Upgrading IBM Cloud Pak foundational services in an airgap environment by using a portable compute device
Upgrade IBM Cloud Pak foundational services in your cluster that has no internet connectivity by using a portable device.
Overview
You can store the product code and images on a portable device, such as a laptop, and transfer them to a local, airgap network.
- Create environment variables for the installer and image inventory
- Connect the portable host to the internet
- Download the IBM Cloud Pak foundational services installer and image inventory
- Mirror the images to the portable host
- Connect the portable host to the airgap network
- Log in to the OpenShift Container Platform cluster as a cluster administrator
- Create an environment variable for the IBM Cloud Pak foundational services namespace
- Mirror the images and configure the cluster
Create environment variables for the installer and image inventory
On your portable host, create the following environment variables with the installer image name and the image inventory.
- To upgrade to IBM Cloud Pak foundational services version 3.6.2, use the ibm-cp-common-services-1.8.0.tgz CASE archive.
export CASE_NAME=ibm-cp-common-services
export CASE_VERSION=1.8.0
export CASE_ARCHIVE=${CASE_NAME}-${CASE_VERSION}.tgz
export CASE_INVENTORY_SETUP=ibmCommonServiceOperatorSetup
Connect the portable host to the internet
Connect the portable host to the internet and disconnect it from the local, airgap network.
Download the IBM Cloud Pak foundational services installer and image inventory
Download the IBM Cloud Pak foundational services installer and image inventory to the external registry host.
cloudctl case save \
--case https://github.com/IBM/cloud-pak/raw/master/repo/case/${CASE_ARCHIVE} \
--outputdir $HOME/offline/
Mirror the images to the portable host
Complete these steps to mirror the images from the internet to the portable host:
Note: Don't use the tilde within double quotation marks in any command. For example, don't use args "--registry <registry> --user <registry userid> --pass {registry password} --inputDir ~/offline". The tilde does not expand and your commands might fail.
- Store authentication credentials for all source Docker registries.
All IBM Cloud Pak foundational services are stored in public registries that don't require authentication. However, other products and third-party components require one or more authenticated registries. The following registries require authentication:
cp.icr.io
registry.redhat.io
registry.access.redhat.com
For more information about these registries, see Create registry namespaces. You must run the following command to configure credentials for all registries that require authentication. Run the command separately for each such registry:
cloudctl case launch \
  --case $HOME/offline/${CASE_ARCHIVE} \
  --inventory ${CASE_INVENTORY_SETUP} \
  --action configure-creds-airgap \
  --args "--registry <registry> --user <registry userid> --pass <registry password>"
The command stores and caches the registry credentials in a file on your file system in the $HOME/.airgap/secrets location.
- Create environment variables with the portable Docker registry connection information.
export PORTABLE_DOCKER_REGISTRY_HOST=localhost
export PORTABLE_DOCKER_REGISTRY_PORT=5000
export PORTABLE_DOCKER_REGISTRY=${PORTABLE_DOCKER_REGISTRY_HOST}:${PORTABLE_DOCKER_REGISTRY_PORT}
export PORTABLE_DOCKER_REGISTRY_USER=localuser
export PORTABLE_DOCKER_REGISTRY_PASSWORD=l0calPassword!
export PORTABLE_DOCKER_REGISTRY_PATH=${HOME}/offline/imageregistry
- Store authentication credentials of the portable Docker registry.
cloudctl case launch \
  --case $HOME/offline/${CASE_ARCHIVE} \
  --inventory ${CASE_INVENTORY_SETUP} \
  --action configure-creds-airgap \
  --args "--registry ${PORTABLE_DOCKER_REGISTRY} --user ${PORTABLE_DOCKER_REGISTRY_USER} --pass ${PORTABLE_DOCKER_REGISTRY_PASSWORD}"
The command stores and caches the registry credentials in a file on your file system in the $HOME/.airgap/secrets location.
- Run a Docker registry service on localhost.
a. Initialize the Docker registry.
cloudctl case launch \
  --case $HOME/offline/${CASE_ARCHIVE} \
  --inventory ${CASE_INVENTORY_SETUP} \
  --action init-registry \
  --args "--registry ${PORTABLE_DOCKER_REGISTRY_HOST} --user ${PORTABLE_DOCKER_REGISTRY_USER} --pass ${PORTABLE_DOCKER_REGISTRY_PASSWORD} --dir ${PORTABLE_DOCKER_REGISTRY_PATH}"
b. Start the Docker registry.
cloudctl case launch \
  --case $HOME/offline/${CASE_ARCHIVE} \
  --inventory ${CASE_INVENTORY_SETUP} \
  --action start-registry \
  --args "--registry ${PORTABLE_DOCKER_REGISTRY_HOST} --port ${PORTABLE_DOCKER_REGISTRY_PORT} --user ${PORTABLE_DOCKER_REGISTRY_USER} --pass ${PORTABLE_DOCKER_REGISTRY_PASSWORD} --dir ${PORTABLE_DOCKER_REGISTRY_PATH}"
- Mirror the images to the registry on the portable host.
cloudctl case launch \
  --case $HOME/offline/${CASE_ARCHIVE} \
  --inventory ${CASE_INVENTORY_SETUP} \
  --action mirror-images \
  --args "--registry ${PORTABLE_DOCKER_REGISTRY} --inputDir $HOME/offline"
Connect the portable host to the airgap network
Connect the portable host to the airgap network and disconnect it from the internet.
Log in to the OpenShift Container Platform cluster as a cluster administrator
The following example command logs in to the OpenShift Container Platform cluster:
oc login <cluster host:port> --username=<cluster admin user> --password=<cluster admin password>
Create an environment variable for the IBM Cloud Pak foundational services namespace
Create an environment variable with a namespace to install IBM Cloud Pak foundational services.
export NAMESPACE=common-service
Mirror the images and configure the cluster
Complete these steps on your portable host that is connected to both the local Docker registry and the OpenShift Container Platform cluster:
Note: Don't use the tilde within double quotation marks in any command. For example, don’t use args "--registry <registry> --user <registry userid> --pass {registry password} --inputDir ~/offline". The tilde doesn’t expand and your commands might fail.
- Create environment variables with the local Docker registry connection information.
export LOCAL_DOCKER_REGISTRY_HOST=<IP_or_FQDN_of_local_docker_registry>
export LOCAL_DOCKER_REGISTRY_PORT=443
export LOCAL_DOCKER_REGISTRY=${LOCAL_DOCKER_REGISTRY_HOST}:${LOCAL_DOCKER_REGISTRY_PORT}
export LOCAL_DOCKER_USER=<username>
export LOCAL_DOCKER_PASSWORD=<password>
- Configure an authentication secret for the external Docker registry.
Note: This step needs to be done only one time.
cloudctl case launch \
  --case $HOME/offline/${CASE_ARCHIVE} \
  --inventory ${CASE_INVENTORY_SETUP} \
  --action configure-creds-airgap \
  --args "--registry ${LOCAL_DOCKER_REGISTRY} --user ${LOCAL_DOCKER_USER} --pass ${LOCAL_DOCKER_PASSWORD}"
The command stores and caches the registry credentials in a file on your file system in the $HOME/.airgap/secrets location.
- Configure a global image pull secret and ImageContentSourcePolicy.
cloudctl case launch \
  --case $HOME/offline/${CASE_ARCHIVE} \
  --inventory ${CASE_INVENTORY_SETUP} \
  --action configure-cluster-airgap \
  --namespace ${NAMESPACE} \
  --args "--registry ${LOCAL_DOCKER_REGISTRY} --user ${LOCAL_DOCKER_USER} --pass ${LOCAL_DOCKER_PASSWORD} --inputDir $HOME/offline"
Note: In OpenShift Container Platform version 4.4, this step restarts all cluster nodes. The cluster resources might be unavailable until the new pull secret is applied.
- Verify that the ImageContentSourcePolicy resource is created.
oc get imageContentSourcePolicy
- Optional: If you’re using an insecure registry, you must add the local registry to the cluster insecureRegistries list.
oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["'${LOCAL_DOCKER_REGISTRY_HOST}':'${LOCAL_DOCKER_REGISTRY_PORT}'"]}}}'
- Verify your cluster node status.
oc get nodes
After the ImageContentSourcePolicy and global image pull secret are applied, you might see the node status as Ready, Scheduling, or Disabled. Wait until all the nodes show a Ready status.
- Mirror the images from the portable host registry to the local registry.
cloudctl case launch \
  --case $HOME/offline/${CASE_ARCHIVE} \
  --inventory ${CASE_INVENTORY_SETUP} \
  --action mirror-images \
  --args "--fromRegistry ${PORTABLE_DOCKER_REGISTRY} --registry ${LOCAL_DOCKER_REGISTRY} --inputDir $HOME/offline"
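A pre-flight check for the commands in this procedure, added here as an example and not part of IBM's documentation or of cloudctl: it rejects an --args string that still contains a literal tilde (the failure both notes describe) and reports anything under the credential cache $HOME/.airgap/secrets that group or other users can access. All function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for the cloudctl airgap commands.
# All function names are hypothetical; none of them is part of cloudctl.

# Succeed (0) when an --args string still holds a literal "~" path. Inside
# double quotes the shell passes "~/offline" through unexpanded.
args_have_literal_tilde() {
    case " $1 " in
        *" ~ "*|*" ~/"*|*"=~/"*) return 0 ;;
    esac
    return 1
}

# List every entry in the credential cache that group or other users can
# read, write or enter. Returns 0 if private, 1 if exposed, 2 if missing.
audit_secrets_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    exposed=$(find "$dir" ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Restrict the cache to its owner: 700 on directories, 600 on files.
harden_secrets_dir() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Run both checks before a "cloudctl case launch ... --args" call.
# usage: preflight "<args string>" [secrets dir]
preflight() {
    rc=0
    if args_have_literal_tilde "$1"; then
        echo "args contain a literal ~; write \$HOME instead" >&2
        rc=1
    fi
    audit_secrets_dir "${2:-$HOME/.airgap/secrets}" >&2 || rc=1
    return $rc
}
```

Source the file and call preflight with the same string you intend to pass to --args; run harden_secrets_dir "$HOME/.airgap/secrets" if the audit lists any path.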