Merge pull request #69809 from amolnar-rh/TELCODOCS-1576

TELCODOCS-1576: Image-based upgrade with Lifecycle Agent

Author: aireilly

_attributes/common-attributes.adoc

@@ -278,3 +278,5 @@ endif::[]
 :odf-full: Red Hat OpenShift Data Foundation
 :odf-short: ODF
 :rh-dev-hub: Red Hat Developer Hub
+//IBU
+:lcao: Lifecycle Agent

_topic_maps/_topic_map.yml

@@ -2966,6 +2966,8 @@ Topics:
     File: ztp-sno-additional-worker-node
   - Name: Pre-caching images for single-node OpenShift deployments
     File: ztp-precaching-tool
+  - Name: Image-based upgrade for single-node OpenShift clusters
+    File: ztp-image-based-upgrade
 ---
 Name: Reference design specifications
 Dir: telco_ref_design_specs

modules/ztp-image-based-upgrade-generate-seed-image.adoc

@@ -0,0 +1,217 @@
+// Module included in the following assemblies:
+// * scalability_and_performance/ztp-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ztp-image-based-upgrade-seed-generation_{context}"]
+= Generating a seed image with the {lcao}
+
+Use the {lcao} to generate the seed image with the `SeedGenerator` CR. The Operator checks for required system configurations, performs any necessary system cleanup before generating the seed image, and launches the image generation. The seed image generation includes the following tasks:
+
+* Stopping cluster operators
+* Preparing the seed image configuration
+* Generating and pushing the seed image to the image repository specified in the `SeedGenerator` CR
+* Restoring cluster operators
+* Expiring seed cluster certificates
+* Generating new certificates for the seed cluster
+* Restoring and updates the `SeedGenerator` CR on the seed cluster
+
+[NOTE]
+====
+The generated seed image does not include any site-specific data.
+====
+
+[IMPORTANT]
+====
+During the Developer Preview of this feature, when upgrading a cluster, any custom trusted certificates configured on the cluster will be lost. As a temporary workaround, to preserve these certificates, you must use a seed image from a seed cluster that trusts the certificates.
+====
+
+.Prerequisites
+
+* Deploy a {sno} cluster with a DU profile.
+* Install the {lcao} on the seed cluster.
+* Install the OADP Operator on the seed cluster.
+* Log in as a user with `cluster-admin` privileges.
+* The seed cluster has the same CPU topology as the target cluster.
+* The seed cluster has the same IP version as the target cluster.
+
++
+[NOTE]
+====
+Dual-stack networking is not supported in this release.
+====
+
+* If the target cluster has a proxy configuration, the seed cluster must have a proxy configuration too. The proxy configuration does not have to be the same.
+* The seed cluster is registered as a managed cluster.
+* The {lcao} deployed on the target cluster is compatible with the version in the seed image.
+* The seed cluster has a separate partition for the container images that will be shared between stateroots. For more information, see _Additional resources_.
+
+[WARNING]
+====
+If the target cluster has multiple IPs and one of them belongs to the subnet that was used for creating the seed image, the upgrade fails if the target cluster's node IP does not belong to that subnet.
+====
+
+.Procedure
+
+. Detach the seed cluster from the hub cluster either manually or if using ZTP, by removing the `SiteConfig` CR from the `kustomization.yaml`.
+This deletes any cluster-specific resources from the seed cluster that must not be in the seed image.
+
+.. If you are using {rh-rhacm}, manually detach the seed cluster by running the following command:
++
+[source,terminal]
+----
+$ oc delete managedcluster sno-worker-example
+----
+
+.. Wait until the `ManagedCluster` CR is removed. Once the CR is removed, create the proper `SeedGenerator` CR. The {lcao} cleans up the {rh-rhacm} artifacts.
+
+. If you are using GitOps ZTP, detach your cluster by removing the seed cluster's `SiteConfig` CR from the `kustomization.yaml`:
+
+.. Remove your seed cluster's `SiteConfig` CR from the `kustomization.yaml`.
++
+[source,yaml]
+----
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generators:
+#- example-seed-sno1.yaml
+- example-target-sno2.yaml
+- example-target-sno3.yaml
+----
+
+.. Commit the `kustomization.yaml` changes in your Git repository and push the changes.
++
+The ArgoCD pipeline detects the changes and removes the managed cluster.
+
+. Create the `Secret`.
+
+.. Create the authentication file by running the following command:
++
+--
+.Authentication file
+[source,terminal]
+----
+$ MY_USER=myuserid
+$ AUTHFILE=/tmp/my-auth.json
+$ podman login --authfile ${AUTHFILE} -u ${MY_USER} quay.io/${MY_USER}
+----
+
+[source,terminal]
+----
+$ base64 -w 0 ${AUTHFILE} ; echo
+----
+--
+
+.. Copy the output into the `seedAuth` field in the `Secret` YAML file named `seedgen` in the `openshift-lifecycle-agent` namespace.
++
+--
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: seedgen <1>
+  namespace: openshift-lifecycle-agent
+type: Opaque
+data:
+  seedAuth: <encoded_AUTHFILE> <2>
+----
+<1> The `Secret` resource must have the `name: seedgen` and `namespace: openshift-lifecycle-agent` fields.
+<2> Specifies a base64-encoded authfile for write-access to the registry for pushing the generated seed images.
+--
+
+.. Apply the `Secret`.
++
+[source,terminal]
+----
+$ oc apply -f secretseedgenerator.yaml
+----
+
+. Create the `SeedGenerator` CR:
++
+--
+[source,yaml]
+----
+apiVersion: lca.openshift.io/v1alpha1
+kind: SeedGenerator
+metadata:
+  name: seedimage <1>
+spec:
+  seedImage: <seed_container_image> <2>
+----
+<1> The `SeedGenerator` CR must be named `seedimage`.
+<2> Specify the container image URL, for example, `quay.io/example/seed-container-image:<tag>`. It is recommended to use the `<seed_cluster_name>:<ocp_version>` format.
+--
+
+. Generate the seed image by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f seedgenerator.yaml
+----
+
++
+[IMPORTANT]
+====
+The cluster reboots and loses API capabilities while the {lcao} generates the seed image.
+Applying the `SeedGenerator` CR stops the `kubelet` and the CRI-O operations, then it starts the image generation.
+====
+
+Once the image generation is complete, the cluster can be reattached to the hub cluster, and you can access it through the API.
+
+If you want to generate further seed images, you must provision a new seed cluster with the version you want to generate a seed image from.
+
+.Verification
+
+. Once the cluster recovers and it is available, you can check the status of the `SeedGenerator` CR:
++
+--
+[source,terminal]
+----
+$ oc get seedgenerator -oyaml
+----
+
+.Example output
+[source,yaml]
+----
+status:
+  conditions:
+  - lastTransitionTime: "2024-02-13T21:24:26Z"
+    message: Seed Generation completed
+    observedGeneration: 1
+    reason: Completed
+    status: "False"
+    type: SeedGenInProgress
+  - lastTransitionTime: "2024-02-13T21:24:26Z"
+    message: Seed Generation completed
+    observedGeneration: 1
+    reason: Completed
+    status: "True"
+    type: SeedGenCompleted <1>
+  observedGeneration: 1
+----
+<1> The seed image generation is complete.
+--
+
+. Verify that the {sno} cluster is running and is attached to the {rh-rhacm} hub cluster:
++
+--
+[source,terminal]
+----
+$ oc get managedclusters sno-worker-example
+----
+
+.Example output
+[source,terminal]
+----
+$ oc get managedclusters sno-worker-example
+NAME                 HUB ACCEPTED   MANAGED CLUSTER URLS                                  JOINED   AVAILABLE   AGE
+sno-worker-example   true           https://api.sno-worker-example.example.redhat.com     True     True        21h <1>
+----
+<1> The cluster is attached if you see that the value is `True` for both `JOINED` and `AVAILABLE`.
+
+[NOTE]
+====
+The cluster requires time to recover after restarting the `kubelet` operation.
+====
+--

modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-cli.adoc

@@ -0,0 +1,111 @@
+// Module included in the following assemblies:
+// * scalability_and_performance/ztp-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installing-lcao-using-cli_{context}"]
+= Installing the {lcao} by using the CLI
+
+You can use the OpenShift CLI (`oc`) to install the {lcao} from the 4.15 Operator catalog on both the seed and target cluster.
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in as a user with `cluster-admin` privileges.
+
+.Procedure
+
+. Create a namespace for the {lcao}.
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-lifecycle-agent
+  annotations:
+    workload.openshift.io/allowed: management
+----
+
+.. Create the `Namespace` CR:
++
+[source,terminal]
+----
+$ oc create -f lcao-namespace.yaml
+----
+
+. Create an Operator group for the {lcao}.
++
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: openshift-lifecycle-agent
+  namespace: openshift-lifecycle-agent
+spec:
+  targetNamespaces:
+  - openshift-lifecycle-agent
+----
+
+.. Create the `OperatorGroup` CR:
++
+[source,terminal]
+----
+$ oc create -f lcao-operatorgroup.yaml
+----
+
+. Create a `Subscription` CR:
+
+.. Define the `Subscription` CR and save the YAML file, for example, `lcao-subscription.yaml`:
++
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: openshift-lifecycle-agent-subscription
+  namespace: openshift-lifecycle-agent
+spec:
+  channel: "alpha"
+  name: lifecycle-agent
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+----
+
+.. Create the `Subscription` CR by running the following command:
++
+[source,terminal]
+----
+$ oc create -f lcao-subscription.yaml
+----
+
+.Verification
+
+. Verify that the installation succeeded by inspecting the CSV resource:
++
+[source,terminal]
+----
+$ oc get csv -n openshift-lifecycle-agent
+----
++
+.Example output
+[source,terminal,subs="attributes+"]
+----
+NAME                              DISPLAY                     VERSION               REPLACES                           PHASE
+lifecycle-agent.v{product-version}.0           Openshift Lifecycle Agent   {product-version}.0                Succeeded
+----
+
+. Verify that the {lcao} is up and running:
++
+[source,terminal]
+----
+$ oc get deploy -n openshift-lifecycle-agent
+----
+
++
+.Example output
+[source,terminal]
+----
+NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE
+lifecycle-agent-controller-manager   1/1     1            1           14s
+----

modules/ztp-image-based-upgrade-installing-lifecycle-agent-using-web-console.adoc

@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+// * scalability_and_performance/ztp-image-based-upgrade.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installing-lifecycle-agent-using-web-console_{context}"]
+= Installing the {lcao} by using the web console
+
+You can use the {product-title} web console to install the {lcao} from the 4.15 Operator catalog on both the seed and target cluster.
+
+.Prerequisites
+
+* Log in as a user with `cluster-admin` privileges.
+
+.Procedure
+
+. In the {product-title} web console, navigate to *Operators* → *OperatorHub*.
+. Search for the *{lcao}* from the list of available Operators, and then click *Install*.
+. On the *Install Operator* page, under *A specific namespace on the cluster* select *openshift-lifecycle-agent*. Then, click Install.
+. Click *Install*.
+
+.Verification
+
+To confirm that the installation is successful:
+
+. Navigate to the *Operators* → *Installed Operators* page.
+. Ensure that the {lcao} is listed in the *openshift-lifecycle-agent* project with a *Status* of *InstallSucceeded*.
+
+[NOTE]
+====
+During installation an Operator might display a *Failed* status. If the installation later succeeds with an *InstallSucceeded* message, you can ignore the *Failed* message.
+====
+
+If the Operator is not installed successfully:
+
+. Go to the *Operators* → *Installed Operators* page and inspect the *Operator Subscriptions* and *Install Plans* tabs for any failure or errors under *Status*.
+. Go to the *Workloads* → *Pods* page and check the logs for pods in the *openshift-lifecycle-agent* project.