DEV Community

Baptiste Mille-Mathias
Baptiste Mille-Mathias

Posted on • Updated on

Openshift Z-patch upgrade in restricted environment without mirroring

Since version 4.2 Openshift features a disconnected installation method that permits to setup and upgrade a cluster that is not connected to internet.

This methods implies you prior copy the artifacts from the release you will install into your internal registry and to declare using an imagecontentsourcepolicy manifest the mirror so all url from will substitute on-the-fly by your internal.

On the day to day management this is not very convenient because it requires you to monitor and to copy when necessary, or to have a script regularly running and that will copy (even if you'll never use it) the latest release available.

However if you have a reverse-cache (or even a registry with reverse-cache like JFrog Artifactory setup for you can upgrade directly through it without having to mirror.

I assume you already setup for the remote-mirror so the following works

podman pull

Create/Update an imagecontentsourcepolicy to point to your artifactory

kind: ImageContentSourcePolicy
  name: artifactory-remote
  - mirrors:

Now generate a digest of the images from a node that has access to internet.

# TARGET_VERSION should be in format x.y.z, for example 4.3.28
export DIGEST="$(oc adm release info${OCP_RELEASE_NUMBER}-x86_64 | sed -n 's/Pull From: .*@//p')"
export SIGNATURE_BASE64=$(curl -s "$(echo $DIGEST | cut -d: -f1)=$(echo $DIGEST | cut -d: -f2)/signature-1" | base64 -w0 && echo)
export DIGEST_ALGO=$(echo $DIGEST | cut -d: -f1)
export DIGEST_SIGNATURE=$(echo $DIGEST | cut -d: -f2)

cat <<EOF | oc apply -f -
apiVersion: v1
kind: ConfigMap
    name: release-image-${OCP_RELEASE_NUMBER}
    namespace: openshift-config-managed
    labels: ""

Now you are ready to use the upgrade procedure from redhat as if you had mirrored

Top comments (0)