diff --git a/installing/install_config/installing-restricted-networks-preparations.adoc b/installing/install_config/installing-restricted-networks-preparations.adoc index 58be3d3b1b17..49859dc0fed8 100644 --- a/installing/install_config/installing-restricted-networks-preparations.adoc +++ b/installing/install_config/installing-restricted-networks-preparations.adoc 
@@ -5,23 +5,24 @@ include::modules/common-attributes.adoc[] toc::[] -Before you install a cluster on infrastructure that you provision in a restricted network, you must create a mirror registry. Installations on a restricted network are supported on only infrastructure that you provision, not infrastructure that the installer provisions. +Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. Installations on a restricted network are supported on only infrastructure that you provision, not infrastructure that the installer provisions. [IMPORTANT] ==== -You must have access to the internet to obtain the data that populates the mirror -repository. In this procedure, you place the mirror registry on a bastion host +You must have access to the internet to obtain the necessary container images. +In this procedure, you place the mirror registry on a mirror host that has access to both your network and the internet. If you do not have access -to a bastion host, use the method that best fits your restrictions to bring the +to a mirror host, use the method that best fits your restrictions to bring the contents of the mirror registry into your restricted network. ==== include::modules/installation-about-mirror-registry.adoc[leveloffset=+1] [id="installing-preparing-bastion"] -== Preparing the bastion host +[id="installing-preparing-mirror"] +== Preparing the mirror host -Before you create the mirror registry, you must prepare the bastion host. +Before you create the mirror registry, you must prepare the mirror host. include::modules/cli-installing-cli.adoc[leveloffset=+2] diff --git a/installing/installing_aws/installing-restricted-networks-aws.adoc b/installing/installing_aws/installing-restricted-networks-aws.adoc index 92ddbe9c18f0..4b88fa15ec27 100644 --- a/installing/installing_aws/installing-restricted-networks-aws.adoc 
+++ b/installing/installing_aws/installing-restricted-networks-aws.adoc @@ -22,12 +22,12 @@ according to your company's policies. .Prerequisites -* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[Create a mirror registry on your bastion host] +* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[Create a mirror registry on your mirror host] and obtain the `imageContentSources` data for your version of {product-title}. + [IMPORTANT] ==== -Because the installation media is on the bastion host, use that computer +Because the installation media is on the mirror host, you can use that computer to complete all installation steps. ==== * Review details about the @@ -121,7 +121,7 @@ include::modules/installation-creating-aws-worker.adoc[leveloffset=+2] include::modules/installation-cloudformation-worker.adoc[leveloffset=+3] -//You install the CLI on the bastion host. +//You can install the CLI on the mirror host. include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc index e0694e1dff57..04d192aeeffb 100644 --- a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc +++ b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc 
@@ -19,11 +19,11 @@ before you attempt to install an {product-title} cluster in such an environment. .Prerequisites -* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[Create a mirror registry on your bastion host] and obtain the `imageContentSources` data for your version of {product-title}. +* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[Create a registry on your mirror host] and obtain the `imageContentSources` data for your version of {product-title}. + [IMPORTANT] ==== -Because the installation media is on the bastion host, use that computer +Because the installation media is on the mirror host, you can use that computer to complete all installation steps. ==== * Provision @@ -57,7 +57,7 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] //You extract the installation program from the mirrored content. -//You install the CLI on the bastion host. +//You can install the CLI on the mirror host. include::modules/installation-initializing-manual.adoc[leveloffset=+1] diff --git a/installing/installing_vsphere/installing-restricted-networks-vsphere.adoc b/installing/installing_vsphere/installing-restricted-networks-vsphere.adoc index 603d9a5d9eca..b4a35e3fbd9a 100644 --- a/installing/installing_vsphere/installing-restricted-networks-vsphere.adoc +++ b/installing/installing_vsphere/installing-restricted-networks-vsphere.adoc 
@@ -10,11 +10,11 @@ VMware vSphere infrastructure that you provision in a restricted network. .Prerequisites -* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[Create a mirror registry on your bastion host] and obtain the `imageContentSources` data for your version of {product-title}. +* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[Create a registry on your mirror host] and obtain the `imageContentSources` data for your version of {product-title}. + [IMPORTANT] ==== -Because the installation media is on the bastion host, use that computer +Because the installation media is on the mirror host, you can use that computer to complete all installation steps. ==== * Provision @@ -50,7 +50,7 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] //You extract the installation program from the mirrored content. -//You install the CLI on the bastion host. +//You can install the CLI on the mirror host. include::modules/installation-initializing-manual.adoc[leveloffset=+1] diff --git a/modules/installation-about-restricted-network.adoc b/modules/installation-about-restricted-network.adoc index 63940275c400..b74f9590d062 100644 --- a/modules/installation-about-restricted-network.adoc +++ b/modules/installation-about-restricted-network.adoc @@ -24,7 +24,7 @@ access for an installation on bare metal hardware or on VMware vSphere. To complete a restricted network installation, you must create a registry that mirrors the contents of the {product-title} registry and contains the -installation media. You can create this mirror on a bastion host, which can +installation media. You can create this registry on a mirror host, which can access both the internet and your closed network, or by using other methods that meet your restrictions. 
diff --git a/modules/installation-adding-registry-pull-secret.adoc b/modules/installation-adding-registry-pull-secret.adoc index 4c28cf5db5a5..210016aa543a 100644 --- a/modules/installation-adding-registry-pull-secret.adoc +++ b/modules/installation-adding-registry-pull-secret.adoc @@ -15,7 +15,7 @@ restricted network. .Procedure -Complete the following steps on the bastion host: +Complete the following steps on the mirror host: ifndef::openshift-origin[] . Download your `registry.redhat.io` pull secret from the @@ -71,17 +71,17 @@ The contents of the file resemble the following example: ---- "auths": { ... - ":": { <1> + "": { <1> "auth": "", <2> "email": "you@example.com" }, ... ---- -<1> For ``, specify the registry domain name -that you specified in your certificate, and for ``, -specify the port that your mirror registry uses to serve content. +<1> For ``, specify the registry domain name, and optionally the +port, that your mirror registry uses to serve content. For example, +`registry.example.com` or `registry.example.com:5000` <2> For ``, specify the base64-encoded user name and password for -the mirror registry that you generated. +the mirror registry. + The file resembles the following example: + @@ -100,7 +100,7 @@ The file resembles the following example: "auth": "NTE3Njg5Nj...", "email": "you@example.com" }, - ":": { + "": { "auth": "", "email": "you@example.com" }, diff --git a/modules/installation-bare-metal-config-yaml.adoc b/modules/installation-bare-metal-config-yaml.adoc index 22f2e3c22ab8..555e09a3d543 100644 --- a/modules/installation-bare-metal-config-yaml.adoc +++ b/modules/installation-bare-metal-config-yaml.adoc 
@@ -43,7 +43,7 @@ ifndef::restricted[] pullSecret: '{"auths": ...}' <12> endif::restricted[] ifdef::restricted[] -pullSecret: '{"auths":{":5000": {"auth": "","email": "you@example.com"}}}' <12> +pullSecret: '{"auths":{"": {"auth": "","email": "you@example.com"}}}' <12> endif::restricted[] sshKey: 'ssh-ed25519 AAAA...' <13> ifdef::restricted[] @@ -53,10 +53,10 @@ additionalTrustBundle: | <14> -----END CERTIFICATE----- imageContentSources: <15> - mirrors: - - :5000//release + - //release source: quay.io/openshift-release-dev/ocp-release - mirrors: - - :5000//release + - //release source: registry.svc.ci.openshift.org/ocp/release endif::restricted[] ---- @@ -112,10 +112,10 @@ provided by the included authorities, including Quay.io, which serves the container images for {product-title} components. endif::restricted[] ifdef::restricted[] -<12> For `bastion_host_name`, specify the registry domain name -that you specified in the certificate for your mirror registry, and for -``, specify the base64-encoded user name and password for -your mirror registry. +<12> For ``, specify the registry domain name, and optionally the +port, that your mirror registry uses to serve content. For example +`registry.example.com` or `registry.example.com:5000`. For ``, +specify the base64-encoded user name and password for your mirror registry. endif::restricted[] <13> The public portion of the default SSH key for the `core` user in {op-system-first}. diff --git a/modules/installation-creating-mirror-registry.adoc b/modules/installation-creating-mirror-registry.adoc index 692fa8accf0f..e49a9e483ef8 100644 --- a/modules/installation-creating-mirror-registry.adoc +++ b/modules/installation-creating-mirror-registry.adoc 
@@ -12,9 +12,13 @@ endif::[] Create a registry to host the mirrored content that you require for installing {product-title}. + ifdef::restricted[] -For installation in a restricted network, you must place the mirror on your -bastion host. +For installation in a restricted network, you can place the mirror +registry on a host that can be accessed from both the your network and +the internet. If you do not have access to such a host, use the +method that best fits your restrictions to bring the contents of the +mirror registry into your restricted network. endif::restricted[] [NOTE] @@ -36,7 +40,7 @@ as the registry host. .Procedure ifdef::restricted[] -On the bastion host, take the following actions: +On the mirror host, take the following actions: endif::restricted[] . Install the required packages: diff --git a/modules/installation-generate-aws-user-infra-install-config.adoc b/modules/installation-generate-aws-user-infra-install-config.adoc index 4a1647c0ed41..0b65dab659a8 100644 --- a/modules/installation-generate-aws-user-infra-install-config.adoc +++ b/modules/installation-generate-aws-user-infra-install-config.adoc @@ -18,7 +18,7 @@ installation program needs to deploy your cluster. * Obtain the {product-title} installation program and the pull secret for your cluster. ifdef::restricted[] -For a restricted network installation, these files are on your bastion host. +For a restricted network installation, these files are on your mirror host. endif::restricted[] .Procedure 
@@ -80,13 +80,13 @@ is required for an installation in a restricted network. your registry: + ---- -pullSecret: '{"auths":{":5000": {"auth": "","email": "you@example.com"}}}' +pullSecret: '{"auths":{"": {"auth": "","email": "you@example.com"}}}' ---- + -For `bastion_host_name`, specify the registry domain name -that you specified in the certificate for your mirror registry, and for -``, specify the base64-encoded user name and password for -your mirror registry. +For ``, specify the registry domain name, and optionally the +port, that your mirror registry uses to serve content. For example +`registry.example.com` or `registry.example.com:5000`. For ``, +specify the base64-encoded user name and password for your mirror registry. .. Add the `additionalTrustBundle` parameter and value. The value must be the contents of the certificate file that you used for your mirror registry, which can be an exiting, trusted certificate authority or the self-signed certificate that you generated for the mirror registry. + ---- @@ -100,10 +100,10 @@ additionalTrustBundle: | ---- imageContentSources: - mirrors: - - :5000//release + - //release source: quay.io/openshift-release-dev/ocp-release - mirrors: - - :5000//release + - //release source: registry.svc.ci.openshift.org/ocp/release ---- + diff --git a/modules/installation-generate-ignition-configs.adoc b/modules/installation-generate-ignition-configs.adoc index 5ae5f96fc149..3ea2bbe62702 100644 --- a/modules/installation-generate-ignition-configs.adoc +++ b/modules/installation-generate-ignition-configs.adoc @@ -27,7 +27,7 @@ to ensure that the first certificate rotation has finished. * Obtain the {product-title} installation program and the pull secret for your cluster. ifdef::restricted[] -For a restricted network installation, these files are on your bastion host. +For a restricted network installation, these files are on your mirror host. endif::restricted[] .Procedure 
diff --git a/modules/installation-local-registry-pull-secret.adoc b/modules/installation-local-registry-pull-secret.adoc index 837d20c25ee0..45c07ff50f4b 100644 --- a/modules/installation-local-registry-pull-secret.adoc +++ b/modules/installation-local-registry-pull-secret.adoc @@ -15,7 +15,7 @@ the information for your registry. .Procedure -. On the bastion host, generate the pull secret for your registry: +. On the mirror host, generate the pull secret for your registry: + ---- $ podman login --authfile ~/pullsecret_config.json : <1> diff --git a/modules/installation-mirror-repository.adoc b/modules/installation-mirror-repository.adoc index e739630547b9..e1f73d8358a0 100644 --- a/modules/installation-mirror-repository.adoc +++ b/modules/installation-mirror-repository.adoc @@ -23,7 +23,7 @@ endif::[] .Procedure -Complete the following steps on the bastion host: +Complete the following steps on a host that can access both quay.io and your mirror registry: . Review the link:https://access.redhat.com/downloads/content/290/[{product-title} downloads page] diff --git a/modules/installation-obtaining-installer.adoc b/modules/installation-obtaining-installer.adoc index 622a791e9503..7a814a8804cd 100644 --- a/modules/installation-obtaining-installer.adoc +++ b/modules/installation-obtaining-installer.adoc @@ -33,7 +33,7 @@ endif::[] Before you install {product-title}, download the installation file on ifdef::restricted[] - the bastion host. +the mirror host. endif::restricted[] ifndef::restricted[] ifdef::ibm-z[ your provisioning machine.] diff --git a/modules/installation-user-infra-generate-k8s-manifest-ignition.adoc b/modules/installation-user-infra-generate-k8s-manifest-ignition.adoc index 61ce2047464b..b54d333f6b08 100644 --- a/modules/installation-user-infra-generate-k8s-manifest-ignition.adoc +++ b/modules/installation-user-infra-generate-k8s-manifest-ignition.adoc 
@@ -64,7 +64,7 @@ to ensure that the first certificate rotation has finished. * Obtain the {product-title} installation program. ifdef::restricted,baremetal-restricted[] -For a restricted network installation, these files are on your bastion host. +For a restricted network installation, these files are on your mirror host. endif::restricted,baremetal-restricted[] * Create the `install-config.yaml` installation configuration file. diff --git a/modules/installation-vsphere-config-yaml.adoc b/modules/installation-vsphere-config-yaml.adoc index cd499ec7fead..865825667063 100644 --- a/modules/installation-vsphere-config-yaml.adoc +++ b/modules/installation-vsphere-config-yaml.adoc @@ -41,7 +41,7 @@ pullSecret: '{"auths": ...}' <13> endif::restricted[] ifdef::restricted[] fips: false <12> -pullSecret: '{"auths":{":5000": {"auth": "","email": "you@example.com"}}}' <13> +pullSecret: '{"auths":{"": {"auth": "","email": "you@example.com"}}}' <13> endif::restricted[] sshKey: 'ssh-ed25519 AAAA...' <14> ifdef::restricted[] @@ -51,10 +51,10 @@ additionalTrustBundle: | <15> -----END CERTIFICATE----- imageContentSources: <16> - mirrors: - - :5000//release + - //release source: quay.io/openshift-release-dev/ocp-release - mirrors: - - :5000//release + - //release source: registry.svc.ci.openshift.org/ocp/release endif::restricted[] ---- 
@@ -106,10 +106,10 @@ provided by the included authorities, including Quay.io, which serves the container images for {product-title} components. endif::restricted[] ifdef::restricted[] -<13> For `bastion_host_name`, specify the registry domain name -that you specified in the certificate for your mirror registry, and for -``, specify the base64-encoded user name and password for -your mirror registry. +<13> For ``, specify the registry domain name, and optionally the +port, that your mirror registry uses to serve content. For example +`registry.example.com` or `registry.example.com:5000`. For ``, +specify the base64-encoded user name and password for your mirror registry. endif::restricted[] <14> The public portion of the default SSH key for the `core` user in {op-system-first}. diff --git a/modules/olm-building-operator-catalog-image.adoc b/modules/olm-building-operator-catalog-image.adoc index 613fb8e40742..ab4d90c89e7b 100644 --- a/modules/olm-building-operator-catalog-image.adoc +++ b/modules/olm-building-operator-catalog-image.adoc @@ -23,8 +23,8 @@ registry because it does not support pushing without a tag, which is required during the mirroring process. ==== -For this example, the procedure assumes use of the mirror registry created on -the bastion host during a restricted network cluster installation. +For this example, the procedure assumes use of the mirror registry +that has access to both your network and the internet. .Prerequisites
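Review bot: in installing-restricted-networks-preparations.adoc, the "Preparing the mirror host" heading ends up with two ID lines, because `[id="installing-preparing-bastion"]` stays as context and `[id="installing-preparing-mirror"]` is added directly under it. Keep only one: either remove the old line and update every xref that targets `installing-preparing-bastion`, or keep the old ID and drop the new one so existing links do not break.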
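Review bot: the prerequisite link text now differs between the assemblies: installing-restricted-networks-aws.adoc reads "Create a mirror registry on your mirror host", while the bare metal and vSphere files read "Create a registry on your mirror host". Pick one wording for all three. In the same hunks the [IMPORTANT] block is softened from "use that computer" to "you can use that computer"; if the step is now optional, say what the reader must do instead when they work from a different machine, since the block still opens with "Because the installation media is on the mirror host".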
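Review bot: the rewritten callouts in installation-bare-metal-config-yaml.adoc (<12>), installation-vsphere-config-yaml.adoc (<13>), installation-adding-registry-pull-secret.adoc (<1>) and the `pullSecret` step in installation-generate-aws-user-infra-install-config.adoc drop the phrase "that you specified in the certificate for your mirror registry". The same files still tell the reader to put the mirror registry's certificate in `additionalTrustBundle`, so the registry name used in `pullSecret` and `imageContentSources` has to be a name that certificate is valid for. Suggest keeping that link, for example "specify the registry domain name that is in the certificate for your mirror registry, and optionally the port".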
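Review bot: in installation-adding-registry-pull-secret.adoc, callout <1> ends with "For example, `registry.example.com` or `registry.example.com:5000`" and has no closing period, while the same sentence in the bare metal, vSphere and AWS modules is written "For example `registry.example.com` or `registry.example.com:5000`." Use one form in all four places, with the comma after "For example" and the final period.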
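Review bot: typo in the new paragraph of installation-creating-mirror-registry.adoc: "a host that can be accessed from both the your network and the internet" should read "from both your network and the internet". The sentence also describes the host as something that "can be accessed from" both sides, whereas installing-restricted-networks-preparations.adoc says the mirror host "has access to both your network and the internet"; align the two so the direction of access is stated the same way.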
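Review bot: in installation-generate-aws-user-infra-install-config.adoc, the `pullSecret` key and the two `imageContentSources` mirror entries both lose the fixed `:5000`, but the text does not say that the two values must be the same string. Add a sentence stating that the host name, and the port if one is used, must be identical in the `auths` key and in each `mirrors` entry. While touching this step, the unchanged context line "which can be an exiting, trusted certificate authority" has a typo: "exiting" should be "existing".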
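Review bot: in installation-local-registry-pull-secret.adoc only the "On the mirror host" sentence changes, and the `podman login --authfile ~/pullsecret_config.json` command in the context below it still takes its registry argument as two parts joined by a colon. The rest of this patch makes the port optional, so update this command and its callout <1> to match, or the generated auth file key may not match what the reader later puts in `pullSecret`. In installation-mirror-repository.adoc the new wording "a host that can access both quay.io and your mirror registry" is more precise than "mirror host"; consider defining "mirror host" that way once and reusing the term.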
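Review bot: in modules/olm-building-operator-catalog-image.adoc the new sentence says "the mirror registry that has access to both your network and the internet", which attributes network access to the registry. Everywhere else in this patch it is the mirror host that has access to both networks. Suggest "the mirror registry on a mirror host that has access to both your network and the internet", or state which of the two the procedure actually requires.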