loading...

Openshift Z-patch upgrade in restricted environment without mirroring quay.io

baptistemm profile image Baptiste Mille-Mathias Updated on ・2 min read

Since version 4.2 Openshift features a disconnected installation method that permits to setup and upgrade a cluster that is not connected to internet.

This methods implies you prior copy the artifacts from the release you will install into your internal registry and to declare using an imagecontentsourcepolicy manifest the mirror so all url from quay.io will substitute on-the-fly by your internal.

On the day to day management this is not very convenient because it requires you to monitor and to copy when necessary, or to have a script regularly running and that will copy (even if you'll never use it) the latest release available.

However if you have a reverse-cache (or even a registry with reverse-cache like JFrog Artifactory setup for quay.io you can upgrade directly through it without having to mirror.

I assume you already setup for the remote-mirror so the following works

podman pull repository.mycorp.com:5000/openshift-release-dev/ocp-release@sha256:4841bd519be0d5c533d9b4da2996a6d0d340ae1eddb8a6ea213958c7460dcdb4

Create/Update an imagecontentsourcepolicy to point to your artifactory

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: artifactory-remote
spec:
  repositoryDigestMirrors:
  - mirrors:
    - repository.mycorp.com:5000/openshift-release-dev
    source: quay.io/openshift-release-dev

Now generate a digest of the images from a node that has access to internet.

#!/bin/bash
# TARGET_VERSION should be in format x.y.z, for example 4.3.28
export OCP_RELEASE_NUMBER=${TARGET_VERSION}
export DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-x86_64 | sed -n 's/Pull From: .*@//p')"
export SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/$(echo $DIGEST | cut -d: -f1)=$(echo $DIGEST | cut -d: -f2)/signature-1" | base64 -w0 && echo)
export DIGEST_ALGO=$(echo $DIGEST | cut -d: -f1)
export DIGEST_SIGNATURE=$(echo $DIGEST | cut -d: -f2)

cat <<EOF | oc apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
    name: release-image-${OCP_RELEASE_NUMBER}
    namespace: openshift-config-managed
    labels:
       release.openshift.io/verification-signatures: ""
binaryData:
    ${DIGEST_ALGO}-${DIGEST_SIGNATURE}: ${SIGNATURE_BASE64}
EOF

Now you are ready to use the upgrade procedure from redhat as if you had mirrored quay.io

Discussion

pic
Editor guide