openshift · adellape · Feb 10, 2021 · Feb 3, 2021
diff --git a/cicd/pipelines/creating-applications-with-cicd-pipelines.adoc b/cicd/pipelines/creating-applications-with-cicd-pipelines.adoc
@@ -38,6 +38,16 @@ include::modules/op-creating-pipeline-tasks.adoc[leveloffset=+1]
 
 include::modules/op-assembling-a-pipeline.adoc[leveloffset=+1]
 
+include::modules/op-mirroring-images-to-run-pipelines-in-restricted-environment.adoc[leveloffset=+1]
+
+.Additional resources
+
+* xref:../../openshift_images/configuring-samples-operator.adoc#samples-operator-restricted-network-install[Configuring Samples Operator for a restricted cluster]
+
+* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installation-about-mirror-registry_installing-restricted-networks-preparations[Creating a cluster with a mirrored registry]
+
+* xref:../../cli_reference/developer_cli_odo/using_odo_in_a_restricted_environment/creating-and-deploying-a-component-to-the-disconnected-cluster.adoc#mirroring-a-supported-builder-image_creating-and-deploying-a-component-to-the-disconnected-cluster[Mirroring a supported builder image]
+
 include::modules/op-running-a-pipeline.adoc[leveloffset=+1]
 
 include::modules/op-adding-triggers.adoc[leveloffset=+1]

diff --git a/modules/op-creating-pipeline-tasks.adoc b/modules/op-creating-pipeline-tasks.adoc
@@ -8,7 +8,7 @@
 [discrete]
 .Procedure
 
-. Install the `apply-manifests` and `update-deployment` `Task` resources from the `pipelines-tutorial` repository, which contains a list of reusable tasks for pipelines:
+. Install the `apply-manifests` and `update-deployment` task resources from the `pipelines-tutorial` repository, which contains a list of reusable tasks for pipelines:
 +
 [source,terminal,subs="attributes+"]
 ----
@@ -18,31 +18,35 @@ $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/{p
 
 . Use the `tkn task list` command to list the tasks you created:
 +
+[source,terminal]
 ----
 $ tkn task list
 ----
 +
-The output verifies that the `apply-manifests` and `update-deployment` `Task` resources were created:
+The output verifies that the `apply-manifests` and `update-deployment` task resources were created:
 +
+[source,terminal]
 ----
 NAME                DESCRIPTION   AGE
 apply-manifests                   1 minute ago
 update-deployment                 48 seconds ago
 ----
 
-. Use the `tkn clustertasks list` command to list the Operator-installed additional `ClusterTask` resources, for example --`buildah` and `s2i-python-3`:
+. Use the `tkn clustertasks list` command to list the Operator-installed additional cluster tasks, for example, `buildah` and `s2i-python-3`:
 +
 [NOTE]
 ====
-You must use a privileged pod container to run the `buildah` `ClusterTask` resource because it requires a privileged security context. To learn more about security context constraints (SCC) for pods, see the Additional resources section.
+To use the `buildah` cluster task in a restricted environment, you must ensure that the Dockerfile uses an internal image stream as the base image.
 ====
 +
+[source,terminal]
 ----
 $ tkn clustertasks list
 ----
 +
 The output lists the Operator-installed `ClusterTask` resources:
 +
+[source,terminal]
 ----
 NAME                       DESCRIPTION   AGE
 buildah                                  1 day ago

diff --git a/modules/op-mirroring-images-to-run-pipelines-in-restricted-environment.adoc b/modules/op-mirroring-images-to-run-pipelines-in-restricted-environment.adoc
@@ -0,0 +1,204 @@
+// Module included in the following assemblies:
+//
+// pipelines/creating-applications-with-cicd-pipelines
+
+[id="op-mirroring-images-to-run-pipelines-in-restricted-environment_{context}"]
+=  Mirroring images to run pipelines in a restricted environment
+
+
+To run OpenShift Pipelines in a disconnected cluster or a cluster provisioned in a restricted environment, you must ensure that either the Samples Operator is configured for a restricted network, or a cluster administrator has created a cluster with a mirrored registry.
+
+The following procedure uses the `pipelines-tutorial` example to create a pipeline for an application in a restricted environment using a cluster with a mirrored registry. To ensure that the `pipelines-tutorial` example works in a restricted environment, you must mirror the respective builder images from the mirror registry for the front-end interface, `vote-ui`; back-end interface, `vote-api`; and the `cli`.
+
+.Procedure
+
+. Mirror the builder image from the mirror registry for the front-end interface, `vote-ui`.
+.. Verify that the required images tag is not imported:
++
+[source,terminal]
+----
+$ oc describe imagestream python -n openshift
+----
++
+.Example output
+[source,terminal]
+----
+Name:			python
+Namespace:		openshift
+[...]
+
+3.8-ubi8 (latest)
+  tagged from registry.redhat.io/ubi8/python-38:latest
+    prefer registry pullthrough when referencing this tag
+
+  Build and run Python 3.8 applications on UBI 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-python-container/blob/master/3.8/README.md.
+  Tags: builder, python
+  Supports: python:3.8, python
+  Example Repo: https://github.com/sclorg/django-ex.git
+
+[...]
+----
+
+.. Mirror the supported image tag to the private registry:
++
+[source,terminal]
+----
+$ oc image mirror registry.redhat.io/ubi8/python-38:latest <mirror-registry>:<port>/ubi8/python-38
+----
+
+.. Import the image:
++
+[source,terminal]
+----
+$ oc tag <mirror-registry>:<port>/ubi8/python-38 python:latest --scheduled -n openshift
+----
++
+You must periodically re-import the image. The `--scheduled` flag enables automatic re-import of the image.
+
+.. Verify that the images with the given tag have been imported:
++
+[source,terminal]
+----
+$ oc describe imagestream python -n openshift
+----
++
+.Example output
+[source,terminal]
+----
+Name:			python
+Namespace:		openshift
+[...]
+
+latest
+  updates automatically from registry <mirror-registry>:<port>/ubi8/python-38
+
+  * <mirror-registry>:<port>/ubi8/python-38@sha256:3ee3c2e70251e75bfeac25c0c33356add9cc4abcbc9c51d858f39e4dc29c5f58
+
+[...]
+----
+
+. Mirror the builder image from the mirror registry for the back-end interface, `vote-api`.
+.. Verify that the required images tag is not imported:
++
+[source,terminal]
+----
+$ oc describe imagestream golang -n openshift
+----
++
+.Example output
+[source,terminal]
+----
+Name:			golang
+Namespace:		openshift
+[...]
+
+1.14.7-ubi8 (latest)
+  tagged from registry.redhat.io/ubi8/go-toolset:1.14.7
+    prefer registry pullthrough when referencing this tag
+
+  Build and run Go applications on UBI 8. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/golang-container/blob/master/README.md.
+  Tags: builder, golang, go
+  Supports: golang
+  Example Repo: https://github.com/sclorg/golang-ex.git
+
+[...]
+----
+
+.. Mirror the supported image tag to the private registry:
++
+[source,terminal]
+----
+$ oc image mirror registry.redhat.io/ubi8/go-toolset:1.14.7 <mirror-registry>:<port>/ubi8/go-toolset
+----
+
+.. Import the image:
++
+[source,terminal]
+----
+$ oc tag <mirror-registry>:<port>/ubi8/go-toolset golang:latest --scheduled -n openshift
+----
++
+You must periodically re-import the image. The `--scheduled` flag enables automatic re-import of the image.
+
+.. Verify that the images with the given tag have been imported:
++
+[source,terminal]
+----
+$ oc describe imagestream golang -n openshift
+----
++
+.Example output
+[source,terminal]
+----
+Name:			golang
+Namespace:		openshift
+[...]
+
+latest
+  updates automatically from registry <mirror-registry>:<port>/ubi8/go-toolset
+
+  * <mirror-registry>:<port>/ubi8/go-toolset@sha256:59a74d581df3a2bd63ab55f7ac106677694bf612a1fe9e7e3e1487f55c421b37
+
+[...]
+----
+
+. Mirror the builder image from the mirror registry for the `cli`.
+.. Verify that the required images tag is not imported:
++
+[source,terminal]
+----
+$ oc describe imagestream cli -n openshift
+----
++
+.Example output
+[source,terminal]
+----
+Name:                   cli
+Namespace:              openshift
+[...]
+
+latest
+  updates automatically from registry quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:65c68e8c22487375c4c6ce6f18ed5485915f2bf612e41fef6d41cbfcdb143551
+
+  * quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:65c68e8c22487375c4c6ce6f18ed5485915f2bf612e41fef6d41cbfcdb143551
+
+[...]
+----
+
+.. Mirror the supported image tag to the private registry:
++
+[source,terminal]
+----
+$ oc image mirror quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:65c68e8c22487375c4c6ce6f18ed5485915f2bf612e41fef6d41cbfcdb143551 <mirror-registry>:<port>/openshift-release-dev/ocp-v4.0-art-dev:latest
+----
+
+.. Import the image:
++
+[source,terminal]
+----
+$ oc tag <mirror-registry>:<port>/openshift-release-dev/ocp-v4.0-art-dev cli:latest --scheduled -n openshift
+----
++
+You must periodically re-import the image. The `--scheduled` flag enables automatic re-import of the image.
+
+.. Verify that the images with the given tag have been imported:
++
+[source,terminal]
+----
+$ oc describe imagestream cli -n openshift
+----
++
+.Example output
+[source,terminal]
+----
+Name:                   cli
+Namespace:              openshift
+[...]
+
+latest
+  updates automatically from registry <mirror-registry>:<port>/openshift-release-dev/ocp-v4.0-art-dev
+
+  * <mirror-registry>:<port>/openshift-release-dev/ocp-v4.0-art-dev@sha256:65c68e8c22487375c4c6ce6f18ed5485915f2bf612e41fef6d41cbfcdb143551
+
+[...]
+----