Installing Che in a restricted environment on OpenShift

On an OpenShift cluster operating in a restricted network, public resources are not available.

However, deploying Che and running workspaces requires the following public resources:

Operator catalog
Container images
Sample projects

To make these resources available, you can replace them with their copy in a registry accessible by the OpenShift cluster.

Prerequisites

The OpenShift cluster has at least 64 GB of disk space.
The OpenShift cluster is ready to operate on a restricted network, and the OpenShift control plane has access to the public internet. See About disconnected installation mirroring and Using Operator Lifecycle Manager on restricted networks.

An active oc session with administrative permissions to the OpenShift cluster. See Getting started with the OpenShift CLI.
An active oc registry session to the registry.redhat.io Red Hat Ecosystem Catalog. See: Red Hat Container Registry authentication.

opm. See Installing the opm CLI.
jq. See Downloading jq.
podman. See Podman Installation Instructions.
skopeo version 1.6 or higher. See Installing Skopeo.
An active skopeo session with administrative access to the private Docker registry. Authenticating to a registry, and Mirroring images for a disconnected installation.
chectl for Che version 7.85. See Installing the chectl management tool.

Procedure

Download and execute the mirroring script to install a custom Operator catalog and mirror the related images: prepare-restricted-environment.sh.

$ bash prepare-restricted-environment.sh \
  --devworkspace_operator_index quay.io/devfile/devworkspace-operator-index:release-digest\
  --devworkspace_operator_version "v0.27.0" \
  --prod_operator_index "registry.access.redhat.com/redhat/community-operator-index:v4.12" \
  --prod_operator_package_name "eclipse-che" \
  --prod_operator_bundle_name "eclipse-che" \
  --prod_operator_version "v7.85.0" \
  --my_registry "<my_registry>" (1)

1	The private Docker registry where the images will be mirrored

Install Che with the configuration set in the che-operator-cr-patch.yaml during the previous step:

$ chectl server:deploy \
  --platform=openshift \
  --olm-channel stable \
  --catalog-source-name=eclipse-che-disconnected-install \
  --catalog-source-namespace=openshift-marketplace \
  --skip-devworkspace-operator \
  --che-operator-cr-patch-yaml=che-operator-cr-patch.yaml

Allow incoming traffic from the Che namespace to all Pods in the user namespaces. See: Configuring network policies.

Additional resources