Manual cherry pick of OSDOCS 4665

_topic_maps/_topic_map.yml

@@ -581,9 +581,16 @@ Topics:
 - Name: Updating a cluster that includes RHEL compute machines
   File: updating-cluster-rhel-compute
   Distros: openshift-enterprise
-- Name: Updating a restricted network cluster
-  File: updating-restricted-network-cluster
+- Name: Updating a disconnected environment
+  Dir: updating-restricted-network-cluster
   Distros: openshift-enterprise
+  Topics:
+  - Name: About disconnected environment updates
+    File: index
+  - Name: Updating disconnected environments using OSUS
+    File: restricted-network-update-OSUS
+  - Name: Updating disconnected environments without OSUS
+    File: restricted-network-update
 - Name: Updating hardware on nodes running on vSphere
   File: updating-hardware-on-nodes-running-on-vsphere
 # - Name: Troubleshooting an update

getting_started/openshift-overview.adoc

@@ -104,7 +104,7 @@ be reviewed by cluster administrators and xref:../operators/admin/olm-adding-ope
 
 * **xref:../scalability_and_performance/scaling-cluster-monitoring-operator.adoc#scaling-cluster-monitoring-operator[Scale] and xref:../scalability_and_performance/using-node-tuning-operator.adoc#using-node-tuning-operator[tune] clusters**: Set cluster limits, tune nodes, scale cluster monitoring, and optimize networking, storage, and routes for your environment.
 
-* **xref:../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[Understanding the OpenShift Update Service]**: Learn about installing and managing a local OpenShift Update Service for recommending {product-title} updates in restricted network environments.
+* **xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[Understanding the OpenShift Update Service]**: Learn about installing and managing a local OpenShift Update Service for recommending {product-title} updates in disconnected environments.
 
 * **xref:../monitoring/monitoring-overview.adoc#monitoring-overview[Monitor clusters]**:
 Learn to  xref:../monitoring/configuring-the-monitoring-stack.adoc#configuring-the-monitoring-stack[configure the monitoring stack].

installing/disconnected_install/installing-mirroring-disconnected.adoc

@@ -69,7 +69,7 @@ include::modules/oc-mirror-creating-image-set-config.adoc[leveloffset=+1]
 
 * xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#oc-mirror-imageset-config-params_installing-mirroring-disconnected[Image set configuration parameters]
 * xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#oc-mirror-image-set-examples_installing-mirroring-disconnected[Image set configuration examples]
-* xref:../../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[About the OpenShift Update Service]
+* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[About the OpenShift Update Service]
 
 [id="mirroring-image-set"]
 == Mirroring an image set to a mirror registry

modules/cli-installing-cli.adoc

@@ -46,7 +46,7 @@
 // * openshift_images/samples-operator-alt-registry.adoc
 // * installing/installing_rhv/installing-rhv-customizations.adoc
 // * installing/installing_rhv/installing-rhv-default.adoc
-// * updating/updating-restricted-network-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 //
 // AMQ docs link to this; do not change anchor
 
@@ -67,7 +67,7 @@ If you installed an earlier version of `oc`, you cannot use it to complete all
 of the commands in {product-title} {product-version}. Download and
 install the new version of `oc`.
 ifdef::restricted[]
-If you are upgrading a cluster in a restricted network, install the `oc` version that you plan to upgrade to.
+If you are upgrading a cluster in a disconnected environment, install the `oc` version that you plan to upgrade to.
 endif::restricted[]
 ====
 

modules/generating-icsp-object-scoped-to-a-registry.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * updating/updating-restricted-network-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 
 :_content-type: PROCEDURE
 [id="generating-icsp-object-scoped-to-a-registry_{context}"]

modules/images-configuration-registry-mirror.adoc

@@ -2,6 +2,7 @@
 //
 // * openshift_images/image-configuration.adoc
 // * post_installation_configuration/preparing-for-users.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 
 :_content-type: PROCEDURE
 [id="images-configuration-registry-mirror_{context}"]
@@ -15,7 +16,7 @@ Setting up container registry repository mirroring enables you to do the followi
 The attributes of repository mirroring in {product-title} include:
 
 * Image pulls are resilient to registry downtimes.
-* Clusters in restricted networks can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images.
+* Clusters in disconnected environments can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images.
 * A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.
 * The mirror information you enter is added to the `/etc/containers/registries.conf` file on every node in the {product-title} cluster.
 * When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. If successful, the image is pulled to the node.
@@ -24,7 +25,7 @@ Setting up repository mirroring can be done in the following ways:
 
 * At {product-title} installation:
 +
-By pulling container images needed by {product-title} and then bringing those images behind your company's firewall, you can install {product-title} into a datacenter that is in a restricted network.
+By pulling container images needed by {product-title} and then bringing those images behind your company's firewall, you can install {product-title} into a datacenter that is in a disconnected environment.
 
 * After {product-title} installation:
 +

modules/images-update-global-pull-secret.adoc

@@ -2,7 +2,8 @@
 // * openshift_images/managing_images/using-image-pull-secrets.adoc
 // * post_installation_configuration/cluster-tasks.adoc
 // * support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc
-// * updating/updating-restricted-network-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 //
 // Not included, but linked to from:
 // * operators/admin/olm-managing-custom-catalogs.adoc

modules/installation-adding-registry-pull-secret.adoc

@@ -4,7 +4,7 @@
 // * installing/disconnected_install/installing-mirroring-disconnected.adoc
 // * openshift_images/samples-operator-alt-registry.adoc
 // * scalability_and_performance/ztp_far_edge/ztp-deploying-far-edge-clusters-at-scale.adoc
-// * updating/updating-restricted-network-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 
 ifeval::["{context}" == "updating-restricted-network-cluster"]
 :restricted:
@@ -43,7 +43,7 @@ endif::restricted[]
 
 .Prerequisites
 
-* You configured a mirror registry to use in your restricted network.
+* You configured a mirror registry to use in your disconnected environment.
 ifdef::restricted[]
 * You identified an image repository location on your mirror registry to mirror images into.
 * You provisioned a mirror registry account that allows images to be uploaded to that image repository.

modules/machine-health-checks-pausing.adoc

@@ -2,7 +2,7 @@
 
 // * updating/updating-cluster-cli.adoc
 // * updating/updating-cluster-within-minor.adoc
-// * updating/updating-restricted-network-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 
 :_content-type: PROCEDURE
 [id="machine-health-checks-pausing_{context}"]

modules/update-mirror-repository-oc-mirror.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
-//
-// * updating/updating-restricted-network-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
 
 :_content-type: PROCEDURE
 [id="update-mirror-repository-oc-mirror_{context}"]

modules/update-mirror-repository.adoc

@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * updating/updating-restricted-network-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 
 :_content-type: PROCEDURE
 [id="update-mirror-repository-adm-release-mirror_{context}"]
@@ -103,7 +103,7 @@ $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}
 ----
 $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
 ----
-... Take the media to the restricted network environment and upload the images to the local container registry.
+... Take the media to the disconnected environment and upload the images to the local container registry.
 +
 [source,terminal]
 ----

modules/update-restricted.adoc

@@ -1,12 +1,12 @@
 // Module included in the following assemblies:
 //
-// * updating/updating-restricted-network-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 
 :_content-type: PROCEDURE
 [id="update-restricted_{context}"]
-= Upgrading the restricted network cluster
+= Upgrading the disconnected cluster
 
-Update the restricted network cluster to the {product-title} version that you downloaded the release images for.
+Update the disconnected cluster to the {product-title} version that you downloaded the release images for.
 
 //TODO: Add xrefs in the following note when functionality is enabled.
 

modules/update-service-configure-cvo.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-configure-cvo"]
 = Configuring the Cluster Version Operator (CVO)

modules/update-service-create-service-cli.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-create-service-cli_{context}"]
 = Creating an OpenShift Update Service application by using the CLI

modules/update-service-create-service-web-console.adoc

@@ -1,3 +1,6 @@
+//Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-create-service-web-console_{context}"]
 = Creating an OpenShift Update Service application by using the web console

modules/update-service-delete-service-cli.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-delete-service-cli_{context}"]
 = Deleting an OpenShift Update Service application by using the CLI

modules/update-service-delete-service-web-console.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-delete-service-web-console_{context}"]
 = Deleting an OpenShift Update Service application by using the web console

modules/update-service-graph-data.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-graph-data_{context}"]
 = Creating the OpenShift Update Service graph data container image
@@ -33,5 +36,5 @@ $ podman push registry.example.com/openshift/graph-data:latest
 +
 [NOTE]
 ====
-To push a graph data image to a local registry in a restricted network, copy the graph-data container image created in the previous step to a repository that is accessible to the OpenShift Update Service. Run `oc image mirror --help` for available options.
+To push a graph data image to a local registry in a disconnected environment, copy the graph-data container image created in the previous step to a repository that is accessible to the OpenShift Update Service. Run `oc image mirror --help` for available options.
 ====

modules/update-service-install-cli.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-install-cli_{context}"]
 = Installing the OpenShift Update Service Operator by using the CLI
@@ -82,7 +85,7 @@ spec:
   sourceNamespace: "openshift-marketplace"
   name: "cincinnati-operator"
 ----
-<1> Specify the name of the catalog source that provides the Operator. For clusters that do not use a custom Operator Lifecycle Manager (OLM), specify `redhat-operators`. If your {product-title} cluster is installed on a restricted network, also known as a disconnected cluster, specify the name of the `CatalogSource` object created when you configured Operator Lifecycle Manager (OLM).
+<1> Specify the name of the catalog source that provides the Operator. For clusters that do not use a custom Operator Lifecycle Manager (OLM), specify `redhat-operators`. If your {product-title} cluster is installed in a disconnected environment, specify the name of the `CatalogSource` object created when you configured Operator Lifecycle Manager (OLM).
 
 .. Create the `Subscription` object:
 +

modules/update-service-install-web-console.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-install-web-console_{context}"]
 = Installing the OpenShift Update Service Operator by using the web console

modules/update-service-mirror-release.adoc

@@ -1,9 +1,10 @@
+// Module included in the following assemblies:
+// *updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-mirror-release-adm-release-mirror_{context}"]
 = Mirroring images using the oc adm release mirror command
 
-The OpenShift Update Service requires a locally accessible registry containing update release payloads.
-
 [IMPORTANT]
 ====
 To avoid excessive memory usage by the OpenShift Update Service application, it is recommended that you mirror release images to a separate repository, as described in the following procedure.
@@ -13,7 +14,7 @@ To avoid excessive memory usage by the OpenShift Update Service application, it
 
 * You reviewed and completed the steps from "Mirroring images for a disconnected installation" up to but not including the section entitled *Mirroring the {product-title} image repository*.
 //TODO: Add xref to preceding step when allowed.
-* You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.
+* You configured a mirror registry to use in your disconnected environment and can access the certificate and credentials that you configured.
 ifndef::openshift-origin[]
 * You downloaded the {cluster-manager-url-pull} and modified it to include authentication to your mirror repository.
 endif::[]
@@ -132,7 +133,7 @@ $ oc adm release mirror -a ${LOCAL_SECRET_JSON}  \
 ----
 $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
 ----
-... Take the media to the restricted network environment and upload the images to the local container registry:
+... Take the media to the disconnected environment and upload the images to the local container registry:
 +
 [source,terminal]
 ----

modules/update-service-overview.adoc

@@ -5,13 +5,13 @@
 // * updating/updating-cluster-cli.adoc
 // * updating/updating-cluster-rhel-compute.adoc
 // * updating/updating-cluster.adoc
-// * updating/updating-disconnected-cluster.adoc
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
 
 :_content-type: CONCEPT
 [id="update-service-overview_{context}"]
 = About the OpenShift Update Service
 
-The OpenShift Update Service (OSUS) provides over-the-air updates to {product-title}, including {op-system-first}. It provides a graph, or diagram, that contains the _vertices_ of component Operators and the _edges_ that connect them. The edges in the graph show which versions you can safely update to. The vertices are update payloads that specify the intended state of the managed cluster components.
+The OpenShift Update Service (OSUS) provides updates to {product-title}, including {op-system-first}. It provides a graph, or diagram, that contains the _vertices_ of component Operators and the _edges_ that connect them. The edges in the graph show which versions you can safely update to. The vertices are update payloads that specify the intended state of the managed cluster components.
 
 The Cluster Version Operator (CVO) in your cluster checks with the OpenShift Update Service to see the valid updates and update paths based on current component versions and information in the graph. When you request an update, the CVO uses the release image for that update to update your cluster. The release artifacts are hosted in Quay as container images.
 ////

modules/update-service-uninstall-cli.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-uninstall-cli_{context}"]
 = Uninstalling the OpenShift Update Service Operator by using the CLI

modules/update-service-uninstall-web-console.adoc

@@ -1,3 +1,6 @@
+// Module included in the following assemblies:
+// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
+
 :_content-type: PROCEDURE
 [id="update-service-uninstall-web-console_{context}"]
 = Uninstalling the OpenShift Update Service Operator by using the web console

security/container_security/security-hosts-vms.adoc

@@ -31,7 +31,7 @@ ifndef::openshift-origin[]
 endif::[]
 * xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-encrypt-disk_installing-customizing[Disk encryption]
 * xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-chrony_installing-customizing[Chrony time service]
-* xref:../../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[{product-title} cluster updates]
+* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[{product-title} cluster updates]
 
 // Virtualization versus containers
 include::modules/security-hosts-vms-vs-containers.adoc[leveloffset=+1]

updating/index.adoc

@@ -66,19 +66,19 @@ xref:../updating/updating-cluster-rhel-compute.adoc#updating-cluster-rhel-comput
 * xref:../updating/updating-cluster-rhel-compute.adoc#rhel-compute-updating-minor_updating-cluster-rhel-compute[Updating {op-system-base} compute machines in your cluster]
 
 [id="updating-clusters-overview-update-restricted-network-cluster"]
-== Updating a restricted network cluster
-xref:../updating/updating-restricted-network-cluster.adoc#updating-restricted-network-cluster[Updating a restricted network cluster]: If your mirror host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment. You can then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror host of a registry, you can directly push the release images to the local registry.
+== Updating a disconnected cluster
+xref:../updating/updating-restricted-network-cluster/index.adoc#about-restricted-network-updates[Updating a disconnected cluster]: If your mirror host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment. You can then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror host of a registry, you can directly push the release images to the local registry.
 
-* xref:../updating/updating-restricted-network-cluster.adoc#updating-restricted-network-mirror-host[Preparing your mirror host]
-* xref:../updating/updating-restricted-network-cluster.adoc#installation-adding-registry-pull-secret_updating-restricted-network-cluster[Configuring credentials that allow images to be mirrored]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-mirror-repository_updating-restricted-network-cluster[Mirroring the {product-title} image repository]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-restricted_updating-restricted-network-cluster[Updating the restricted network cluster]
-* xref:../updating/updating-restricted-network-cluster.adoc#images-configuration-registry-mirror_updating-restricted-network-cluster[Configuring image registry repository mirroring]
-* xref:../updating/updating-restricted-network-cluster.adoc#generating-icsp-object-scoped-to-a-registry_updating-restricted-network-cluster[Widening the scope of the mirror image catalog to reduce the frequency of cluster node reboots]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-install[Installing the OpenShift Update Service Operator]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-create-service[Creating an OpenShift Update Service application]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-delete-service[Deleting an OpenShift Update Service application]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-uninstall[Uninstalling the OpenShift Update Service Operator]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-mirror-host[Preparing your mirror host]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#installation-adding-registry-pull-secret_updating-restricted-network-cluster[Configuring credentials that allow images to be mirrored]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#update-mirror-repository_updating-restricted-network-cluster[Mirroring the {product-title} image repository]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#update-restricted_updating-restricted-network-cluster[Updating the disconnected cluster]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#images-configuration-registry-mirror_updating-restricted-network-cluster[Configuring image registry repository mirroring]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#generating-icsp-object-scoped-to-a-registry_updating-restricted-network-cluster[Widening the scope of the mirror image catalog to reduce the frequency of cluster node reboots]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-install[Installing the OpenShift Update Service Operator]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-create-service[Creating an OpenShift Update Service application]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-delete-service[Deleting an OpenShift Update Service application]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-uninstall[Uninstalling the OpenShift Update Service Operator]
 
 [id="updating-clusters-overview-vsphere-updating-hardware"]
 == Updating hardware on nodes running in vSphere

updating/understanding-openshift-updates.adoc

@@ -24,6 +24,6 @@ include::modules/update-common-terms.adoc[leveloffset=+1]
 
 * xref:../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine config overview]
 ifdef::openshift-enterprise[]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[About the OpenShift Update Service]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[About the OpenShift Update Service]
 endif::openshift-enterprise[]
 * xref:../updating/understanding-upgrade-channels-release.adoc#understanding-upgrade-channels_understanding-upgrade-channels-releases[Update channels and releases]

updating/updating-restricted-network-cluster/_attributes

@@ -0,0 +1 @@
+../_attributes/

updating/updating-restricted-network-cluster/images

@@ -0,0 +1 @@
+../images

updating/updating-restricted-network-cluster/index.adoc

@@ -0,0 +1,23 @@
+:_content-type: ASSEMBLY
+[id="about-restricted-network-updates"]
+= About disconnected environment updates
+include::_attributes/common-attributes.adoc[]
+:context: about-restricted-network-updates
+
+toc::[]
+
+A disconnected environment is one in which your cluster nodes cannot access the internet. 
+For this reason, you must populate a registry with the installation images. 
+If your registry host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment and then bring that host or removable media across that gap. 
+If the local container registry and the cluster are connected to the mirror registry's host, you can directly push the release images to the local registry.
+
+A single container image registry is sufficient to host mirrored images for several clusters in the disconnected network.
+
+== Performing a disconnected environment update
+
+You can use one of the following procedures to update a disconnected {product-title} cluster:
+
+* xref:restricted-network-update-OSUS.adoc#updating-restricted-network-cluster-OSUS[Updating disconnected environments using the OpenShift Update Service]
+
+* xref:restricted-network-update.adoc#updating-restricted-network-cluster[Updating disconnected environments without the OpenShift Update Service]
+

updating/updating-restricted-network-cluster/modules

@@ -0,0 +1 @@
+../modules

updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc

@@ -0,0 +1,138 @@
+:_content-type: ASSEMBLY
+[id="updating-restricted-network-cluster-OSUS"]
+= Updating disconnected environments using the OpenShift Update Service
+include::_attributes/common-attributes.adoc[]
+:context: updating-restricted-network-cluster-OSUS
+
+toc::[]
+
+[id="update-restricted-network-cluster-update-service"]
+
+include::modules/update-service-overview.adoc[leveloffset=+1]
+
+.Additional resources
+
+* xref:../../updating/understanding-upgrade-channels-release.adoc#understanding-upgrade-channels_understanding-upgrade-channels-releases[Understanding upgrade channels and releases]
+
+For clusters with internet accessibility, Red Hat provides update recommendations through an {product-title} update service as a hosted service located behind public APIs. However, clusters in a disconnected environment have no way to access public APIs for update information.
+
+To provide a similar update experience in a disconnected environment, you can install and configure the OpenShift Update Service locally so that it is available within a disconnected environment.
+
+The following sections describe how to provide updates for your disconnected cluster and its underlying operating system.
+
+[id="update-service-prereqs"]
+== Prerequisites
+
+* Have access to the internet to obtain the necessary container images.
+* Have write access to a container registry in the disconnected environment to push and pull images. The container registry must be compatible with Docker registry API v2.
+* You must have the `oc` command-line interface (CLI) tool installed.
+* For more information on installing Operators, see xref:../../operators/user/olm-installing-operators-in-namespace.adoc#olm-installing-operators-in-namespace[Installing Operators in your namespace].
+
+[id="registry-configuration-for-update-service"]
+== Configuring access to a secured registry for the OpenShift Update Service
+
+If the release images are contained in a registry whose HTTPS X.509 certificate is signed by a custom certificate authority, complete the steps in xref:../../registry/configuring-registry-operator.adoc#images-configuration-cas_configuring-registry-operator[Configuring additional trust stores for image registry access] along with following changes for the update service.
+
+The OpenShift Update Service Operator needs the config map key name `updateservice-registry` in the registry CA cert.
+
+.Image registry CA config map example for the update service
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: my-registry-ca
+data:
+  updateservice-registry: | <1>
+    -----BEGIN CERTIFICATE-----
+    ...
+    -----END CERTIFICATE-----
+  registry-with-port.example.com..5000: | <2>
+    -----BEGIN CERTIFICATE-----
+    ...
+    -----END CERTIFICATE-----
+----
+<1> The OpenShift Update Service Operator requires the config map key name updateservice-registry in the registry CA cert.
+<2> If the registry has the port, such as `registry-with-port.example.com:5000`, `:` should be replaced with `..`.
+
+include::modules/images-update-global-pull-secret.adoc[leveloffset=+1]
+
+[id="update-service-install"]
+== Installing the OpenShift Update Service Operator
+
+To install the OpenShift Update Service, you must first install the OpenShift Update Service Operator by using the {product-title} web console or CLI.
+
+[NOTE]
+====
+For clusters that are installed in disconnected environments, also known as disconnected clusters, Operator Lifecycle Manager by default cannot access the Red Hat-provided OperatorHub sources hosted on remote registries because those remote sources require full internet connectivity. For more information, see xref:../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks].
+====
+
+include::modules/update-service-install-web-console.adoc[leveloffset=+2]
+
+include::modules/update-service-install-cli.adoc[leveloffset=+2]
+
+include::modules/update-service-graph-data.adoc[leveloffset=+1]
+
+[id="update-service-mirror-release_updating-restricted-network-cluster"]
+== Mirroring the {product-title} image repository
+
+The OpenShift Update Service requires a locally accessible registry containing update release payloads.
+
+You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environment to ensure your clusters only use container images that have satisfied your organizational controls on external content.
+
+There are two supported methods for mirroring images onto a mirror registry:
+
+* Using the oc-mirror OpenShift CLI (`oc`) plugin
+
+* Using the oc adm release mirror command
+
+Choose one of the following supported options.
+
+include::modules/update-mirror-repository-oc-mirror.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plugin]
+
+include::modules/update-service-mirror-release.adoc[leveloffset=+2]
+
+[id="update-service-create-service"]
+== Creating an OpenShift Update Service application
+
+You can create an OpenShift Update Service application by using the {product-title} web console or CLI.
+
+include::modules/update-service-create-service-web-console.adoc[leveloffset=+2]
+
+include::modules/update-service-create-service-cli.adoc[leveloffset=+2]
+
+[NOTE]
+====
+The policy engine route name must not be more than 63 characters based on RFC-1123. If you see `ReconcileCompleted` status as `false`  with the reason `CreateRouteFailed` caused by `host must conform to DNS 1123 naming convention
+and must be no more than 63 characters`, try creating the Update Service with a shorter name.
+====
+
+include::modules/update-service-configure-cvo.adoc[leveloffset=+3]
+
+[NOTE]
+====
+See xref:../../networking/enable-cluster-wide-proxy.adoc#nw-proxy-configure-object[Enabling the cluster-wide proxy] to configure the CA to trust the update server.
+====
+
+[id="update-service-delete-service"]
+== Deleting an OpenShift Update Service application
+
+You can delete an OpenShift Update Service application by using the {product-title} web console or CLI.
+
+include::modules/update-service-delete-service-web-console.adoc[leveloffset=+2]
+
+include::modules/update-service-delete-service-cli.adoc[leveloffset=+2]
+
+[id="update-service-uninstall"]
+== Uninstalling the OpenShift Update Service Operator
+
+To uninstall the OpenShift Update Service, you must first delete all OpenShift Update Service applications by using the {product-title} web console or CLI.
+
+include::modules/update-service-uninstall-web-console.adoc[leveloffset=+2]
+
+include::modules/update-service-uninstall-cli.adoc[leveloffset=+2]

updating/updating-restricted-network-cluster/restricted-network-update.adoc

@@ -0,0 +1,71 @@
+:_content-type: ASSEMBLY
+[id="updating-restricted-network-cluster"]
+= Updating disconnected environments without the OpenShift Update Service
+include::_attributes/common-attributes.adoc[]
+:context: updating-restricted-network-cluster
+
+toc::[]
+
+== Prerequisites
+
+* Have access to the internet to obtain the necessary container images.
+* Have write access to a container registry in the disconnected environment to push and pull images. The container registry must be compatible with Docker registry API v2.
+* You must have the `oc` command-line interface (CLI) tool installed.
+* Have access to the cluster as a user with `admin` privileges.
+See xref:../../authentication/using-rbac.adoc[Using RBAC to define and apply permissions].
+* Have a recent xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[etcd backup] in case your update fails and you must xref:../../backup_and_restore/control_plane_backup_and_restore/disaster_recovery/scenario-2-restoring-cluster-state.adoc#dr-restoring-cluster-state[restore your cluster to a previous state].
+* Ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy.
+* If your cluster uses manually maintained credentials, ensure that the Cloud Credential Operator (CCO) is in an upgradeable state. For more information, see _Upgrading clusters with manually maintained credentials_ for xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-aws[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-gcp[GCP].
+//STS is not currently supported in a disconnected environment, but the following bullet can be uncommented when that changes.
+//* If your cluster uses manually maintained credentials with the AWS Secure Token Service (STS), obtain a copy of the `ccoctl` utility from the release image being upgraded to and use it to process any updated credentials. For more information, see xref:../../authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc#sts-mode-upgrading[_Upgrading an OpenShift Container Platform cluster configured for manual mode with STS_].
+* If you run an Operator or you have configured any application with the pod disruption budget, you might experience an interruption during the upgrade process. If `minAvailable` is set to 1 in `PodDisruptionBudget`, the nodes are drained to apply pending machine configs which might block the eviction process. If several nodes are rebooted, all the pods might run on only one node, and the `PodDisruptionBudget` field can prevent the node drain.
+
+[id="updating-restricted-network-mirror-host"]
+== Preparing your mirror host
+
+Before you perform the mirror procedure, you must prepare the host to retrieve content
+and push it to the remote location.
+
+include::modules/cli-installing-cli.adoc[leveloffset=+2]
+
+// this file doesn't exist, so I'm including the one that should pick up more changes from Clayton's PR - modules/installation-adding-mirror-registry-pull-secret.adoc[leveloffset=+1]
+
+include::modules/installation-adding-registry-pull-secret.adoc[leveloffset=+2]
+
+[id="update-mirror-repository_updating-restricted-network-cluster"]
+== Mirroring the {product-title} image repository
+
+You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environment to ensure your clusters only use container images that have satisfied your organizational controls on external content.
+
+There are two supported methods for mirroring images onto a mirror registry:
+
+* Using the oc-mirror OpenShift CLI (`oc`) plugin
+
+* Using the oc adm release mirror command
+
+Choose one of the following supported options.
+
+include::modules/update-mirror-repository-oc-mirror.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plugin]
+
+include::modules/update-mirror-repository.adoc[leveloffset=+2]
+
+include::modules/machine-health-checks-pausing.adoc[leveloffset=+1]
+
+include::modules/update-restricted.adoc[leveloffset=+1]
+
+include::modules/images-configuration-registry-mirror.adoc[leveloffset=+1]
+
+include::modules/generating-icsp-object-scoped-to-a-registry.adoc[leveloffset=+1]
+
+[id="additional-resources_security-container-signature"]
+[role="_additional-resources"]
+== Additional resources
+
+* xref:../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks]
+
+* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine Config Overview]

updating/updating-restricted-network-cluster/snippets

@@ -0,0 +1 @@
+../snippets

welcome/index.adoc

@@ -319,7 +319,7 @@ There is a separate process for
 xref:../updating/updating-disconnected-cluster.adoc#updating-disconnected-cluster[updating a cluster on a restricted network].
 ////
 
-- **xref:../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[Understanding the OpenShift Update Service]**: Learn about installing and managing a local OpenShift Update Service for recommending {product-title} updates in restricted network environments.
+- **xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[Understanding the OpenShift Update Service]**: Learn about installing and managing a local OpenShift Update Service for recommending {product-title} updates in disconnected environments.
 
 - **xref:../nodes/clusters/nodes-cluster-worker-latency-profiles.adoc#nodes-cluster-worker-latency-profiles[Improving cluster stability in high latency environments using worker latency profiles]**: If your network has latency issues, you can use one of three _worker latency profiles_ to help ensure that your control plane does not accidentally evict pods in case it cannot reach a worker node. You can configure or modify the profile at any time during the life of the cluster.