Merge pull request #36727 from adellape/mv_olm_disconnected

Author: adellape

installing/installing-mirroring-installation-images.adoc

@@ -73,12 +73,32 @@ In a disconnected environment, you must take additional steps after you install
 
 include::modules/installation-images-samples-disconnected-mirroring-assist.adoc[leveloffset=+2]
 
+include::modules/olm-mirroring-catalog.adoc[leveloffset=+1]
+.Additional resources
 
+* xref:../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks]
+
+include::modules/olm-mirroring-catalog-prereqs.adoc[leveloffset=+2]
+include::modules/olm-mirroring-catalog-extracting.adoc[leveloffset=+2]
+include::modules/olm-mirroring-catalog-colocated.adoc[leveloffset=+3]
+.Additional resources
+* xref:../operators/operator_sdk/osdk-generating-csvs.adoc#olm-arch-os-support_osdk-generating-csvs[Architecture and operating system support for Operators]
+
+include::modules/olm-mirroring-catalog-airgapped.adoc[leveloffset=+3]
+.Additional resources
+* xref:../operators/operator_sdk/osdk-generating-csvs.adoc#olm-arch-os-support_osdk-generating-csvs[Architecture and operating system support for Operators]
+
+include::modules/olm-mirroring-catalog-manifests.adoc[leveloffset=+2]
+include::modules/olm-mirroring-catalog-post.adoc[leveloffset=+2]
+.Additional resources
+
+* xref:../post_installation_configuration/preparing-for-users.adoc#post-install-mirrored-catalogs[Populating OperatorHub from mirrored Operator catalogs]
+
+[id="next-steps_installing-mirroring-installation-images"]
 == Next steps
 
 //* TODO need to add the registry secret to the machines, which is different
 
-* xref:../operators/admin/olm-restricted-networks.adoc#olm-mirror-catalog_olm-restricted-networks[Mirror] the OperatorHub images for the Operators that you want to install in your cluster.
 * Install a cluster on infrastructure that you provision in your restricted network, such as on
 xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[VMware vSphere],
 xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal], or xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[Amazon Web Services].

modules/olm-catalogsource.adoc

@@ -12,7 +12,7 @@ endif::[]
 [id="olm-catalogsource_{context}"]
 = Catalog source
 
-A _catalog source_ represents a store of metadata, typically by referencing an _index image_ stored in a container registry. Operator Lifecycle Manager (OLM) queries catalog sources to discover and install Operators and their dependencies. The OperatorHub in the {product-title} web console also displays the Operators provided by catalog sources.
+A _catalog source_ represents a store of metadata, typically by referencing an _index image_ stored in a container registry. Operator Lifecycle Manager (OLM) queries catalog sources to discover and install Operators and their dependencies. OperatorHub in the {product-title} web console also displays the Operators provided by catalog sources.
 
 [TIP]
 ====

modules/olm-creating-catalog-from-index.adoc

@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 //
+// * post_installation_configuration/preparing-for-users.adoc
 // * operators/admin/olm-restricted-networks.adoc
 // * operators/admin/managing-custom-catalogs.adoc
 
@@ -13,14 +14,17 @@ ifndef::openshift-origin[]
 :tag: v{product-version}
 :namespace: openshift-marketplace
 endif::[]
+ifeval::["{context}" == "post-install-preparing-for-users"]
+:olm-restricted-networks:
+endif::[]
 ifeval::["{context}" == "olm-restricted-networks"]
 :olm-restricted-networks:
 endif::[]
 
 [id="olm-creating-catalog-from-index_{context}"]
-= Creating a catalog from an index image
+= Adding a catalog source to a cluster
 
-You can create an Operator catalog from an index image and apply it to an {product-title} cluster for use with Operator Lifecycle Manager (OLM).
+Adding a catalog source to an {product-title} cluster enables the discovery and installation of Operators for users. Cluster administrators can create a `CatalogSource` object that references an index image. OperatorHub uses catalog sources to populate the user interface.
 
 .Prerequisites
 
@@ -30,7 +34,7 @@ You can create an Operator catalog from an index image and apply it to an {produ
 
 . Create a `CatalogSource` object that references your index image.
 ifdef::olm-restricted-networks[]
-If you used the `oc adm catalog mirror` command to mirror your catalog to a target registry, you can use the generated `catalogSource.yaml` file as a starting point.
+If you used the `oc adm catalog mirror` command to mirror your catalog to a target registry, you can use the generated `catalogSource.yaml` file in your manifests directory as a starting point.
 endif::[]
 
 .. Modify the following to your specifications and save it as a `catalogSource.yaml` file:
@@ -134,6 +138,9 @@ You can now install the Operators from the *OperatorHub* page on your {product-t
 :!index-image:
 :!tag:
 :!namespace:
+ifeval::["{context}" == "post-install-preparing-for-users"]
+:!olm-restricted-networks:
+endif::[]
 ifeval::["{context}" == "olm-restricted-networks"]
 :!olm-restricted-networks:
 endif::[]

modules/olm-mirroring-catalog-airgapped.adoc

@@ -0,0 +1,87 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-mirroring-installation-images.adoc
+
+ifdef::openshift-origin[]
+:index-image-pullspec: quay.io/operatorhubio/catalog:latest
+endif::[]
+ifndef::openshift-origin[]
+:index-image-pullspec: registry.redhat.io/redhat/redhat-operator-index:v{product-version}
+endif::[]
+
+[id="olm-mirror-catalog-airgapped_{context}"]
+= Mirroring catalog contents to airgapped registries
+
+If your mirror registry is on a completely disconnected, or airgapped, host, take the following actions.
+
+.Procedure
+
+. Run the following command on your workstation with unrestricted network access to mirror the content to local files:
++
+[source,terminal]
+----
+$ oc adm catalog mirror \
+    <index_image> \ <.>
+    file:///local/index \ <.>
+    -a ${REG_CREDS} \ <.>
+    --insecure \ <.>
+    --index-filter-by-os='<platform>/<arch>' <.>
+----
+<.> Specify the index image for the catalog that you want to mirror. For example, this might be a pruned index image that you created previously, or one of the source index images for the default catalogs, such as `{index-image-pullspec}`.
+<.> Specify the content to mirror to local files in your current directory.
+<.> Optional: If required, specify the location of your registry credentials file.
+<.> Optional: If you do not want to configure trust for the target registry, add the `--insecure` flag.
+<.> Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are specified as `'<platform>/<arch>[/<variant>]'`. This does not apply to images referenced by the index. Valid values are `linux/amd64`, `linux/ppc64le`, `linux/s390x`, and `.*`
++
+.Example output
+[source,terminal]
+----
+...
+info: Mirroring completed in 5.93s (5.915MB/s)
+wrote mirroring manifests to manifests-my-index-1614985528 <1>
+
+To upload local images to a registry, run:
+
+	oc adm catalog mirror file://local/index/myrepo/my-index:v1 REGISTRY/REPOSITORY <2>
+----
+<1> Record the manifests directory name that is generated. This directory is referenced in subsequent procedures.
+<2> Record the expanded `file://` path that is based on your provided index image. This path is referenced in a subsequent step.
++
+This command creates a `v2/` directory in your current directory.
+
+. Copy the `v2/` directory to removable media.
+
+. Physically remove the media and attach it to a host in the disconnected environment that has access to the mirror registry.
+
+. If your mirror registry requires authentication, run the following command on your host in the disconnected environment to log in to the registry:
++
+[source,terminal]
+----
+$ podman login <mirror_registry>
+----
+
+. Run the following command from the parent directory containing the `v2/` directory to upload the images from local files to the mirror registry:
++
+[source,terminal]
+----
+$ oc adm catalog mirror \
+    file://local/index/<repo>/<index_image>:<tag> \ <.>
+    <mirror_registry>:<port>/<namespace> \ <.>
+    -a ${REG_CREDS} \ <.>
+    --insecure \ <.>
+    --index-filter-by-os='<platform>/<arch>' <.>
+----
+<.> Specify the `file://` path from the previous command output.
+<.> Specify the target registry and namespace to mirror the Operator contents to, where `<namespace>` is any existing namespace on the registry. For example, you might create an `olm-mirror` namespace to push all mirrored content to.
+<.> Optional: If required, specify the location of your registry credentials file.
+<.> Optional: If you do not want to configure trust for the target registry, add the `--insecure` flag.
+<.> Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are specified as `'<platform>/<arch>[/<variant>]'`. This does not apply to images referenced by the index. Valid values are `linux/amd64`, `linux/ppc64le`, `linux/s390x`, and `.*`
++
+[NOTE]
+====
+Red Hat Quay does not support nested repositories. As a result, running the `oc adm catalog mirror` command will fail with a `401` unauthorized error. As a workaround, you can use the `--max-components=2` option when running the `oc adm catalog mirror` command to disable the creation of nested repositories. For more information on this workaround, see the link:https://access.redhat.com/solutions/5440741[Unauthorized error thrown while using catalog mirror command with Quay registry] Knowledgebase Solution.
+====
+
+After you mirror the catalog, you can continue with the remainder of your cluster installation. After your cluster installation has finished successfully, you must specify the manifests directory from this procedure to create the `ImageContentSourcePolicy` and `CatalogSource` objects. These objects are required to enable installation of Operators from OperatorHub.
+
+:!index-image-pullspec:

modules/olm-mirroring-catalog-colocated.adoc

@@ -0,0 +1,65 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-mirroring-installation-images.adoc
+
+ifdef::openshift-origin[]
+:index-image-pullspec: quay.io/operatorhubio/catalog:latest
+:index-image: catalog
+endif::[]
+ifndef::openshift-origin[]
+:index-image-pullspec: registry.redhat.io/redhat/redhat-operator-index:v{product-version}
+:index-image: redhat-operator-index
+endif::[]
+
+[id="olm-mirror-catalog-colocated_{context}"]
+= Mirroring catalog contents to registries on the same network
+
+If your mirror registry is co-located on the same network as your workstation with unrestricted network access, take the following actions on your workstation.
+
+.Procedure
+
+. If your mirror registry requires authentication, run the following command to log in to the registry:
++
+[source,terminal]
+----
+$ podman login <mirror_registry>
+----
+
+. Run the following command to extract and mirror the content to the mirror registry:
++
+[source,terminal]
+----
+$ oc adm catalog mirror \
+    <index_image> \ <.>
+    <mirror_registry>:<port>/<namespace> \ <.>
+    [-a ${REG_CREDS}] \ <.>
+    [--insecure] \ <.>
+    [--index-filter-by-os='<platform>/<arch>'] \ <.>
+    [--manifests-only] <.>
+----
+<1> Specify the index image for the catalog that you want to mirror. For example, this might be a pruned index image that you created previously, or one of the source index images for the default catalogs, such as `{index-image-pullspec}`.
+<2> Specify the target registry and namespace to mirror the Operator contents to, where `<namespace>` is any existing namespace on the registry. For example, you might create an `olm-mirror` namespace to push all mirrored content to.
+<3> Optional: If required, specify the location of your registry credentials file.
+<4> Optional: If you do not want to configure trust for the target registry, add the `--insecure` flag.
+<5> Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are passed as `'<platform>/<arch>[/<variant>]'`. This does not apply to images referenced by the index. Valid values are `linux/amd64`, `linux/ppc64le`, `linux/s390x`, and `.*`
+<6> Optional: Generate only the manifests required for mirroring, and do not actually mirror the image content to a registry. This option can be useful for reviewing what will be mirrored, and it allows you to make any changes to the mapping list if you require only a subset of packages. You can then use the `mapping.txt` file with the `oc image mirror` command to mirror the modified list of images in a later step. This flag is intended for only advanced selective mirroring of content from the catalog; the `opm index prune` command, if you used it previously to prune the index image, is suitable for most catalog management use cases.
++
+.Example output
+[source,terminal,subs="attributes+"]
+----
+src image has index label for database path: /database/index.db
+using database path mapping: /database/index.db:/tmp/153048078
+wrote database to /tmp/153048078 <1>
+...
+wrote mirroring manifests to manifests-{index-image}-1614211642 <2>
+----
+<1> Directory for the temporary `index.db` database generated by the command.
+<2> Record the manifests directory name that is generated. This directory is referenced in subsequent procedures.
++
+[NOTE]
+====
+Red Hat Quay does not support nested repositories. As a result, running the `oc adm catalog mirror` command will fail with a `401` unauthorized error. As a workaround, you can use the `--max-components=2` option when running the `oc adm catalog mirror` command to disable the creation of nested repositories. For more information on this workaround, see the link:https://access.redhat.com/solutions/5440741[Unauthorized error thrown while using catalog mirror command with Quay registry] Knowledgebase Solution.
+====
+
+:!index-image-pullspec:
+:!index-image:

modules/olm-mirroring-catalog-extracting.adoc

@@ -0,0 +1,10 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-mirroring-installation-images.adoc
+
+[id="olm-mirror-catalog-extracting_{context}"]
+= Extracting and mirroring catalog contents
+
+The `oc adm catalog mirror` command extracts the contents of an index image to generate the manifests required for mirroring. The default behavior of the command generates manifests, then automatically mirrors all of the image content from the index image, as well as the index image itself, to your mirror registry.
+
+Alternatively, if your mirror registry is on a completely disconnected, or _airgapped_, host, you can first mirror the content to removable media, move the media to the disconnected environment, then mirror the content from the media to the registry.

modules/olm-mirroring-catalog-icsp.adoc

@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/preparing-for-users.adoc
+
+[id="olm-mirror-catalog-icsp_{context}"]
+= Creating the ImageContentSourcePolicy object
+
+After mirroring Operator catalog content to your mirror registry, create the required `ImageContentSourcePolicy` (ICSP) object. The ICSP object configures nodes to translate between the image references stored in Operator manifests and the mirrored registry.
+
+.Procedure
+
+* On a host with access to the disconnected cluster, create the ICSP by running the following command to specify the `imageContentSourcePolicy.yaml` file in your manifests directory:
++
+[source,terminal,subs="attributes+"]
+----
+$ oc create -f <path/to/manifests/dir>/imageContentSourcePolicy.yaml
+----
++
+where `<path/to/manifests/dir>` is the path to the manifests directory for your mirrored content.
++
+[NOTE]
+====
+Applying the ICSP causes all worker nodes in the cluster to restart. You must wait for this reboot process to finish cycling through each of your worker nodes before proceeding.
+====
+
+You can now create a `CatalogSource` object to reference your mirrored index image and Operator content.

modules/olm-mirroring-catalog-manifests.adoc

@@ -0,0 +1,48 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-mirroring-installation-images.adoc
+
+[id="olm-mirror-catalog-manifests_{context}"]
+= Generated manifests
+
+After mirroring Operator catalog content to your mirror registry, a manifests directory is generated in your current directory.
+
+If you mirrored content to a registry on the same network, the directory name takes the following pattern:
+
+[source,text]
+----
+manifests-<index_image_name>-<random_number>
+----
+
+If you mirrored content to a registry on a disconnected host in the previous section, the directory name takes the following pattern:
+
+[source,text]
+----
+manifests-index/<namespace>/<index_image_name>-<random_number>
+----
+
+[NOTE]
+====
+The manifests directory name is referenced in subsequent procedures.
+====
+
+The manifests directory contains the following files, some of which might require further modification:
+
+* The `catalogSource.yaml` file is a basic definition for a `CatalogSource` object that is pre-populated with your index image tag and other relevant metadata. This file can be used as is or modified to add the catalog source to your cluster.
++
+[IMPORTANT]
+====
+If you mirrored the content to local files, you must modify your `catalogSource.yaml` file to remove any backslash (`/`) characters from the `metadata.name` field. Otherwise, when you attempt to create the object, it fails with an "invalid resource name" error.
+====
+* The `imageContentSourcePolicy.yaml` file defines an `ImageContentSourcePolicy` object that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.
++
+[NOTE]
+====
+If your cluster uses an `ImageContentSourcePolicy` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
+====
+* The `mapping.txt` file contains all of the source images and where to map them in the target registry. This file is compatible with the `oc image mirror` command and can be used to further customize the mirroring configuration.
++
+[IMPORTANT]
+====
+If you used the `--manifests-only` flag during the mirroring process and want to further trim the subset of packages to mirror, see the steps in the link:https://docs.openshift.com/container-platform/4.7/operators/admin/olm-managing-custom-catalogs.html#olm-mirroring-package-manifest-catalog_olm-managing-custom-catalogs[Mirroring a package manifest format catalog image] procedure of the {product-title} 4.7 documentation about modifying your `mapping.txt` file and using the file with the `oc image mirror` command.
+====

modules/olm-mirroring-catalog-post.adoc

@@ -0,0 +1,8 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-mirroring-installation-images.adoc
+
+[id="olm-mirror-catalog-post_{context}"]
+= Post-installation requirements
+
+After you mirror the catalog, you can continue with the remainder of your cluster installation. After your cluster installation has finished successfully, you must specify the manifests directory from this procedure to create the `ImageContentSourcePolicy` and `CatalogSource` objects. These objects are required to populate and enable installation of Operators from OperatorHub.