2.4. Using odo in a restricted environment

2.4.1. About odo in a restricted environment

To run odo in a disconnected cluster or a cluster provisioned in a restricted environment, you must ensure that a cluster administrator has created a cluster with a mirrored registry.

To start working in a disconnected cluster, you must first push the odo init image to the registry of the cluster and then overwrite the odo init image path using the ODO_BOOTSTRAPPER_IMAGE environment variable.

After you push the odo init image, you must mirror a supported builder image from the registry, overwrite a mirror registry and then create your application. A builder image is necessary to configure a runtime environment for your application and also contains the build tool needed to build your application, for example npm for Node.js or Maven for Java. A mirror registry contains all the necessary dependencies for your application.

2.4.2. Pushing the odo init image to the restricted cluster registry

Depending on the configuration of your cluster and your operating system, you can push the odo init image either to a mirror registry or directly to an internal registry.

2.4.2.1. Prerequisites

  • Install oc on the client operating system.
  • Install odo on the client operating system.
  • Access to a restricted cluster with a configured internal registry or a mirror registry.

2.4.2.2. Pushing the odo init image to a mirror registry

Depending on your operating system, you can push the odo init image to a cluster with a mirror registry as follows:

2.4.2.2.1. Pushing the init image to a mirror registry on Linux

Procedure

  1. Use base64 to decode the root certification authority (CA) content of your mirror registry:

    $ echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
  2. Copy the encoded root CA certificate to the appropriate location:

    $ sudo cp ./disconnect-ca.crt /etc/pki/ca-trust/source/anchors/<mirror-registry>.crt
  3. Trust a CA in your client platform and log into the OpenShift Container Platform mirror registry:

    $ sudo update-ca-trust enable && sudo systemctl daemon-reload && sudo systemctl restart docker && docker login <mirror-registry>:5000 -u <username> -p <password>
  4. Mirror the odo init image:

    $ oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
  5. Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:

    $ export ODO_BOOTSTRAPPER_IMAGE=<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
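
Steps 1 and 2 add a certificate to the system-wide trust store, so it is worth confirming that the decoded file is the CA you expect before copying it. The following is an added example, not part of the product documentation: the function names are hypothetical, and the expected fingerprint is assumed to come from the registry administrator over a separate channel.

```shell
# Added example (not from the product docs): pin the registry CA by its
# SHA-256 fingerprint before it is copied into the system trust anchors.

# pem_sha256 <pem_file>: SHA-256 of the DER bytes of the FIRST certificate
# in the file (the value `openssl x509 -fingerprint -sha256` reports).
pem_sha256() {
  awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; next }
       /-----END CERTIFICATE-----/   { exit }
       inside' "$1" | tr -d '\r' | base64 --decode | sha256sum | cut -d' ' -f1
}

# decode_and_pin <base64_ca_blob> <expected_sha256> <output_file>
# Decodes the blob as in step 1 and keeps the result only when the
# certificate fingerprint matches. Returns 2 for malformed input and
# 1 for a fingerprint mismatch; nothing is written in either case.
decode_and_pin() {
  pin_tmp=$(mktemp) || return 2
  if ! printf '%s' "$1" | base64 --decode > "$pin_tmp" 2>/dev/null ||
     ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pin_tmp"; then
    rm -f "$pin_tmp"
    echo "input is not a base64-encoded PEM certificate" >&2
    return 2
  fi
  # Accept fingerprints with or without colons, in either letter case.
  pin_want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  pin_got=$(pem_sha256 "$pin_tmp")
  if [ "$pin_got" != "$pin_want" ]; then
    rm -f "$pin_tmp"
    echo "fingerprint mismatch: decoded certificate is $pin_got" >&2
    return 1
  fi
  mv "$pin_tmp" "$3"
}

# Usage in place of step 1, with the placeholders of the procedure:
#   decode_and_pin '<content_of_additional_ca>' '<expected_sha256>' disconnect-ca.crt &&
#     sudo cp ./disconnect-ca.crt /etc/pki/ca-trust/source/anchors/<mirror-registry>.crt
```

The same check applies to the ca.crt file that is decoded from the router secret when pushing to the internal registry directly.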

2.4.2.2.2. Pushing the init image to a mirror registry on MacOS

Procedure

  1. Use base64 to decode the root certification authority (CA) content of your mirror registry:

    $ echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
  2. Copy the encoded root CA certificate to the appropriate location:

    1. Restart Docker using the Docker UI.
    2. Run the following command:

      $ docker login <mirror-registry>:5000 -u <username> -p <password>
  3. Mirror the odo init image:

    $ oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
  4. Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:

    $ export ODO_BOOTSTRAPPER_IMAGE=<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>

2.4.2.2.3. Pushing the init image to a mirror registry on Windows

Procedure

  1. Use base64 to decode the root certification authority (CA) content of your mirror registry:

    PS C:\> echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
  2. As an administrator, copy the encoded root CA certificate to the appropriate location by executing the following command:

    PS C:\WINDOWS\system32> certutil -addstore -f "ROOT" disconnect-ca.crt
  3. Trust a CA in your client platform and log into the OpenShift Container Platform mirror registry:

    1. Restart Docker using the Docker UI.
    2. Run the following command:

      PS C:\WINDOWS\system32> docker login <mirror-registry>:5000 -u <username> -p <password>
  4. Mirror the odo init image:

    PS C:\> oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
  5. Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:

    PS C:\> $env:ODO_BOOTSTRAPPER_IMAGE="<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>"

2.4.2.3. Pushing the odo init image to an internal registry directly

If your cluster allows images to be pushed to the internal registry directly, push the odo init image to the registry as follows:

2.4.2.3.1. Pushing the init image directly on Linux

Procedure

  1. Enable the default route:

    $ oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
  2. Get a wildcard route CA:

    $ oc get secret router-certs-default -n openshift-ingress -o yaml

    Example output

    apiVersion: v1
    data:
      tls.crt: **************************
      tls.key: ##################
    kind: Secret
    metadata:
      [...]
    type: kubernetes.io/tls

  3. Use base64 to decode the root certification authority (CA) content of your mirror registry:

    $ echo <tls.crt> | base64 --decode > ca.crt
  4. Trust a CA in your client platform:

    $ sudo cp ca.crt  /etc/pki/ca-trust/source/anchors/externalroute.crt && sudo update-ca-trust enable && sudo systemctl daemon-reload && sudo systemctl restart docker
  5. Log into the internal registry:

    $ oc get route -n openshift-image-registry
    NAME            HOST/PORT         PATH   SERVICES         PORT    TERMINATION   WILDCARD
    default-route   <registry_path>          image-registry   <all>   reencrypt     None
    
    $ docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
  6. Push the odo init image:

    $ docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>
    
    $ docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
    
    $ docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
  7. Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:

    $ export ODO_BOOTSTRAPPER_IMAGE=<registry_path>/openshiftdo/odo-init-image-rhel7:1.0.1

2.4.2.3.2. Pushing the init image directly on MacOS

Procedure

  1. Enable the default route:

    $ oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
  2. Get a wildcard route CA:

    $ oc get secret router-certs-default -n openshift-ingress -o yaml

    Example output

    apiVersion: v1
    data:
      tls.crt: **************************
      tls.key: ##################
    kind: Secret
    metadata:
      [...]
    type: kubernetes.io/tls

  3. Use base64 to decode the root certification authority (CA) content of your mirror registry:

    $ echo <tls.crt> | base64 --decode > ca.crt
  4. Trust a CA in your client platform:

    $ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
  5. Log into the internal registry:

    $ oc get route -n openshift-image-registry
    NAME            HOST/PORT         PATH   SERVICES         PORT    TERMINATION   WILDCARD
    default-route   <registry_path>          image-registry   <all>   reencrypt     None
    
    $ docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
  6. Push the odo init image:

    $ docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>
    
    $ docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
    
    $ docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
  7. Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:

    $ export ODO_BOOTSTRAPPER_IMAGE=<registry_path>/openshiftdo/odo-init-image-rhel7:1.0.1

2.4.2.3.3. Pushing the init image directly on Windows

Procedure

  1. Enable the default route:

    PS C:\> oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
  2. Get a wildcard route CA:

    PS C:\> oc get secret router-certs-default -n openshift-ingress -o yaml

    Example output

    apiVersion: v1
    data:
      tls.crt: **************************
      tls.key: ##################
    kind: Secret
    metadata:
      [...]
    type: kubernetes.io/tls

  3. Use base64 to decode the root certification authority (CA) content of your mirror registry:

    PS C:\> echo <tls.crt> | base64 --decode > ca.crt
  4. As an administrator, trust a CA in your client platform by executing the following command:

    PS C:\WINDOWS\system32> certutil -addstore -f "ROOT" ca.crt
  5. Log into the internal registry:

    PS C:\> oc get route -n openshift-image-registry
    NAME            HOST/PORT         PATH   SERVICES         PORT    TERMINATION   WILDCARD
    default-route   <registry_path>          image-registry   <all>   reencrypt     None
    
    PS C:\> docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
  6. Push the odo init image:

    PS C:\> docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>
    
    PS C:\> docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
    
    PS C:\> docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
  7. Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:

    PS C:\> $env:ODO_BOOTSTRAPPER_IMAGE="<registry_path>/openshiftdo/odo-init-image-rhel7:<tag>"

2.4.3. Creating and deploying a component to the disconnected cluster

After you push the init image to a cluster with a mirrored registry, you must mirror a supported builder image for your application with the oc tool, overwrite the mirror registry using the environment variable, and then create your component.

2.4.3.1. Prerequisites

2.4.3.2. Mirroring a supported builder image

To use npm packages for Node.js dependencies and Maven packages for Java dependencies and configure a runtime environment for your application, you must mirror a respective builder image from the mirror registry.

Procedure

  1. Verify that the required image tag is not imported:

    $ oc describe is nodejs -n openshift

    Example output

    Name:                   nodejs
    Namespace:              openshift
    [...]
    
    10
      tagged from <mirror-registry>:<port>/rhoar-nodejs/nodejs-10
        prefer registry pullthrough when referencing this tag
    
      Build and run Node.js 10 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/nodeshift/centos7-s2i-nodejs.
      Tags: builder, nodejs, hidden
      Example Repo: https://github.com/sclorg/nodejs-ex.git
    
      ! error: Import failed (NotFound): dockerimage.image.openshift.io "<mirror-registry>:<port>/rhoar-nodejs/nodejs-10:latest" not found
          About an hour ago
    
    10-SCL (latest)
      tagged from <mirror-registry>:<port>/rhscl/nodejs-10-rhel7
        prefer registry pullthrough when referencing this tag
    
      Build and run Node.js 10 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/nodeshift/centos7-s2i-nodejs.
      Tags: builder, nodejs
      Example Repo: https://github.com/sclorg/nodejs-ex.git
    
      ! error: Import failed (NotFound): dockerimage.image.openshift.io "<mirror-registry>:<port>/rhscl/nodejs-10-rhel7:latest" not found
          About an hour ago
    
    [...]

  2. Mirror the supported image tag to the private registry:

    $ oc image mirror registry.access.redhat.com/rhscl/nodejs-10-rhel7:<tag> <private_registry>/rhscl/nodejs-10-rhel7:<tag>
  3. Import the image:

    $ oc tag <mirror-registry>:<port>/rhscl/nodejs-10-rhel7:<tag> nodejs-10-rhel7:latest --scheduled

    You must periodically re-import the image. The --scheduled flag enables automatic re-import of the image.

  4. Verify that the images with the given tag have been imported:

    $ oc describe is nodejs -n openshift

    Example output

    Name:                   nodejs
    [...]
    10-SCL (latest)
      tagged from <mirror-registry>:<port>/rhscl/nodejs-10-rhel7
        prefer registry pullthrough when referencing this tag
    
      Build and run Node.js 10 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/nodeshift/centos7-s2i-nodejs.
      Tags: builder, nodejs
      Example Repo: https://github.com/sclorg/nodejs-ex.git
    
      * <mirror-registry>:<port>/rhscl/nodejs-10-rhel7@sha256:d669ecbc11ac88293de50219dae8619832c6a0f5b04883b480e073590fab7c54
          3 minutes ago
    
    [...]
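
Steps 1 and 4 of this procedure rely on reading the oc describe is output by eye. The following added example, which is not part of the product documentation, turns that output into one status line per tag so that a script can refuse to continue until the builder tag resolves to a digest. The function names are hypothetical, and the sample input is constructed from the two example outputs above.

```shell
# Added example (not from the product docs). import_status reads the output
# of `oc describe is <name>` on stdin and prints one line per tag:
#   "<tag> FAILED", "<tag> IMPORTED <digest>" or "<tag> PENDING".
import_status() {
  awk '
    function emit() {
      if (tag == "") return
      if (failed)            print tag, "FAILED"
      else if (digest != "") print tag, "IMPORTED", digest
      else                   print tag, "PENDING"
    }
    # A tag header starts in column 0 and has no colon ("Name:" lines do).
    /^[^ \t]/ && !/:/ && $1 != "[...]" { emit(); tag = $1; failed = 0; digest = ""; next }
    tag != "" && $1 == "!" && /Import failed/ { failed = 1 }
    tag != "" && $1 == "*" && digest == "" && match($0, /sha256:[0-9a-f]+/) {
      digest = substr($0, RSTART, RLENGTH)
    }
    END { emit() }
  '
}

# tag_imported <tag>: succeed only if that tag was imported with a digest.
tag_imported() {
  import_status | awk -v t="$1" '$1 == t && $2 == "IMPORTED" { ok = 1 } END { exit !ok }'
}

# Constructed sample: tag 10 as in step 1, tag 10-SCL as in step 4.
sample_output() {
  cat <<'EOF'
Name:                   nodejs
Namespace:              openshift

10
  tagged from <mirror-registry>:<port>/rhoar-nodejs/nodejs-10

  ! error: Import failed (NotFound): dockerimage.image.openshift.io "<mirror-registry>:<port>/rhoar-nodejs/nodejs-10:latest" not found
      About an hour ago

10-SCL (latest)
  tagged from <mirror-registry>:<port>/rhscl/nodejs-10-rhel7

  * <mirror-registry>:<port>/rhscl/nodejs-10-rhel7@sha256:d669ecbc11ac88293de50219dae8619832c6a0f5b04883b480e073590fab7c54
      3 minutes ago
EOF
}
```

Against a cluster, pipe the real output in, for example `oc describe is nodejs -n openshift | tag_imported 10-SCL`, and record the reported digest so that a later scheduled re-import that changes it is noticed.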

2.4.3.3. Overwriting the mirror registry

To download npm packages for Node.js dependencies and Maven packages for Java dependencies from a private mirror registry, you must create and configure a mirror npm or Maven registry on the cluster. You can then overwrite the mirror registry on an existing component or when you create a new component.

Procedure

  • To overwrite the mirror registry on an existing component:

    $ odo config set --env NPM_MIRROR=<npm_mirror_registry>
  • To overwrite the mirror registry when creating a component:

    $ odo component create nodejs --env NPM_MIRROR=<npm_mirror_registry>

2.4.3.4. Creating a Node.js application with odo

To create a Node.js component, download the Node.js application and push the source code to your cluster with odo.

Procedure

  1. Change the current directory to the directory with your application:

    $ cd <directory_name>
  2. Add a component of the type Node.js to your application:

    $ odo create nodejs

    Note

    By default, the latest image is used. You can also explicitly specify an image version by using odo create openshift/nodejs:8.

  3. Push the initial source code to the component:

    $ odo push

    Your component is now deployed to OpenShift Container Platform.

  4. Create a URL and add an entry in the local configuration file as follows:

    $ odo url create --port 8080
  5. Push the changes. This creates a URL on the cluster.

    $ odo push
  6. List the URLs to check the desired URL for the component.

    $ odo url list
  7. View your deployed application using the generated URL.

    $ curl <url>