Bug 1898474

Summary: Compliance operator installation for disconnected environments

Product: OpenShift Container Platform
Component: Documentation
Version: 4.6
Type: Bug
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Hardware: Unspecified
OS: Unspecified
Reporter: David Hernández Fernández <dahernan>
Assignee: Ashley Hardin <ahardin>
QA Contact: Xiaoli Tian <xtian>
Docs Contact: Vikram Goyal <vigoyal>
CC: ahardin, alchan, aos-bugs, jokerman, josorior, mrogers, nkinder, xiyuan
Last Closed: 2021-04-09 21:38:59 UTC

Description David Hernández Fernández 2020-11-17 09:14:02 UTC
Description of problem: Document officially how to install the OpenShift Compliance Operator in disconnected environments. (Please move to the Doc component if needed once it has been verified by the compliance team.)

https://docs.openshift.com/container-platform/4.6/security/compliance_operator/compliance-operator-understanding.html

Version-Release number of selected component (if applicable): 4.6

Possible example for reference:

Create a pull secret from /root/deploy/secrets/docker/config.json and quay.json on the registry node.

Refer to your local registry configuration to acquire your pull secret.

Mirror images to the local registry

The following steps are for mirroring your images if you have a system that can access both the internet and your offline registry (e.g. a bastion node in AWS).

Set an environment variable for the docker pull secret for the local registry, i.e. "~/.docker/config.json":
# export REG_CREDS='<path/to/pull/secret>'

Set an environment variable for your offline registry URL, i.e. "myregistry.mydomain.io:5000":
# export REG_URL='<offline-registry-url-including-port>'

# oc image mirror --force --keep-manifest-list=true --registry-config $REG_CREDS --insecure=true 'quay.io/compliance-operator/compliance-operator:latest' "$REG_URL/compliance-operator/compliance-operator:latest"

# oc image mirror --force --keep-manifest-list=true --registry-config $REG_CREDS --insecure=true 'quay.io/complianceascode/ocp4:latest' "$REG_URL/complianceascode/ocp4:latest"

# oc image mirror --force --keep-manifest-list=true --registry-config $REG_CREDS --insecure=true 'quay.io/compliance-operator/openscap-ocp:1.3.3' "$REG_URL/compliance-operator/openscap-ocp:1.3.3"
Pull git repo

Clone the git repository on an internet connected system:

# git clone https://github.com/openshift/compliance-operator.git

Apply templates

The manual offline installation requires changing all the values that point to the container images in Quay to your local offline registry.

# cd compliance-operator

# find deploy -name '*.yaml' -exec sed -i 's#quay\.io#registry.<cluster>.<domain>:5000#g' {} +   # rewrite only the manifests under deploy/, not the whole checkout

# oc create -f deploy/ns.yaml

# oc project openshift-compliance

# for f in deploy/crds/*crd.yaml; do oc apply -n openshift-compliance -f "$f"; done

# oc apply -n openshift-compliance -f deploy/

Using the operator is now possible

https://github.com/openshift/compliance-operator

*Thanks to Dean Lystra*
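The "Apply templates" step above rewrites every quay.io reference and then applies the manifests without checking the result. The following script is an added example, not code from the bug report or from the compliance-operator repository: it does the same rewrite on the YAML manifests under a directory and then audits them, failing if any reference still points at quay.io and flagging references that are only pinned by a tag such as :latest rather than by an @sha256 digest (a tag is mutable, so it says nothing about which build was actually mirrored). REG_URL is the variable the procedure sets (host:port of the offline registry, no path); the manifests that make_sample_dir writes, and the digest in them, are constructed for this example; GNU sed is assumed for "sed -i".

```shell
#!/bin/sh
# Added example; not part of the bug report or of the compliance-operator repo.
# Performs the "Apply templates" rewrite on the *.yaml files under a directory
# and audits the result. The sample manifest and its digest are constructed.
set -eu

# rewrite_registry <dir> <mirror-host:port>
# Rewrite every quay.io reference in *.yaml under <dir> to the mirror. Scoping
# to *.yaml leaves README, Makefile etc. untouched; '#' is the sed delimiter so
# a '/' in the mirror string cannot break the expression. (GNU sed -i assumed.)
rewrite_registry() {
    find "$1" -name '*.yaml' -exec sed -i "s#quay\.io/#$2/#g" {} +
}

# list_images <dir>
# Print every image reference (host[:port]/path:tag or host[:port]/path@sha256:hex)
# found in the manifests, one per line; this also catches references kept in
# env values such as RELATED_IMAGE_*, not only "image:" fields.
list_images() {
    grep -rhoE --include='*.yaml' \
        '[A-Za-z0-9.-]+(:[0-9]+)?/[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+|@sha256:[0-9a-f]+)' \
        "$1" | sort -u
}

# audit_images <dir> <mirror-host:port>
# Return 1 if any reference still points at quay.io. Otherwise classify each
# reference: an @sha256 digest pins exactly the content that was mirrored,
# while a tag like :latest is mutable and may differ from what was copied.
audit_images() {
    leftover=$(grep -rl --include='*.yaml' 'quay\.io/' "$1" || true)
    if [ -n "$leftover" ]; then
        echo "still pointing at quay.io:" >&2
        echo "$leftover" >&2
        return 1
    fi
    list_images "$1" | while read -r img; do
        case "$img" in
            "$2"/*@sha256:*) echo "pinned:   $img" ;;
            "$2"/*)          echo "tag only: $img (pin to a digest once mirrored)" ;;
            *)               echo "other:    $img" ;;
        esac
    done
}

# make_sample_dir: write a constructed stand-in for the deploy/ directory
make_sample_dir() {
    dir=$(mktemp -d)
    mkdir "$dir/crds"
    : > "$dir/crds/compliancescans_crd.yaml"   # a CRD carries no image references
    cat > "$dir/operator.yaml" <<'EOF'
# constructed sample standing in for deploy/operator.yaml (not the real manifest)
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: compliance-operator
        image: quay.io/compliance-operator/compliance-operator:latest
        env:
        - name: OPENSCAP_IMAGE
          value: quay.io/compliance-operator/openscap-ocp:1.3.3
        - name: CONTENT_IMAGE
          value: quay.io/complianceascode/ocp4@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
    echo "$dir"
}

# Usage, with the same variable as the procedure above:
#   REG_URL=myregistry.mydomain.io:5000
#   d=$(make_sample_dir); rewrite_registry "$d" "$REG_URL"; audit_images "$d" "$REG_URL"
```

Run audit_images before rewrite_registry and it fails with the list of files still pointing at quay.io; after the rewrite it prints one line per image, two of them "tag only" and one "pinned" for the constructed manifest. On a real checkout, point it at deploy/ instead of the sample directory.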

Comment 1 xiyuan 2020-11-19 15:24:15 UTC
Hi David,
I just followed the official doc[1] about "Using Operator Lifecycle Manager on restricted networks" to do it:
1. Prune the index image:
opm index prune -p compliance-operator -f registry.redhat.io/redhat/redhat-operator-index:v4.6 -t ${MIRROR_REGISTRY}/openshift/redhat-operator-index:v4.6 -c docker
docker push  ${MIRROR_REGISTRY}/openshift/redhat-operator-index:v4.6
2. Mirror the necessary images (I think this step could be simplified):
oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v4.6 ${MIRROR_REGISTRY}/openshift/redhat-operator-index:v4.6 --manifests-only   --to-manifests=mirror
# sed -i 's/redhat-operator-index:v4.6-//g' mirror/mapping.txt
# grep "compliance" mirror/mapping.txt > m1.txt
# cat m1.txt 
registry.redhat.io/openshift4/compliance-rhel8-operator@sha256:ae603ffbaf213d9f46823277b4a4ef83a8395857447281dc0ef471d5b8ef4e0c=ec2-3-15-27-25.us-east-2.compute.amazonaws.com:5000/openshift/openshift4-compliance-rhel8-operator:2ba1857e
registry.redhat.io/openshift4/compliance-rhel8-operator-metadata@sha256:161f9e93d5bd2de2e34d42c39f21c3f3ca0fc9de86988fe0385dea269f9f03a8=ec2-3-15-27-25.us-east-2.compute.amazonaws.com:5000/openshift/openshift4-compliance-rhel8-operator-metadata:59ba3fd7
registry.redhat.io/openshift4/compliance-content-rhel8@sha256:9ef0fb26ad62131c6e755fc7e9d1bdecdc941eea36aae4eddad4fbe310650148=ec2-3-15-27-25.us-east-2.compute.amazonaws.com:5000/openshift/openshift4-compliance-content-rhel8:c1de0b3d
registry.redhat.io/openshift4/compliance-openscap-rhel8@sha256:b69d2fe19b3950d87b1e13c943cbcf739a2a25763cb3557f185dd693928d0317=ec2-3-15-27-25.us-east-2.compute.amazonaws.com:5000/openshift/openshift4-compliance-openscap-rhel8:46e5a9c2
# while read -r line; do oc image mirror "$line" --insecure=true --filter-by-os='.*' --keep-manifest-list=true; done < m1.txt
3. Create the ImageContentSourcePolicy (imageContentSourcePolicy.yaml):
cat <<EOF | oc apply -f -
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: oc-operator-index
spec:
  repositoryDigestMirrors:
  - mirrors:
    - ${MIRROR_REGISTRY}/openshift/openshift4-compliance-rhel8-operator-metadata
    source: registry.redhat.io/openshift4/compliance-rhel8-operator-metadata
  - mirrors:
    - ${MIRROR_REGISTRY}/openshift/openshift4-compliance-openscap-rhel8
    source: registry.redhat.io/openshift4/compliance-openscap-rhel8
  - mirrors:
    - ${MIRROR_REGISTRY}/openshift/openshift4-compliance-content-rhel8
    source: registry.redhat.io/openshift4/compliance-content-rhel8
  - mirrors:
    - ${MIRROR_REGISTRY}/openshift/openshift4-compliance-rhel8-operator
    source: registry.redhat.io/openshift4/compliance-rhel8-operator
EOF
4. Wait until the reboot has finished, then create the CatalogSource, Namespace, OperatorGroup and Subscription to install the operator.
The CatalogSource looks like this:
cat <<EOF | oc apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: compliance1
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: ${MIRROR_REGISTRY}/openshift/redhat-operator-index:v4.6
EOF

Those are all the steps. Is that enough for you? Thanks.

[1] https://docs.openshift.com/container-platform/4.6/operators/admin/olm-restricted-networks.html
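Step 3 of the comment above types out an ImageContentSourcePolicy whose entries are exactly the source/mirror pairs of the filtered mapping.txt from step 2. The script below is an added example, not code from the bug report or from the OpenShift docs: it derives the policy from the mapping lines instead. It also encodes the caveat a practitioner wants at this point: repositoryDigestMirrors only redirects pulls made by digest, so a mapping line whose source side carries a tag rather than an @sha256 digest is reported and left out rather than silently included, and a source repository mirrored under several digests yields a single entry. The function name mapping_to_icsp and SAMPLE_MAPPING are this example's own; the sample lines have the shape of mirror/mapping.txt above but their registry name and digests are placeholders.

```shell
#!/bin/sh
# Added example; not part of the bug report or of the OpenShift docs. Builds the
# ImageContentSourcePolicy of step 3 from the mapping.txt lines of step 2.
# SAMPLE_MAPPING is constructed input: placeholder registry and digests.
set -eu

# One mapping line looks like:
#   <source-repo>@sha256:<digest>=<mirror-host:port>/<mirror-repo>:<tag>
# repositoryDigestMirrors only redirects pulls made BY DIGEST, so a line whose
# source side has a tag instead of a digest would never be honoured by the
# policy; it is reported on stderr and skipped instead of silently included.
# mapping_to_icsp <policy-name>   (reads mapping lines on stdin, writes YAML)
mapping_to_icsp() {
    seen="|"
    printf 'apiVersion: operator.openshift.io/v1alpha1\n'
    printf 'kind: ImageContentSourcePolicy\nmetadata:\n  name: %s\n' "$1"
    printf 'spec:\n  repositoryDigestMirrors:\n'
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        src=${line%%=*}                      # left of the first '='
        dst=${line#*=}                       # right of it
        case "$src" in
            *@sha256:*) ;;
            *) echo "skipping tag-based source (not covered by repositoryDigestMirrors): $src" >&2
               continue ;;
        esac
        src_repo=${src%%@*}                  # drop @sha256:<digest>
        case "${dst##*/}" in                 # strip :<tag> only if the last path element has one
            *:*) dst_repo=${dst%:*} ;;       # (a registry port sits before the first '/')
            *)   dst_repo=$dst ;;
        esac
        case "$seen" in                      # one entry per source repository, even when
            *"|$src_repo|"*) continue ;;     # several digests of it were mirrored
        esac
        seen="$seen$src_repo|"
        printf '  - mirrors:\n    - %s\n    source: %s\n' "$dst_repo" "$src_repo"
    done
}

# Constructed input in the shape of mirror/mapping.txt (placeholder digests and
# registry): two digests of the content image, plus one tag-only line that must
# be skipped.
SAMPLE_MAPPING='registry.redhat.io/openshift4/compliance-rhel8-operator@sha256:1111111111111111111111111111111111111111111111111111111111111111=mirror.example.com:5000/openshift/openshift4-compliance-rhel8-operator:aaaaaaaa
registry.redhat.io/openshift4/compliance-content-rhel8@sha256:2222222222222222222222222222222222222222222222222222222222222222=mirror.example.com:5000/openshift/openshift4-compliance-content-rhel8:bbbbbbbb
registry.redhat.io/openshift4/compliance-content-rhel8@sha256:3333333333333333333333333333333333333333333333333333333333333333=mirror.example.com:5000/openshift/openshift4-compliance-content-rhel8:cccccccc
registry.redhat.io/openshift4/compliance-openscap-rhel8:latest=mirror.example.com:5000/openshift/openshift4-compliance-openscap-rhel8:latest'

# Usage against a real mirror run (the same grep as in step 2 above):
#   grep compliance mirror/mapping.txt | mapping_to_icsp oc-operator-index | oc apply -f -
# Demo on the constructed input:
#   printf '%s\n' "$SAMPLE_MAPPING" | mapping_to_icsp oc-operator-index
```

On the constructed input the policy ends up with two repositoryDigestMirrors entries (operator and content), the duplicate content digest collapses into one entry, and the tag-only openscap line is reported on stderr and omitted; with a real mapping.txt every line from oc adm catalog mirror is digest-based, so nothing is skipped and the output matches the hand-written policy above.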

Comment 2 David Hernández Fernández 2020-12-07 13:18:02 UTC
LGTM. I used it as well and it works.

Comment 3 Nathan Kinder 2020-12-11 19:22:58 UTC
We should add a reference to the OLM restricted networks document in the Compliance Operator docs.  The Compliance Operator is a feature of interest for customers who use disconnected environments, so I think this would be helpful for users.

Moving to Documentation component.

Comment 4 Ashley Hardin 2021-04-08 21:03:12 UTC
Addressed in https://github.com/openshift/openshift-docs/pull/29673