Using remote health reporting in a restricted network
You can manually gather and upload Insights Operator archives to diagnose issues from a restricted network.
To use the Insights Operator in a restricted network, you must:
Create a copy of your Insights Operator archive.
Upload the Insights Operator archive to console.redhat.com.
Additionally, you can choose to obfuscate the Insights Operator data before upload.
Running an Insights Operator gather operation
You must run a gather operation to create an Insights Operator archive.
Prerequisites
- You are logged in to OKD as
cluster-admin
.
Procedure
Create a file named
gather-job.yaml
using this template:apiVersion: batch/v1
kind: Job
metadata:
name: insights-operator-job
annotations:
config.openshift.io/inject-proxy: insights-operator
spec:
backoffLimit: 6
ttlSecondsAfterFinished: 600
template:
spec:
restartPolicy: OnFailure
serviceAccountName: operator
nodeSelector:
beta.kubernetes.io/os: linux
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 900
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 900
volumes:
- name: snapshots
emptyDir: {}
- name: service-ca-bundle
configMap:
name: service-ca-bundle
optional: true
initContainers:
- name: insights-operator
image: quay.io/openshift/origin-insights-operator:latest
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: snapshots
mountPath: /var/lib/insights-operator
- name: service-ca-bundle
mountPath: /var/run/configmaps/service-ca-bundle
readOnly: true
ports:
- containerPort: 8443
name: https
resources:
requests:
cpu: 10m
memory: 70Mi
args:
- gather
- -v=4
- --config=/etc/insights-operator/server.yaml
containers:
- name: sleepy
image: quay.io/openshift/origin-base:latest
args:
- /bin/sh
- -c
- sleep 10m
volumeMounts: [{name: snapshots, mountPath: /var/lib/insights-operator}]
Copy your
insights-operator
image version:$ oc get -n openshift-insights deployment insights-operator -o yaml
Paste your image version in
gather-job.yaml
:initContainers:
- name: insights-operator
image: <your_insights_operator_image_version>
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
Create the gather job:
$ oc apply -n openshift-insights -f gather-job.yaml
Find the name of the job pod:
$ oc describe -n openshift-insights job/insights-operator-job
Example output
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal SuccessfulCreate 7m18s job-controller Created pod: insights-operator-job-<your_job>
where
insights-operator-job-*<your_job>*
is the name of the pod.Verify that the operation has finished:
$ oc logs -n openshift-insights insights-operator-job-<your_job> insights-operator
Example output
I0407 11:55:38.192084 1 diskrecorder.go:34] Wrote 108 records to disk in 33ms
Save the created archive:
$ oc cp openshift-insights/insights-operator-job-<your_job>:/var/lib/insights-operator ./insights-data
Clean up the job:
$ oc delete -n openshift-insights job insights-operator-job
Uploading an Insights Operator archive
You can manually upload an Insights Operator archive to console.redhat.com to diagnose potential issues.
Prerequisites
You are logged in to OKD as
cluster-admin
.You have a workstation with unrestricted internet access.
You have created a copy of the Insights Operator archive.
Procedure
Download the
dockerconfig.json
file:$ oc extract secret/pull-secret -n openshift-config --to=.
Copy your
"cloud.openshift.com"
"auth"
token from thedockerconfig.json
file:{
"auths": {
"cloud.openshift.com": {
"auth": "<your_token>",
"email": "asd@redhat.com"
}
}
Upload the archive to console.redhat.com:
$ curl -v -H "User-Agent: insights-operator/one10time200gather184a34f6a168926d93c330 cluster/<cluster_id>" -H "Authorization: Bearer <your_token>" -F "upload=@<path_to_archive>; type=application/vnd.redhat.openshift.periodic+tar" https://console.redhat.com/api/ingress/v1/upload
where
*<cluster_id>*
is your cluster ID,*<your_token>*
is the token from your pull secret, and*<path_to_archive>*
is the path to the Insights Operator archive.If the operation is successful, the command returns a
"request_id"
and"account_number"
:Example output
* Connection #0 to host console.redhat.com left intact
{"request_id":"393a7cf1093e434ea8dd4ab3eb28884c","upload":{"account_number":"6274079"}}%
Verification steps
Log in to https://console.redhat.com/openshift.
Click the Clusters menu in the left pane.
To display the details of the cluster, click the cluster name.
Open the Insights Advisor tab of the cluster.
If the upload was successful, the tab displays one of the following:
Your cluster passed all recommendations, if Insights Advisor did not identify any issues.
A list of issues that Insights Advisor has detected, prioritized by risk (low, moderate, important, and critical).
Enabling Insights Operator data obfuscation
You can enable obfuscation to mask sensitive and identifiable IPv4 addresses and cluster base domains that the Insights Operator sends to console.redhat.com.
Although this feature is available, Red Hat recommends keeping obfuscation disabled for a more effective support experience. |
Obfuscation assigns non-identifying values to cluster IPv4 addresses, and uses a translation table that is retained in memory to change IP addresses to their obfuscated versions throughout the Insights Operator archive before uploading the data to console.redhat.com.
For cluster base domains, obfuscation changes the base domain to a hardcoded substring. For example, cluster-api.openshift.example.com
becomes cluster-api.<CLUSTER_BASE_DOMAIN>
.
The following procedure enables obfuscation using the support
secret in the openshift-config
namespace.
Prerequisites
- You are logged in to the OKD web console as
cluster-admin
.
Procedure
Navigate to Workloads → Secrets.
Select the openshift-config project.
Search for the support secret using the Search by name field. If it does not exist, click Create → Key/value secret to create it.
Click the Options menu , and then click Edit Secret.
Click Add Key/Value.
Create a key named
enableGlobalObfuscation
with a value oftrue
, and click Save.Navigate to Workloads → Pods
Select the
openshift-insights
project.Find the
insights-operator
pod.To restart the
insights-operator
pod, click the Options menu , and then click Delete Pod.
Verification
Navigate to Workloads → Secrets.
Select the openshift-insights project.
Search for the obfuscation-translation-table secret using the Search by name field.
If the obfuscation-translation-table
secret exists, then obfuscation is enabled and working.
Alternatively, you can inspect /insights-operator/gathers.json
in your Insights Operator archive for the value "is_global_obfuscation_enabled": true
.
Additional resources
- For more information on how to download your Insights Operator archive, see Showing data collected by the Insights Operator.