You can install the Cluster Application Migration Operator on an OpenShift Container Platform 4.4 target cluster and an OpenShift Container Platform 3 source cluster. The Cluster Application Migration Operator installs the Cluster Application Migration (CAM) tool on the target cluster by default.
Optional: You can configure the Cluster Application Migration Operator to install the CAM tool on an OpenShift Container Platform 3 cluster or on a remote cluster.
In a restricted environment, you can install the Cluster Application Migration Operator from a local mirror registry.
After you have installed the Cluster Application Migration Operator on your clusters, you can launch the CAM tool.
You can install the Cluster Application Migration Operator with the Operator Lifecycle Manager (OLM) on an OpenShift Container Platform 4.4 target cluster and manually on an OpenShift Container Platform 3 source cluster.
You can install the Cluster Application Migration Operator on an OpenShift Container Platform 4.4 target cluster with the Operator Lifecycle Manager (OLM).
The Cluster Application Migration Operator installs the Cluster Application Migration tool on the target cluster by default.
In the OpenShift Container Platform web console, click Operators → OperatorHub.
Use the Filter by keyword field (in this case, Migration) to find the Cluster Application Migration Operator.
Select the Cluster Application Migration Operator and click Install.
On the Create Operator Subscription page, click Subscribe.
On the Installed Operators page, the Cluster Application Migration Operator appears in the openshift-migration project with the status Succeeded.
Click Cluster Application Migration Operator.
Under Provided APIs, locate the Migration Controller tile, and click Create Instance.
Click Create.
Click Workloads → Pods to verify that the Controller Manager, Migration UI, Restic, and Velero pods are running.
You can install the Cluster Application Migration Operator manually on an OpenShift Container Platform 3 source cluster.
Access to registry.redhat.io
OpenShift Container Platform 3 cluster configured to pull images from registry.redhat.io
To pull images, you must create an imagestreamsecret and copy it to each node in your cluster.
Log in to registry.redhat.io with your Red Hat Customer Portal credentials:
$ sudo podman login registry.redhat.io
If your system is configured for rootless Podman containers, |
Download the operator.yml file:
$ sudo podman cp $(sudo podman create registry.redhat.io/rhcam-1-2/openshift-migration-rhel7-operator:v1.2):/operator.yml ./
Download the controller-3.yml file:
$ sudo podman cp $(sudo podman create registry.redhat.io/rhcam-1-2/openshift-migration-rhel7-operator:v1.2):/controller-3.yml ./
Log in to your OpenShift Container Platform 3 cluster.
Verify that the cluster can authenticate with registry.redhat.io:
$ oc run test --image registry.redhat.io/ubi8 --command sleep infinity
Create the Cluster Application Migration Operator CR object:
$ oc create -f operator.yml
The output resembles the following:
namespace/openshift-migration created
rolebinding.rbac.authorization.k8s.io/system:deployers created
serviceaccount/migration-operator created
customresourcedefinition.apiextensions.k8s.io/migrationcontrollers.migration.openshift.io created
role.rbac.authorization.k8s.io/migration-operator created
rolebinding.rbac.authorization.k8s.io/migration-operator created
clusterrolebinding.rbac.authorization.k8s.io/migration-operator created
deployment.apps/migration-operator created
Error from server (AlreadyExists): error when creating "./operator.yml": rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists (1)
Error from server (AlreadyExists): error when creating "./operator.yml": rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists
1 | You can ignore Error from server (AlreadyExists) messages. They are caused by the Cluster Application Migration Operator creating resources for earlier versions of OpenShift Container Platform 3 that are provided in later releases. |
Create the Migration controller CR object:
$ oc create -f controller-3.yml
Verify that the Velero and Restic pods are running:
$ oc get pods -n openshift-migration
You can install the Cluster Application Migration Operator with the Operator Lifecycle Manager (OLM) on an OpenShift Container Platform 4.4 target cluster and manually on an OpenShift Container Platform 3 source cluster.
For OpenShift Container Platform 4.4, you can build a custom Operator catalog image, push it to a local mirror image registry, and configure OLM to install the Cluster Application Migration Operator from the local registry. A mapping.txt file is created when you run the oc adm catalog mirror command.
On the OpenShift Container Platform 3 cluster, you can create a manifest file based on the Operator image and edit the file to point to your local image registry. The image value in the manifest file uses the sha256 value from the mapping.txt file. Then, you can use the local image to create the Cluster Application Migration Operator.
Cluster administrators can build a custom Operator catalog image to be used by Operator Lifecycle Manager (OLM) and push the image to a container image registry that supports Docker v2-2. For a cluster on a restricted network, this registry can be a registry that the cluster has network access to, such as the mirror registry created during the restricted network installation.
The OpenShift Container Platform cluster’s internal registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.
For this example, the procedure assumes use of the mirror registry that has access to both your network and the internet.
A Linux workstation with unrestricted network access
oc version 4.3.5+
podman version 1.4.4+
Access to mirror registry that supports Docker v2-2
If you are working with private registries, set the REG_CREDS environment variable to the file path of your registry credentials for use in later steps.
For example, for the podman CLI:
$ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json
If you are working with private namespaces that your quay.io account has access to, you must set a Quay authentication token. Set the AUTH_TOKEN environment variable for use with the --auth-token flag by making a request against the login API using your quay.io credentials:
$ AUTH_TOKEN=$(curl -sH "Content-Type: application/json" \
-XPOST https://quay.io/cnr/api/v1/users/login -d '
{
"user": {
"username": "'"<quay_username>"'",
"password": "'"<quay_password>"'"
}
}' | jq -r '.token')
On the workstation with unrestricted network access, authenticate with the target mirror registry:
$ podman login <registry_host_name>
Also authenticate with registry.redhat.io so that the base image can be pulled during the build:
$ podman login registry.redhat.io
Build a catalog image based on the redhat-operators catalog from quay.io, tagging and pushing it to your mirror registry:
$ oc adm catalog build \
    --appregistry-org redhat-operators \ (1)
    --from=registry.redhat.io/openshift4/ose-operator-registry:v4.4 \ (2)
    --filter-by-os="linux/amd64" \ (3)
    --to=<registry_host_name>:<port>/olm/redhat-operators:v1 \ (4)
    [-a ${REG_CREDS}] \ (5)
    [--insecure] \ (6)
    [--auth-token "${AUTH_TOKEN}"] (7)
INFO[0013] loading Bundles dir=/var/folders/st/9cskxqs53ll3wdn434vw4cd80000gn/T/300666084/manifests-829192605
...
Pushed sha256:f73d42950021f9240389f99ddc5b0c7f1b533c054ba344654ff1edaf6bf827e3 to example_registry:5000/olm/redhat-operators:v1
1 | Organization (namespace) to pull from an App Registry instance. |
2 | Set --from to the ose-operator-registry base image using the tag that matches the target OpenShift Container Platform cluster major and minor version. |
3 | Set --filter-by-os to the operating system and architecture to use for the base image, which must match the target OpenShift Container Platform cluster. Valid values are linux/amd64, linux/ppc64le, and linux/s390x. |
4 | Name your catalog image and include a tag, for example, v1. |
5 | Optional: If required, specify the location of your registry credentials file. |
6 | Optional: If you do not want to configure trust for the target registry, add the --insecure flag. |
7 | Optional: If other application registry catalogs are used that are not public, specify a Quay authentication token. |
Sometimes invalid manifests are accidentally introduced into Red Hat’s catalogs; when this happens, you might see some errors:
...
INFO[0014] directory dir=/var/folders/st/9cskxqs53ll3wdn434vw4cd80000gn/T/300666084/manifests-829192605 file=4.2 load=package
W1114 19:42:37.876180 34665 builder.go:141] error building database: error loading package into db: fuse-camel-k-operator.v7.5.0 specifies replacement that couldn't be found
Uploading ... 244.9kB/s
These errors are usually non-fatal, and if the Operator package mentioned does not contain an Operator you plan to install or a dependency of one, then they can be ignored.
Cluster administrators can configure OLM and OperatorHub to use local content in a restricted network environment using a custom Operator catalog image. For this example, the procedure uses a custom redhat-operators catalog image previously built and pushed to a supported registry.
A Linux workstation with unrestricted network access
A custom Operator catalog image pushed to a supported registry
oc version 4.3.5+
podman version 1.4.4+
Access to mirror registry that supports Docker v2-2
If you are working with private registries, set the REG_CREDS environment variable to the file path of your registry credentials for use in later steps.
For example, for the podman CLI:
$ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json
Disable the default OperatorSources by adding disableAllDefaultSources: true to the spec:
$ oc patch OperatorHub cluster --type json \
    -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'
This disables the default OperatorSources that are configured during an OpenShift Container Platform installation.
The oc adm catalog mirror command extracts the contents of your custom Operator catalog image to generate the manifests required for mirroring. You can choose to either:
Allow the default behavior of the command to automatically mirror all of the image content to your mirror registry after generating manifests, or
Add the --manifests-only flag to only generate the manifests required for mirroring, but do not actually mirror the image content to a registry yet. This can be useful for reviewing what will be mirrored, and it allows you to make any changes to the mapping list if you only require a subset of the content. You can then use that file with the oc image mirror command to mirror the modified list of images in a later step.
On your workstation with unrestricted network access, run the following command:
$ oc adm catalog mirror \
    <registry_host_name>:<port>/olm/redhat-operators:v1 \ (1)
    <registry_host_name>:<port> \
    [-a ${REG_CREDS}] \ (2)
    [--insecure] \ (3)
    [--filter-by-os="<os>/<arch>"] \ (4)
    [--manifests-only] (5)
1 | Specify your Operator catalog image. |
2 | Optional: If required, specify the location of your registry credentials file. |
3 | Optional: If you do not want to configure trust for the target registry, add the --insecure flag. |
4 | Optional: Because the catalog might reference images that support multiple architectures and operating systems, you can filter by architecture and operating system to mirror only the images that match. Valid values are linux/amd64, linux/ppc64le, and linux/s390x. |
5 | Optional: Only generate the manifests required for mirroring and do not actually mirror the image content to a registry. |
using database path mapping: /:/tmp/190214037
wrote database to /tmp/190214037
using database at: /tmp/190214037/bundles.db (1)
...
1 | Temporary database generated by the command. |
After you run the command, a <image_name>-manifests/ directory is created in the current directory. It contains the following files:
The imageContentSourcePolicy.yaml file defines an ImageContentSourcePolicy object that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.
The mapping.txt file contains all of the source images and where to map them in the target registry. This file is compatible with the oc image mirror command and can be used to further customize the mirroring configuration.
If you used the --manifests-only flag in the previous step and want to mirror only a subset of the content:
Modify the list of images in your mapping.txt file to your specifications. If you are unsure of the exact names and versions of the subset of images you want to mirror, use the following steps to find them:
Run the sqlite3 tool against the temporary database that was generated by the oc adm catalog mirror command to retrieve a list of images matching a general search query. The output helps inform how you will later edit your mapping.txt file.
For example, to retrieve a list of images that are similar to the string clusterlogging.4.3:
$ echo "select * from related_image \
where operatorbundle_name like 'clusterlogging.4.3%';" \
| sqlite3 -line /tmp/190214037/bundles.db (1)
1 | Refer to the previous output of the oc adm catalog mirror command to find the path of the database file. |
image = registry.redhat.io/openshift4/ose-logging-kibana5@sha256:aa4a8b2a00836d0e28aa6497ad90a3c116f135f382d8211e3c55f34fb36dfe61
operatorbundle_name = clusterlogging.4.3.33-202008111029.p0
image = registry.redhat.io/openshift4/ose-oauth-proxy@sha256:6b4db07f6e6c962fc96473d86c44532c93b146bbefe311d0c348117bf759c506
operatorbundle_name = clusterlogging.4.3.33-202008111029.p0
...
Use the results from the previous step to edit the mapping.txt file to only include the subset of images you want to mirror.
For example, you can use the image values from the previous example output to find that the following matching lines exist in your mapping.txt file:
mapping.txt
registry.redhat.io/openshift4/ose-logging-kibana5@sha256:aa4a8b2a00836d0e28aa6497ad90a3c116f135f382d8211e3c55f34fb36dfe61=<registry_host_name>:<port>/openshift4-ose-logging-kibana5:a767c8f0
registry.redhat.io/openshift4/ose-oauth-proxy@sha256:6b4db07f6e6c962fc96473d86c44532c93b146bbefe311d0c348117bf759c506=<registry_host_name>:<port>/openshift4-ose-oauth-proxy:3754ea2b
In this example, if you only want to mirror these images, you would then remove all other entries in the mapping.txt file and leave only the above two lines.
Still on your workstation with unrestricted network access, use your modified mapping.txt file to mirror the images to your registry using the oc image mirror command:
$ oc image mirror \
    [-a ${REG_CREDS}] \
    -f ./redhat-operators-manifests/mapping.txt
Apply the ImageContentSourcePolicy:
$ oc apply -f ./redhat-operators-manifests/imageContentSourcePolicy.yaml
Create a CatalogSource object that references your catalog image.
Modify the following to your specifications and save it as a catalogsource.yaml file:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: my-operator-catalog
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: <registry_host_name>:<port>/olm/redhat-operators:v1 (1)
  displayName: My Operator Catalog
  publisher: grpc
1 | Specify your custom Operator catalog image. |
Use the file to create the CatalogSource object:
$ oc create -f catalogsource.yaml
Verify the following resources are created successfully.
Check the Pods:
$ oc get pods -n openshift-marketplace
NAME                                   READY   STATUS    RESTARTS   AGE
my-operator-catalog-6njx6              1/1     Running   0          28s
marketplace-operator-d9f549946-96sgr   1/1     Running   0          26h
Check the CatalogSource:
$ oc get catalogsource -n openshift-marketplace
NAME                  DISPLAY               TYPE   PUBLISHER   AGE
my-operator-catalog   My Operator Catalog   grpc               5s
Check the PackageManifest:
$ oc get packagemanifest -n openshift-marketplace
NAME   CATALOG               AGE
etcd   My Operator Catalog   34s
You can now install the Operators from the OperatorHub page on your restricted network OpenShift Container Platform cluster web console.
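For the subset step of this procedure (editing mapping.txt from the sqlite3 query output before running oc image mirror), the following added example, which is not part of the product documentation, builds the reduced file mechanically and refuses any image that is not pinned by a sha256 digest. The function name subset_mapping, the host mirror.example.com:5000, and the third mapping entry are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# mirror.example.com:5000 and the third mapping entry are constructed.

# subset_mapping QUERY_OUTPUT MAPPING_IN MAPPING_OUT
# Copies to MAPPING_OUT only the MAPPING_IN lines whose source image is listed
# in the `sqlite3 -line` output. Returns non-zero if a listed image is not
# pinned by a well-formed sha256 digest or does not match exactly one line.
subset_mapping() {
    query_out=$1; mapping_in=$2; mapping_out=$3
    : > "$mapping_out"
    # `sqlite3 -line` prints "image = <ref>" with variable leading padding.
    sed -n 's/^[[:space:]]*image = //p' "$query_out" | sort -u |
    while IFS= read -r image; do   # sh and bash run this loop in a subshell
        digest=${image##*@sha256:}
        if [ "$digest" = "$image" ] ||
           ! printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
            echo "not pinned by a valid sha256 digest: $image" >&2
            exit 1
        fi
        # Compare the whole source side (text before the first "=") exactly,
        # so a similarly named image cannot slip into the list.
        count=$(awk -F= -v src="$image" '$1 == src {n++} END {print n+0}' "$mapping_in")
        if [ "$count" -ne 1 ]; then
            echo "expected 1 mapping line for $image, found $count" >&2
            exit 1
        fi
        awk -F= -v src="$image" '$1 == src' "$mapping_in" >> "$mapping_out"
    done
}

# Constructed demo input: the two images from this page's query output, plus
# one extra mapping entry that must not be mirrored.
demo_dir=$(mktemp -d)
kibana=registry.redhat.io/openshift4/ose-logging-kibana5@sha256:aa4a8b2a00836d0e28aa6497ad90a3c116f135f382d8211e3c55f34fb36dfe61
proxy=registry.redhat.io/openshift4/ose-oauth-proxy@sha256:6b4db07f6e6c962fc96473d86c44532c93b146bbefe311d0c348117bf759c506
extra=registry.redhat.io/openshift4/ose-constructed-example@sha256:$(printf '%064d' 0)
cat > "$demo_dir/query.txt" <<EOF
              image = $kibana
operatorbundle_name = clusterlogging.4.3.33-202008111029.p0
              image = $proxy
operatorbundle_name = clusterlogging.4.3.33-202008111029.p0
EOF
cat > "$demo_dir/mapping.txt" <<EOF
$extra=mirror.example.com:5000/openshift4-ose-constructed-example:00000000
$kibana=mirror.example.com:5000/openshift4-ose-logging-kibana5:a767c8f0
$proxy=mirror.example.com:5000/openshift4-ose-oauth-proxy:3754ea2b
EOF

subset_mapping "$demo_dir/query.txt" "$demo_dir/mapping.txt" \
    "$demo_dir/mapping.subset.txt" && cat "$demo_dir/mapping.subset.txt"
```

Pass the resulting file to oc image mirror -f only when the function returns zero, because a failed run can leave a partial file behind.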
You can install the Cluster Application Migration Operator on an OpenShift Container Platform 4.4 target cluster with the Operator Lifecycle Manager (OLM).
The Cluster Application Migration Operator installs the Cluster Application Migration tool on the target cluster by default.
You created a custom Operator catalog and pushed it to a mirror registry.
You configured OLM to install the Cluster Application Migration Operator from the mirror registry.
In the OpenShift Container Platform web console, click Operators → OperatorHub.
Use the Filter by keyword field (in this case, Migration) to find the Cluster Application Migration Operator.
Select the Cluster Application Migration Operator and click Install.
On the Create Operator Subscription page, click Subscribe.
On the Installed Operators page, the Cluster Application Migration Operator appears in the openshift-migration project with the status Succeeded.
Click Cluster Application Migration Operator.
Under Provided APIs, locate the Migration Controller tile, and click Create Instance.
Click Create.
Click Workloads → Pods to verify that the Controller Manager, Migration UI, Restic, and Velero pods are running.
You can create a manifest file based on the Cluster Application Migration Operator image and edit the manifest to point to your local image registry. Then, you can use the local image to create the Cluster Application Migration Operator on an OpenShift Container Platform 3 source cluster.
Access to registry.redhat.io
Linux workstation with unrestricted network access
Mirror registry that supports Docker v2-2
Custom Operator catalog pushed to a mirror registry
On the workstation with unrestricted network access, log in to registry.redhat.io with your Red Hat Customer Portal credentials:
$ sudo podman login registry.redhat.io
If your system is configured for rootless Podman containers, |
Download the operator.yml file:
$ sudo podman cp $(sudo podman create registry.redhat.io/rhcam-1-2/openshift-migration-rhel7-operator:v1.2):/operator.yml ./
Download the controller-3.yml file:
$ sudo podman cp $(sudo podman create registry.redhat.io/rhcam-1-2/openshift-migration-rhel7-operator:v1.2):/controller-3.yml ./
Obtain the Operator image value from the mapping.txt file that was created when you ran the oc adm catalog mirror command on the OpenShift Container Platform 4 cluster:
$ grep openshift-migration-rhel7-operator ./mapping.txt | grep rhcam-1-2
The output shows the mapping between the registry.redhat.io image and your mirror registry image:
registry.redhat.io/rhcam-1-2/openshift-migration-rhel7-operator@sha256:468a6126f73b1ee12085ca53a312d1f96ef5a2ca03442bcb63724af5e2614e8a=<registry.apps.example.com>/rhcam-1-2/openshift-migration-rhel7-operator
Update the image and REGISTRY values in the operator.yml file:
containers:
  - name: ansible
    image: <registry.apps.example.com>/rhcam-1-2/openshift-migration-rhel7-operator@sha256:<468a6126f73b1ee12085ca53a312d1f96ef5a2ca03442bcb63724af5e2614e8a> (1)
...
  - name: operator
    image: <registry.apps.example.com>/rhcam-1-2/openshift-migration-rhel7-operator@sha256:<468a6126f73b1ee12085ca53a312d1f96ef5a2ca03442bcb63724af5e2614e8a> (1)
...
    env:
    - name: REGISTRY
      value: <registry.apps.example.com> (2)
1 | Specify your mirror registry and the sha256 value of the Operator image in the mapping.txt file. |
2 | Specify your mirror registry. |
Log in to your OpenShift Container Platform 3 cluster.
Create the Cluster Application Migration Operator CR object:
$ oc create -f operator.yml
The output resembles the following:
namespace/openshift-migration created
rolebinding.rbac.authorization.k8s.io/system:deployers created
serviceaccount/migration-operator created
customresourcedefinition.apiextensions.k8s.io/migrationcontrollers.migration.openshift.io created
role.rbac.authorization.k8s.io/migration-operator created
rolebinding.rbac.authorization.k8s.io/migration-operator created
clusterrolebinding.rbac.authorization.k8s.io/migration-operator created
deployment.apps/migration-operator created
Error from server (AlreadyExists): error when creating "./operator.yml": rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists (1)
Error from server (AlreadyExists): error when creating "./operator.yml": rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists
1 | You can ignore Error from server (AlreadyExists) messages. They are caused by the Cluster Application Migration Operator creating resources for earlier versions of OpenShift Container Platform 3 that are provided in later releases. |
Create the Migration controller CR object:
$ oc create -f controller-3.yml
Verify that the Velero and Restic pods are running:
$ oc get pods -n openshift-migration
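Before running oc create -f operator.yml in this procedure, the edit to operator.yml can be checked against mapping.txt. The following added example, which is not Red Hat's code, derives the digest-pinned mirror reference from the mapping line and verifies that every image value and the REGISTRY value in the manifest match it. The function names, the manifest fragments (constructed after the snippet above), and the unedited REGISTRY value are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Red Hat's code. The manifest fragments are constructed
# after the operator.yml snippet on this page; registry.apps.example.com
# stands in for the mirror registry.

IMAGE_PATH=rhcam-1-2/openshift-migration-rhel7-operator

# pinned_ref MAPPING_FILE
# Prints <mirror>/<IMAGE_PATH>@sha256:<digest> from the mapping.txt line for
# the Operator image. Fails unless exactly one line with a valid digest matches.
pinned_ref() {
    awk -F= -v path="$IMAGE_PATH" '
        index($1, "registry.redhat.io/" path "@sha256:") == 1 {
            n++
            digest = substr($1, index($1, "@sha256:") + 8)
            target = $2
            sub(":[^/:]*$", "", target)   # drop a trailing :tag, keep host:port
        }
        END {
            if (n != 1 || length(digest) != 64 || digest !~ /^[0-9a-f]+$/) exit 1
            print target "@sha256:" digest
        }' "$1"
}

# check_manifest OPERATOR_YML MAPPING_FILE
# Succeeds only if every "image:" value equals the pinned mirror reference and
# the REGISTRY variable names the same mirror host. Findings go to stderr.
check_manifest() {
    ref=$(pinned_ref "$2") || { echo "no unique Operator entry in $2" >&2; return 1; }
    host=${ref%%/*}
    awk -v ref="$ref" -v host="$host" '
        $1 == "image:" || ($1 == "-" && $2 == "image:") {
            images++
            if ($NF != ref) { print "line " NR ": unexpected image " $NF; bad = 1 }
        }
        after_registry && $1 == "value:" {
            registry = 1
            if ($2 != host) { print "line " NR ": REGISTRY is " $2; bad = 1 }
        }
        { after_registry = ($1 == "-" && $2 == "name:" && $3 == "REGISTRY") }
        END { exit (bad || !images || !registry) }
    ' "$1" >&2
}

# write_manifest FILE IMAGE_REF REGISTRY_VALUE: constructed operator.yml fragment
write_manifest() {
    cat > "$1" <<EOF
containers:
- name: ansible
  image: $2
- name: operator
  image: $2
  env:
  - name: REGISTRY
    value: $3
EOF
}

demo_dir=$(mktemp -d)
digest=468a6126f73b1ee12085ca53a312d1f96ef5a2ca03442bcb63724af5e2614e8a
echo "registry.redhat.io/$IMAGE_PATH@sha256:$digest=registry.apps.example.com/$IMAGE_PATH" \
    > "$demo_dir/mapping.txt"
write_manifest "$demo_dir/edited.yml" \
    "registry.apps.example.com/$IMAGE_PATH@sha256:$digest" registry.apps.example.com
# Constructed "not yet edited" values: tag reference and upstream registry.
write_manifest "$demo_dir/unedited.yml" "registry.redhat.io/$IMAGE_PATH:v1.2" registry.redhat.io

check_manifest "$demo_dir/edited.yml" "$demo_dir/mapping.txt" && echo "edited.yml: ok"
check_manifest "$demo_dir/unedited.yml" "$demo_dir/mapping.txt" || echo "unedited.yml: rejected"
```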
You can launch the CAM web console in a browser.
Log in to the OpenShift Container Platform cluster on which you have installed the CAM tool.
Obtain the CAM web console URL by entering the following command:
$ oc get -n openshift-migration route/migration -o go-template='https://{{ .spec.host }}'
The output resembles the following: https://migration-openshift-migration.apps.cluster.openshift.com.
Launch a browser and navigate to the CAM web console.
If you try to access the CAM web console immediately after installing the Cluster Application Migration Operator, the console may not load because the Operator is still configuring the cluster. Wait a few minutes and retry.
If you are using self-signed CA certificates, you will be prompted to accept the CA certificate of the source cluster’s API server. The web page guides you through the process of accepting the remaining certificates.
Log in with your OpenShift Container Platform username and password.
You can upgrade your Cluster Application Migration (CAM) tool on your source and target clusters.
If you are upgrading from CAM 1.1 to 1.2, you must update the service account token in the CAM web console.
You can upgrade the CAM tool on an OpenShift Container Platform 4 cluster with the Operator Lifecycle Manager.
If you selected the Automatic approval option when you subscribed to the Cluster Application Migration Operator, the CAM tool is updated automatically.
The following procedure enables you to change the Manual approval option to Automatic or to change the release channel.
In the OpenShift Container Platform console, navigate to Operators > Installed Operators.
Click Cluster Application Migration Operator.
In the Subscription tab, change the Approval option to Automatic.
Optional: Edit the Channel.
Updating the subscription deploys the updated Cluster Application Migration Operator and updates the CAM tool components.
You can upgrade the CAM tool on an OpenShift Container Platform 3 cluster by downloading the latest operator.yml file and replacing the existing Cluster Application Migration Operator CR object.
If you remove and re-create the namespace, you must update the cluster’s service account token in the CAM web console.
Log in to registry.redhat.io with your Red Hat Customer Portal credentials:
$ sudo podman login registry.redhat.io
Download the latest operator.yml file:
$ sudo podman cp $(sudo podman create registry.redhat.io/rhcam-1-2/openshift-migration-rhel7-operator:v1.2):/operator.yml ./
Log in to your OpenShift Container Platform 3 cluster.
Deploy the updated Cluster Application Migration Operator CR object:
$ oc replace -f operator.yml
Get the Restic Pod:
$ oc get pod -n openshift-migration | grep restic
Delete the Restic Pod so that the upgrade is applied when it restarts:
$ oc delete pod <restic_pod>
If you are upgrading from CAM 1.1 to 1.2, you must update the service account token in the CAM web console.
CAM 1.1 uses the mig service account, while CAM 1.2 uses the migration-controller service account.
Log in to a cluster and obtain the migration-controller service account token:
$ oc sa get-token -n openshift-migration migration-controller
Log in to the CAM web console and click Clusters.
Click the Options menu of the cluster and select Edit.
Copy the new token to the Service account token field.
Click Update cluster and then click Close.
The service account token is updated for the cluster.