Upgrading Che using the CLI management tool in restricted environment

This section describes how to upgrade Eclipse Che using the CLI management tool in restricted environment. The upgrade path supports minor version update, from Che version 7.22 to version 7.23.

Prerequisites

  • An administrative account on an instance of Kubernetes or OpenShift.

  • A running instance version 7.22 of Eclipse Che, installed using the CLI management tool on the same instance of Kubernetes or OpenShift, with the chectl --installer operator method, in the <eclipse-che> project. See Installing Che in a restricted environment.

  • The chectl 7.23 management tool is available. See Using the chectl management tool.

Understanding network connectivity in restricted environments

Che requires that each Kubernetes Ingress or OpenShift Route created for Che is accessible from inside the Kubernetes or OpenShift cluster. These Che components have a Kubernetes Ingress or OpenShift Route: che-server, keycloak, devfile-registry, plugin-registry.

Consider the network topology of the environment to determine how best to accomplish this.

Example 1. Network owned by a company or an organization, disconnected from the public Internet

The network administrators must ensure that it is possible to route traffic bound from the cluster to Kubernetes Ingress or OpenShift Route host names.

Example 2. Private subnetwork in a cloud provider

Create a proxy configuration allowing the traffic to leave the node to reach an external-facing Load Balancer.

Building offline registry images

Building an offline devfile registry image

This section describes how to build an offline devfile registry image. Starting workspaces without relying on resources from the outside Internet requires building this image. The image contains all sample projects referenced in devfiles as zip files.

Procedure

  1. Clone the devfile registry repository and check out the version to deploy:

    $ git clone git@github.com:eclipse/che-devfile-registry.git
$ cd che-devfile-registry
$ git checkout 7.23.x

  2. Build an offline devfile registry image:

    ./build.sh --organization <my-org> \
           --registry <my-registry> \
           --tag <my-tag> \
           --offline \
           --latest-only

    To display full options for the build.sh script, use the --help parameter.

Building an offline plug-in registry image

This section describes how to build an offline plug-in registry image. Starting workspaces without relying on resources from the outside Internet requires building this image. The image contains plug-in metadata and all plug-in or extension artifacts.

Procedure

  1. Clone the plug-in registry repository and check out the version to deploy:

    $ git clone git@github.com:eclipse/che-plugin-registry.git
$ cd che-plugin-registry
$ git checkout 7.23.x

  2. Build an offline plug-in registry image:

    ./build.sh --organization <my-org> \
           --registry <my-registry> \
           --tag <my-tag> \
           --offline \
           --latest-only

    To display full options for the build.sh script, use the --help parameter.

Preparing a private registry

Che workspaces consist of Pods running in a cluster, and therefore, many images are required to support all languages and plug-ins that can be used for a workspace. In an offline deployment, these images must be made available to the Che server running in the cluster.

Essential images

Running any workspace requires these essential images:

Table 1. Images essential to starting workspaces

quay.io/eclipse/che-server

The main Che server image

quay.io/eclipse/che-postgres

The database used by Che

quay.io/eclipse/che-keycloak

Keycloak Pod for user authentication

quay.io/eclipse/che-jwtproxy

JWT proxy image for enabling authentication between services. See Che workspace JWT proxy.

quay.io/eclipse/che-plugin-artifacts-broker
quay.io/eclipse/che-plugin-metadata-broker

Images for adding plug-ins to workspaces. See Che plug-ins broker.

quay.io/eclipse/che-plugin-registry

Plug-in registry that store information about plugins and the runtime containers they require. See Building an offline plug-in registry image.

quay.io/eclipse/che-devfile-registry

Devfile registry that store descriptions of the sample projects and how to load them as workspaces via the Getting Started tab in the dashboard. See Building an offline devfile registry image.
Workspace-specific images

The images described in this section are required for running a workspace. Any one workspace uses a subset of the images below. It is only necessary to include the images that are used in workspaces created. For example, when using Che only for developing in Java, many images can be omitted.

To avoid issues when only a subset of the images described in this section is needed, remove unnecessary plug-ins and devfiles when building custom registries (see Customizing the registries for more information).

Plug-in sidecar images

Many workspace plug-ins are run in sidecar containers to ensure their dependencies are available. The offline plug-in registry (see Building an offline plug-in registry image) includes a file with the list of all images referenced in its plug-ins.

To get a list of images required for plug-ins, display this file:

$ docker run -it --rm \
  --entrypoint cat <my-offline-registry> /var/www/html/v3/external_images.txt

In the example above, substitute <my-offline-registry> for the image name and tag of the custom plug-in registry.

Devfile base images

Every Che workspace uses one or more base images, which contain the development dependencies for projects that are being built. To use the samples, Che pull these images from the references to them in the devfile registry. This is needed because the sample devfiles included in the devfile registry apply to images suited for this purpose.

An offline devfile registry (see Building an offline devfile registry image) contains a file with the list of all images referenced in its devfiles:

$ docker run -it --rm \
  --entrypoint cat <my-offline-registry> /var/www/html/devfiles/external_images.txt

In the example above, substitute <my-offline-registry> for the image name and tag of the custom devfile registry.

Upgrading Che using the CLI management tool in restricted environment

This section describes how to upgrade Eclipse Che using the CLI management tool in restricted environment.

Prerequisites

  • An administrative account on an OpenShift instance.

  • A running instance version 7.22 of Eclipse Che, installed using the CLI management tool on the same instance of Kubernetes or OpenShift, with the chectl --installer operator method, in the <eclipse-che> project. See Installing Che in a restricted environment.

  • Essential container images are available to the Che server running in the cluster. See Preparing a private registry.

  • The chectl 7.23 management tool is available. See Using the chectl management tool.

Procedure

  1. In all running workspaces in the Che 7.22 instance, save and push changes back to the Git repositories.

  2. Stop all workspaces in the Che 7.22 instance.

  3. Run the following command:

    $ chectl server:update --che-operator-image=<image-registry>/<organization>/che-operator:7.23 -n eclipse-che

    • <image-registry>: A host name and a port of the container-image registry accessible in the restricted environment.

    • <organization>: An organization of the container-image registry. See: Preparing a private registry.

Verification steps

  1. Navigate to the Che instance.

  2. The 7.23 version number is visible at the bottom of the page.

For slow systems or internet connections, add the --k8spodwaittimeout=1800000 flag option to the chectl server:update command to extend the Pod timeout period to 1800000 ms or longer.