#+TITLE: Openshift disconnected security & compliance workshop
#+DATE: <2024-08-26 Mon>
#+AUTHOR: James Blair


This document captures the steps required to set up an instance of the workshop.

* Connect to the low side instance

#+begin_src tmux
ssh lab-user@18.223.153.8
#+end_src


* Install required tools low side

#+begin_src tmux
cd /mnt/low-side-data/
curl -L -o oc-mirror.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/oc-mirror.tar.gz
tar -xzf oc-mirror.tar.gz
rm -f oc-mirror.tar.gz
chmod +x oc-mirror
sudo cp -v oc-mirror /bin
curl -L -o mirror-registry.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/mirror-registry/latest/mirror-registry.tar.gz
curl -L -o openshift-install.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/openshift-install-linux.tar.gz
tar -xzf openshift-install.tar.gz openshift-install
rm -f openshift-install.tar.gz
curl -L -o oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/openshift-client-linux.tar.gz
tar -xzf oc.tar.gz oc
rm -f oc.tar.gz
sudo cp -v oc /bin
ls -1 /mnt/low-side-data/
#+end_src


* Mirror installation content low side

#+begin_src tmux
mkdir -v $HOME/.docker
cp -v $HOME/pull-secret-example.json $HOME/.docker/config.json
cat << EOF > /mnt/low-side-data/imageset-config.yaml
---
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
  local:
    path: ./
mirror:
  platform:
    channels:
    - name: stable-4.14
      type: ocp
      minVersion: 4.14.19
      maxVersion: 4.14.20

  operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.14
    packages:
    - name: web-terminal
      channels:
      - name: fast

  additionalImages:
  - name: registry.redhat.io/rhel8/support-tools

  helm: {}
EOF
cd /mnt/low-side-data
oc-mirror --config imageset-config.yaml file:///mnt/low-side-data
#+end_src


* Install mirror registry high side

#+begin_src tmux
rsync -avP /mnt/low-side-data/mirror-registry.tar.gz highside:/mnt/high-side-data/
ssh highside
cd /mnt/high-side-data
tar -xzvf mirror-registry.tar.gz
./mirror-registry install --initPassword discopass
#+end_src


* Trust mirror registry high side

#+begin_src tmux
sudo cp -v $HOME/quay-install/quay-rootCA/rootCA.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
podman login -u init -p discopass $(hostname):8443
#+end_src


* Transfer mirror content from low to high

#+begin_src tmux
exit
rsync -avP /mnt/low-side-data/ highside:/mnt/high-side-data/
ssh highside
sudo mv -v /mnt/high-side-data/oc /bin/
sudo mv -v /mnt/high-side-data/oc-mirror /bin/
sudo mv -v /mnt/high-side-data/openshift-install /bin/
cd /mnt/high-side-data
oc-mirror --from=/mnt/high-side-data/mirror_seq1_000000.tar docker://$(hostname):8443
#+end_src


* Install openshift high side

#+begin_src tmux
cat << EOF > /mnt/high-side-data/install-config.yaml
---
apiVersion: v1
metadata:
  name: disco
baseDomain: lab
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  replicas: 0
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  replicas: 1
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
platform:
  aws:
    region: us-east-2
    subnets:
    - subnet-0fb89a66baf6e9226
publish: Internal
additionalTrustBundlePolicy: Always
EOF
ssh-keygen -C "OpenShift Debug" -N "" -f /mnt/high-side-data/id_rsa
echo "sshKey: $(cat /mnt/high-side-data/id_rsa.pub)" | tee -a /mnt/high-side-data/install-config.yaml
echo "pullSecret: '$(jq -c . $XDG_RUNTIME_DIR/containers/auth.json)'" | tee -a /mnt/high-side-data/install-config.yaml
if (test -e /mnt/high-side-data/oc-mirror-workspace/results-*/imageContentSourcePolicy.yaml)
  then
     echo -e "\n\n Looks good, go ahead! \n\n"
   else
     echo -e "\n\n Uh oh, something is wrong... \n\n"
fi
cat << EOF >> /mnt/high-side-data/install-config.yaml
imageContentSources:
$(grep "mirrors:" -A 2 --no-group-separator /mnt/high-side-data/oc-mirror-workspace/results-*/imageContentSourcePolicy.yaml)
EOF
tail -22 /mnt/high-side-data/install-config.yaml
cat << EOF >> /mnt/high-side-data/install-config.yaml
additionalTrustBundle: |
$(sed 's/^/  /' /home/lab-user/quay-install/quay-rootCA/rootCA.pem)
EOF
cat /mnt/high-side-data/install-config.yaml
cp -v /mnt/high-side-data/install-config.yaml /mnt/high-side-data/install-config.yaml.backup
openshift-install create cluster --dir /mnt/high-side-data
#+end_src


* Disable default catalog sources high side

#+begin_src tmux
oc login https://api.disco.lab:6443 --username kubeadmin -p "$(more /mnt/high-side-data/auth/kubeadmin-password)"
oc patch OperatorHub cluster --type merge -p '{"spec": {"disableAllDefaultSources": true}}'
oc create -f /mnt/high-side-data/oc-mirror-workspace/results-*/catalogSource-cs-redhat-operator-index.yaml
#+end_src