Downloading the Certified Container Software for Offline Cluster
Air gap environments do not have access to the public internet, so a bastion host is required.
Ensure that the bastion host can access:
- The public internet to download the CASE and images.
- The target (air gap) image registry where all the images will be mirrored to.
- The OpenShift cluster where deployment will be performed.
Follow these steps:
- Prepare the Bastion host: Ensure you have the following tools installed on the Bastion host:
- Docker CLI (docker) or Podman CLI (podman)
- IBM Cloud Pak CLI (cloudctl)
- OpenShift Container Platform CLI (oc)
- Download the CASE:
- Save the CASE.
cloudctl case save --case https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-sccm/<version>/ibm-sccm-<version>.tgz --outputdir <Download_Dir>/ && tar -xf <Download_Dir>/ibm-sccm-<version>.tgz
- <version> is the version of the CASE to download
- <Download_Dir> is the path where the CASE is downloaded
Downloading and extracting the CASE ... - Success
Retrieving CASE version ... - Success
Validating the CASE ... - Success
Creating inventory ... - Success
Finding inventory items - Success
Resolving inventory items ... Parsing inventory items - Success
- Verify the CASE (.tgz) file and images (.csv) file have been downloaded:
ls <Download_Dir>
charts ibm-sccm-<version>-charts.csv ibm-sccm-<version>-images.csv ibm-sccm-<version>.tgz
- <version> is the CASE version
- Log in to the cluster: Log in to the OpenShift cluster as a cluster administrator using the
following command:
oc login -u <cluster user> -p <user password>
Note: Log in as cluster admin.
- Get the Entitled registry key by following steps a1, a2 and a3 as mentioned under the Create the entitled registry secret section.
- Configure Registry Authentication Secret.
- Create authentication secret for source image registry: The images are hosted on the Entitled
Registry, which is a private registry, so credentials are needed to access it. Execute the
following command to create the authentication secret:
cloudctl case launch --case ibm-sccm --inventory ibmSccm --action configure-creds-airgap --args "--registry cp.icr.io --user cp --pass <Entitled registry key>" -t 1
- Create authentication secret for target image registry: This step is optional if the registry
is not a secure registry, that is, if the registry can be accessed without authentication. The
target registry is a registry accessible from the OpenShift cluster, from which images are pulled
when a chart is deployed. Execute the following command to create the authentication secret:
cloudctl case launch --case ibm-sccm --inventory ibmSccm --action configure-creds-airgap --args "--registry <Local_Docker_Registry URL> --user <Local_Docker_Registry username> --pass <Local_Docker_Registry password>" -t 1
Note: The credentials are now saved to ~/.airgap/secrets/<registry-name>.json.
- Mirror images to target registry: This step mirrors the images from the source registry to the
target registry using the secrets created in the previous step. Execute the following command to
mirror the images:
cloudctl case launch --case ibm-sccm --inventory ibmSccm --namespace <namespace name> --action mirror-images --args "--registry <Local_Docker_Registry URL> --inputDir <Download_Dir>/" -t 1
- Configure cluster for Air gap: This step does the following:
- creates a global image pull secret for the target registry (skipped if target registry is unauthenticated)
- creates an ImageContentSourcePolicy
Warning:
- Cluster resources must adjust to the new pull secret, which can temporarily limit the usability of the cluster. Authorization credentials are stored in $HOME/.airgap/secrets and /tmp/airgap* to support this action.
- Applying the ImageContentSourcePolicy causes cluster nodes to recycle. This might take 20 minutes to complete.
- Configure a global image pull secret and ImageContentSourcePolicy resource by running the
following command:
cloudctl case launch --case ibm-sccm --inventory ibmSccm --namespace <namespace name> --action configure-cluster-airgap --args "--registry <Local_Docker_Registry URL> --inputDir <Download_Dir>/" -t 1
- Optional: If you are using an insecure target registry, you must add the target registry to the
cluster insecureRegistries list by executing the following command:
oc patch image.config.openshift.io/cluster --type=merge \
  -p '{"spec":{"registrySources":{"insecureRegistries":["'<Local_Docker_Registry URL>'"]}}}'
At this point your cluster is ready for IBM Connect:Direct for UNIX deployment. The Helm chart is present in the <Download_Dir>/charts directory. Use it for deployment.
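The notes above state that registry credentials are written to ~/.airgap/secrets/<registry-name>.json and to /tmp/airgap*. The following is an added example, not part of the IBM procedure, that reports any of those files that group or other users on the bastion host can access; the function name audit_airgap_creds is hypothetical and GNU find is assumed.

```shell
#!/bin/sh
# Added example: report air-gap credential files that grant any access to
# group or other users. The locations come from the notes above; the
# function name is hypothetical. Requires GNU find (-perm /mode, -printf).

# Print "<octal mode> <path>" for every regular file under the given
# locations whose mode has any group/other permission bit set.
# Exit status: 0 = nothing exposed, 1 = at least one exposed file.
audit_airgap_creds() {
    exposed=0
    for loc in "$@"; do
        [ -e "$loc" ] || continue      # skip locations that do not exist
        # -perm /077 matches when any of the group or other bits is set
        out=$(find "$loc" -type f -perm /077 -printf '%m %p\n')
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            exposed=1
        fi
    done
    return "$exposed"
}

# Typical invocation on the bastion host (the shell expands the /tmp glob):
#   audit_airgap_creds "$HOME/.airgap/secrets" /tmp/airgap*
# Restrict each reported file to its owner:
#   chmod 600 <reported file>
```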
- Configuration required in Helm chart: To use image mirroring in the OpenShift cluster, the Helm
chart must be configured to refer to container images by their digest value. Set
image.digest.enabled to true in the values.yaml file or pass this parameter using the Helm CLI.
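An ImageContentSourcePolicy redirects only pulls that reference an image by digest, so a tag-based reference left in the chart would still try to reach the source registry. The following is an added example, not part of the IBM procedure, that lists image references in a rendered manifest that are not pinned by digest; the function name unpinned_images is hypothetical.

```shell
#!/bin/sh
# Added example: list container image references that are not pinned by
# digest. Reads rendered YAML on stdin and prints every "image:" value
# that does not end in "@sha256:<hex>". The function name is hypothetical.
# Exit status: 0 = all references use a digest, 1 = at least one does not.
unpinned_images() {
    awk '
        # Match both "image: value" and "- image: value" lines.
        /^[ \t]*(-[ \t]+)?image:[ \t]/ {
            sub(/^[ \t]*(-[ \t]+)?image:[ \t]*/, "")   # keep only the value
            sub(/[ \t]+#.*$/, "")                      # drop trailing comment
            sub(/[ \t]+$/, "")                         # drop trailing blanks
            gsub(/["'\'']/, "")                        # drop YAML quotes
            if ($0 !~ /@sha256:[0-9a-f]+$/) { print; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Typical invocation, rendering the chart locally before deployment
# (<release> and <chart> are placeholders):
#   helm template <release> <Download_Dir>/charts/<chart> \
#       --set image.digest.enabled=true | unpinned_images
```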