From b722787d010e0527bfef04bfe949e2e2bb2344b7 Mon Sep 17 00:00:00 2001
From: Justin Nixon
Date: Mon, 17 May 2021 14:22:05 +0200
Subject: [PATCH] CCXDEV-4071 CCXDEV-4434 new chapter for restricted networks
---
 _topic_map.yml | 2 +
 .../insights-operator-enable-obfuscation.adoc | 35 ++++++++
 modules/insights-operator-manual-upload.adoc | 72 +++++++++++++++
 .../insights-operator-one-time-gather.adoc | 87 +++++++++++++++++++
 ...lth-reporting-from-restricted-network.adoc | 23 +++++
 5 files changed, 219 insertions(+)
 create mode 100644 modules/insights-operator-enable-obfuscation.adoc
 create mode 100644 modules/insights-operator-manual-upload.adoc
 create mode 100644 modules/insights-operator-one-time-gather.adoc
 create mode 100644 support/remote_health_monitoring/remote-health-reporting-from-restricted-network.adoc
diff --git a/_topic_map.yml b/_topic_map.yml
index 02e6684528..14da01d762 100644
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -415,6 +415,8 @@ Topics:
 File: opting-out-of-remote-health-reporting
 - Name: Using Insights to identify issues with your cluster
 File: using-insights-to-identify-issues-with-your-cluster
+ - Name: Using remote health reporting in a restricted network
+ File: remote-health-reporting-from-restricted-network
 - Name: Gathering data about your cluster
 File: gathering-cluster-data
 Distros: openshift-enterprise,openshift-origin
diff --git a/modules/insights-operator-enable-obfuscation.adoc b/modules/insights-operator-enable-obfuscation.adoc
new file mode 100644
index 0000000000..f06d954f2d
--- /dev/null
+++ b/modules/insights-operator-enable-obfuscation.adoc
@@ -0,0 +1,35 @@
+// Module included in the following assemblies:
+//
+// * support/remote_health_monitoring/remote-health-reporting-from-restricted-network.adoc
+
+
+
+[id="insights-operator-enable-obfuscation_{context}"]
+= Enabling Insights Operator data obfuscation
+
+You can enable obfuscation to mask sensitive and identifiable IPv4 addresses and cluster base domains that the Insights Operator sends to link:https://cloud.redhat.com[cloud.redhat.com].
+
+[WARNING]
+====
+Although this feature is available, Red Hat recommends keeping obfuscation disabled for a more effective support experience.
+====
+
+Obfuscation assigns non-identifying values to cluster IPv4 addresses, and uses a translation table that is retained in memory to change IP addresses to their obfuscated versions throughout the Insights Operator archive before uploading the data to link:https://cloud.redhat.com[cloud.redhat.com].
+
+For cluster base domains, obfuscation changes the base domain to a hardcoded substring. For example, `cluster-api.openshift.example.com` becomes `cluster-api.`.
+
+.Prerequisites
+
+* You are logged in to the {product-title} web console as `cluster-admin`.
+
+.Procedure
+
+. Navigate to *Workloads* -> *Secrets*.
+. Search for the *support* secret using the *Search by name* field. If it does not exist, click *Create* -> *Key/value secret* to create it.
+. Click the *Options* menu {kebab}, and then click *Edit Secret*.
+. Click *Add Key/Value*.
+. Create a key named `enableGlobalObfuscation` with a value of `true`, and click *Save*.
+. Navigate to *Workloads* -> *Pods*
+. Select the `openshift-insights` project.
+. Find the `insights-operator` pod.
+. To restart the `insights-operator` pod, click the *Options* menu {kebab}, and then click *Delete Pod*.
diff --git a/modules/insights-operator-manual-upload.adoc b/modules/insights-operator-manual-upload.adoc
new file mode 100644
index 0000000000..d715757565
--- /dev/null
+++ b/modules/insights-operator-manual-upload.adoc
@@ -0,0 +1,72 @@
+// Module included in the following assemblies:
+//
+// * support/remote_health_monitoring/remote-health-reporting-from-restricted-network.adoc
+
+
+
+[id="insights-operator-manual-upload_{context}"]
+= Uploading an Insights Operator archive
+
+You can manually upload an Insights Operator archive to link:https://cloud.redhat.com[cloud.redhat.com] to diagnose potential issues.
+
+.Prerequisites
+
+* You are logged in to {product-title} as `cluster-admin`.
+* You have a workstation with unrestricted internet access.
+* You have created a copy of the Insights Operator archive.
+
+.Procedure
+
+. Download the `dockerconfig.json` file:
++
+[source,terminal]
+----
+$ oc extract secret/pull-secret -n openshift-config --to=.
+----
+. Copy your `"cloud.openshift.com"` `"auth"` token from the `dockerconfig.json` file:
++
+[source,json,subs="+quotes"]
+----
+{
+ "auths": {
+ "cloud.openshift.com": {
+ "auth": "__",
+ "email": "asd@redhat.com"
+ }
+}
+----
+
+
+. Upload the archive to link:https://cloud.redhat.com[cloud.redhat.com]:
++
+[source,terminal,subs="+quotes"]
+----
+$ curl -v -H "User-Agent: insights-operator/one10time200gather184a34f6a168926d93c330 cluster/__" -H "Authorization: Bearer __" -F "upload=@__; type=application/vnd.redhat.openshift.periodic+tar" https://cloud.redhat.com/api/ingress/v1/upload
+----
+where `__` is your cluster ID, `__` is the token from your pull secret, and `__` is the path to the Insights Operator archive.
++
+If the operation is successful, the command returns a `"request_id"` and `"account_number"`:
++
+.Example output
++
+[source,terminal]
+----
+* Connection #0 to host cloud.redhat.com left intact
+{"request_id":"393a7cf1093e434ea8dd4ab3eb28884c","upload":{"account_number":"6274079"}}%
+----
+
+.Verification steps
+
+. Log in to link:https://cloud.redhat.com/openshift[].
+
+. Click the *Clusters* menu in the left pane.
+
+. To display the details of the cluster, click the cluster name.
+
+. Open the *Insights Advisor* tab of the cluster.
++
+If the upload was successful, the tab displays one of the following:
++
+* *Your cluster passed all recommendations*, if Insights Advisor did not identify any issues.
+
+* A list of issues that Insights Advisor has detected, prioritized by risk (low, moderate, important, and critical).
diff --git a/modules/insights-operator-one-time-gather.adoc b/modules/insights-operator-one-time-gather.adoc
new file mode 100644
index 0000000000..f54ef2d010
--- /dev/null
+++ b/modules/insights-operator-one-time-gather.adoc
@@ -0,0 +1,87 @@
+// Module included in the following assemblies:
+//
+// * support/remote_health_monitoring/remote-health-reporting-from-restricted-network.adoc
+
+
+
+[id="insights-operator-one-time-gather_{context}"]
+= Running an Insights Operator gather operation
+
+You must run a gather operation to create an Insights Operator archive.
+
+.Prerequisites
+
+* You are logged in to {product-title} as `cluster-admin`.
+
+.Procedure
+
+. Create a file named `gather-job.yaml` using this template:
++
+[source,yaml]
+----
+include::https://raw.githubusercontent.com/openshift/insights-operator/release-4.8/docs/gather-job.yaml[]
+----
+. Copy your `insights-operator` image version:
++
+[source,terminal]
+----
+$ oc get -n openshift-insights deployment insights-operator -o yaml
+----
+. Paste your image version in `gather-job.yaml`:
++
+[source,yaml,subs="+quotes"]
+----
+initContainers:
+ - name: insights-operator
+ image: __
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+----
+. Create the gather job:
++
+[source,terminal]
+----
+$ oc apply -n openshift-insights -f gather-job.yaml
+----
+. Find the name of the job pod:
++
+[source,terminal]
+----
+$ oc describe -n openshift-insights job/insights-operator-job
+----
++
+.Example output
+[source,terminal,subs="+quotes"]
+----
+Events:
+ Type Reason Age From Message
+ ---- ------ ---- ---- -------
+ Normal SuccessfulCreate 7m18s job-controller Created pod: insights-operator-job-__
+----
+where `insights-operator-job-__` is the name of the pod.
+
+. Verify that the operation has finished:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc logs -n openshift-insights insights-operator-job-__ insights-operator
+----
++
+.Example output
+[source,terminal]
+----
+I0407 11:55:38.192084 1 diskrecorder.go:34] Wrote 108 records to disk in 33ms
+----
+. Save the created archive:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc cp openshift-insights/insights-operator-job-__:/var/lib/insights-operator ./insights-data
+----
+. Clean up the job:
++
+[source,terminal]
+----
+$ oc delete -n openshift-insights job insights-operator-job
+----
+
diff --git a/support/remote_health_monitoring/remote-health-reporting-from-restricted-network.adoc b/support/remote_health_monitoring/remote-health-reporting-from-restricted-network.adoc
new file mode 100644
index 0000000000..e191b38dd0
--- /dev/null
+++ b/support/remote_health_monitoring/remote-health-reporting-from-restricted-network.adoc
@@ -0,0 +1,23 @@
+[id="remote-health-reporting-from-restricted-network"]
+= Using remote health reporting in a restricted network
+include::modules/common-attributes.adoc[]
+:context: remote-health-reporting-from-restricted-network
+
+toc::[]
+
+You can manually gather and upload Insights Operator archives to diagnose issues from a restricted network.
+
+To use the Insights Operator in a restricted network, you must:
+
+* Create a copy of your Insights Operator archive.
+* Upload the Insights Operator archive to link:https://cloud.redhat.com[cloud.redhat.com].
+
+Additionally, you can choose to xref:../../support/remote_health_monitoring/remote-health-reporting-from-restricted-network.adoc#insights-operator-enable-obfuscation_remote-health-reporting-from-restricted-network[obfuscate] the Insights Operator data before upload.
+
+
+include::modules/insights-operator-one-time-gather.adoc[leveloffset=+1]
+
+include::modules/insights-operator-manual-upload.adoc[leveloffset=+1]
+
+include::modules/insights-operator-enable-obfuscation.adoc[leveloffset=+1]
+