Chapter 3. Installing Fuse on OpenShift in a restricted environment

To install Fuse on OpenShift in a non-restricted environment, you pull imagestreams and templates from registry.redhat.io. In a production environment with limited or no internet access, that is not possible. This section explains how to install Fuse on OpenShift in a restricted environment.

Note

Installing in a restricted environment is currently not supported on IBM Power Systems, IBM Z, and LinuxONE.

Prerequisites

  • You have installed and configured OpenShift server so that it can run in a restricted environment.

3.1. Setting up internal Docker registry

This section explains how to set up the internal docker registry. You must configure an internal docker registry to which you can push images and from which you can pull them.

Procedure

  1. Install the internal root CA.

    cd /etc/pki/ca-trust/source/anchors
    sudo curl -O https://password.corp.redhat.com/RH-IT-Root-CA.crt
    sudo update-ca-trust extract
    sudo update-ca-trust update

    This certificate allows the system to authenticate itself to the registry.

  2. Log in to registry.redhat.io.

    docker login -u USERNAME -p PASSWORD registry.redhat.io
  3. Pull the Fuse on OpenShift images from registry.redhat.io.

    docker pull registry.redhat.io/fuse7/fuse-java-openshift-rhel8:1.11
    docker pull registry.redhat.io/fuse7/fuse-java-openshift-jdk11-rhel8:1.11
    docker pull registry.redhat.io/fuse7/fuse-karaf-openshift-rhel8:1.11
    docker pull registry.redhat.io/fuse7/fuse-console-rhel8:1.11
    docker pull registry.redhat.io/fuse7/fuse-apicurito-rhel8:1.11
    docker pull registry.redhat.io/fuse7/fuse-apicurito-generator-rhel8:1.11
  4. Tag the pulled images.

    docker tag registry.redhat.io/fuse7/fuse-java-openshift-rhel8:1.11 docker-registry.upshift.redhat.com/fuse7/fuse-java-openshift-rhel8:1.11
    docker tag registry.redhat.io/fuse7/fuse-java-openshift-jdk11-rhel8:1.11 docker-registry.upshift.redhat.com/fuse7/fuse-java-openshift-jdk11-rhel8:1.11
    docker tag registry.redhat.io/fuse7/fuse-karaf-openshift-rhel8:1.11 docker-registry.upshift.redhat.com/fuse7/fuse-karaf-openshift-rhel8:1.11
    docker tag registry.redhat.io/fuse7/fuse-console-rhel8:1.11 docker-registry.upshift.redhat.com/fuse7/fuse-console-rhel8:1.11
    docker tag registry.redhat.io/fuse7/fuse-apicurito-rhel8:1.11 docker-registry.upshift.redhat.com/fuse7/fuse-apicurito-rhel8:1.11
    docker tag registry.redhat.io/fuse7/fuse-apicurito-generator-rhel8:1.11 docker-registry.upshift.redhat.com/fuse7/fuse-apicurito-generator-rhel8:1.11
  5. Push the tagged images to the internal docker registry.

    docker push docker-registry.upshift.redhat.com/fuse7/fuse-java-openshift-rhel8:1.11
    docker push docker-registry.upshift.redhat.com/fuse7/fuse-java-openshift-jdk11-rhel8:1.11
    docker push docker-registry.upshift.redhat.com/fuse7/fuse-karaf-openshift-rhel8:1.11
    docker push docker-registry.upshift.redhat.com/fuse7/fuse-console-rhel8:1.11
    docker push docker-registry.upshift.redhat.com/fuse7/fuse-apicurito-rhel8:1.11
    docker push docker-registry.upshift.redhat.com/fuse7/fuse-apicurito-generator-rhel8:1.11
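
The login, pull, tag and push steps as one script, added here as an example that is not part of the original procedure. It derives each internal tag by swapping only the registry host, so the fuse7/ repository path stays the same on both registries, and it passes the password on stdin rather than on the command line. The REGISTRY_USER and REGISTRY_PASSWORD variables and the --run switch are assumptions of this example.

```shell
# Added example: mirror the Fuse images by swapping only the registry host.
SRC_REGISTRY="registry.redhat.io"
DST_REGISTRY="docker-registry.upshift.redhat.com"  # internal registry named on this page

# Repository paths and tags from the pull step above.
FUSE_IMAGES="
fuse7/fuse-java-openshift-rhel8:1.11
fuse7/fuse-java-openshift-jdk11-rhel8:1.11
fuse7/fuse-karaf-openshift-rhel8:1.11
fuse7/fuse-console-rhel8:1.11
fuse7/fuse-apicurito-rhel8:1.11
fuse7/fuse-apicurito-generator-rhel8:1.11
"

# Map a source reference to its internal-registry reference, keeping the
# repository path and tag unchanged. Rejects references from other hosts.
mirror_ref() {
    case "$1" in
        "$SRC_REGISTRY"/*) printf '%s/%s\n' "$DST_REGISTRY" "${1#"$SRC_REGISTRY"/}" ;;
        *) echo "not a $SRC_REGISTRY reference: $1" >&2; return 1 ;;
    esac
}

# Log in, then pull, tag and push every image; stop at the first failure.
# REGISTRY_USER and REGISTRY_PASSWORD are assumed environment variables.
mirror_all() {
    printf '%s' "$REGISTRY_PASSWORD" |
        docker login -u "$REGISTRY_USER" --password-stdin "$SRC_REGISTRY" || return 1
    for image in $FUSE_IMAGES; do
        src="$SRC_REGISTRY/$image"
        dst="$(mirror_ref "$src")" || return 1
        docker pull "$src" && docker tag "$src" "$dst" && docker push "$dst" || return 1
    done
}

# The --run switch is an assumption of this example; without it nothing is executed.
if [ "${1:-}" = "--run" ]; then mirror_all; fi
```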

3.2. Configuring internal registry secrets

After setting up the restricted docker registry and pushing all the images, it is necessary to configure the restricted OpenShift server so that it can communicate with the internal registry.

Procedure

  1. Log in to your OpenShift cluster as administrator:

    oc login --user system:admin --token=my-token --server=https://my-cluster.example.com:6443
  2. Open the project in which you want to deploy Fuse:

    oc project myproject
  3. Create a docker-registry secret named psi-internal-registry using your Red Hat Customer Portal account:

    oc create secret docker-registry psi-internal-registry \
      --docker-server=docker-registry.redhat.io \
      --docker-username=CUSTOMER_PORTAL_USERNAME \
      --docker-password=CUSTOMER_PORTAL_PASSWORD \
      --docker-email=EMAIL_ADDRESS

    You should see the following output:

    secret/psi-internal-registry created

    Important

    You must create this docker-registry secret in every OpenShift project namespace that will authenticate to registry.redhat.io.

  4. Link the secret to your service account to use the secret for pulling images. The following example uses the default service account, builder service account, and deployer service account:

    oc secrets link default psi-internal-registry
    oc secrets link default psi-internal-registry --for=pull
    oc secrets link builder psi-internal-registry
    oc secrets link builder psi-internal-registry --for=pull
    oc secrets link deployer psi-internal-registry
    oc secrets link deployer psi-internal-registry --for=pull

    The service account name must match the name that the OpenShift pod uses.

    Note

    If you do not want to use your Red Hat username and password to create the pull secret, you can create an authentication token using a registry service account.

3.3. Installing Fuse on OpenShift images in a restricted environment

The fis-image-streams.json file contains the imageStream definitions for Red Hat Fuse on OpenShift. However, all the imagestreams in it refer to registry.redhat.io. You must change every registry.redhat.io reference to the URL of your internal registry.

Procedure

  1. Download the Red Hat Fuse on OpenShift imagestream JSON file.

    curl -o fis-image-streams.json https://raw.githubusercontent.com/jboss-fuse/application-templates/application-templates-2.1.0.fuse-sb2-7_11_1-00016-redhat-00002/fis-image-streams.json
  2. Open the fis-image-streams.json file and locate all the references to registry.redhat.io. For example:

    {
      "name": "1.9",
      "annotations": {
        "description": "Red Hat Fuse 7.11 Karaf S2I images.",
        "openshift.io/display-name": "Red Hat Fuse 7.11 Karaf",
        "iconClass": "icon-rh-integration",
        "tags": "builder,jboss-fuse,java,karaf,xpaas,hidden",
        "supports": "jboss-fuse:7.11.0,java:8,xpaas:1.2",
        "version": "1.9"
      },
      "referencePolicy": {
        "type": "Local"
      },
      "from": {
        "kind": "DockerImage",
        "name": "registry.redhat.io/fuse7/fuse-karaf-openshift-rhel8:1.11"
      }
    },
  3. Replace all the registry.redhat.io references in the file with the name of your internal registry. For example:

    {
      "name": "1.9",
      "annotations": {
        "description": "Red Hat Fuse 7.11 Karaf S2I images.",
        "openshift.io/display-name": "Red Hat Fuse 7.11 Karaf",
        "iconClass": "icon-rh-integration",
        "tags": "builder,jboss-fuse,java,karaf,xpaas,hidden",
        "supports": "jboss-fuse:7.11.0,java:8,xpaas:1.2",
        "version": "1.9"
      },
      "referencePolicy": {
        "type": "Local"
      },
      "from": {
        "kind": "DockerImage",
        "name": "docker-registry.upshift.redhat.com/fuse7/fuse-karaf-openshift-rhel8:1.11"
      }
    },
  4. After all the references are replaced, run the following command to install Fuse on OpenShift imagestreams:

    oc create -f fis-image-streams.json -n {namespace}
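
A scripted form of steps 2 and 3, added here as an example that is not part of the original procedure. It rewrites the registry host in the file and then lists every image reference that is not among the references you pushed to the internal registry, since an imagestream tag that points at an image missing from that registry cannot be imported. The function names, the mirrored-references file and the sample JSON are assumptions constructed for this example.

```shell
# Added example: rewrite the imagestream file, then check what it references.
SRC_REGISTRY="registry.redhat.io"
DST_REGISTRY="docker-registry.upshift.redhat.com"  # internal registry named on this page

# Rewrite quoted image references that start with the source registry host.
rewrite_registry() {   # usage: rewrite_registry IN_FILE OUT_FILE
    src_re=$(printf '%s' "$SRC_REGISTRY" | sed 's/\./\\./g')   # escape dots for sed
    sed "s#\"$src_re/#\"$DST_REGISTRY/#g" "$1" > "$2"
}

# Print each image reference (host/path:tag) found in a "name" field, once.
list_image_refs() {    # usage: list_image_refs FILE
    grep -o '"name": *"[^"]*/[^"]*:[^"]*"' "$1" | sed 's/^"name": *"//; s/"$//' | sort -u
}

# Print references that are absent from MIRRORED_FILE (one pushed reference per
# line). This also catches references that still point at another registry.
unresolved_refs() {    # usage: unresolved_refs FILE MIRRORED_FILE
    list_image_refs "$1" | grep -v -x -F -f "$2" || true
}

# Constructed sample input: two tags, of which only 1.11 was mirrored.
write_sample() {       # usage: write_sample FILE
    cat > "$1" <<'EOF'
{ "tags": [
  { "name": "1.10", "from": { "kind": "DockerImage",
      "name": "registry.redhat.io/fuse7/fuse-karaf-openshift-rhel8:1.10" } },
  { "name": "1.11", "from": { "kind": "DockerImage",
      "name": "registry.redhat.io/fuse7/fuse-karaf-openshift-rhel8:1.11" } }
] }
EOF
}

# Rewrite the sample and report what the internal registry cannot serve.
demo() {
    tmp=$(mktemp -d) || return 1
    write_sample "$tmp/in.json"
    echo "$DST_REGISTRY/fuse7/fuse-karaf-openshift-rhel8:1.11" > "$tmp/mirrored.txt"
    rewrite_registry "$tmp/in.json" "$tmp/out.json"
    unresolved_refs "$tmp/out.json" "$tmp/mirrored.txt"
    rm -rf "$tmp"
}

demo
```

For the real file, run rewrite_registry on fis-image-streams.json and pass unresolved_refs a text file that lists the references you pushed; empty output means every reference resolves to a mirrored image.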

3.4. Using an internal Maven repository

In a restricted environment, you need to use a different Maven repository. You can specify it using a template parameter named MAVEN_MIRROR_URL. You can use this MAVEN_MIRROR_URL parameter to create a new application from the command line.

3.4.1. Running a Spring Boot application with MAVEN_MIRROR_URL

This example explains how to deploy and run a Spring Boot Application using MAVEN_MIRROR_URL.

Procedure

  1. Download the Spring Boot Camel XML quickstart.

    oc create -f ./spring-boot-2-camel-xml-template.json -n openshift
  2. Enter the following command to create the resources required for running the Spring Boot quickstart template using the MAVEN_MIRROR_URL parameter.

    In a restricted environment, you also need to specify the GIT_REPO and GIT_REF parameters for your local repository.

    oc new-app s2i-fuse711-spring-boot-2-camel-xml -n {namespace} -p IMAGE_STREAM_NAMESPACE={namespace} -p MAVEN_MIRROR_URL={Maven mirror URL} -p GIT_REPO={Git Repo URL} -p GIT_REF={Git branch/tag name}

    This will create a deployment config and build config for the quickstart. The information about the default parameters of the quickstart and the resources created is displayed on the terminal.

3.4.2. Running a Spring Boot application with OpenShift Maven plugin

This example explains how to deploy and run a Spring Boot application with the OpenShift Maven plugin using an internal Maven repository.

Procedure

  1. To run the quickstart with OpenShift Maven plugin, download the Spring Boot 2 camel archetype from local repository and then deploy the quickstart. Replace {Maven Mirror URL} with the Maven mirror repository URL.

    mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate \
      -DarchetypeCatalog={Maven Mirror URL}/archetypes/archetypes-catalog/2.2.0.fuse-sb2-7_11_1-00018-redhat-00002/archetypes-catalog-2.2.0.fuse-sb2-7_11_1-00018-redhat-00002-archetype-catalog.xml \
      -DarchetypeGroupId=org.jboss.fuse.fis.archetypes \
      -DarchetypeArtifactId=spring-boot-camel-xml-archetype \
      -DarchetypeVersion=2.2.0.fuse-sb2-7_11_1-00018-redhat-00002
  2. The archetype plug-in switches to interactive mode to prompt you for the remaining fields.

    Define value for property 'groupId': : org.example.fis
    Define value for property 'artifactId': : fuse711-spring-boot2
    Define value for property 'version':  1.0-SNAPSHOT: :
    Define value for property 'package':  org.example.fis: :
    Confirm properties configuration:
    groupId: org.example.fis
    artifactId: fuse711-spring-boot2
    version: 1.0-SNAPSHOT
    package: org.example.fis
     Y: : Y
  3. If the above command exited with the BUILD SUCCESS status, you should now have a new Fuse on OpenShift project under the fuse711-spring-boot2 subdirectory.
  4. You are now ready to build and deploy the fuse711-spring-boot2 project. Assuming you are still logged into OpenShift, change to the directory of the fuse711-spring-boot2 project, and then build and deploy the project, as follows.

    cd fuse711-spring-boot2
    mvn oc:deploy -Popenshift