Install Che in a restricted environment on Kubernetes

To provide cloud development environments on an air-gapped Kubernetes cluster, mirror the required images and operator catalogs to a registry within the restricted network, then deploy Che.

On a restricted network, deploying Che and running workspaces requires the following public resources:

Operator catalog
Container images
Sample projects

To make these resources available, you can replace them with their copy in a registry accessible by the Kubernetes cluster.

Prerequisites

The OpenShift cluster has at least 64 GB of disk space.
The OpenShift cluster is ready to operate on a restricted network. See About disconnected installation mirroring and Using Operator Lifecycle Manager on restricted networks.

An active oc session with administrative permissions to the OpenShift cluster. See Getting started with the OpenShift CLI.
An active oc registry session to the registry.redhat.io Red Hat Ecosystem Catalog. See: Red Hat Container Registry authentication.

opm. See Installing the opm CLI.
jq. See Downloading jq.
podman. See Podman Installation Instructions.
skopeo version 1.6 or higher. See Installing Skopeo.
An active skopeo session with administrative access to the private Docker registry. Authenticating to a registry, and Mirroring images for a disconnected installation.
chectl for Che version 7.117. See Installing the chectl management tool.

Procedure

Download and execute the mirroring script to install a custom Operator catalog and mirror the related images: prepare-restricted-environment.sh.

$ bash prepare-restricted-environment.sh \
  --devworkspace_operator_index quay.io/devfile/devworkspace-operator-index:release-digest\
  --devworkspace_operator_version "v0.40.1" \
  --prod_operator_index "registry.access.redhat.com/redhat/community-operator-index:v4.18" \
  --prod_operator_package_name "eclipse-che" \
  --prod_operator_bundle_name "eclipse-che" \
  --prod_operator_version "v7.117.0" \
  --my_registry "<my_registry>" (1)

1	The private Docker registry where the images will be mirrored

Procedure

Install Che with the configuration set in the che-operator-cr-patch.yaml during the previous step:

$ chectl server:deploy \
  --platform=openshift \
  --olm-channel stable \
  --catalog-source-name=eclipse-che-disconnected-install \
  --catalog-source-namespace=openshift-marketplace \
  --skip-devworkspace-operator \
  --che-operator-cr-patch-yaml=che-operator-cr-patch.yaml

Allow incoming traffic from the Che namespace to all Pods in the user namespaces. See: Configuring network policies.

Verification

Verify that the Che instance is running:
```
$ chectl server:status
```

Additional resources