Chapter 3. Installing CodeReady Workspaces in a restricted environment
By default, Red Hat CodeReady Workspaces workspaces reference various external resources, mainly container images available in public registries.
To deploy CodeReady Workspaces in an environment where these external resources are not available (for example, on a cluster that is not exposed to the public Internet):
- Identify the image registry used by the OpenShift cluster, and ensure you can push to it.
- Push all the images needed for running CodeReady Workspaces to this registry.
- Configure CodeReady Workspaces to use the images that have been pushed to the registry.
- Proceed to the CodeReady Workspaces installation.
The procedure for installing CodeReady Workspaces in restricted environments applies to both OpenShift 3.11 and 4.x.
Notes on network connectivity in restricted environments
Restricted network environments range from a private subnet in a cloud provider to a separate network owned by a company, disconnected from the public Internet. Regardless of the network configuration, CodeReady Workspaces works provided that the Ingress and Routes that are created for CodeReady Workspaces components (codeready-workspaces-server, identity provider, devfile and plugin registries) are accessible from inside the OpenShift cluster.
Take into account the network topology of the environment to determine how best to accomplish this. For example, on a network owned by a company or an organization, the network administrators must ensure that traffic bound from the cluster can be routed to Ingress and Route hostnames. In other cases, for example, on AWS, create a proxy configuration allowing the traffic to leave the node to reach an external-facing Load Balancer.
Prerequisites
- A running OpenShift cluster. See the OpenShift Container Platform 4.2 Documentation for instructions on how to install an OpenShift cluster.
3.1. Preparing an image registry for installing CodeReady Workspaces in a restricted environment
Prerequisites
- The oc tool is installed.
- An image registry that is accessible from the OpenShift cluster. Ensure you can push to it from a location that has, at least temporarily, access to the Internet.
- The podman tool is installed.
Note: When pushing images to a registry other than the OpenShift internal registry, if the podman tool fails to work, use the docker tool instead.
The following placeholders are used in this section.
| <internal-registry> | host name and port of the container-image registry accessible in the restricted environment |
| <organization> | organization of the container-image registry |
For the OpenShift internal registry, the placeholder values are typically the following:
|
|
|
|
See OpenShift documentation for more details.
Procedure
Define the environment variable with the external endpoint of the image registry:
For the OpenShift internal registry, use:
$ REGISTRY_ENDPOINT=$(oc get route default-route --namespace openshift-image-registry \
    --template='{{ .spec.host }}')
For other registries, use the host name and port of the image registry:
$ REGISTRY_ENDPOINT=<internal-registry>
Log into the internal image registry:
$ podman login --username <user> --password <password> <internal-registry>
Note: When using the OpenShift internal registry, follow the steps described in the related OpenShift documentation to first expose the internal registry through a route, and then log in to it.
Download, tag, and push the necessary images. Repeat the step for every image in the following lists:
$ podman pull <image_name>:<image_tag>
$ podman tag <image_name>:<image_tag> ${REGISTRY_ENDPOINT}/<organization>/<image_name>:<image_tag>
$ podman push ${REGISTRY_ENDPOINT}/<organization>/<image_name>:<image_tag>
Essential images
The following infrastructure images are included in every workspace launch:
- registry.redhat.io/codeready-workspaces/server-operator-rhel8:2.0
- registry.redhat.io/codeready-workspaces/server-rhel8:2.0
- registry.redhat.io/codeready-workspaces/pluginregistry-rhel8:2.0
- registry.redhat.io/codeready-workspaces/devfileregistry-rhel8:2.0
- registry.redhat.io/codeready-workspaces/pluginbroker-rhel8:2.0
- registry.redhat.io/codeready-workspaces/pluginbrokerinit-rhel8:2.0
- registry.redhat.io/codeready-workspaces/jwtproxy-rhel8:2.0
- registry.redhat.io/codeready-workspaces/machineexec-rhel8:2.0
- registry.redhat.io/codeready-workspaces/theia-rhel8:2.0
- registry.redhat.io/codeready-workspaces/theia-endpoint-rhel8:2.0
- registry.redhat.io/rhscl/postgresql-96-rhel7:1-47
- registry.redhat.io/redhat-sso-7/sso73-openshift:1.0-15
- registry.redhat.io/ubi8-minimal:8.0-213
Workspace-specific images
These are images that are required for running a workspace. A workspace generally uses only a subset of the images below. It is only necessary to include the images related to required technology stacks.
- registry.redhat.io/codeready-workspaces/stacks-cpp-rhel8:2.0
- registry.redhat.io/codeready-workspaces/stacks-dotnet-rhel8:2.0
- registry.redhat.io/codeready-workspaces/stacks-golang-rhel8:2.0
- registry.redhat.io/codeready-workspaces/stacks-java-rhel8:2.0
- registry.redhat.io/codeready-workspaces/stacks-node-rhel8:2.0
- registry.redhat.io/codeready-workspaces/stacks-php-rhel8:2.0
- registry.redhat.io/codeready-workspaces/stacks-python-rhel8:2.0
- registry.redhat.io/codeready-workspaces/plugin-openshift-rhel8:2.0
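The pull, tag and push step, repeated over the essential images, as an added example that is not part of the Red Hat procedure. The names target_ref, mirror_all, ORGANIZATION, DRY_RUN and the run argument are assumptions of this example, as is keeping only the last path component of each image name (taken from the <internal-registry>/<organization>/pluginregistry-rhel8:<ver> form used in Section 3.2.2).

```shell
# Added example. Assumes REGISTRY_ENDPOINT and ORGANIZATION are set and that
# `podman login` (ideally with --password-stdin) has already succeeded.

# Essential images from the list above; append the stack images you need.
IMAGES="
registry.redhat.io/codeready-workspaces/server-operator-rhel8:2.0
registry.redhat.io/codeready-workspaces/server-rhel8:2.0
registry.redhat.io/codeready-workspaces/pluginregistry-rhel8:2.0
registry.redhat.io/codeready-workspaces/devfileregistry-rhel8:2.0
registry.redhat.io/codeready-workspaces/pluginbroker-rhel8:2.0
registry.redhat.io/codeready-workspaces/pluginbrokerinit-rhel8:2.0
registry.redhat.io/codeready-workspaces/jwtproxy-rhel8:2.0
registry.redhat.io/codeready-workspaces/machineexec-rhel8:2.0
registry.redhat.io/codeready-workspaces/theia-rhel8:2.0
registry.redhat.io/codeready-workspaces/theia-endpoint-rhel8:2.0
registry.redhat.io/rhscl/postgresql-96-rhel7:1-47
registry.redhat.io/redhat-sso-7/sso73-openshift:1.0-15
registry.redhat.io/ubi8-minimal:8.0-213
"

# target_ref SRC: print the mirrored reference for one source image.
# Only the last path component is kept (assumed mapping, see lead-in).
target_ref() {
  : "${REGISTRY_ENDPOINT:?not set}" "${ORGANIZATION:?not set}"
  case $1 in
    *@*) echo "digest reference not handled: $1" >&2; return 1 ;;
  esac
  name_tag=${1##*/}   # drops registry host, optional :port, and namespace
  case $name_tag in
    *:*) ;;
    *) echo "refusing untagged image (implicit latest): $1" >&2; return 1 ;;
  esac
  printf '%s/%s/%s\n' "$REGISTRY_ENDPOINT" "$ORGANIZATION" "$name_tag"
}

# mirror_all: process every image, keep going on errors, fail if any failed.
mirror_all() {
  failed=0
  for src in $IMAGES; do
    dst=$(target_ref "$src") || { failed=1; continue; }
    if [ "${DRY_RUN:-1}" = 1 ]; then   # default: print, do not execute
      echo "podman pull $src && podman tag $src $dst && podman push $dst"
    elif ! { podman pull "$src" && podman tag "$src" "$dst" && podman push "$dst"; }; then
      echo "FAILED: $src" >&2; failed=1
    fi
  done
  return "$failed"
}

if [ "${1:-}" = run ]; then mirror_all; fi
```

Run the script with the run argument to print the commands for review, then again with DRY_RUN=0 to execute them.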
3.2. Preparing CodeReady Workspaces Custom Resource for restricted environment
When installing CodeReady Workspaces in a restricted environment using crwctl or OperatorHub, provide a CodeReady WorkspacesCluster custom resource with additional information.
3.2.1. Downloading the default CodeReady WorkspacesCluster Custom Resource
Procedure
- Download the default custom resource YAML file.
- Name the downloaded custom resource org_v1_che_cr.yaml. Keep it for further modification and usage.
3.2.2. Customizing the CodeReady WorkspacesCluster Custom Resource for restricted environment
Prerequisites
- All required images available in an image registry that is visible to the OpenShift cluster where CodeReady Workspaces is to be deployed. This is described in Section 3.1, “Preparing an image registry for installing CodeReady Workspaces in a restricted environment”, where the placeholders used in the following examples are also defined.
Procedure
- In the CodeReady WorkspacesCluster Custom Resource, which is managed by the CodeReady Workspaces Operator, add the fields used to facilitate deploying an instance of CodeReady Workspaces in a restricted environment:
  # [...]
  spec:
    server:
      airGapContainerRegistryHostname: '<internal-registry>'
      airGapContainerRegistryOrganization: '<organization>'
  # [...]
  Setting these fields in the Custom Resource uses <internal-registry> and <organization> for all images. This means, for example, that the Operator expects the offline plug-in and devfile registries to be available at:
  <internal-registry>/<organization>/pluginregistry-rhel8:<ver>
  <internal-registry>/<organization>/devfileregistry-rhel8:<ver>
  For example, to use the OpenShift 4 internal registry as the image registry, define the following fields in the CodeReady WorkspacesCluster Custom Resource:
  # [...]
  spec:
    server:
      airGapContainerRegistryHostname: 'image-registry.openshift-image-registry.svc:5000'
      airGapContainerRegistryOrganization: 'openshift'
  # [...]
- In the downloaded CodeReady WorkspacesCluster Custom Resource, add the two fields described above with the proper values according to the container-image registry with all the mirrored container images.
3.3. Starting CodeReady Workspaces installation in a restricted environment using CodeReady Workspaces CLI management tool
This section describes how to start the CodeReady Workspaces installation in a restricted environment using the CodeReady Workspaces CLI management tool.
Prerequisites
- CodeReady Workspaces CLI management tool is installed.
- The oc tool is installed.
- Access to an OpenShift instance.
Procedure
Log in to OpenShift Container Platform:
$ oc login ${OPENSHIFT_API_URL} --username ${OPENSHIFT_USERNAME} \
    --password ${OPENSHIFT_PASSWORD}
Install CodeReady Workspaces with the customized Custom Resource to add fields related to restricted environment:
$ crwctl server:start \
    --che-operator-image=<image-registry>/<organization>/server-operator-rhel8:2.0 \
    --che-operator-cr-yaml=org_v1_che_cr.yaml
3.4. Starting CodeReady Workspaces installation in a restricted environment using OperatorHub
Installing CodeReady Workspaces from OperatorHub in a restricted environment is not supported.