  1. Red Hat 3scale API Management
  2. THREESCALE-4968

Test operator in cluster with restricted networking


Details

    • Task
    • Resolution: Done
    • Major
    • 3scale Operator

    Description

      Following doc: https://docs.openshift.com/container-platform/4.3/operators/olm-restricted-networks.html

      Consolidated instructions:

      APP_REGISTRY="rh-verified-operators"
      APP_REGISTRY_ORG="rh-verified-operators"
      INTERNAL_REGISTRY="registry.internal.com:5000/images"
      

      The internal registry URL has been replaced with a generic one.

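      # Build a catalog image from the App Registry namespace and push it to the internal registry
      oc adm catalog build \
          --appregistry-endpoint https://quay.io/cnr \
          --appregistry-org "${APP_REGISTRY}" \
          --to="${INTERNAL_REGISTRY}/${APP_REGISTRY_ORG}:v1"
      
      # Mirror the catalog content and generate the manifests directory
      oc adm catalog mirror \
          "${INTERNAL_REGISTRY}/${APP_REGISTRY_ORG}:v1" \
          "${INTERNAL_REGISTRY}"
      
      # Apply the generated manifests, then mirror the images listed in mapping.txt
      oc apply -f "./${APP_REGISTRY_ORG}-manifests"
      oc image mirror -f "${APP_REGISTRY_ORG}-manifests/mapping.txt"
      
      # Disable the default OperatorHub sources
      oc patch OperatorHub cluster --type json \
          -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'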
      

      We only need to disable the default sources (last command) once for the disconnected cluster. This procedure would need to be done by the operations team at cluster setup.
      Note: the oc apply -f ./${APP_REGISTRY_ORG}-manifests command will cause the worker nodes in the OCP cluster to be recycled and may take some time.

      Similarly, we only need to add the public certificate of the internal registry once (if it is a secured registry, which is recommended).

      oc create configmap user-ca-bundle -n openshift-config \
          --from-file=ca-bundle.crt=/path/to/certificate_file.crt
      
      oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"user-ca-bundle"}}}' --type=merge
      

      https://docs.openshift.com/container-platform/4.3/builds/setting-up-trusted-ca.html#configmap-adding-ca_setting-up-trusted-ca

      oc apply -f - <<EOF
      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
        name: my-operator-catalog
        namespace: openshift-marketplace
      spec:
        sourceType: grpc
        image: ${INTERNAL_REGISTRY}/${APP_REGISTRY_ORG}:v1
        displayName: My Operator Catalog
        publisher: grpc
      EOF
      

      At this point, OLM is expected to have the catalog installed and the operator bundles available for deployment.

      Install 3scale
      ----------------------
      3scale was successfully deployed. Some smoke tests were run. The smoke tests were very simple: generate some traffic and ensure it is being validated using a valid 3scale application key. All tests passed.
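
A pre-flight check for the generated mapping.txt, run before `oc image mirror -f`. This is an added example, not part of the original issue or of the oc tooling. It assumes one SOURCE=DESTINATION pair per line; the function name `check_mapping`, the finding labels, and the sample image references are constructed for illustration.

```shell
# Usage: check_mapping "${APP_REGISTRY_ORG}-manifests/mapping.txt" "${INTERNAL_REGISTRY}"
# Prints one finding per line; returns 0 only when there are no findings.
check_mapping() {
    local file="$1" registry="$2" findings=0 line src dst
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case "$line" in ''|'#'*) continue ;; esac
        src="${line%%=*}"   # text before the first '='
        dst="${line#*=}"    # text after the first '='
        if [ "$src" = "$line" ] || [ -z "$dst" ]; then
            echo "MALFORMED $line"; findings=$((findings + 1)); continue
        fi
        # Every destination must live under the internal registry path;
        # anything else would push images outside the restricted network.
        case "$dst" in
            "$registry"/*) ;;
            *) echo "EXTERNAL_DEST $dst"; findings=$((findings + 1)) ;;
        esac
        # ImageContentSourcePolicy only redirects pulls made by digest, so a
        # tag-referenced source would still be pulled from the public registry.
        case "$src" in
            *@sha256:*) ;;
            *) echo "NOT_DIGEST_PINNED $src"; findings=$((findings + 1)) ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed sample input (not real image references or digests).
sample_mapping() {
    cat <<'EOF'
registry.example.com/ns/operator@sha256:aaaa=registry.internal.com:5000/images/ns-operator
registry.example.com/ns/backend:2.8=registry.internal.com:5000/images/ns-backend
registry.example.com/ns/apicast@sha256:bbbb=other.example.net/ns-apicast
EOF
}
```

On the constructed sample, the check reports the tag-referenced `backend:2.8` source and the `other.example.net` destination, and returns non-zero.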

            People

              eguzki Eguzki Astiz Lezaun
              eguzki Eguzki Astiz Lezaun
              Filip Čáp Filip Čáp
              Eguzki Astiz Lezaun Eguzki Astiz Lezaun