From f0ceaa4a37d5e53b7aa426f7e6b200b61d6e379f Mon Sep 17 00:00:00 2001 From: Brendan Shephard Date: Tue, 7 Jan 2025 14:57:17 +1000 Subject: [PATCH] Add high level documentation for disconnected envs Signed-off-by: Brendan Shephard --- ...eploying-in-disconnected-environments.adoc | 46 +++++++++++++++++++ docs/dataplane.adoc | 2 + 2 files changed, 48 insertions(+) create mode 100644 docs/assemblies/proc_deploying-in-disconnected-environments.adoc diff --git a/docs/assemblies/proc_deploying-in-disconnected-environments.adoc b/docs/assemblies/proc_deploying-in-disconnected-environments.adoc new file mode 100644 index 000000000..5ab3b82d7 --- /dev/null +++ b/docs/assemblies/proc_deploying-in-disconnected-environments.adoc @@ -0,0 +1,46 @@ +[id="proc_deploying-in-disconnected-environments"] += Deploying OpenStack in a disconnected environment + +[role="_abstract"] +Deploying in diconnected environments can be achieved largely by following the OpenShift documentation for mirroring OLM Operators: https://docs.openshift.com/container-platform/4.17/disconnected/mirroring/installing-mirroring-installation-images.html#olm-mirror-catalog_installing-mirroring-installation-images + +The `openstack-operator` contains a list of related images that will ensure all required images for the deployment are mirrored following the above OpenShift process. Once images are mirrored, the `ImageContentSourcePolicy` custom resource (CR) is created. This process results in the `machine-config-operator` rendering a `MachineConfig` called `99-master-genereted-registries`. This `MachineConfig` contains a `registries.conf` file that is applied to all of the OpenShift nodes in the cluster. + +In order to integrate cleanly with this process. The dataplane controller will check for the existence of the `ImageContentSourcePolicy`. If one is found, we will read the `registries.conf` file from the `99-master-generated-registries` `MachineConfig`. The dataplane controller will then set two variables in the Ansible inventory for the nodes. + +[,yaml] +---- + edpm_podman_disconnected_ocp + edpm_podman_registries_conf +---- + +`edpm_podman_disconnected_ocp` is used to conditionally render `registries.conf` on the dataplane nodes during the deployment. While `edpm_podman_registries_conf` is the contents of the `registries.conf` that we acquired from the `MachineConfig` in the cluster. + +This ensures that our EDPM nodes are configured in a consistent manner with the OpenShift nodes. + +These mirrors are configured to work specifically with image digests rather than tags: + +[,yaml] +---- + edpm_podman_registries_conf: | + unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] + short-name-mode = "" + + [[registry]] + prefix = "" + location = "gcr.io/kubebuilder/kube-rbac-proxy" + + [[registry.mirror]] + location = "quay-mirror-registry.example.net:8443/olm/kubebuilder-kube-rbac-proxy" + pull-from-mirror = "digest-only" +---- + +We can see that the `pull-from-mirror` parameter is set to `digest-only`. This means that any attempt by podman to pull an image by a digest will result in the image being pulled from the specified mirror. + +Accordingly, we can see that image references in the `OpenStackVersion` CR are provided in the digest format, for example the multipathd image: + +[,bash] +---- +$ oc get openstackversion -o yaml | yq '.items[].status.containerImages.edpmMultipathdImage' +"quay.io/podified-antelope-centos9/openstack-multipathd@sha256:7df2e1ebe4ec6815173e49157848a63d28a64ffb0db8de6562c4633c0fbcdf3f" +---- diff --git a/docs/dataplane.adoc b/docs/dataplane.adoc index 633105aea..49a28c7e8 100644 --- a/docs/dataplane.adoc +++ b/docs/dataplane.adoc @@ -29,4 +29,6 @@ include::assemblies/design.adoc[leveloffset=+1] include::assemblies/creating-the-data-plane.adoc[leveloffset=+1] +include::assemblies/proc_deploying-in-disconnected-environments.adoc[leveloffset=+1] + include::assemblies/dataplane_resources.adoc[leveloffset=-1]