To get an update experience similar to connected clusters, you can use the following procedures to install and configure the OpenShift Update Service (OSUS) in a disconnected environment.
The following steps outline the high-level workflow on how to update a cluster in a disconnected environment using OSUS:
- Configure access to a secured registry.
- Update the global cluster pull secret to access your mirror registry.
- Install the OSUS Operator.
- Create a graph data container image for the OpenShift Update Service.
- Install the OSUS application and configure your clusters to use the OpenShift Update Service in your environment.
- Perform a supported update procedure from the documentation as you would with a connected cluster.
- You must have the oc command-line interface (CLI) tool installed.
- You must provision a container image registry in your environment with the container images for your update, as described in Mirroring {product-title} images.
If the release images are contained in a registry whose HTTPS X.509 certificate is signed by a custom certificate authority, complete the steps in Configuring additional trust stores for image registry access, along with the following changes for the update service.
The OpenShift Update Service Operator needs the config map key name updateservice-registry in the registry CA cert.
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-registry-ca
data:
  updateservice-registry: | # (1)
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  registry-with-port.example.com..5000: | # (2)
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
(1) The OpenShift Update Service Operator requires the config map key name updateservice-registry in the registry CA cert.
(2) If the registry has a port, such as registry-with-port.example.com:5000, ":" should be replaced with "..".
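The key-naming rules above can be checked before the config map is relied on. The following is an added example, not part of the original documentation or of the OpenShift project's code; the function names are hypothetical, the input is assumed to be the JSON form of the config map, and the sample documents (including the certificate body) are constructed placeholders.

```python
import json
import re

REQUIRED_KEY = "updateservice-registry"    # key name the update service Operator needs
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")  # characters Kubernetes accepts in config map keys
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")


def registry_key(registry):
    """Map 'host[:port]' to the config map key form by replacing ':' with '..'."""
    return registry.replace(":", "..")


def check_registry_ca(configmap_json, registry):
    """Return a list of problems in a registry CA config map (empty list = OK)."""
    data = json.loads(configmap_json).get("data") or {}
    problems = []
    if REQUIRED_KEY not in data:
        problems.append(f"missing key {REQUIRED_KEY!r} needed by the update service")
    wanted = registry_key(registry)
    if wanted not in data:
        problems.append(f"missing key {wanted!r} for registry {registry!r}")
    for key, value in data.items():
        if not KEY_RE.match(key):
            problems.append(f"invalid key {key!r}: use only alphanumerics, '-', '_', '.'")
        if not PEM_RE.search(value):
            problems.append(f"key {key!r} holds no PEM certificate block")
    return problems


# Constructed sample input; the certificate body is a placeholder, not a real certificate.
PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
GOOD = json.dumps({"kind": "ConfigMap", "metadata": {"name": "my-registry-ca"}, "data": {
    "updateservice-registry": PEM, "registry-with-port.example.com..5000": PEM}})
BAD = json.dumps({"kind": "ConfigMap", "metadata": {"name": "my-registry-ca"}, "data": {
    "registry-with-port.example.com:5000": "not a certificate"}})

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_registry_ca(doc, "registry-with-port.example.com:5000") or "OK")
```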
To install the OpenShift Update Service, you must first install the OpenShift Update Service Operator by using the {product-title} web console or CLI.
Note: For clusters that are installed in disconnected environments, also known as disconnected clusters, Operator Lifecycle Manager by default cannot access the Red Hat-provided OperatorHub sources hosted on remote registries because those remote sources require full internet connectivity. For more information, see Using Operator Lifecycle Manager in disconnected environments.
You can create an OpenShift Update Service application by using the {product-title} web console or CLI.
Note: The policy engine route name must not be more than 63 characters based on RFC-1123. If you see
Note: See Configuring the cluster-wide proxy to configure the CA to trust the update server.
Before updating your cluster, confirm that the following conditions are met:
- The Cluster Version Operator (CVO) is configured to use your installed OpenShift Update Service application.
- The release image signature config map for the new release is applied to your cluster.
  Note: The Cluster Version Operator (CVO) uses release image signatures to ensure that release images have not been modified, by verifying that the release image signatures match the expected result.
- The current release and update target release images are mirrored to a registry in the disconnected environment.
- A recent graph data container image has been mirrored to your registry.
- A recent version of the OpenShift Update Service Operator is installed.
  Note: If you have not recently installed or updated the OpenShift Update Service Operator, there might be a more recent version available. See Using Operator Lifecycle Manager in disconnected environments for more information about how to update your OLM catalog in a disconnected environment.
After you configure your cluster to use the installed OpenShift Update Service and local mirror registry, you can use any of the following update methods: