diff --git a/cicd/pipelines/creating-applications-with-cicd-pipelines.adoc b/cicd/pipelines/creating-applications-with-cicd-pipelines.adoc index 26e9d8253e69..cf006eb98436 100644 --- a/cicd/pipelines/creating-applications-with-cicd-pipelines.adoc +++ b/cicd/pipelines/creating-applications-with-cicd-pipelines.adoc @@ -38,6 +38,16 @@ include::modules/op-creating-pipeline-tasks.adoc[leveloffset=+1] include::modules/op-assembling-a-pipeline.adoc[leveloffset=+1] +include::modules/op-mirroring-images-to-run-pipelines-in-restricted-environment.adoc[leveloffset=+1] + +.Additional resources + +* xref:../../openshift_images/configuring-samples-operator.adoc#samples-operator-restricted-network-install[Configuring Samples Operator for a restricted cluster] + +* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installation-about-mirror-registry_installing-restricted-networks-preparations[Creating a cluster with a mirrored registry] + +* xref:../../cli_reference/developer_cli_odo/using_odo_in_a_restricted_environment/creating-and-deploying-a-component-to-the-disconnected-cluster.adoc#mirroring-a-supported-builder-image_creating-and-deploying-a-component-to-the-disconnected-cluster[Mirroring a supported builder image] + include::modules/op-running-a-pipeline.adoc[leveloffset=+1] include::modules/op-adding-triggers.adoc[leveloffset=+1] diff --git a/modules/op-creating-pipeline-tasks.adoc b/modules/op-creating-pipeline-tasks.adoc index 00ce12e5a6b7..2f9fa30afe1b 100644 --- a/modules/op-creating-pipeline-tasks.adoc +++ b/modules/op-creating-pipeline-tasks.adoc 
@@ -8,7 +8,7 @@ [discrete] .Procedure -. Install the `apply-manifests` and `update-deployment` `Task` resources from the `pipelines-tutorial` repository, which contains a list of reusable tasks for pipelines: +. Install the `apply-manifests` and `update-deployment` task resources from the `pipelines-tutorial` repository, which contains a list of reusable tasks for pipelines: + [source,terminal,subs="attributes+"] ---- @@ -18,31 +18,35 @@ $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/{p . Use the `tkn task list` command to list the tasks you created: + +[source,terminal] ---- $ tkn task list ---- + -The output verifies that the `apply-manifests` and `update-deployment` `Task` resources were created: +The output verifies that the `apply-manifests` and `update-deployment` task resources were created: + +[source,terminal] ---- NAME DESCRIPTION AGE apply-manifests 1 minute ago update-deployment 48 seconds ago ---- -. Use the `tkn clustertasks list` command to list the Operator-installed additional `ClusterTask` resources, for example --`buildah` and `s2i-python-3`: +. Use the `tkn clustertasks list` command to list the Operator-installed additional cluster tasks, for example, `buildah` and `s2i-python-3`: + [NOTE] ==== -You must use a privileged pod container to run the `buildah` `ClusterTask` resource because it requires a privileged security context. To learn more about security context constraints (SCC) for pods, see the Additional resources section. +To use the `buildah` cluster task in a restricted environment, you must ensure that the Dockerfile uses an internal image stream as the base image. ==== + +[source,terminal] ---- $ tkn clustertasks list ---- + The output lists the Operator-installed `ClusterTask` resources: + +[source,terminal] ---- NAME DESCRIPTION AGE buildah 1 day ago 
diff --git a/modules/op-mirroring-images-to-run-pipelines-in-restricted-environment.adoc b/modules/op-mirroring-images-to-run-pipelines-in-restricted-environment.adoc new file mode 100644 index 000000000000..25c4e016ee1d --- /dev/null +++ b/modules/op-mirroring-images-to-run-pipelines-in-restricted-environment.adoc 
@@ -0,0 +1,204 @@ +// Module included in the following assemblies: +// +// pipelines/creating-applications-with-cicd-pipelines + +[id="op-mirroring-images-to-run-pipelines-in-restricted-environment_{context}"] += Mirroring images to run pipelines in a restricted environment + + +To run OpenShift Pipelines in a disconnected cluster or a cluster provisioned in a restricted environment, you must ensure that either the Samples Operator is configured for a restricted network, or a cluster administrator has created a cluster with a mirrored registry. + +The following procedure uses the `pipelines-tutorial` example to create a pipeline for an application in a restricted environment using a cluster with a mirrored registry. To ensure that the `pipelines-tutorial` example works in a restricted environment, you must mirror the respective builder images from the mirror registry for the front-end interface, `vote-ui`; back-end interface, `vote-api`; and the `cli`. + +.Procedure + +. Mirror the builder image from the mirror registry for the front-end interface, `vote-ui`. +.. Verify that the required images tag is not imported: ++ +[source,terminal] +---- +$ oc describe imagestream python -n openshift +---- ++ +.Example output +[source,terminal] +---- +Name: python +Namespace: openshift +[...] + +3.8-ubi8 (latest) + tagged from registry.redhat.io/ubi8/python-38:latest + prefer registry pullthrough when referencing this tag + + Build and run Python 3.8 applications on UBI 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-python-container/blob/master/3.8/README.md. + Tags: builder, python + Supports: python:3.8, python + Example Repo: https://github.com/sclorg/django-ex.git + +[...] +---- + +.. Mirror the supported image tag to the private registry: ++ +[source,terminal] +---- +$ oc image mirror registry.redhat.io/ubi8/python-38:latest :/ubi8/python-38 +---- + +.. 
Import the image: ++ +[source,terminal] +---- +$ oc tag :/ubi8/python-38 python:latest --scheduled -n openshift +---- ++ +You must periodically re-import the image. The `--scheduled` flag enables automatic re-import of the image. + +.. Verify that the images with the given tag have been imported: ++ +[source,terminal] +---- +$ oc describe imagestream python -n openshift +---- ++ +.Example output +[source,terminal] +---- +Name: python +Namespace: openshift +[...] + +latest + updates automatically from registry :/ubi8/python-38 + + * :/ubi8/python-38@sha256:3ee3c2e70251e75bfeac25c0c33356add9cc4abcbc9c51d858f39e4dc29c5f58 + +[...] +---- + +. Mirror the builder image from the mirror registry for the back-end interface, `vote-api`. +.. Verify that the required images tag is not imported: ++ +[source,terminal] +---- +$ oc describe imagestream golang -n openshift +---- ++ +.Example output +[source,terminal] +---- +Name: golang +Namespace: openshift +[...] + +1.14.7-ubi8 (latest) + tagged from registry.redhat.io/ubi8/go-toolset:1.14.7 + prefer registry pullthrough when referencing this tag + + Build and run Go applications on UBI 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/golang-container/blob/master/README.md. + Tags: builder, golang, go + Supports: golang + Example Repo: https://github.com/sclorg/golang-ex.git + +[...] +---- + +.. Mirror the supported image tag to the private registry: ++ +[source,terminal] +---- +$ oc image mirror registry.redhat.io/ubi8/go-toolset:1.14.7 :/ubi8/go-toolset +---- + +.. Import the image: ++ +[source,terminal] +---- +$ oc tag :/ubi8/go-toolset golang:latest --scheduled -n openshift +---- ++ +You must periodically re-import the image. The `--scheduled` flag enables automatic re-import of the image. + +.. 
Verify that the images with the given tag have been imported: ++ +[source,terminal] +---- +$ oc describe imagestream golang -n openshift +---- ++ +.Example output +[source,terminal] +---- +Name: golang +Namespace: openshift +[...] + +latest + updates automatically from registry :/ubi8/go-toolset + + * :/ubi8/go-toolset@sha256:59a74d581df3a2bd63ab55f7ac106677694bf612a1fe9e7e3e1487f55c421b37 + +[...] +---- + +. Mirror the builder image from the mirror registry for the `cli`. +.. Verify that the required images tag is not imported: ++ +[source,terminal] +---- +$ oc describe imagestream cli -n openshift +---- ++ +.Example output +[source,terminal] +---- +Name: cli +Namespace: openshift +[...] + +latest + updates automatically from registry quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:65c68e8c22487375c4c6ce6f18ed5485915f2bf612e41fef6d41cbfcdb143551 + + * quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:65c68e8c22487375c4c6ce6f18ed5485915f2bf612e41fef6d41cbfcdb143551 + +[...] +---- + +.. Mirror the supported image tag to the private registry: ++ +[source,terminal] +---- +$ oc image mirror quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:65c68e8c22487375c4c6ce6f18ed5485915f2bf612e41fef6d41cbfcdb143551 :/openshift-release-dev/ocp-v4.0-art-dev:latest +---- + +.. Import the image: ++ +[source,terminal] +---- +$ oc tag :/openshift-release-dev/ocp-v4.0-art-dev cli:latest --scheduled -n openshift +---- ++ +You must periodically re-import the image. The `--scheduled` flag enables automatic re-import of the image. + +.. Verify that the images with the given tag have been imported: ++ +[source,terminal] +---- +$ oc describe imagestream cli -n openshift +---- ++ +.Example output +[source,terminal] +---- +Name: cli +Namespace: openshift +[...] + +latest + updates automatically from registry :/openshift-release-dev/ocp-v4.0-art-dev + + * :/openshift-release-dev/ocp-v4.0-art-dev@sha256:65c68e8c22487375c4c6ce6f18ed5485915f2bf612e41fef6d41cbfcdb143551 + +[...] +----
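Review bot: In modules/op-creating-pipeline-tasks.adoc, the rewritten NOTE under the `tkn clustertasks list` step drops the statement that `buildah` must run in a privileged pod container because it requires a privileged security context, together with the SCC pointer, and nothing visible in this patch says that requirement has gone away. If it still holds, keep the original sentence and add the restricted-environment sentence after it instead of replacing it, so that readers do not first learn about the SCC requirement from a failed run. The unchanged context line "The output lists the Operator-installed `ClusterTask` resources:" also keeps the old wording while the step above it now says "cluster tasks"; update it so the terminology change is consistent within the step.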
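Review bot: In modules/op-mirroring-images-to-run-pipelines-in-restricted-environment.adoc, the `python-38:latest` and `go-toolset:1.14.7` sub-steps mirror by tag while the `cli` sub-step mirrors by `@sha256:` digest, and because the `oc tag` import uses `--scheduled`, what the image stream resolves to for those two tags can change on a later re-import. Either mirror all three by digest as the `cli` step does, or add a sentence to each "Verify that the images with the given tag have been imported" step telling the reader to compare the sha256 shown by `oc describe imagestream` with the digest they mirrored. Separately, the step titles say "Mirror the builder image from the mirror registry", but the commands copy from registry.redhat.io and quay.io to the private registry, so "to the mirror registry" would match what the commands do; "the required images tag" should read "the required image tag".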