To get an update experience similar to connected clusters, you can use the following procedures to install and configure the OpenShift Update Service (OSUS) in a disconnected environment.
The following steps outline the high-level workflow on how to update a cluster in a disconnected environment using OSUS:
- Configure access to a secured registry.
- Update the global cluster pull secret to access your mirror registry.
- Install the OSUS Operator.
- Create a graph data container image for the OpenShift Update Service.
- Install the OSUS application and configure your clusters to use the local OpenShift Update Service.
- Perform a supported update procedure from the documentation as you would with a connected cluster.
- You must have the oc command-line interface (CLI) tool installed.
- You must provision a local container image registry with the container images for your update, as described in Mirroring the {product-title} image repository.
If the release images are contained in a registry whose HTTPS X.509 certificate is signed by a custom certificate authority, complete the steps in Configuring additional trust stores for image registry access, along with the following changes for the update service.
The OpenShift Update Service Operator needs the config map key name updateservice-registry in the registry CA cert.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-registry-ca
data:
  updateservice-registry: | # (1)
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  registry-with-port.example.com..5000: | # (2)
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
```
(1) The OpenShift Update Service Operator requires the config map key name updateservice-registry in the registry CA cert.
(2) If the registry has a port, such as registry-with-port.example.com:5000, the colon (:) should be replaced with two periods (..).
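A check for the key-naming rules above, as an added example that is not part of the original documentation. It assumes the config map's data section has already been loaded into a dictionary (for instance from the JSON output of oc get); the names registry_key and check_registry_ca are hypothetical, and the sample certificate body is constructed placeholder data.

```python
import base64
import re

# Characters Kubernetes accepts in a ConfigMap data key (':' is not one of them).
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")
OSUS_KEY = "updateservice-registry"  # key name required by the OSUS Operator


def registry_key(registry):
    """Map 'host[:port]' to its config map key; ':' becomes '..'."""
    return registry.replace(":", "..")


def check_registry_ca(data, registries):
    """Return a list of problems found in a registry CA config map's data."""
    problems = []
    for key in [OSUS_KEY] + [registry_key(r) for r in registries]:
        if key not in data:
            problems.append(f"missing key: {key}")
    for key, value in data.items():
        if not KEY_RE.match(key):
            problems.append(f"invalid key (use '..' for the port): {key}")
        blocks = PEM_RE.findall(value)
        if not blocks:
            problems.append(f"no PEM certificate under key: {key}")
        for body in blocks:
            try:
                base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append(f"corrupt base64 in certificate under key: {key}")
    return problems


# Constructed sample: the body is placeholder bytes, not a real certificate.
_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
GOOD = {OSUS_KEY: SAMPLE_PEM, "registry-with-port.example.com..5000": SAMPLE_PEM}
BAD = {"registry-with-port.example.com:5000": SAMPLE_PEM}

if __name__ == "__main__":
    registries = ["registry-with-port.example.com:5000"]
    print(check_registry_ca(GOOD, registries))
    for problem in check_registry_ca(BAD, registries):
        print(problem)
```

The check only confirms that each value carries a decodable PEM block under the expected key; it does not verify that the certificate is the one that signed the registry's TLS certificate.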
To install the OpenShift Update Service, you must first install the OpenShift Update Service Operator by using the {product-title} web console or CLI.
Note: For clusters that are installed in disconnected environments, also known as disconnected clusters, Operator Lifecycle Manager by default cannot access the Red Hat-provided OperatorHub sources hosted on remote registries because those remote sources require full internet connectivity. For more information, see Using Operator Lifecycle Manager on restricted networks.
You can create an OpenShift Update Service application by using the {product-title} web console or CLI.
Note: The policy engine route name must not be more than 63 characters based on RFC-1123. If you see
Note: See Enabling the cluster-wide proxy to configure the CA to trust the update server.
Before updating your cluster, confirm that the following conditions are met:
- The Cluster Version Operator (CVO) is configured to use your locally-installed OpenShift Update Service application.
- The release image signature config map for the new release is applied to your cluster.
  Note: The release image signature config map allows the Cluster Version Operator (CVO) to ensure the integrity of release images by verifying that the actual image signatures match the expected signatures.
- The current release and update target release images are mirrored to a locally accessible registry.
- A recent graph data container image has been mirrored to your local registry.
After you configure your cluster to use the locally-installed OpenShift Update Service and local mirror registry, you can use any of the following update methods: