4.6¶

Official resources¶

Using Operator Lifecycle Manager on restricted networks

Dell CSI Operator example (Spoiler: Dell CSI Operator won't work)¶

Disable all default catalog sources¶

oc patch OperatorHub cluster --type json \
    -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'

Sync ond Operator¶

Necessary environment variables:¶

export OCP_RELEASE=$(oc version -o json  --client | jq -r '.releaseClientVersion')
export LOCAL_REGISTRY='host.compute.local:5000'
export LOCAL_REPOSITORY='ocp4/openshift4'
export PRODUCT_REPO='openshift-release-dev'
export LOCAL_SECRET_JSON='/root/hetzner-ocp4/pullsecret.json'
export RELEASE_NAME="ocp-release"
export ARCHITECTURE=x86_64

Install tools¶

OPM¶

oc image extract registry.redhat.io/openshift4/ose-operator-registry:v${OCP_RELEASE%\.*} \
    -a ${LOCAL_SECRET_JSON} \
    --path /usr/bin/opm:/usr/local/bin/ \
    --confirm
chmod +x /usr/local/bin/opm

grpcurl¶

curl -# -L -o /tmp/grpcurl.tar.gz https://github.com/fullstorydev/grpcurl/releases/download/v1.7.0/grpcurl_1.7.0_linux_x86_64.tar.gz \
 && tar xzvf /tmp/grpcurl.tar.gz -C /usr/local/bin/ grpcurl \
 && chmod +x /usr/local/bin/grpcurl \
 && rm /tmp/grpcurl.tar.gz

Find out certified operator¶

podman run -p50051:50051 --authfile ${LOCAL_SECRET_JSON} -it \
  registry.redhat.io/redhat/certified-operator-index:v${OCP_RELEASE%\.*}

Second terminal:

$ grpcurl -plaintext localhost:50051 api.Registry/ListPackages | grep dell
  "name": "dell-csi-operator-certified"

Install registry cred.¶

mkdir -p /run/user/$(id -u)/containers
cp -v ${LOCAL_SECRET_JSON} /run/user/$(id -u)/containers/auth.json

Build own certified-operator-index¶

OPM is sometimes difficult: * min Podman version 2 (Bug 1894167 - OPM fails to create a pruned index image) * Work-a-round use podman directly

opm index prune \
    -f registry.redhat.io/redhat/certified-operator-index:v${OCP_RELEASE%\.*} \
    -p dell-csi-operator-certified \
    -t ${LOCAL_REGISTRY}/redhat/certified-operator-index:v${OCP_RELEASE%\.*}

podman push ${LOCAL_REGISTRY}/redhat/certified-operator-index:v${OCP_RELEASE%\.*}

Apply catalog sources¶

oc create -f - <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: dell-csi-operator
  namespace: openshift-marketplace
spec:
  displayName: dell-csi-operator
  image: ${LOCAL_REGISTRY}/redhat/certified-operator-index:v${OCP_RELEASE%\.*}
  publisher: dell-csi-operator
  sourceType: grpc
EOF

Mirror operator images¶

Bug 1890951 - Mirror of multiarch images together with cluster logging case problems. It doesn't sync the "overall" sha it syncs only the sub arch sha.

oc adm catalog mirror \
    ${LOCAL_REGISTRY}/redhat/certified-operator-index:v${OCP_RELEASE%\.*} \
    ${LOCAL_REGISTRY} \
    -a ${LOCAL_SECRET_JSON} \
    --to-manifests=certified-operator-index/

oc apply -f certified-operator-index/imageContentSourcePolicy.yaml

Watch until imageContentSourcePolicy is rolled out¶

watch  oc get mcp,nodes

Install Dell CSI Operator via OperatorHub/OLM¶

and you got an error:

$ oc get pods -l name=dell-csi-operator -n openshift-operators
NAME                                 READY   STATUS                  RESTARTS   AGE
dell-csi-operator-74b94b7467-9mhdr   0/1     Init:ImagePullBackOff   0          26m

Because the Dell CSI Operator use images names and not full image urls:

$ oc get pods -l name=dell-csi-operator -n openshift-operators -o jsonpath="{.items[0].spec.initContainers[0].image}"
busybox@sha256:a9286defaba7b3a519d585ba0e37d0b2cbee74ebfe590960b0b1d6a5e97d1e1d
$ oc get pods -l name=dell-csi-operator -n openshift-operators -o jsonpath="{.items[0].spec.containers[0].image}"
dellemc/dell-csi-operator@sha256:113435c9d0d805a2d7f4e6b5bdd6d21a3e489cb0278a9e81b2bc142c0fd5eb0f

Last update: December 6, 2020