openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/hcp-ibm-z-adding-reg-ca-hostedcluster.adoc

48 lines
2.5 KiB
Plaintext
Raw Permalink Blame History

:_mod-docs-content-type: PROCEDURE
[id="hcp-ibm-z-adding-registry-ca-hostedcluster_{context}"]
= Adding the registry certificate authority to the hosted cluster
When you are deploying {hcp} on {ibm-z-title} in a disconnected environment, include the `additional-trust-bundle` and `image-content-sources` resources. Those resources allow the hosted cluster to inject the certificate authority into the data plane workers so that the images are pulled from the registry.
. Create the `icsp.yaml` file with the `image-content-sources` information.
+
The `image-content-sources` information is available in the `ImageContentSourcePolicy` YAML file that is generated after you mirror the images by using `oc-mirror`.
+
.Example ImageContentSourcePolicy file
[source,terminal]
----
# cat icsp.yaml
- mirrors:
- <mirror_registry>/openshift/release
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
- mirrors:
- <mirror_registry>/openshift/release-images
source: quay.io/openshift-release-dev/ocp-release
----
. Create a hosted cluster and provide the `additional-trust-bundle` certificate to update the compute nodes with the certificates as in the following example:
+
[source,terminal]
----
$ hcp create cluster agent \
--name=<hosted_cluster_name> \ // <1>
--pull-secret=<path_to_pull_secret> \ // <2>
--agent-namespace=<hosted_control_plane_namespace> \ // <3>
--base-domain=<basedomain> \ // <4>
--api-server-address=api.<hosted_cluster_name>.<basedomain> \
--etcd-storage-class=<etcd_storage_class> \ // <5>
--ssh-key <path_to_ssh_public_key> \ // <6>
--namespace <hosted_cluster_namespace> \ // <7>
--control-plane-availability-policy SingleReplica \
--release-image=quay.io/openshift-release-dev/ocp-release:<ocp_release_image> \ // <7>
--additional-trust-bundle <path for cert> \ // <8>
--image-content-sources icsp.yaml
----
<1> Replace `<hosted_cluster_name>` with the name of your hosted cluster.
<2> Replace the path to your pull secret, for example, `/user/name/pullsecret`.
<3> Replace `<hosted_control_plane_namespace>` with the name of the hosted control plane namespace, for example, `clusters-hosted`.
<4> Replace the name with your base domain, for example, `example.com`.
<5> Replace the etcd storage class name, for example, `lvm-storageclass`.
<6> Replace the path to your SSH public key. The default file path is `~/.ssh/id_rsa.pub`.
<7> Replace with the supported {product-title} version that you want to use, for example, `4.21.0-multi`.
<8> Replace the path to Certificate Authority of mirror registry.
View Git Blame Copy Permalink