Configuring the Cluster Samples Operator

The Cluster Samples Operator, which operates in the openshift namespace, installs and updates the Red Hat Enterprise Linux (RHEL)-based OKD imagestreams and OKD templates.

Prerequisites

  • Deploy an OKD cluster.

Understanding the Cluster Samples Operator

During installation, the Operator creates the default configuration object for itself and then creates the sample image streams and templates, including quick start templates.

To facilitate image stream imports from other registries that require credentials, a cluster administrator can create any additional secrets that contain the content of a Docker config.json file in the openshift namespace needed for image import.

The Cluster Samples Operator configuration is a cluster-wide resource, and the deployment is contained within the openshift-cluster-samples-operator namespace.

The image for the Cluster Samples Operator contains image stream and template definitions for the associated OKD release. When each sample is created or updated, the Cluster Samples Operator includes an annotation that denotes the version of OKD. The Operator uses this annotation to ensure that each sample matches the release version. Samples outside of its inventory are ignored, as are skipped samples. Modifications to any samples that are managed by the Operator, where that version annotation is modified or deleted, are reverted automatically.

The Jenkins images are part of the image payload from installation and are tagged into the image streams directly.

The Cluster Samples Operator configuration resource includes a finalizer which cleans up the following upon deletion:

  • Operator managed image streams.

  • Operator managed templates.

  • Operator generated configuration resources.

  • Cluster status resources.

Upon deletion of the samples resource, the Cluster Samples Operator recreates the resource using the default configuration.

Cluster Samples Operator’s use of management state

The Cluster Samples Operator is bootstrapped as Managed by default or if global proxy is configured. In the Managed state, the Cluster Samples Operator is actively managing its resources and keeping the component active in order to pull sample image streams and images from the registry and ensure that the requisite sample templates are installed.

Certain circumstances result in the Cluster Samples Operator bootstrapping itself as Removed including:

  • If the Cluster Samples Operator cannot reach registry.redhat.io after three minutes on initial start-up after a clean installation.

  • If the Cluster Samples Operator detects it is on an IPv6 network.

However, if the Cluster Samples Operator also detects an OKD global proxy is configured, it bypasses those checks.

IPv6 installations are not currently supported by registry.redhat.io. The Cluster Samples Operator pulls most of the sample image streams and images from registry.redhat.io.

Restricted network installation

Boostrapping as Removed when unable to access registry.redhat.io facilitates restricted network installations when the network restriction is already in place. Bootstrapping as Removed when network access is restricted allows the cluster administrator more time to decide if samples are desired, because the Cluster Samples Operator does not submit alerts that sample image stream imports are failing when the management state is set to Removed. When the Cluster Samples Operator comes up as Managed and attempts to install sample image streams, it starts alerting two hours after initial installation if there are failing imports.

Restricted network installation with initial network access

Conversely, if a cluster that is intended to be a restricted network or disconnected cluster is first installed while network access exists, the Cluster Samples Operator installs the content from registry.redhat.io since it can access it. If you want the Cluster Samples Operator to still bootstrap as Removed in order to defer samples installation until you have decided which samples are desired, set up image mirrors, and so on, then follow the instructions for using the Samples Operator with an alternate registry and customizing nodes, both linked in the additional resources section, to override the Cluster Samples Operator default configuration and initially come up as Removed.

You must put the following additional YAML file in the openshift directory created by openshift-install create manifest:

Example Cluster Samples Operator YAML file with managementState: Removed

  1. apiVersion: samples.operator.openshift.io/v1
  2. kind: Config
  3. metadata:
  4. name: cluster
  5. spec:
  6. architectures:
  7. - x86_64
  8. managementState: Removed

Cluster Samples Operator’s tracking and error recovery of image stream imports

After creation or update of a samples image stream, the Cluster Samples Operator monitors the progress of each image stream tag’s image import.

If an import fails, the Cluster Samples Operator retries the import through the image stream image import API, which is the same API used by the oc import-image command, approximately every 15 minutes until it sees the import succeed, or if the Cluster Samples Operator’s configuration is changed such that either the image stream is added to the skippedImagestreams list, or the management state is changed to Removed.

Additional resources

Cluster Samples Operator configuration parameters

The samples resource offers the following configuration fields:

ParameterDescription

managementState

Managed: The Cluster Samples Operator updates the samples as the configuration dictates.

Unmanaged: The Cluster Samples Operator ignores updates to its configuration resource object and any image streams or templates in the openshift namespace.

Removed: The Cluster Samples Operator removes the set of Managed image streams and templates in the openshift namespace. It ignores new samples created by the cluster administrator or any samples in the skipped lists. After the removals are complete, the Cluster Samples Operator works like it is in the Unmanaged state and ignores any watch events on the sample resources, image streams, or templates.

samplesRegistry

Allows you to specify which registry is accessed by image streams for their image content. samplesRegistry defaults to registry.redhat.io for OKD.

Creation or update of RHEL content does not commence if the secret for pull access is not in place when either Samples Registry is not explicitly set, leaving an empty string, or when it is set to registry.redhat.io. In both cases, image imports work off of registry.redhat.io, which requires credentials.

Creation or update of RHEL content is not gated by the existence of the pull secret if the Samples Registry is overridden to a value other than the empty string or registry.redhat.io.

architectures

Placeholder to choose an architecture type.

skippedImagestreams

Image streams that are in the Cluster Samples Operator’s inventory but that the cluster administrator wants the Operator to ignore or not manage. You can add a list of image stream names to this parameter. For example, [“httpd”,”perl”].

skippedTemplates

Templates that are in the Cluster Samples Operator’s inventory, but that the cluster administrator wants the Operator to ignore or not manage.

Secret, image stream, and template watch events can come in before the initial samples resource object is created, the Cluster Samples Operator detects and re-queues the event.

Configuration restrictions

When the Cluster Samples Operator starts supporting multiple architectures, the architecture list is not allowed to be changed while in the Managed state.

In order to change the architectures values, a cluster administrator must:

  • Mark the Management State as Removed, saving the change.

  • In a subsequent change, edit the architecture and change the Management State back to Managed.

The Cluster Samples Operator still processes secrets while in Removed state. You can create the secret before switching to Removed, while in Removed before switching to Managed, or after switching to Managed state. There are delays in creating the samples until the secret event is processed if you create the secret after switching to Managed. This helps facilitate the changing of the registry, where you choose to remove all the samples before switching to insure a clean slate. Removing all samples before switching is not required.

Conditions

The samples resource maintains the following conditions in its status:

ConditionDescription

SamplesExists

Indicates the samples are created in the openshift namespace.

ImageChangesInProgress

True when image streams are created or updated, but not all of the tag spec generations and tag status generations match.

False when all of the generations match, or unrecoverable errors occurred during import, the last seen error is in the message field. The list of pending image streams is in the reason field.

ConfigurationValid

True or False based on whether any of the restricted changes noted previously are submitted.

RemovePending

Indicator that there is a Management State: Removed setting pending, but the Cluster Samples Operator is waiting for the deletions to complete.

ImportImageErrorsExist

Indicator of which image streams had errors during the image import phase for one of their tags.

True when an error has occurred. The list of image streams with an error is in the reason field. The details of each error reported are in the message field.

MigrationInProgress

True when the Cluster Samples Operator detects that the version is different than the Cluster Samples Operator version with which the current samples set are installed.

Accessing the Cluster Samples Operator configuration

You can configure the Cluster Samples Operator by editing the file with the provided parameters.

Prerequisites

  • Install the OpenShift CLI (oc).

Procedure

  • Access the Cluster Samples Operator configuration:

    1. $ oc edit configs.samples.operator.openshift.io/cluster -o yaml

    The Cluster Samples Operator configuration resembles the following example:

    1. apiVersion: samples.operator.openshift.io/v1
    2. kind: Config
    3. ...

Additional resources

For more information about configuring credentials, see Using image pull secrets.