Description of problem:
Document officially how to install the OpenShift Compliance Operator in disconnected environments. (Please move to the Doc component if needed once it is verified by the compliance team.)
https://docs.openshift.com/container-platform/4.6/security/compliance_operator/compliance-operator-understanding.html

Version-Release number of selected component (if applicable):
4.6

Possible example for reference

Create a pull secret from /root/deploy/secrets/docker/config.json and quay.json on the registry node. Refer to your local registry configuration to acquire your pull secret.

Mirror Images to local registry

The following steps are for mirroring your images if you have a system that can access the internet and your offline registry (e.g. a bastion node in AWS).

Set an environment variable for the docker pull secret for the local registry, i.e. "~/.docker/config.json":
# export REG_CREDS='<path/to/pull/secret>'

Set an environment variable for your offline registry URL, i.e. "myregistry.mydomain.io:5000":
# export REG_URL='<offline-registry-url-include-port>'

# oc image mirror --force --keep-manifest-list=true --registry-config $REG_CREDS --insecure=true 'quay.io/compliance-operator/compliance-operator:latest' "$REG_URL/compliance-operator/compliance-operator:latest"
# oc image mirror --force --keep-manifest-list=true --registry-config $REG_CREDS --insecure=true 'quay.io/complianceascode/ocp4:latest' "$REG_URL/complianceascode/ocp4:latest"
# oc image mirror --force --keep-manifest-list=true --registry-config $REG_CREDS --insecure=true 'quay.io/compliance-operator/openscap-ocp:1.3.3' "$REG_URL/compliance-operator/openscap-ocp:1.3.3"

Pull git repo

Clone the git repository on an internet-connected system:
# git clone https://github.com/openshift/compliance-operator.git

Apply templates

The manual offline installation requires changing all the values that point to the container images in Quay to your local offline registry.
# cd compliance-operator
# sed -i 's/quay.io/registry.<cluster>.<domain>:5000/g' *
# oc create -f deploy/ns.yaml
# oc project openshift-compliance
# for f in $(ls -1 deploy/crds/*crd.yaml); do oc apply -f $f -n openshift-compliance; done
# oc apply -n openshift-compliance -f deploy/

Using the operator is now possible.
https://github.com/openshift/compliance-operator

*Thanks to Dean Lystra*
Hi David,
I just followed the official doc[1] about "Using Operator Lifecycle Manager on restricted networks" to do it:

1. Pruning an index image
opm index prune -p compliance-operator -f registry.redhat.io/redhat/redhat-operator-index:v4.6 -t ${MIRROR_REGISTRY}/openshift/redhat-operator-index:v4.6 -c docker
docker push ${MIRROR_REGISTRY}/openshift/redhat-operator-index:v4.6

2. Mirror necessary images (I think this step could be simplified):
oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v4.6 ${MIRROR_REGISTRY}/openshift/redhat-operator-index:v4.6 --manifests-only --to-manifests=mirror
# sed -i 's/redhat-operator-index:v4.6-//g' mirror/mapping.txt
# grep "compliance" mirror/mapping.txt > m1.txt
# cat m1.txt
registry.redhat.io/openshift4/compliance-rhel8-operator@sha256:ae603ffbaf213d9f46823277b4a4ef83a8395857447281dc0ef471d5b8ef4e0c=ec2-3-15-27-25.us-east-2.compute.amazonaws.com:5000/openshift/openshift4-compliance-rhel8-operator:2ba1857e
registry.redhat.io/openshift4/compliance-rhel8-operator-metadata@sha256:161f9e93d5bd2de2e34d42c39f21c3f3ca0fc9de86988fe0385dea269f9f03a8=ec2-3-15-27-25.us-east-2.compute.amazonaws.com:5000/openshift/openshift4-compliance-rhel8-operator-metadata:59ba3fd7
registry.redhat.io/openshift4/compliance-content-rhel8@sha256:9ef0fb26ad62131c6e755fc7e9d1bdecdc941eea36aae4eddad4fbe310650148=ec2-3-15-27-25.us-east-2.compute.amazonaws.com:5000/openshift/openshift4-compliance-content-rhel8:c1de0b3d
registry.redhat.io/openshift4/compliance-openscap-rhel8@sha256:b69d2fe19b3950d87b1e13c943cbcf739a2a25763cb3557f185dd693928d0317=ec2-3-15-27-25.us-east-2.compute.amazonaws.com:5000/openshift/openshift4-compliance-openscap-rhel8:46e5a9c2
# for line in $(cat m1.txt); do oc image mirror $line --insecure=true --filter-by-os='.*' --keep-manifest-list=true; done

3. Create imageContentSourcePolicy.yaml
cat <<EOF | oc apply -f -
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: oc-operator-index
spec:
  repositoryDigestMirrors:
  - mirrors:
    - ${MIRROR_REGISTRY}/openshift/openshift4-compliance-rhel8-operator-metadata
    source: registry.redhat.io/openshift4/compliance-rhel8-operator-metadata
  - mirrors:
    - ${MIRROR_REGISTRY}/openshift/openshift4-compliance-openscap-rhel8
    source: registry.redhat.io/openshift4/compliance-openscap-rhel8
  - mirrors:
    - ${MIRROR_REGISTRY}/openshift/openshift4-compliance-content-rhel8
    source: registry.redhat.io/openshift4/compliance-content-rhel8
  - mirrors:
    - ${MIRROR_REGISTRY}/openshift/openshift4-compliance-rhel8-operator
    source: registry.redhat.io/openshift4/compliance-rhel8-operator
EOF

4. Wait until the reboot has finished, then create the catalogsource, namespace, namegroup and subscription to install the cluster. The catalogsource looks like below:
cat <<EOF | oc apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: compliance1
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: ${MIRROR_REGISTRY}/openshift/redhat-operator-index:v4.6
EOF

That's all the steps. Is it enough for you? Thanks.

[1] https://docs.openshift.com/container-platform/4.6/operators/admin/olm-restricted-networks.html
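As an added example (not code from this thread, from the OLM docs, or from the Compliance Operator project), the POSIX sh script below turns the filtered mapping.txt of step 2 into the ImageContentSourcePolicy of step 3 and refuses any mapping line whose source is not pinned by sha256 digest or whose mirror lives outside the expected registry, which is the check one wants before applying an ICSP generated from a mirror run. The registry hostname, tags and digests are constructed placeholders, and select_mapping, check_mapping, mirror_repo and icsp_yaml are names chosen here, not OpenShift tooling.

```shell
#!/bin/sh
# Added example, not part of the bug thread: build an ImageContentSourcePolicy
# from the (filtered) mapping.txt written by `oc adm catalog mirror`, rejecting
# lines that are not digest-pinned or that mirror to an unexpected registry.
# Hostnames, tags and digests below are constructed.

# Registry every mirror entry is expected to point at (constructed value).
EXPECTED_MIRROR_REGISTRY='mirror.example.internal:5000'

# Constructed stand-in for mirror/mapping.txt after the index prefix has been
# stripped (source@digest=mirror:tag per line). The third line is deliberately
# tag-only so the check is seen rejecting it.
SAMPLE_MAPPING='registry.redhat.io/openshift4/compliance-rhel8-operator@sha256:1111111111111111111111111111111111111111111111111111111111111111=mirror.example.internal:5000/openshift/openshift4-compliance-rhel8-operator:2ba1857e
registry.redhat.io/openshift4/compliance-content-rhel8@sha256:2222222222222222222222222222222222222222222222222222222222222222=mirror.example.internal:5000/openshift/openshift4-compliance-content-rhel8:c1de0b3d
registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.6=mirror.example.internal:5000/openshift/ose-kube-rbac-proxy:v4.6
registry.redhat.io/openshift4/compliance-openscap-rhel8@sha256:3333333333333333333333333333333333333333333333333333333333333333=mirror.example.internal:5000/openshift/openshift4-compliance-openscap-rhel8:46e5a9c2'

# select_mapping FILTER: the `grep "compliance" mirror/mapping.txt` step,
# applied to the constructed sample instead of a file.
select_mapping() {
  printf '%s\n' "$SAMPLE_MAPPING" | grep -- "$1"
}

# check_mapping LINE: succeed only if the source reference is pinned by a
# sha256 digest (what repositoryDigestMirrors resolves against) and the mirror
# side lives in EXPECTED_MIRROR_REGISTRY.
check_mapping() {
  src=${1%%=*}
  dst=${1#*=}
  case "$src" in
    *@sha256:*) ;;
    *) echo "rejected (source not digest-pinned): $src" >&2; return 1 ;;
  esac
  case "$dst" in
    "$EXPECTED_MIRROR_REGISTRY"/*) ;;
    *) echo "rejected (mirror outside expected registry): $dst" >&2; return 1 ;;
  esac
  return 0
}

# mirror_repo REF: drop a trailing :tag but keep a registry :port, because the
# ICSP mirrors list names repositories, not tagged images.
mirror_repo() {
  last=${1##*:}
  case "$last" in
    */*) printf '%s\n' "$1" ;;       # last colon belongs to host:port, no tag present
    *)   printf '%s\n' "${1%:*}" ;;  # strip the tag
  esac
}

# icsp_yaml NAME FILTER: print an ImageContentSourcePolicy with one
# repositoryDigestMirrors entry per selected mapping line; returns 1 on the
# first line that fails check_mapping.
icsp_yaml() {
  printf 'apiVersion: operator.openshift.io/v1alpha1\nkind: ImageContentSourcePolicy\nmetadata:\n  name: %s\nspec:\n  repositoryDigestMirrors:\n' "$1"
  select_mapping "$2" | while IFS= read -r line; do
    check_mapping "$line" || exit 1   # exits the pipeline subshell, so icsp_yaml returns 1
    src_repo=${line%%@*}
    printf '  - mirrors:\n    - %s\n    source: %s\n' "$(mirror_repo "${line#*=}")" "$src_repo"
  done
}

# Usage: icsp_yaml compliance-mirror compliance | oc apply -f -
icsp_yaml compliance-mirror compliance
```

Running it prints an ICSP with three entries (the rbac-proxy line is not selected by the "compliance" filter); calling icsp_yaml with an empty filter makes check_mapping reject that tag-only line and the function returns non-zero, so nothing reaches oc apply.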
LGTM. I used it as well and it works.
We should add a reference to the OLM restricted networks document in the Compliance Operator docs. The Compliance Operator is a feature of interest for customers who use disconnected environments, so I think this would be helpful for users. Moving to Documentation component.
Addressed in https://github.com/openshift/openshift-docs/pull/29673
These links are now included in the documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/security_and_compliance/compliance-operator#additional-resources-installing-the-compliance-operator https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/security_and_compliance/compliance-operator#additional-resources_managing-the-compliance-operator