Installing Sandbox in a cluster with a restricted network

Before you begin

The following tools and resources are needed:
  • A computer with internet access on which you can run the required commands. This computer must also have access to the cluster, and is referred to as a bastion host.
  • A private Docker registry that can be accessed by the cluster and the bastion host, and which will be used to store all images in your restricted network.
  • cloudctl
  • skopeo
  • oc
  • kubectl
  • OpenSSL
  • htpasswd

About this task

Use the following CASE bundle commands to install Wazi Sandbox into an air-gapped environment. All of the commands are run on the bastion host.

Procedure

  1. Create the following environment variables:
    export CASE_NAME=ibm-wazi-developer-sandbox
    export CASE_VERSION=2.4.1
    export CASE_ARCHIVE=${CASE_NAME}-${CASE_VERSION}.tgz
    export CASE_INVENTORY_SETUP=waziSandboxOperatorSetup
    export OFFLINEDIR=$HOME/offline
    export CASE_REPO_PATH=https://github.com/IBM/cloud-pak/raw/master/repo/case
    export CASE_LOCAL_PATH=$OFFLINEDIR/$CASE_ARCHIVE
  2. Run the following command to download the Wazi Sandbox CASE and its dependent CASEs and save them to $OFFLINEDIR:
    cloudctl case save \
    --repo $CASE_REPO_PATH \
    --case $CASE_NAME \
    --version $CASE_VERSION \
    --outputdir $OFFLINEDIR
  3. Set source registry credentials. Configure the credentials that the CASE bundle uses to pull images from a public registry such as icr.io to your bastion host. The configure-creds-airgap action stores the registry credentials in a file under the $HOME/.airgap/secrets folder on the bastion host; because that file holds your entitlement key, restrict access to the folder to the user who runs the commands. Note that assigning the key to a shell variable in an interactive shell also records it in the shell history. To authenticate with cp.icr.io, run the following command:
    SOURCE_REGISTRY='cp.icr.io'
    SOURCE_REGISTRY_USER='cp'
    SOURCE_REGISTRY_PASS='[your entitlement key]'
    cloudctl case launch \
    --case $OFFLINEDIR/$CASE_ARCHIVE \
    --namespace openshift-marketplace \
    --inventory $CASE_INVENTORY_SETUP \
    --action configure-creds-airgap \
    --args "--registry $SOURCE_REGISTRY --user $SOURCE_REGISTRY_USER --pass $SOURCE_REGISTRY_PASS" \
    --tolerance 1
  4. Set target registry credentials. Use the following command so that the CASE bundle can authenticate to the target registry, that is, the private Docker registry that the bastion host and the cluster both use:
    TARGET_REGISTRY='[your bastion host docker registry address]'
    TARGET_REGISTRY_USER='[your bastion host docker registry user]'
    TARGET_REGISTRY_PASS='[your bastion host docker registry password]'
    cloudctl case launch \
    --case $OFFLINEDIR/$CASE_ARCHIVE \
    --namespace openshift-marketplace \
    --inventory $CASE_INVENTORY_SETUP \
    --action configure-creds-airgap \
    --args "--registry $TARGET_REGISTRY --user $TARGET_REGISTRY_USER --pass $TARGET_REGISTRY_PASS" \
    --tolerance 1
  5. Mirror images to the private Docker registry. Use the following command to mirror the images from their source registries to the target registry, using the same TARGET_REGISTRY value as in the previous step:
    cloudctl case launch \
    --case $OFFLINEDIR/$CASE_ARCHIVE \
    --namespace openshift-marketplace \
    --inventory $CASE_INVENTORY_SETUP \
    --action mirror-images \
    --args "--registry $TARGET_REGISTRY --inputDir $OFFLINEDIR" \
    --tolerance 1
  6. After the images are mirrored, you can confirm that they reached the target registry by listing its catalog with a curl command like the following one.
    Note: The python3 -m json.tool command reformats the JSON response so that it is easier to read. The -k option disables TLS certificate verification; it is acceptable only for a quick check on a registry with a self-signed certificate. Prefer --cacert with the registry's CA certificate so that the check also confirms that you are talking to the right registry. The URL is quoted so that the shell does not treat the question mark as a wildcard.
    curl -k -u "${TARGET_REGISTRY_USER}:${TARGET_REGISTRY_PASS}" "https://${TARGET_REGISTRY}/v2/_catalog?n=6000" | python3 -m json.tool
  7. Configure the cluster. When you later edit the Sandbox custom resource (CR) file, use the image versions listed in the images.csv file that cloudctl case save wrote to $OFFLINEDIR in step 2. After all images are copied to the private registry, update the cluster so that any request to pull an image from one of the external registries referenced by the CASE bundle is redirected to the private registry instead.
    OCP includes a custom resource called ImageContentSourcePolicy that automatically redirects image pull requests from a specified registry location to an alternative location. You also need a global image pull secret so that the product can pull images from your private registry. The following command handles both. As written it includes --dryRun, which prints the changes without applying them; review the output, then run the same command without --dryRun to apply the ImageContentSourcePolicy and the pull secret:
    cloudctl case launch \
    --case $OFFLINEDIR/$CASE_ARCHIVE \
    --namespace openshift-marketplace \
    --inventory $CASE_INVENTORY_SETUP \
    --action configure-cluster-airgap \
    --args "--registry $TARGET_REGISTRY --inputDir $OFFLINEDIR --dryRun" \
    --tolerance 1
    Note: Applying an ImageContentSourcePolicy causes the cluster nodes to be drained and rebooted one after another as the new configuration rolls out. This is disruptive and takes a long time, because a number of processes on every node of the cluster are restarted. Plan for the downtime before you run this command without --dryRun.
  8. Install Sandbox catalog source using the following command:
    cloudctl case launch \
    --case $OFFLINEDIR/$CASE_ARCHIVE \
    --namespace openshift-marketplace \
    --inventory $CASE_INVENTORY_SETUP \
    --action installCatalog \
    --args "--registry $TARGET_REGISTRY --inputDir $OFFLINEDIR --recursive" \
    --tolerance 1
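The catalog listing in step 6 only shows what the registry holds; it does not tell you whether everything the CASE needs arrived. The following script is an added example, not part of the Wazi Sandbox documentation or the CASE bundle: it compares the repositories named in the images.csv that cloudctl case save wrote to $OFFLINEDIR against the registry's /v2/_catalog response, and it fetches that catalog with certificate verification instead of curl -k, passing the credentials through a curl config on stdin so they do not appear in the process list. It assumes that the second column of images.csv is the image name (check the header of your own file and adjust the awk field if it differs); the repository names and catalog in the demo are constructed sample data, not real Wazi images.

```shell
#!/bin/sh
# Added example (not from the Wazi Sandbox documentation): check that every
# repository listed in the CASE images.csv is present in the mirror registry.
set -eu

# expected_repos CSV
#   Prints the unique repository names from an images.csv written by
#   "cloudctl case save". Assumption: the second comma-separated column is the
#   image name (registry,image_name,tag,...); adjust $2 if your header differs.
expected_repos() {
    awk -F, 'NR > 1 && $2 != "" { print $2 }' "$1" | LC_ALL=C sort -u
}

# catalog_repos JSONFILE
#   Prints the repository names from a /v2/_catalog response such as
#   {"repositories":["a/b","c/d"]}. The first quoted string is the key
#   "repositories" itself, so it is dropped.
catalog_repos() {
    grep -o '"[^"]*"' "$1" | tr -d '"' | sed '1d' | LC_ALL=C sort -u
}

# missing_repos CSV JSONFILE
#   Prints every repository the CASE expects that the registry does not list.
#   Returns 1 when something is missing, 0 when the mirror is complete.
missing_repos() {
    expected=$(expected_repos "$1")
    present=$(catalog_repos "$2")
    rc=0
    for repo in $expected; do
        if ! printf '%s\n' "$present" | grep -qxF -- "$repo"; then
            printf '%s\n' "$repo"
            rc=1
        fi
    done
    return $rc
}

# fetch_catalog REGISTRY CA_BUNDLE USER PASS
#   Downloads the catalog, verifying the registry certificate against the CA
#   bundle instead of using curl -k. The credentials are passed through a curl
#   config read from stdin (-K -), so they are not visible in "ps" output.
#   Not called by the offline demo below; run it against your own registry:
#   fetch_catalog "$TARGET_REGISTRY" /path/to/registry-ca.crt "$u" "$p" > catalog.json
fetch_catalog() {
    printf 'user = "%s:%s"\n' "$3" "$4" |
        curl --silent --show-error --fail --cacert "$2" -K - \
            "https://$1/v2/_catalog?n=6000"
}

# Constructed sample data with hypothetical repository names. The duplicated
# operator row mimics multi-arch entries that share an image name.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/images.csv" <<'EOF'
registry,image_name,tag,digest
cp.icr.io,cp/example/sandbox-operator,2.4.1,sha256:0000000000000000000000000000000000000000000000000000000000000001
cp.icr.io,cp/example/sandbox-operator,2.4.1,sha256:0000000000000000000000000000000000000000000000000000000000000001
cp.icr.io,cp/example/sandbox-runtime,2.4.1,sha256:0000000000000000000000000000000000000000000000000000000000000002
icr.io,cpopen/example-operator-catalog,2.4.1,sha256:0000000000000000000000000000000000000000000000000000000000000003
EOF
cat >"$SAMPLE_DIR/catalog.json" <<'EOF'
{"repositories":["cp/example/sandbox-operator","cpopen/example-operator-catalog","unrelated/image"]}
EOF

# The demo registry lacks cp/example/sandbox-runtime, so this reports it.
if missing_repos "$SAMPLE_DIR/images.csv" "$SAMPLE_DIR/catalog.json"; then
    echo "mirror complete"
else
    echo "mirror incomplete: the repositories above are missing" >&2
fi
```

Run it as a file with sh after replacing the sample paths with $OFFLINEDIR/…-images.csv and a catalog saved by fetch_catalog. A registry that caps the n parameter returns a Link header pointing at the next page; if your catalog is large, follow that header or the comparison will report false misses. Feed the registry password in with read -rs rather than assigning it on the command line, for the same shell-history reason noted in step 3.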