diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 210dcb6961..a7cda2d659 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -581,9 +581,16 @@ Topics: - Name: Updating a cluster that includes RHEL compute machines File: updating-cluster-rhel-compute Distros: openshift-enterprise -- Name: Updating a restricted network cluster - File: updating-restricted-network-cluster +- Name: Updating a disconnected environment + Dir: updating-restricted-network-cluster Distros: openshift-enterprise + Topics: + - Name: About disconnected environment updates + File: index + - Name: Updating disconnected environments using OSUS + File: restricted-network-update-OSUS + - Name: Updating disconnected environments without OSUS + File: restricted-network-update - Name: Updating hardware on nodes running on vSphere File: updating-hardware-on-nodes-running-on-vsphere # - Name: Troubleshooting an update diff --git a/getting_started/openshift-overview.adoc b/getting_started/openshift-overview.adoc index 6052dabbeb..8a9091c922 100644 --- a/getting_started/openshift-overview.adoc +++ b/getting_started/openshift-overview.adoc 
@@ -104,7 +104,7 @@ be reviewed by cluster administrators and xref:../operators/admin/olm-adding-ope * **xref:../scalability_and_performance/scaling-cluster-monitoring-operator.adoc#scaling-cluster-monitoring-operator[Scale] and xref:../scalability_and_performance/using-node-tuning-operator.adoc#using-node-tuning-operator[tune] clusters**: Set cluster limits, tune nodes, scale cluster monitoring, and optimize networking, storage, and routes for your environment. -* **xref:../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[Understanding the OpenShift Update Service]**: Learn about installing and managing a local OpenShift Update Service for recommending {product-title} updates in restricted network environments. +* **xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[Understanding the OpenShift Update Service]**: Learn about installing and managing a local OpenShift Update Service for recommending {product-title} updates in disconnected environments. * **xref:../monitoring/monitoring-overview.adoc#monitoring-overview[Monitor clusters]**: Learn to xref:../monitoring/configuring-the-monitoring-stack.adoc#configuring-the-monitoring-stack[configure the monitoring stack]. diff --git a/installing/disconnected_install/installing-mirroring-disconnected.adoc b/installing/disconnected_install/installing-mirroring-disconnected.adoc index 6c50f1d633..04dfe2e9b6 100644 --- a/installing/disconnected_install/installing-mirroring-disconnected.adoc +++ b/installing/disconnected_install/installing-mirroring-disconnected.adoc 
@@ -69,7 +69,7 @@ include::modules/oc-mirror-creating-image-set-config.adoc[leveloffset=+1] * xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#oc-mirror-imageset-config-params_installing-mirroring-disconnected[Image set configuration parameters] * xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#oc-mirror-image-set-examples_installing-mirroring-disconnected[Image set configuration examples] -* xref:../../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[About the OpenShift Update Service] +* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[About the OpenShift Update Service] [id="mirroring-image-set"] == Mirroring an image set to a mirror registry diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc index d556379fa2..07fa00be81 100644 --- a/modules/cli-installing-cli.adoc +++ b/modules/cli-installing-cli.adoc @@ -46,7 +46,7 @@ // * openshift_images/samples-operator-alt-registry.adoc // * installing/installing_rhv/installing-rhv-customizations.adoc // * installing/installing_rhv/installing-rhv-default.adoc -// * updating/updating-restricted-network-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc // // AMQ docs link to this; do not change anchor @@ -67,7 +67,7 @@ If you installed an earlier version of `oc`, you cannot use it to complete all of the commands in {product-title} {product-version}. Download and install the new version of `oc`. ifdef::restricted[] -If you are upgrading a cluster in a restricted network, install the `oc` version that you plan to upgrade to. +If you are upgrading a cluster in a disconnected environment, install the `oc` version that you plan to upgrade to. endif::restricted[] ==== 
diff --git a/modules/generating-icsp-object-scoped-to-a-registry.adoc b/modules/generating-icsp-object-scoped-to-a-registry.adoc index 82b9356f92..01d67e424b 100644 --- a/modules/generating-icsp-object-scoped-to-a-registry.adoc +++ b/modules/generating-icsp-object-scoped-to-a-registry.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * updating/updating-restricted-network-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc :_content-type: PROCEDURE [id="generating-icsp-object-scoped-to-a-registry_{context}"] diff --git a/modules/images-configuration-registry-mirror.adoc b/modules/images-configuration-registry-mirror.adoc index 527ed70a70..968b6f67ae 100644 --- a/modules/images-configuration-registry-mirror.adoc +++ b/modules/images-configuration-registry-mirror.adoc @@ -2,6 +2,7 @@ // // * openshift_images/image-configuration.adoc // * post_installation_configuration/preparing-for-users.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc :_content-type: PROCEDURE [id="images-configuration-registry-mirror_{context}"] 
@@ -15,7 +16,7 @@ Setting up container registry repository mirroring enables you to do the followi The attributes of repository mirroring in {product-title} include: * Image pulls are resilient to registry downtimes. -* Clusters in restricted networks can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images. +* Clusters in disconnected environments can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images. * A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried. * The mirror information you enter is added to the `/etc/containers/registries.conf` file on every node in the {product-title} cluster. * When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. If successful, the image is pulled to the node. @@ -24,7 +25,7 @@ Setting up repository mirroring can be done in the following ways: * At {product-title} installation: + -By pulling container images needed by {product-title} and then bringing those images behind your company's firewall, you can install {product-title} into a datacenter that is in a restricted network. +By pulling container images needed by {product-title} and then bringing those images behind your company's firewall, you can install {product-title} into a datacenter that is in a disconnected environment. * After {product-title} installation: + diff --git a/modules/images-update-global-pull-secret.adoc b/modules/images-update-global-pull-secret.adoc index 4a568b97f5..f91a612f46 100644 --- a/modules/images-update-global-pull-secret.adoc +++ b/modules/images-update-global-pull-secret.adoc 
@@ -2,7 +2,8 @@ // * openshift_images/managing_images/using-image-pull-secrets.adoc // * post_installation_configuration/cluster-tasks.adoc // * support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc -// * updating/updating-restricted-network-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc // // Not included, but linked to from: // * operators/admin/olm-managing-custom-catalogs.adoc diff --git a/modules/installation-adding-registry-pull-secret.adoc b/modules/installation-adding-registry-pull-secret.adoc index 1cb08697b7..2916f044ca 100644 --- a/modules/installation-adding-registry-pull-secret.adoc +++ b/modules/installation-adding-registry-pull-secret.adoc @@ -4,7 +4,7 @@ // * installing/disconnected_install/installing-mirroring-disconnected.adoc // * openshift_images/samples-operator-alt-registry.adoc // * scalability_and_performance/ztp_far_edge/ztp-deploying-far-edge-clusters-at-scale.adoc -// * updating/updating-restricted-network-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc ifeval::["{context}" == "updating-restricted-network-cluster"] :restricted: @@ -43,7 +43,7 @@ endif::restricted[] .Prerequisites -* You configured a mirror registry to use in your restricted network. +* You configured a mirror registry to use in your disconnected environment. ifdef::restricted[] * You identified an image repository location on your mirror registry to mirror images into. * You provisioned a mirror registry account that allows images to be uploaded to that image repository. diff --git a/modules/machine-health-checks-pausing.adoc b/modules/machine-health-checks-pausing.adoc index fbfa38be77..61b6154275 100644 --- a/modules/machine-health-checks-pausing.adoc +++ b/modules/machine-health-checks-pausing.adoc 
@@ -2,7 +2,7 @@ // * updating/updating-cluster-cli.adoc // * updating/updating-cluster-within-minor.adoc -// * updating/updating-restricted-network-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc :_content-type: PROCEDURE [id="machine-health-checks-pausing_{context}"] diff --git a/modules/update-mirror-repository-oc-mirror.adoc b/modules/update-mirror-repository-oc-mirror.adoc index fdb81e293d..baaccc6b73 100644 --- a/modules/update-mirror-repository-oc-mirror.adoc +++ b/modules/update-mirror-repository-oc-mirror.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: -// -// * updating/updating-restricted-network-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc :_content-type: PROCEDURE [id="update-mirror-repository-oc-mirror_{context}"] diff --git a/modules/update-mirror-repository.adoc b/modules/update-mirror-repository.adoc index 2cafa3c3b1..38360ec099 100644 --- a/modules/update-mirror-repository.adoc +++ b/modules/update-mirror-repository.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * updating/updating-restricted-network-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc :_content-type: PROCEDURE [id="update-mirror-repository-adm-release-mirror_{context}"] @@ -103,7 +103,7 @@ $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH} ---- $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} ---- -... Take the media to the restricted network environment and upload the images to the local container registry. +... Take the media to the disconnected environment and upload the images to the local container registry. + [source,terminal] ---- 
diff --git a/modules/update-restricted.adoc b/modules/update-restricted.adoc index c1f96175c8..1f1704e719 100644 --- a/modules/update-restricted.adoc +++ b/modules/update-restricted.adoc @@ -1,12 +1,12 @@ // Module included in the following assemblies: // -// * updating/updating-restricted-network-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update.adoc :_content-type: PROCEDURE [id="update-restricted_{context}"] -= Upgrading the restricted network cluster += Upgrading the disconnected cluster -Update the restricted network cluster to the {product-title} version that you downloaded the release images for. +Update the disconnected cluster to the {product-title} version that you downloaded the release images for. //TODO: Add xrefs in the following note when functionality is enabled. diff --git a/modules/update-service-configure-cvo.adoc b/modules/update-service-configure-cvo.adoc index d4cf9c762d..228e7c13c5 100644 --- a/modules/update-service-configure-cvo.adoc +++ b/modules/update-service-configure-cvo.adoc @@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-configure-cvo"] = Configuring the Cluster Version Operator (CVO) diff --git a/modules/update-service-create-service-cli.adoc b/modules/update-service-create-service-cli.adoc index f0532f4d12..788a689311 100644 --- a/modules/update-service-create-service-cli.adoc +++ b/modules/update-service-create-service-cli.adoc @@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-create-service-cli_{context}"] = Creating an OpenShift Update Service application by using the CLI 
diff --git a/modules/update-service-create-service-web-console.adoc b/modules/update-service-create-service-web-console.adoc index fba5e1b8f3..404bfe570b 100644 --- a/modules/update-service-create-service-web-console.adoc +++ b/modules/update-service-create-service-web-console.adoc @@ -1,3 +1,6 @@ +//Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-create-service-web-console_{context}"] = Creating an OpenShift Update Service application by using the web console diff --git a/modules/update-service-delete-service-cli.adoc b/modules/update-service-delete-service-cli.adoc index 55dd92e7e1..9df9c9f348 100644 --- a/modules/update-service-delete-service-cli.adoc +++ b/modules/update-service-delete-service-cli.adoc @@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-delete-service-cli_{context}"] = Deleting an OpenShift Update Service application by using the CLI diff --git a/modules/update-service-delete-service-web-console.adoc b/modules/update-service-delete-service-web-console.adoc index cb3f9ef23e..a339a28b66 100644 --- a/modules/update-service-delete-service-web-console.adoc +++ b/modules/update-service-delete-service-web-console.adoc @@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-delete-service-web-console_{context}"] = Deleting an OpenShift Update Service application by using the web console diff --git a/modules/update-service-graph-data.adoc b/modules/update-service-graph-data.adoc index 66b7e29483..88df4e85e7 100644 --- a/modules/update-service-graph-data.adoc +++ b/modules/update-service-graph-data.adoc 
@@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-graph-data_{context}"] = Creating the OpenShift Update Service graph data container image @@ -33,5 +36,5 @@ $ podman push registry.example.com/openshift/graph-data:latest + [NOTE] ==== -To push a graph data image to a local registry in a restricted network, copy the graph-data container image created in the previous step to a repository that is accessible to the OpenShift Update Service. Run `oc image mirror --help` for available options. +To push a graph data image to a local registry in a disconnected environment, copy the graph-data container image created in the previous step to a repository that is accessible to the OpenShift Update Service. Run `oc image mirror --help` for available options. ==== diff --git a/modules/update-service-install-cli.adoc b/modules/update-service-install-cli.adoc index 25992fc22e..18f9988901 100644 --- a/modules/update-service-install-cli.adoc +++ b/modules/update-service-install-cli.adoc @@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-install-cli_{context}"] = Installing the OpenShift Update Service Operator by using the CLI 
@@ -82,7 +85,7 @@ spec: sourceNamespace: "openshift-marketplace" name: "cincinnati-operator" ---- -<1> Specify the name of the catalog source that provides the Operator. For clusters that do not use a custom Operator Lifecycle Manager (OLM), specify `redhat-operators`. If your {product-title} cluster is installed on a restricted network, also known as a disconnected cluster, specify the name of the `CatalogSource` object created when you configured Operator Lifecycle Manager (OLM). +<1> Specify the name of the catalog source that provides the Operator. For clusters that do not use a custom Operator Lifecycle Manager (OLM), specify `redhat-operators`. If your {product-title} cluster is installed in a disconnected environment, specify the name of the `CatalogSource` object created when you configured Operator Lifecycle Manager (OLM). .. Create the `Subscription` object: + diff --git a/modules/update-service-install-web-console.adoc b/modules/update-service-install-web-console.adoc index 89969fd299..90a0152da6 100644 --- a/modules/update-service-install-web-console.adoc +++ b/modules/update-service-install-web-console.adoc @@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-install-web-console_{context}"] = Installing the OpenShift Update Service Operator by using the web console diff --git a/modules/update-service-mirror-release.adoc b/modules/update-service-mirror-release.adoc index 75bcaae067..6d3318b364 100644 --- a/modules/update-service-mirror-release.adoc +++ b/modules/update-service-mirror-release.adoc 
@@ -1,9 +1,10 @@ +// Module included in the following assemblies: +// *updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-mirror-release-adm-release-mirror_{context}"] = Mirroring images using the oc adm release mirror command -The OpenShift Update Service requires a locally accessible registry containing update release payloads. - [IMPORTANT] ==== To avoid excessive memory usage by the OpenShift Update Service application, it is recommended that you mirror release images to a separate repository, as described in the following procedure. @@ -13,7 +14,7 @@ To avoid excessive memory usage by the OpenShift Update Service application, it * You reviewed and completed the steps from "Mirroring images for a disconnected installation" up to but not including the section entitled *Mirroring the {product-title} image repository*. //TODO: Add xref to preceding step when allowed. -* You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured. +* You configured a mirror registry to use in your disconnected environment and can access the certificate and credentials that you configured. ifndef::openshift-origin[] * You downloaded the {cluster-manager-url-pull} and modified it to include authentication to your mirror repository. endif::[] @@ -132,7 +133,7 @@ $ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ ---- $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} ---- -... Take the media to the restricted network environment and upload the images to the local container registry: +... Take the media to the disconnected environment and upload the images to the local container registry: + [source,terminal] ---- 
diff --git a/modules/update-service-overview.adoc b/modules/update-service-overview.adoc index fb5a4648f9..6df2aa6613 100644 --- a/modules/update-service-overview.adoc +++ b/modules/update-service-overview.adoc @@ -5,13 +5,13 @@ // * updating/updating-cluster-cli.adoc // * updating/updating-cluster-rhel-compute.adoc // * updating/updating-cluster.adoc -// * updating/updating-disconnected-cluster.adoc +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc :_content-type: CONCEPT [id="update-service-overview_{context}"] = About the OpenShift Update Service -The OpenShift Update Service (OSUS) provides over-the-air updates to {product-title}, including {op-system-first}. It provides a graph, or diagram, that contains the _vertices_ of component Operators and the _edges_ that connect them. The edges in the graph show which versions you can safely update to. The vertices are update payloads that specify the intended state of the managed cluster components. +The OpenShift Update Service (OSUS) provides updates to {product-title}, including {op-system-first}. It provides a graph, or diagram, that contains the _vertices_ of component Operators and the _edges_ that connect them. The edges in the graph show which versions you can safely update to. The vertices are update payloads that specify the intended state of the managed cluster components. The Cluster Version Operator (CVO) in your cluster checks with the OpenShift Update Service to see the valid updates and update paths based on current component versions and information in the graph. When you request an update, the CVO uses the release image for that update to update your cluster. The release artifacts are hosted in Quay as container images. //// diff --git a/modules/update-service-uninstall-cli.adoc b/modules/update-service-uninstall-cli.adoc index df38313538..334ca8465e 100644 --- a/modules/update-service-uninstall-cli.adoc +++ b/modules/update-service-uninstall-cli.adoc 
@@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-uninstall-cli_{context}"] = Uninstalling the OpenShift Update Service Operator by using the CLI diff --git a/modules/update-service-uninstall-web-console.adoc b/modules/update-service-uninstall-web-console.adoc index c3a8683426..62d44281fb 100644 --- a/modules/update-service-uninstall-web-console.adoc +++ b/modules/update-service-uninstall-web-console.adoc @@ -1,3 +1,6 @@ +// Module included in the following assemblies: +// * updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc + :_content-type: PROCEDURE [id="update-service-uninstall-web-console_{context}"] = Uninstalling the OpenShift Update Service Operator by using the web console diff --git a/security/container_security/security-hosts-vms.adoc b/security/container_security/security-hosts-vms.adoc index 245c9f4f9a..c8e122b154 100644 --- a/security/container_security/security-hosts-vms.adoc +++ b/security/container_security/security-hosts-vms.adoc @@ -31,7 +31,7 @@ ifndef::openshift-origin[] endif::[] * xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-encrypt-disk_installing-customizing[Disk encryption] * xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-chrony_installing-customizing[Chrony time service] -* xref:../../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[{product-title} cluster updates] +* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[{product-title} cluster updates] // Virtualization versus containers include::modules/security-hosts-vms-vs-containers.adoc[leveloffset=+1] 
diff --git a/updating/index.adoc b/updating/index.adoc
index 25c10b1a28..dd4fc0fbdd 100644
--- a/updating/index.adoc
+++ b/updating/index.adoc
@@ -66,19 +66,19 @@ xref:../updating/updating-cluster-rhel-compute.adoc#updating-cluster-rhel-comput * xref:../updating/updating-cluster-rhel-compute.adoc#rhel-compute-updating-minor_updating-cluster-rhel-compute[Updating {op-system-base} compute machines in your cluster] [id="updating-clusters-overview-update-restricted-network-cluster"] -== Updating a restricted network cluster -xref:../updating/updating-restricted-network-cluster.adoc#updating-restricted-network-cluster[Updating a restricted network cluster]: If your mirror host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment. You can then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror host of a registry, you can directly push the release images to the local registry. +== Updating a disconnected cluster +xref:../updating/updating-restricted-network-cluster/index.adoc#about-restricted-network-updates[Updating a disconnected cluster]: If your mirror host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment. You can then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror host of a registry, you can directly push the release images to the local registry. 
-* xref:../updating/updating-restricted-network-cluster.adoc#updating-restricted-network-mirror-host[Preparing your mirror host]
-* xref:../updating/updating-restricted-network-cluster.adoc#installation-adding-registry-pull-secret_updating-restricted-network-cluster[Configuring credentials that allow images to be mirrored]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-mirror-repository_updating-restricted-network-cluster[Mirroring the {product-title} image repository]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-restricted_updating-restricted-network-cluster[Updating the restricted network cluster]
-* xref:../updating/updating-restricted-network-cluster.adoc#images-configuration-registry-mirror_updating-restricted-network-cluster[Configuring image registry repository mirroring]
-* xref:../updating/updating-restricted-network-cluster.adoc#generating-icsp-object-scoped-to-a-registry_updating-restricted-network-cluster[Widening the scope of the mirror image catalog to reduce the frequency of cluster node reboots]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-install[Installing the OpenShift Update Service Operator]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-create-service[Creating an OpenShift Update Service application]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-delete-service[Deleting an OpenShift Update Service application]
-* xref:../updating/updating-restricted-network-cluster.adoc#update-service-uninstall[Uninstalling the OpenShift Update Service Operator]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-mirror-host[Preparing your mirror host]
+* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#installation-adding-registry-pull-secret_updating-restricted-network-cluster[Configuring credentials that allow images to be
mirrored] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#update-mirror-repository_updating-restricted-network-cluster[Mirroring the {product-title} image repository] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#update-restricted_updating-restricted-network-cluster[Updating the disconnected cluster] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#images-configuration-registry-mirror_updating-restricted-network-cluster[Configuring image registry repository mirroring] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#generating-icsp-object-scoped-to-a-registry_updating-restricted-network-cluster[Widening the scope of the mirror image catalog to reduce the frequency of cluster node reboots] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-install[Installing the OpenShift Update Service Operator] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-create-service[Creating an OpenShift Update Service application] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-delete-service[Deleting an OpenShift Update Service application] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-uninstall[Uninstalling the OpenShift Update Service Operator] [id="updating-clusters-overview-vsphere-updating-hardware"] == Updating hardware on nodes running in vSphere diff --git a/updating/understanding-openshift-updates.adoc b/updating/understanding-openshift-updates.adoc index d2536b15cc..6bdd95a529 100644 --- a/updating/understanding-openshift-updates.adoc +++ b/updating/understanding-openshift-updates.adoc 
@@ -24,6 +24,6 @@ include::modules/update-common-terms.adoc[leveloffset=+1] * xref:../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine config overview] ifdef::openshift-enterprise[] -* xref:../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[About the OpenShift Update Service] +* xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[About the OpenShift Update Service] endif::openshift-enterprise[] * xref:../updating/understanding-upgrade-channels-release.adoc#understanding-upgrade-channels_understanding-upgrade-channels-releases[Update channels and releases] diff --git a/updating/updating-restricted-network-cluster/_attributes b/updating/updating-restricted-network-cluster/_attributes new file mode 120000 index 0000000000..f27fd275ea --- /dev/null +++ b/updating/updating-restricted-network-cluster/_attributes @@ -0,0 +1 @@ +../_attributes/ \ No newline at end of file diff --git a/updating/updating-restricted-network-cluster/images b/updating/updating-restricted-network-cluster/images new file mode 120000 index 0000000000..5e67573196 --- /dev/null +++ b/updating/updating-restricted-network-cluster/images @@ -0,0 +1 @@ +../images \ No newline at end of file diff --git a/updating/updating-restricted-network-cluster/index.adoc b/updating/updating-restricted-network-cluster/index.adoc new file mode 100644 index 0000000000..7e3f2e982e --- /dev/null +++ b/updating/updating-restricted-network-cluster/index.adoc 
@@ -0,0 +1,23 @@
+:_content-type: ASSEMBLY
+[id="about-restricted-network-updates"]
+= About disconnected environment updates
+include::_attributes/common-attributes.adoc[]
+:context: about-restricted-network-updates
+
+toc::[]
+
+A disconnected environment is one in which your cluster nodes cannot access the internet.
+For this reason, you must populate a registry with the installation images.
+If your registry host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment and then bring that host or removable media across that gap.
+If the local container registry and the cluster are connected to the mirror registry's host, you can directly push the release images to the local registry.
+
+A single container image registry is sufficient to host mirrored images for several clusters in the disconnected network.
+
+== Performing a disconnected environment update
+
+You can use one of the following procedures to update a disconnected {product-title} cluster:
+
+* xref:restricted-network-update-OSUS.adoc#updating-restricted-network-cluster-OSUS[Updating disconnected environments using the OpenShift Update Service]
+
+* xref:restricted-network-update.adoc#updating-restricted-network-cluster[Updating disconnected environments without the OpenShift Update Service]
+
diff --git a/updating/updating-restricted-network-cluster/modules b/updating/updating-restricted-network-cluster/modules
new file mode 120000
index 0000000000..464b823aca
--- /dev/null
+++ b/updating/updating-restricted-network-cluster/modules
@@ -0,0 +1 @@
+../modules
\ No newline at end of file
diff --git a/updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc b/updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
new file mode 100644
index 0000000000..1c680a7b47
--- /dev/null
+++ b/updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc
@@ -0,0 +1,138 @@
+:_content-type: ASSEMBLY
+[id="updating-restricted-network-cluster-OSUS"]
+= Updating disconnected environments using the OpenShift Update Service
+include::_attributes/common-attributes.adoc[]
+:context: updating-restricted-network-cluster-OSUS
+
+toc::[]
+
+[id="update-restricted-network-cluster-update-service"]
+
+include::modules/update-service-overview.adoc[leveloffset=+1]
+
+.Additional resources
+
+* xref:../../updating/understanding-upgrade-channels-release.adoc#understanding-upgrade-channels_understanding-upgrade-channels-releases[Understanding upgrade channels and releases]
+
+For clusters with internet accessibility, Red Hat provides update recommendations through an {product-title} update service as a hosted service located behind public APIs. However, clusters in a disconnected environment have no way to access public APIs for update information.
+
+To provide a similar update experience in a disconnected environment, you can install and configure the OpenShift Update Service locally so that it is available within a disconnected environment.
+
+The following sections describe how to provide updates for your disconnected cluster and its underlying operating system.
+
+[id="update-service-prereqs"]
+== Prerequisites
+
+* Have access to the internet to obtain the necessary container images.
+* Have write access to a container registry in the disconnected environment to push and pull images. The container registry must be compatible with Docker registry API v2.
+* You must have the `oc` command-line interface (CLI) tool installed.
+* For more information on installing Operators, see xref:../../operators/user/olm-installing-operators-in-namespace.adoc#olm-installing-operators-in-namespace[Installing Operators in your namespace].
+
+[id="registry-configuration-for-update-service"]
+== Configuring access to a secured registry for the OpenShift Update Service
+
+If the release images are contained in a registry whose HTTPS X.509 certificate is signed by a custom certificate authority, complete the steps in xref:../../registry/configuring-registry-operator.adoc#images-configuration-cas_configuring-registry-operator[Configuring additional trust stores for image registry access] along with following changes for the update service.
+
+The OpenShift Update Service Operator needs the config map key name `updateservice-registry` in the registry CA cert.
+
+.Image registry CA config map example for the update service
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: my-registry-ca
+data:
+ updateservice-registry: | <1>
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ registry-with-port.example.com..5000: | <2>
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+----
+<1> The OpenShift Update Service Operator requires the config map key name updateservice-registry in the registry CA cert.
+<2> If the registry has the port, such as `registry-with-port.example.com:5000`, `:` should be replaced with `..`.
+
+include::modules/images-update-global-pull-secret.adoc[leveloffset=+1]
+
+[id="update-service-install"]
+== Installing the OpenShift Update Service Operator
+
+To install the OpenShift Update Service, you must first install the OpenShift Update Service Operator by using the {product-title} web console or CLI.
+
+[NOTE]
+====
+For clusters that are installed in disconnected environments, also known as disconnected clusters, Operator Lifecycle Manager by default cannot access the Red Hat-provided OperatorHub sources hosted on remote registries because those remote sources require full internet connectivity. For more information, see xref:../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks].
+====
+
+include::modules/update-service-install-web-console.adoc[leveloffset=+2]
+
+include::modules/update-service-install-cli.adoc[leveloffset=+2]
+
+include::modules/update-service-graph-data.adoc[leveloffset=+1]
+
+[id="update-service-mirror-release_updating-restricted-network-cluster"]
+== Mirroring the {product-title} image repository
+
+The OpenShift Update Service requires a locally accessible registry containing update release payloads.
+
+You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environment to ensure your clusters only use container images that have satisfied your organizational controls on external content.
+
+There are two supported methods for mirroring images onto a mirror registry:
+
+* Using the oc-mirror OpenShift CLI (`oc`) plugin
+
+* Using the oc adm release mirror command
+
+Choose one of the following supported options.
+
+include::modules/update-mirror-repository-oc-mirror.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plugin]
+
+include::modules/update-service-mirror-release.adoc[leveloffset=+2]
+
+[id="update-service-create-service"]
+== Creating an OpenShift Update Service application
+
+You can create an OpenShift Update Service application by using the {product-title} web console or CLI.
+
+include::modules/update-service-create-service-web-console.adoc[leveloffset=+2]
+
+include::modules/update-service-create-service-cli.adoc[leveloffset=+2]
+
+[NOTE]
+====
+The policy engine route name must not be more than 63 characters based on RFC-1123. If you see `ReconcileCompleted` status as `false` with the reason `CreateRouteFailed` caused by `host must conform to DNS 1123 naming convention
+and must be no more than 63 characters`, try creating the Update Service with a shorter name.
+====
+
+include::modules/update-service-configure-cvo.adoc[leveloffset=+3]
+
+[NOTE]
+====
+See xref:../../networking/enable-cluster-wide-proxy.adoc#nw-proxy-configure-object[Enabling the cluster-wide proxy] to configure the CA to trust the update server.
+====
+
+[id="update-service-delete-service"]
+== Deleting an OpenShift Update Service application
+
+You can delete an OpenShift Update Service application by using the {product-title} web console or CLI.
+
+include::modules/update-service-delete-service-web-console.adoc[leveloffset=+2]
+
+include::modules/update-service-delete-service-cli.adoc[leveloffset=+2]
+
+[id="update-service-uninstall"]
+== Uninstalling the OpenShift Update Service Operator
+
+To uninstall the OpenShift Update Service, you must first delete all OpenShift Update Service applications by using the {product-title} web console or CLI.
+
+include::modules/update-service-uninstall-web-console.adoc[leveloffset=+2]
+
+include::modules/update-service-uninstall-cli.adoc[leveloffset=+2]
\ No newline at end of file
diff --git a/updating/updating-restricted-network-cluster/restricted-network-update.adoc b/updating/updating-restricted-network-cluster/restricted-network-update.adoc
new file mode 100644
index 0000000000..dfa2074d46
--- /dev/null
+++ b/updating/updating-restricted-network-cluster/restricted-network-update.adoc
@@ -0,0 +1,71 @@
+:_content-type: ASSEMBLY
+[id="updating-restricted-network-cluster"]
+= Updating disconnected environments without the OpenShift Update Service
+include::_attributes/common-attributes.adoc[]
+:context: updating-restricted-network-cluster
+
+toc::[]
+
+== Prerequisites
+
+* Have access to the internet to obtain the necessary container images.
+* Have write access to a container registry in the disconnected environment to push and pull images. The container registry must be compatible with Docker registry API v2.
+* You must have the `oc` command-line interface (CLI) tool installed.
+* Have access to the cluster as a user with `admin` privileges.
+See xref:../../authentication/using-rbac.adoc[Using RBAC to define and apply permissions].
+* Have a recent xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[etcd backup] in case your update fails and you must xref:../../backup_and_restore/control_plane_backup_and_restore/disaster_recovery/scenario-2-restoring-cluster-state.adoc#dr-restoring-cluster-state[restore your cluster to a previous state].
+* Ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy.
+* If your cluster uses manually maintained credentials, ensure that the Cloud Credential Operator (CCO) is in an upgradeable state. For more information, see _Upgrading clusters with manually maintained credentials_ for xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-aws[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-gcp[GCP].
+//STS is not currently supported in a disconnected environment, but the following bullet can be uncommented when that changes.
+//* If your cluster uses manually maintained credentials with the AWS Secure Token Service (STS), obtain a copy of the `ccoctl` utility from the release image being upgraded to and use it to process any updated credentials. For more information, see xref:../../authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc#sts-mode-upgrading[_Upgrading an OpenShift Container Platform cluster configured for manual mode with STS_].
+* If you run an Operator or you have configured any application with the pod disruption budget, you might experience an interruption during the upgrade process. If `minAvailable` is set to 1 in `PodDisruptionBudget`, the nodes are drained to apply pending machine configs which might block the eviction process. If several nodes are rebooted, all the pods might run on only one node, and the `PodDisruptionBudget` field can prevent the node drain.
+
+[id="updating-restricted-network-mirror-host"]
+== Preparing your mirror host
+
+Before you perform the mirror procedure, you must prepare the host to retrieve content
+and push it to the remote location.
+
+include::modules/cli-installing-cli.adoc[leveloffset=+2]
+
+// this file doesn't exist, so I'm including the one that should pick up more changes from Clayton's PR - modules/installation-adding-mirror-registry-pull-secret.adoc[leveloffset=+1]
+
+include::modules/installation-adding-registry-pull-secret.adoc[leveloffset=+2]
+
+[id="update-mirror-repository_updating-restricted-network-cluster"]
+== Mirroring the {product-title} image repository
+
+You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environment to ensure your clusters only use container images that have satisfied your organizational controls on external content.
+
+There are two supported methods for mirroring images onto a mirror registry:
+
+* Using the oc-mirror OpenShift CLI (`oc`) plugin
+
+* Using the oc adm release mirror command
+
+Choose one of the following supported options.
+
+include::modules/update-mirror-repository-oc-mirror.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plugin]
+
+include::modules/update-mirror-repository.adoc[leveloffset=+2]
+
+include::modules/machine-health-checks-pausing.adoc[leveloffset=+1]
+
+include::modules/update-restricted.adoc[leveloffset=+1]
+
+include::modules/images-configuration-registry-mirror.adoc[leveloffset=+1]
+
+include::modules/generating-icsp-object-scoped-to-a-registry.adoc[leveloffset=+1]
+
+[id="additional-resources_security-container-signature"]
+[role="_additional-resources"]
+== Additional resources
+
+* xref:../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks]
+
+* xref:../../post_installation_configuration/machine-configuration-tasks.adoc#machine-config-overview-post-install-machine-configuration-tasks[Machine Config Overview]
\ No newline at end of file
diff --git a/updating/updating-restricted-network-cluster/snippets b/updating/updating-restricted-network-cluster/snippets
new file mode 120000
index 0000000000..9f5bc7e4dd
--- /dev/null
+++ b/updating/updating-restricted-network-cluster/snippets
@@ -0,0 +1 @@
+../snippets
\ No newline at end of file
diff --git a/welcome/index.adoc b/welcome/index.adoc
index be817a0fe6..8d634cbded 100644
--- a/welcome/index.adoc
+++ b/welcome/index.adoc
@@ -319,7 +319,7 @@ There is a separate process for xref:../updating/updating-disconnected-cluster.adoc#updating-disconnected-cluster[updating a cluster on a restricted network]. //// -- **xref:../updating/updating-restricted-network-cluster.adoc#update-service-overview_updating-restricted-network-cluster[Understanding the OpenShift Update Service]**: Learn about installing and managing a local OpenShift Update Service for recommending {product-title} updates in restricted network environments. +- **xref:../updating/updating-restricted-network-cluster/restricted-network-update-OSUS.adoc#update-service-overview_updating-restricted-network-cluster-OSUS[Understanding the OpenShift Update Service]**: Learn about installing and managing a local OpenShift Update Service for recommending {product-title} updates in disconnected environments. - **xref:../nodes/clusters/nodes-cluster-worker-latency-profiles.adoc#nodes-cluster-worker-latency-profiles[Improving cluster stability in high latency environments using worker latency profiles]**: If your network has latency issues, you can use one of three _worker latency profiles_ to help ensure that your control plane does not accidentally evict pods in case it cannot reach a worker node. You can configure or modify the profile at any time during the life of the cluster.