Upgrading remote workers in an air-gapped environment

If your remote worker’s current version is 1.1.4, you can upgrade it on air-gapped Kubernetes clusters by using a private container registry that the cluster can access. You first mirror the required container images to the private registry, then run a script that upgrades the application.

Note:
  • You must have cluster administration permissions to perform the upgrade.
  • This information describes how to upgrade a remote worker from version 1.1.4. For information about how to upgrade remote workers from 1.1.3 or earlier versions, see Upgrading remote workers from 1.1.3 or earlier versions.

For upgrades in air-gapped (disconnected) environments, use a bastion host can access the internet and the air-gapped environment where the cluster and the private container registry are located.

Overview

Upgrade IBM® Rapid Infrastructure Automation® in an air-gapped environment by completing these steps:
  1. Set up your mirroring environment.
  2. Set environment variables and download the CASE files.
  3. Mirror the images to your private container registry.
  4. Install IBM Rapid Infrastructure Automation®.

1. Set up your mirroring environment

Before you can upgrade IBM Rapid Infrastructure Automation®, you must complete these tasks:
1.1 Set up your air-gapped environment
In your air-gapped environment, you must perform these tasks:
  • Set up a private container registry.
  • Configure your network firewall to allow access to some external sites and ports.
Set up a local Docker V2 container registry to store your images in your air-gapped environment. Make sure that it is accessible from the cluster nodes. This registry is the private registry that you will mirror images to and that you will use as the image source when you upgrade IBM Rapid Infrastructure Automation®. The registry must meet these requirements:
  • Supports Docker Manifest V2, Schema 2.
  • Is accessible from both the bastion host and your cluster nodes.
  • Allows path separators in image names.
  • Has the credentials of a user who can write to the target registry from the bastion host.
  • Has the credentials of a user who can read from the target registry that is on the cluster nodes.
  • Has sufficient storage to hold all the software images that are transferred to the local registry.
For more information about creating a private registry for use with Red Hat® OpenShift® clusters, see Creating a mirror registry with mirror registry for Red Hat OpenShift.
Tip: Do not use the Red Hat OpenShift image registry as your local registry. The registry is not compliant with Docker Manifest V2, Schema 2.
In your air-gapped network, you must also configure the firewall to allow access to the following sites and ports:
  • *.docker.io and *.docker.com. For more information about specific sites to allow access to, see Whitelisting Docker Hub Hosts for Firewalls and HTTP Proxy Servers.
  • icr.io, cp.icr.io, dd0.icr.io, dd2.icr.io, dd4.icr.io, and dd6.icr.io for IBM Container Registry, CASE OCI artifact, and IBM Cloud Pak®® foundational services catalog sources. If you're located in China, you must also allow the following hosts: dd1-icr.ibm-zh.com, dd3-icr.ibm-zh.com, dd5-icr.ibm-zh.com, and dd7-icr.ibm-zh.com.
  • *.quay.io and quay.io or all of quay.io, cdn.quay.io, cdn01.quay.io, cdn02.quay.io, and cdn03.quay.io ports 443 and 80 for IBM Cloud Pak foundational services catalog and images.
  • github.com for CASE files and tools.
  • If your cluster is a Red Hat OpenShift cluster, allow access to redhat.com for Red Hat OpenShift Container Platform upgrades.
1.2 Set up your bastion host for mirroring images

Prepare a bastion host that can access the cluster, the private container registry, and the internet.

The bastion host must be on a Linux® x86_64 platform and the host’s language locale must be set to English.

Complete these steps to set up the host:
  1. Install Docker or Podman.
    • To install Docker (for example, on Red Hat Enterprise Linux®), run these commands:
      yum check-update
yum install docker
    • To install Podman, see Podman Installation Instructions.
  2. Install the oc CLI tool. For more information, see Installing the OpenShift CLI.
  3. Install Helm 3.x. For installation steps, see Installing Helm.
  4. Install the IBM Catalog Management plug-in (also known as ibm-pak).
    1. Download the latest version from this location: IBM Catalog Management plug-in.
    2. Install the plug-in by running these commands:
      tar -xf oc-ibm_pak-linux-amd64.tar.gz
mv oc-ibm_pak-linux-amd64 /usr/local/bin/oc-ibm_pak
    3. To confirm that the plug-in is installed, connect to the air-gapped cluster and run the following command:
      oc ibm-pak

2. Set environment variables and download CASE files

Container Application Software for Enterprises (CASE) files are used in air-gapped installations to mirror content from a source to a target. CASE is a specification that defines metadata and structure for packaging, managing, and unpacking containerized applications. CASE files contain metadata about the application, including metadata about the container images that are needed to deploy it and information about its dependencies.

Each CASE file also contains the scripts that are needed to mirror images to a private registry, and to configure the air-gapped cluster to use the private registry as a mirror. Before you can mirror the images to your private registry, you must download the CASE files for IBM Rapid Infrastructure Automation®.

On your bastion host, complete these steps:
  1. Set the required environment variables by running these commands:
    export CASE_NAME=ibm-rapid-infrastructure-automation
export CASE_VERSION=1.1.5
  2. Connect your host to the internet and disconnect it from the local air-gapped network.
  3. Optional: Customize language and color output settings for the ibm-pak plugin.
    1. The plug-in can detect the locale of your environment and provide textual helps and messages. Set the language locale for the plug-in by running this command:
      oc ibm-pak config locale -l <language_locale>
      Replace <language_locale> with one of the locale names that are shown in this table:
      Locale name Associated language
      de_DE German
      en_US English
      es_ES Spanish
      fr_FR French
      it_IT Italian
      ja_JP Japanese
      ko_KR Korean
      pt_BR Portuguese
      zh_Hans Chinese (simplified)
      zh_Hant Chinese (traditional)
    2. Enable colored output for the plugin by running this command:
      oc ibm-pak config color --enable true
  4. Configure the plug-in to download CASEs as OCI artifacts from IBM Container Registry by running this command:
    oc ibm-pak config repo 'IBM Cloud-Pak OCI registry' --url=oci:cp.icr.io/cpopen --enable
  5. Optional: Override the default download location for the CASE file.
    • The default root directory that ibm-pak uses for downloads is ~/.ibm-pak, which means that the default download location for the CASE file is: ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
    • To override the first part of this default root directory path, that is, ~/, run this command:
      export IBMPAK_HOME=<custom_root_directory>
      Replace <custom_root_directory> with the root directory that you want the file to be downloaded to. When you download the CASE file, it will be downloaded to this location: $IBMPAK_HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
  6. Download the CASE file by running this command:
    oc ibm-pak get $CASE_NAME --version $CASE_VERSION --skip-verify
    • If the download is unsuccessful, use the IBMPAK_HTTP_TIMEOUT and IBMPAK_HTTP_RETRY options to override the default HTTP timeout and retry values, then try the download again. For more information about these options, see oc ibm-pak get.
    • To see the download log files, view the /.ibm-pak/logs/oc-ibm_pak.log file.
  7. Verify that the CASE files are downloaded successfully by running this command:
    oc ibm-pak list --downloaded

    If the images are downloaded successfully, a message like this is shown:

    * Downloaded CASEs * 

CASE                                   Current Version          Latest Version
ibm-rapid-infrastructure-automation    1.1.5                    1.1.5

Your host is now configured and you are ready to mirror your images.

3. Mirror the images to your private container registry

On your bastion host, complete the following steps to mirror the images from the source registry (IBM Container Registry) to the target registry (your private container registry).
3.1. Generate mirror manifests
Generate the manifests of the images that will be mirrored by completing these steps:
  1. Set the environment variables for your private container registry and its connection credentials by running these commands:
    export TARGET_REGISTRY=<target-registry>
export TARGET_REGISTRY_REPO=${TARGET_REGISTRY}$"/cp/pliant"
export TARGET_REGISTRY_USER=<registry-username>
export TARGET_REGISTRY_PASSWD=<registry-password>
    • Replace <target-registry> with the name of the private container registry (hostname and port). For example:
      export TARGET_REGISTRY=myregistry.com:5000
    • Replace <registry-username> and <registry-password> with the username and password of a user account that has write permissions to the private registry.
  2. Generate the mirror manifests by running this command:
    oc ibm-pak generate mirror-manifests $CASE_NAME $TARGET_REGISTRY --version $CASE_VERSION
    If the mirror manifests are generated successfully, output similar to this message is shown:
    Generating mirror manifests of CASE: ibm-rapid-infrastructure-automation, version: 1.1.5 is complete
  3. Optional: Verify and, if required, modify the list of images that will be mirrored to your private registry.
    1. Edit the /.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping.txt file.
    2. If required, update the list of images and save your changes.
3.2 Authenticate to the registries and store the authentication details

IBM Container Registry (also known as cp.icr.io) is the source registry, which stores the container images for IBM Rapid Infrastructure Automation®. The target registry is your private container registry.

Before you mirror the images, you must authenticate to these registries and specify which file you want to use to store the authentication details. When you authenticate to the registries, your authentication credentials will be automatically stored in the specified file.

Complete these steps:

  1. Export the name and location of the file that stores the authentication credentials to the REGISTRY_AUTH_FILE environment variable. For example, if the credentials file is /.ibm-pak/auth.json, run this command:
    export REGISTRY_AUTH_FILE=~/.ibm-pak/auth.json
  2. Authenticate to the source registry, that is, IBM Container Registry (cp.icr.io), by running this command:
    podman login cp.icr.io
    • The username is cp and the password is your entitlement key for IBM Container Registry.
    • For more information about how to get an entitlement key, see Software requirements.
  3. Authenticate to the target registry, that is, your private container registry, by running this command:
    podman login $TARGET_REGISTRY -u $TARGET_REGISTRY_USER -p $TARGET_REGISTRY_PASSWD
  4. Verify that your credentials are stored in the credentials file by running this command:
    cat $REGISTRY_AUTH_FILE
    If your credentials are added, the command output is similar to the following:
    {
        "auths": {
                "cp.icr.io": {
                        "auth": "xxx"
                },
                "my-local-registry": {
                        "auth": "yyy"
                }
        }
}
3.3 Mirror the images
Complete the following steps to copy the images from IBM Container Registry to your private container registry:
  1. Go to the parent directory of the /.ibm-pak directory.
  2. Mirror the images to your air-gapped cluster by running this command:
    oc image mirror \
 -f ./.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping.txt \
 --filter-by-os '.*' \
 -a $REGISTRY_AUTH_FILE \
 --insecure \
 --skip-multiple-scopes \
 --max-per-registry=1 \
 --continue-on-error=true > my-mirror-progress.txt  2>&1 &
    • Depending on the speed of your network connection, it might take several hours to mirror all the images. The time can vary depending on conditions in the registry's network.
    • The --continue-on-error parameter ensures that the command continues to mirror the images even when an error occurs.
    • Optional: Use the --help parameter to see all the command options.
  3. Optional: Monitor the progress of the image mirroring and check for errors by running this command:
    tail -f my-mirror-progress.txt

    If you see errors that indicate a network or bandwidth problem, you can run the image mirroring command again. When you run it again, the command attempts to copy only those images that are not already copied.

3.4 Configure the cluster
Enable your cluster to pull the mirrored images from your private container registry by completing these steps:
  1. Log in to your cluster by using the cluster CLI tool.
  2. Update the global image pull secret for your cluster to include the registry authentication credentials.
    • For Red Hat OpenShift clusters, to configure your cluster with the authentication credentials to pull images from the private container registry, follow the steps in Updating the global cluster pull secret.
    • For Kubernetes clusters, follow the steps in Pull an Image from a Private Registry.
    • The registry authentication credentials are specified in the /.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-content-source-policy.yaml file. Verify that this file contains credentials for each of the mirrors that are specified in the following example configuration. In this example, myregistry.com:5000 is the hostname and port of the private container registry.
      apiVersion: operator.openshift.io/v1alpha1 kind: ImageContentSourcePolicy 
metadata:
  name: ibm-rapid-infrastructure-automation 
spec:   
  repositoryDigestMirrors:
  - mirrors:     
    - myregistry.com:5000/cp     
    source: cp.icr.io/cp
  - mirrors:     
    - myregistry.com:5000/cpopen     
    source: icr.io/cpopen   
  3. Create an ImageContentSourcePolicy for the images that are listed in the CASE files.
    • Go to the parent directory of the .ibm-pak directory.
    • For Red Hat OpenShift clusters, run this command:
      oc apply -f ./.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-content-source-policy.yaml
    • For Kubernetes clusters, run this command:
      kubectl apply -f ./.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-content-source-policy.yaml
  4. Verify that the ImageContentSourcePolicy is created.
    • For Red Hat OpenShift clusters, run this command:
      oc get imageContentSourcePolicy
    • For Kubernetes clusters, run this command:
      kubectl get imageContentSourcePolicy
  5. Verify your cluster node status and wait for all nodes to be restarted.
    • For Red Hat OpenShift clusters, run this command:
      oc get MachineConfigPool -w
    • For Kubernetes clusters, run this command:
      kubectl get MachineConfigPool -w
    • After the ImageContentsourcePolicy and the global image pull secret are applied, the configuration of your nodes is updated sequentially. Wait until all MachineConfigPools resources are in the UPDATED=True status before proceeding.
  6. Create the cluster area where you will upgrade IBM Rapid Infrastructure Automation®.
    • For Red Hat OpenShift clusters, use commands like the following example commands that create a namespace that is called ria.
      export NAMESPACE="ria"
oc new-project ${NAMESPACE}
    • For Kubernetes clusters, use commands like the following example commands that create a namespace that is called ria.
      export NAMESPACE="ria"
kubectl new-project ${NAMESPACE}

4. Upgrade the remote worker

Before you begin
If your cluster is a Red Hat OpenShift cluster, create a trusted certificate to connect to the target registry by completing these steps:
  1. If the private container registry is insecure, add it to the insecureRegistries list for your cluster by running this command:
    oc patch image.config.openshift.io/cluster --type=merge \
   -p '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}'
  2. If the private container registry is secure, create the certificate and add it to the trusted certificate list for the cluster.
    1. Create the certificate by using a certificate generation tool, such as OpenSSL. For example:
      openssl req -x509 -newkey rsa:4096 -keyout airgap.key -out airgap.crt -days 365 -nodes -subj "/CN=$TARGET_REGISTRY_REPO"
    2. Creaete a ConfigMap from the contents of the generated certificate by running this command:
      oc create configmap airgap-ca \
  --from-file=ca-bundle.crt=airgap.crt \
  -n openshift-config
    3. Add the certificate to the trusted certificate list for the cluster by running this command:
      oc patch image.config.openshift.io/cluster \
  --type='merge' \
  -p '{"spec":{"additionalTrustedCA":{"name":"airgap-ca"}}}'
  3. Verify that the insecure registry and trusted certificate are added to the cluster by running this command:
    oc get image.config.openshift.io -o yaml
    In the command output, if the registry and certificate are added successfully, the details are included in the items.spec section, as shown in this example:
    apiVersion: v1
items:
- apiVersion: config.openshift.io/v1
  kind: Image
  metadata:
    annotations:
      include.release.openshift.io/ibm-cloud-managed: "true"
      include.release.openshift.io/self-managed-high-availability: "true"
      release.openshift.io/create-only: "true"
    creationTimestamp: "2025-03-03T16:15:00Z"
    generation: 3
    name: cluster
    ownerReferences:
    - apiVersion: config.openshift.io/v1
      kind: ClusterVersion
      name: version
      uid: 35b75984-af3a-42e1-b79a-9eb9cf64a139
    resourceVersion: "1460593"
    uid: bb1c6aaa-a098-40bb-8c28-830c08e3e2e2
  spec:
    additionalTrustedCA:
      name: airgap-ca
    registrySources:
      insecureRegistries:
      - pliant-airgap1.fyre.ibm.com:5000
  status:
    internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
kind: List
metadata:
  resourceVersion: ""
Procedure
Complete these steps to upgrade the remote worker:
  1. On your upgrade host, add the IBM Helm repository to your local Helm installation by running this command:
    helm repo add ibm-helm https://raw.githubusercontent.com/IBM/charts/master/repo/ibm-helm

    This repository contains the required Helm charts that the upgrade script uses to deploy the remote worker pods, services, and volumes on the cluster. If the following message is shown, the repository is successfully added:

    "ibm-helm" has been added to your repositories
  2. Set an environment variable for the public IP address of the host where IBM Rapid Infrastructure Automation® runs by using this command:
    export RIA_IP=<IP-or-domain-name>
    Replace <IP-or-domain-name> with the IP address or domain name.
  3. Set an environment variable to the value of your IBM entitlement key by running this command:
    export IBM_REG_PASS=<entitlement-key>

    Replace <entitlement-key> with your entitlement key.

  4. Set environment variables to the name and secret of the worker group that you created by running these commands:
    export WORKER_GROUP_NAME=<group-name>
export WORKER_GROUP_SECRET=<group-secret>

    Replace <group_name> and <group_secret> with the name and secret of the worker group that you want the remote worker to be a member of.

  5. If your cluster is a K3s cluster, set an environment variable for the Kubernetes configuration file that Helm uses to authenticate to the cluster by running this command:
    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
  6. Go to the parent directory of the /.ibm-pak directory.
  7. Upgrade the remote worker by running these commands:
    export INSTALL_SCRIPTS=$(pwd)
tar -xvzf ./.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION/$CASE_NAME-$CASE_VERSION.tgz 
$INSTALL_SCRIPTS/ibm-rapid-infrastructure-automation/inventory/ria/files/install_rw.sh --license-acceptance=y --namespace=$NAMESPACE --server-hostname=$RIA_IP --registry=$TARGET_REGISTRY --registry-user=$TARGET_REGISTRY_USER --registry-password=$TARGET_REGISTRY_PASSWD --worker-group-name=$WORKER_GROUP_NAME --worker-group-secret-key=$WORKER_GROUP_SECRET
    Note: If you want to use the Chromium integration in your workflows, include the --optional-addons=addon-puppeteer option when you run the install_rw.sh script.
    Allow at least five minutes for the upgrade to complete.
  8. Verify that the upgrade was completed successfully.
    • For Red Hat OpenShift clusters, run this command:
      oc get pods -n rna-rw
    • For Kubernetes clusters, run this command:
      kubectl get pods -n rna-rw
    • When all pods are ready and are in a status of Running or Completed, the upgrade is successful.