OpenShift Container Platform (OCP) Strategy
OCPSTRAT-244

Serve OpenShift release signatures via Cincinnati for restricted network


    • OCPSTRAT-10 Install and update OpenShift on Infrastructure Providers
    • 0% To Do, 33% In Progress, 67% Done

      Feature Overview (aka. Goal Summary)

      Support serving OpenShift release signatures via Cincinnati. This mostly serves the disconnected use case.
      Currently, for disconnected OCP image mirroring, we need to create and configure a ConfigMap, as mentioned here.


      Goals (aka. expected user outcomes)

      • Remove the need to create a ConfigMap, by mirroring signatures from their upstream locations.
      • A restricted-network/disconnected Cincinnati can construct the graph-data tarball via a request to a Cincinnati instance that already has signature access (e.g. because it is a connected Cincinnati).


      Use Cases (Optional):

      A connected or disconnected Cincinnati can mirror signatures from their upstream locations, so that a ConfigMap no longer has to be created from the output of the oc-mirror command.
      Cincinnati can also load signatures from a graph-data container image, for the restricted/disconnected-network case.


      Background

      When mirroring images for a disconnected installation using the "oc-mirror" command, the signature files located in the release-signatures folder are currently not picked up automatically. Today these files are manually applied to the "openshift-config-managed" namespace. Without this manual step, any cluster trying to upgrade fails with an error that the target release version is not signed/verified.

      Serving OpenShift release signatures via Cincinnati would give us a single service for update-related metadata, namely a Cincinnati deployment on the local network, which the CVO is configured to poll. This would make restricted/disconnected-network updates easier by reducing the number of pre-update cluster adjustments (no more need to create signature ConfigMaps in each cluster being updated).

      A connected Cincinnati can mirror signatures from their upstream locations.
      Cincinnati can also be taught to load signatures from a graph-data container image, for the restricted/disconnected-network case.
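
      The manual step described above, building the release-signature ConfigMap that the CVO reads from the openshift-config-managed namespace, as an added example that is not code from the ticket or from oc-mirror. It assumes the ConfigMap shape the CVO's signature store consumes (label release.openshift.io/verification-signatures, keys of the form sha256-<digest>-<n>), which the ticket itself does not spell out; the digest and signature bytes are constructed.

```python
"""Build the release-signature ConfigMap for openshift-config-managed.

Added example (not from OCPSTRAT-244 or oc-mirror). Assumed from the CVO's
ConfigMap signature store, not stated on the ticket:
  - the ConfigMap carries the label release.openshift.io/verification-signatures
  - each key is sha256-<digest>-<n> (n from 1), value = the GPG signature bytes
"""
import base64
import json
import re

SIGNATURE_LABEL = "release.openshift.io/verification-signatures"
DIGEST_RE = re.compile(r"^[0-9a-f]{64}$")


def build_signature_configmap(name, signatures):
    """signatures: {hex_digest: [signature_bytes, ...]} -> ConfigMap dict.

    Rejects malformed digests and empty signature lists, so a mis-copied
    release-signatures file name cannot yield a ConfigMap the CVO silently skips.
    """
    binary_data = {}
    for digest, sigs in signatures.items():
        if not DIGEST_RE.match(digest):
            raise ValueError(f"not a sha256 hex digest: {digest!r}")
        if not sigs:
            raise ValueError(f"no signatures supplied for {digest}")
        for n, sig in enumerate(sigs, start=1):
            # binaryData is base64 in the manifest; the API server hands the CVO raw bytes.
            binary_data[f"sha256-{digest}-{n}"] = base64.b64encode(sig).decode()
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {
            "name": name,
            "namespace": "openshift-config-managed",
            "labels": {SIGNATURE_LABEL: ""},
        },
        "binaryData": binary_data,
    }


def configmap_digests(cm):
    """Release digests a signature ConfigMap covers; empty when the label is
    missing, because an unlabelled ConfigMap is invisible to the CVO's store."""
    labels = cm.get("metadata", {}).get("labels", {})
    if SIGNATURE_LABEL not in labels:
        return set()
    return {k.split("-")[1] for k in cm.get("binaryData", {}) if k.startswith("sha256-")}


if __name__ == "__main__":
    # Constructed sample: fake digest and fake signature bytes, not a real release.
    fake_digest = "ab" * 32
    cm = build_signature_configmap("release-sig-example", {fake_digest: [b"fake-pgp-signature"]})
    print(json.dumps(cm, indent=2))  # pipe into: oc apply -f -
```

      The resulting JSON is what the manual step applies today; with signatures served by Cincinnati, no such object would need to exist in each cluster.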


      Documentation Considerations

      Update documentation to remove the need for configmaps


      Interoperability Considerations

      This impacts oc-mirror. There are two ways to mirror images, as mentioned here.

            Subin MM (rh-ee-smodeel)
            Lalatendu Mohanty (lmohanty@redhat.com)
            Jia Liu, Lalatendu Mohanty, Scott Dodson, Sebastian Kopacz, Subin MM
            Eric Rich