluster’s ImageContentSourcePolicy (ICSP) objects. Without the ICSP, pull requests to external registries are no longer redirected to the mirror registry.

Procedure

  1. View the ICSP objects in your cluster:

    $ oc get imagecontentsourcepolicy

    Example output

    NAME                 AGE
    mirror-ocp           6d20h
    ocp4-index-0         6d18h
    qe45-index-0         6d15h

  2. Delete all the ICSP objects you created when disconnecting your cluster:

    $ oc delete imagecontentsourcepolicy <icsp_name> <icsp_name> <icsp_name>

    For example:

    $ oc delete imagecontentsourcepolicy mirror-ocp ocp4-index-0 qe45-index-0

    Example output

    imagecontentsourcepolicy.operator.openshift.io "mirror-ocp" deleted
    imagecontentsourcepolicy.operator.openshift.io "ocp4-index-0" deleted
    imagecontentsourcepolicy.operator.openshift.io "qe45-index-0" deleted

  3. Wait for all the nodes to restart and return to the READY status and verify that the registries.conf file is pointing to the original registries and not the mirror registries:

    1. Log into a node:

      $ oc debug node/<node_name>
    2. Set /host as the root directory within the debug shell:

      sh-4.4# chroot /host
    3. Examine the registries.conf file:

      sh-4.4# cat /etc/containers/registries.conf

      Example output

      unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] 1

      1
      The registry and registry.mirror entries created by the ICSPs you deleted are removed.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.