2.4. Using odo in a restricted environment
2.4.1. About odo in a restricted environment
To run odo in a disconnected cluster or a cluster provisioned in a restricted environment, you must ensure that a cluster administrator has created a cluster with a mirrored registry.
To start working in a disconnected cluster, you must first push the odo init image to the registry of the cluster and then overwrite the odo init image path using the ODO_BOOTSTRAPPER_IMAGE environment variable.
After you push the odo init image, you must mirror a supported builder image from the registry, overwrite a mirror registry and then create your application. A builder image is necessary to configure a runtime environment for your application and also contains the build tool needed to build your application, for example npm for Node.js or Maven for Java. A mirror registry contains all the necessary dependencies for your application.
Depending on the configuration of your cluster and your operating system, you can either push the odo init image to a mirror registry or directly to an internal registry.
2.4.2.1. Prerequisites
- Install oc on the client operating system.
- Install odo on the client operating system.
- Access to a restricted cluster with a configured internal registry or a mirror registry.
2.4.2.2. Pushing the odo init image to a mirror registry
Depending on your operating system, you can push the odo init image to a cluster with a mirror registry as follows:
Procedure
Use base64 to decode the root certification authority (CA) content of your mirror registry:
    $ echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
Copy the decoded root CA certificate to the appropriate location:
    $ sudo cp ./disconnect-ca.crt /etc/pki/ca-trust/source/anchors/<mirror-registry>.crt
Trust a CA in your client platform and log into the OpenShift Container Platform mirror registry:
    $ sudo update-ca-trust enable && sudo systemctl daemon-reload && sudo systemctl restart docker && docker login <mirror-registry>:5000 -u <username> -p <password>
Mirror the odo init image:
    $ oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:
    $ export ODO_BOOTSTRAPPER_IMAGE=<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Procedure
Use base64 to decode the root certification authority (CA) content of your mirror registry:
    $ echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
Copy the decoded root CA certificate to the appropriate location:
- Restart Docker using the Docker UI.
- Run the following command:
    $ docker login <mirror-registry>:5000 -u <username> -p <password>
Mirror the odo init image:
    $ oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:
    $ export ODO_BOOTSTRAPPER_IMAGE=<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Procedure
Use base64 to decode the root certification authority (CA) content of your mirror registry:
    PS C:\> echo <content_of_additional_ca> | base64 --decode > disconnect-ca.crt
As an administrator, copy the decoded root CA certificate to the appropriate location by executing the following command:
    PS C:\WINDOWS\system32> certutil -addstore -f "ROOT" disconnect-ca.crt
Trust a CA in your client platform and log into the OpenShift Container Platform mirror registry:
- Restart Docker using the Docker UI.
- Run the following command:
    PS C:\WINDOWS\system32> docker login <mirror-registry>:5000 -u <username> -p <password>
Mirror the odo init image:
    PS C:\> oc image mirror registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>
Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:
    PS C:\> $env:ODO_BOOTSTRAPPER_IMAGE="<mirror-registry>:5000/openshiftdo/odo-init-image-rhel7:<tag>"
If your cluster allows images to be pushed to the internal registry directly, push the odo init image to the registry as follows:
2.4.2.3.1. Pushing the init image directly on Linux
Procedure
Enable the default route:
    $ oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
Get a wildcard route CA:
    $ oc get secret router-certs-default -n openshift-ingress -o yaml
Example output
    apiVersion: v1
    data:
      tls.crt: **************************
      tls.key: ##################
    kind: Secret
    metadata:
      [...]
    type: kubernetes.io/tls
Use base64 to decode the root certification authority (CA) content of your mirror registry:
    $ echo <tls.crt> | base64 --decode > ca.crt
Trust a CA in your client platform:
    $ sudo cp ca.crt /etc/pki/ca-trust/source/anchors/externalroute.crt && sudo update-ca-trust enable && sudo systemctl daemon-reload && sudo systemctl restart docker
Log into the internal registry:
    $ oc get route -n openshift-image-registry
    NAME            HOST/PORT         PATH   SERVICES         PORT    TERMINATION   WILDCARD
    default-route   <registry_path>          image-registry   <all>   reencrypt     None
    $ docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
Push the odo init image:
    $ docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>
    $ docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
    $ docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:
    $ export ODO_BOOTSTRAPPER_IMAGE=<registry_path>/openshiftdo/odo-init-image-rhel7:1.0.1
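The CA decoding and registry login steps above, written as guarded shell functions. This is an added example, not part of the original documentation; decode_ca and registry_login are hypothetical names, and the only external tools assumed are base64, grep and docker.

```shell
#!/bin/sh
# Added example, not from the original documentation. Function names are
# hypothetical; only base64, grep and `docker login --password-stdin` are used.

# decode_ca B64_VALUE OUTFILE
# Decodes one base64 field copied from the router-certs-default secret and
# writes it to OUTFILE only if it holds PEM certificates and no private key.
# The secret carries tls.crt and tls.key side by side; pasting tls.key by
# mistake must not leave key material on disk or in the trust anchors.
# Prints the number of certificates found; returns 1 on any rejection.
decode_ca() {
    _pem=$(printf '%s' "$1" | base64 --decode 2>/dev/null) || return 1
    case $_pem in
        *"PRIVATE KEY-----"*)
            echo "refusing: value contains a private key" >&2
            return 1 ;;
    esac
    _n=$(printf '%s\n' "$_pem" | grep -c -e '-----BEGIN CERTIFICATE-----' || true)
    if [ "$_n" -lt 1 ]; then
        echo "refusing: no PEM certificate in decoded value" >&2
        return 1
    fi
    printf '%s\n' "$_pem" > "$2" || return 1
    echo "$_n"
}

# registry_login REGISTRY USER
# Reads the password or token from stdin and passes it to docker on stdin, so
# it does not show up in the process list or shell history as `-p` would.
registry_login() {
    docker login "$1" -u "$2" --password-stdin
}

# Usage against a live cluster (not run here):
#   decode_ca "<tls.crt>" ca.crt
#   oc whoami -t | registry_login <registry_path> kubeadmin
```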
2.4.2.3.2. Pushing the init image directly on MacOS
Procedure
Enable the default route:
    $ oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
Get a wildcard route CA:
    $ oc get secret router-certs-default -n openshift-ingress -o yaml
Example output
    apiVersion: v1
    data:
      tls.crt: **************************
      tls.key: ##################
    kind: Secret
    metadata:
      [...]
    type: kubernetes.io/tls
Use base64 to decode the root certification authority (CA) content of your mirror registry:
    $ echo <tls.crt> | base64 --decode > ca.crt
Trust a CA in your client platform:
    $ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
Log into the internal registry:
    $ oc get route -n openshift-image-registry
    NAME            HOST/PORT         PATH   SERVICES         PORT    TERMINATION   WILDCARD
    default-route   <registry_path>          image-registry   <all>   reencrypt     None
    $ docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
Push the odo init image:
    $ docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>
    $ docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
    $ docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:
    $ export ODO_BOOTSTRAPPER_IMAGE=<registry_path>/openshiftdo/odo-init-image-rhel7:1.0.1
2.4.2.3.3. Pushing the init image directly on Windows
Procedure
Enable the default route:
    PS C:\> oc patch configs.imageregistry.operator.openshift.io cluster -p '{"spec":{"defaultRoute":true}}' --type='merge' -n openshift-image-registry
Get a wildcard route CA:
    PS C:\> oc get secret router-certs-default -n openshift-ingress -o yaml
Example output
    apiVersion: v1
    data:
      tls.crt: **************************
      tls.key: ##################
    kind: Secret
    metadata:
      [...]
    type: kubernetes.io/tls
Use base64 to decode the root certification authority (CA) content of your mirror registry:
    PS C:\> echo <tls.crt> | base64 --decode > ca.crt
As an administrator, trust a CA in your client platform by executing the following command:
    PS C:\WINDOWS\system32> certutil -addstore -f "ROOT" ca.crt
Log into the internal registry:
    PS C:\> oc get route -n openshift-image-registry
    NAME            HOST/PORT         PATH   SERVICES         PORT    TERMINATION   WILDCARD
    default-route   <registry_path>          image-registry   <all>   reencrypt     None
    PS C:\> docker login <registry_path> -u kubeadmin -p $(oc whoami -t)
Push the odo init image:
    PS C:\> docker pull registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag>
    PS C:\> docker tag registry.access.redhat.com/openshiftdo/odo-init-image-rhel7:<tag> <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
    PS C:\> docker push <registry_path>/openshiftdo/odo-init-image-rhel7:<tag>
Override the default odo init image path by setting the ODO_BOOTSTRAPPER_IMAGE environment variable:
    PS C:\> $env:ODO_BOOTSTRAPPER_IMAGE="<registry_path>/openshiftdo/odo-init-image-rhel7:<tag>"
After you push the init image to a cluster with a mirrored registry, you must mirror a supported builder image for your application with the oc tool, overwrite the mirror registry using the environment variable, and then create your component.
2.4.3.1. Prerequisites
- Install oc on the client operating system.
- Install odo on the client operating system.
- Access to a restricted cluster with a configured internal registry or a mirror registry.
- Push the odo init image to your cluster registry.
2.4.3.2. Mirroring a supported builder image
To use npm packages for Node.js dependencies and Maven packages for Java dependencies and configure a runtime environment for your application, you must mirror a respective builder image from the mirror registry.
Procedure
Verify that the required image tag is not imported:
    $ oc describe is nodejs -n openshift
Example output
    Name:       nodejs
    Namespace:  openshift
    [...]

    10
      tagged from <mirror-registry>:<port>/rhoar-nodejs/nodejs-10
        prefer registry pullthrough when referencing this tag

      Build and run Node.js 10 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/nodeshift/centos7-s2i-nodejs.
      Tags: builder, nodejs, hidden
      Example Repo: https://github.com/sclorg/nodejs-ex.git

      ! error: Import failed (NotFound): dockerimage.image.openshift.io "<mirror-registry>:<port>/rhoar-nodejs/nodejs-10:latest" not found
          About an hour ago

    10-SCL (latest)
      tagged from <mirror-registry>:<port>/rhscl/nodejs-10-rhel7
        prefer registry pullthrough when referencing this tag

      Build and run Node.js 10 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/nodeshift/centos7-s2i-nodejs.
      Tags: builder, nodejs
      Example Repo: https://github.com/sclorg/nodejs-ex.git

      ! error: Import failed (NotFound): dockerimage.image.openshift.io "<mirror-registry>:<port>/rhscl/nodejs-10-rhel7:latest" not found
          About an hour ago

    [...]
Mirror the supported image tag to the private registry:
    $ oc image mirror registry.access.redhat.com/rhscl/nodejs-10-rhel7:<tag> <private_registry>/rhscl/nodejs-10-rhel7:<tag>
Import the image:
    $ oc tag <mirror-registry>:<port>/rhscl/nodejs-10-rhel7:<tag> nodejs-10-rhel7:latest --scheduled
You must periodically re-import the image. The --scheduled flag enables automatic re-import of the image.
Verify that the images with the given tag have been imported:
    $ oc describe is nodejs -n openshift
Example output
    Name:       nodejs
    [...]

    10-SCL (latest)
      tagged from <mirror-registry>:<port>/rhscl/nodejs-10-rhel7
        prefer registry pullthrough when referencing this tag

      Build and run Node.js 10 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/nodeshift/centos7-s2i-nodejs.
      Tags: builder, nodejs
      Example Repo: https://github.com/sclorg/nodejs-ex.git

      * <mirror-registry>:<port>/rhscl/nodejs-10-rhel7@sha256:d669ecbc11ac88293de50219dae8619832c6a0f5b04883b480e073590fab7c54
          3 minutes ago

    [...]
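The two verification steps above can be scripted so that a failed or stale import stops a provisioning run instead of being read by eye. This is an added example, not part of the original documentation; import_status and sample_describe are hypothetical names, the sample text and the mirror.example.test host are constructed, and the parser assumes the indented layout that oc prints.

```shell
#!/bin/sh
# Added example, not from the original documentation. import_status and
# sample_describe are hypothetical names; the sample text is constructed.

# import_status: reads `oc describe is <name>` output on stdin and prints one
# line per tag, "<tag> OK <image@sha256:...>" or "<tag> FAILED <reason>".
# Returns non-zero if any tag reports an import error or has no image.
# Assumes the oc layout: tag names at column 0, details indented beneath them.
import_status() {
    awk '
        function emit() {
            if (tag == "") return
            if (err != "")         { print tag, "FAILED", err; bad = 1 }
            else if (image == "")  { print tag, "FAILED", "no image imported"; bad = 1 }
            else                     print tag, "OK", image
        }
        /^\[/ { next }                                   # "[...]" elision
        /^[^ \t]/ && !/^[A-Za-z ]+:/ {                   # new tag heading
            emit(); tag = $1; image = ""; err = ""; next
        }
        /^[ \t]+! error: / {                             # failed import
            if (err == "") { sub(/^[ \t]+! error: /, ""); err = $0 }
            next
        }
        /^[ \t]+\* .*@sha256:[0-9a-f]+/ { if (image == "") image = $2 }
        END { emit(); exit bad + 0 }
    '
}

# Constructed sample: tag 10 failed to import, tag 10-SCL resolved to a digest.
sample_describe() {
    cat <<'EOF'
Name:       nodejs
Namespace:  openshift

10
  tagged from mirror.example.test:5000/rhoar-nodejs/nodejs-10
  ! error: Import failed (NotFound): dockerimage.image.openshift.io "mirror.example.test:5000/rhoar-nodejs/nodejs-10:latest" not found
      About an hour ago

10-SCL (latest)
  tagged from mirror.example.test:5000/rhscl/nodejs-10-rhel7
  * mirror.example.test:5000/rhscl/nodejs-10-rhel7@sha256:d669ecbc11ac88293de50219dae8619832c6a0f5b04883b480e073590fab7c54
      3 minutes ago
EOF
}

sample_describe | import_status || echo "at least one tag is not imported"
```

Against a cluster, the input would come from `oc describe is nodejs -n openshift | import_status`; the digest printed for an OK tag is the value to compare with the image that was mirrored.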
2.4.3.3. Overwriting the mirror registry
To download npm packages for Node.js dependencies and Maven packages for Java dependencies from a private mirror registry, you must create and configure a mirror npm or Maven registry on the cluster. You can then overwrite the mirror registry on an existing component or when you create a new component.
Procedure
To overwrite the mirror registry on an existing component:
    $ odo config set --env NPM_MIRROR=<npm_mirror_registry>
To overwrite the mirror registry when creating a component:
    $ odo component create nodejs --env NPM_MIRROR=<npm_mirror_registry>
2.4.3.4. Creating a Node.js application with odo
To create a Node.js component, download the Node.js application and push the source code to your cluster with odo.
Procedure
Change the current directory to the directory with your application:
    $ cd <directory_name>
Add a component of the type Node.js to your application:
    $ odo create nodejs
Note: By default, the latest image is used. You can also explicitly specify an image version by using odo create openshift/nodejs:8.
Push the initial source code to the component:
    $ odo push
Your component is now deployed to OpenShift Container Platform.
Create a URL and add an entry in the local configuration file as follows:
    $ odo url create --port 8080
Push the changes. This creates a URL on the cluster.
    $ odo push
List the URLs to check the desired URL for the component.
    $ odo url list
View your deployed application using the generated URL.
    $ curl <url>