Using remote health reporting in a restricted network

You can manually gather and upload Insights Operator archives to diagnose issues from a restricted network.

To use the Insights Operator in a restricted network, you must:

Create a copy of your Insights Operator archive.
Upload the Insights Operator archive to console.redhat.com.

Additionally, you can select to obfuscate the Insights Operator data before upload.

Running an Insights Operator gather operation

You must run a gather operation to create an Insights Operator archive.

Prerequisites

You are logged in to OpenShift Container Platform as cluster-admin.

Procedure

Create a file named gather-job.yaml using this template:

link:https://raw.githubusercontent.com/openshift/insights-operator/release-4.21/docs/gather-job.yaml[role=include]

Copy your insights-operator image version:

$ oc get -n openshift-insights deployment insights-operator -o yaml

Example output

apiVersion: apps/v1
kind: Deployment
metadata:
  name: insights-operator
  namespace: openshift-insights
# ...
spec:
  template:
# ...
    spec:
      containers:
      - args:
# ...
        image: registry.ci.openshift.org/ocp/4.15-2023-10-12-212500@sha256:a0aa581400805ad0...
# ...

The spec.template.spec.containers.image field specifies your insights-operator image version.

Paste your image version in gather-job.yaml:

apiVersion: batch/v1
kind: Job
metadata:
  name: insights-operator-job
# ...
spec:
# ...
  template:
    spec:
    initContainers:
    - name: insights-operator
      image: image: registry.ci.openshift.org/ocp/4.15-2023-10-12-212500@sha256:a0aa581400805ad0...
      terminationMessagePolicy: FallbackToLogsOnError
      volumeMounts:

where
spec.template.initContainers.image: Replace any existing value with your insights-operator image version.

Create the gather job:

$ oc apply -n openshift-insights -f gather-job.yaml

Find the name of the job pod:

$ oc describe -n openshift-insights job/insights-operator-job

Example output

Name:             insights-operator-job
Namespace:        openshift-insights
# ...
Events:
  Type    Reason            Age    From            Message
  ----    ------            ----   ----            -------
  Normal  SuccessfulCreate  7m18s  job-controller  Created pod: insights-operator-job-<your_job>

where: insights-operator-job-<your_job> is the name of the pod.

Verify that the operation has finished:

$ oc logs -n openshift-insights insights-operator-job-<your_job> insights-operator

Example output

I0407 11:55:38.192084       1 diskrecorder.go:34] Wrote 108 records to disk in 33ms

Save the created archive:

$ oc cp openshift-insights/insights-operator-job-<your_job>:/var/lib/insights-operator ./insights-data

Clean up the job:

$ oc delete -n openshift-insights job insights-operator-job

Uploading an Insights Operator archive

You can manually upload an Insights Operator archive to console.redhat.com to diagnose potential issues.

Prerequisites

You are logged in to OpenShift Container Platform as cluster-admin.
You have a workstation with unrestricted internet access.
You have created a copy of the Insights Operator archive.

Procedure

Download the dockerconfig.json file:

$ oc extract secret/pull-secret -n openshift-config --to=.

Copy your "cloud.openshift.com" "auth" token from the dockerconfig.json file:

{
  "auths": {
    "cloud.openshift.com": {
      "auth": "<your_token>",
      "email": "asd@redhat.com"
    }
}

Upload the archive to console.redhat.com:

$ curl -v -H "User-Agent: insights-operator/one10time200gather184a34f6a168926d93c330 cluster/<cluster_id>" -H "Authorization: Bearer <your_token>" -F "upload=@<path_to_archive>; type=application/vnd.redhat.openshift.periodic+tar" https://console.redhat.com/api/ingress/v1/upload

where <cluster_id> is your cluster ID, <your_token> is the token from your pull secret, and <path_to_archive> is the path to the Insights Operator archive.

If the operation is successful, the command returns a "request_id" and "account_number":

Example output

* Connection #0 to host console.redhat.com left intact
{"request_id":"393a7cf1093e434ea8dd4ab3eb28884c","upload":{"account_number":"6274079"}}%

Verification

Log in to https://console.redhat.com/openshift.
Click the Cluster List menu in the left pane.
To display the details of the cluster, click the cluster name.
Open the Red Hat Lightspeed Advisor tab of the cluster.

If the upload was successful, the tab displays one of the following:
- Your cluster passed all recommendations, if the Red Hat Lightspeed advisor service did not identify any issues.
- A list of issues that the Red Hat Lightspeed advisor service has detected, prioritized by risk (low, moderate, important, and critical).

Enabling Insights Operator data obfuscation

You can enable obfuscation to mask sensitive and identifiable IPv4 addresses and cluster base domains that the Insights Operator sends to console.redhat.com.

Warning

Although this feature is available, Red Hat recommends keeping obfuscation disabled for a more effective support experience.

Obfuscation assigns non-identifying values to cluster IPv4 addresses, and uses a translation table that is retained in memory to change IP addresses to their obfuscated versions throughout the Insights Operator archive before uploading the data to console.redhat.com.

For cluster base domains, obfuscation changes the base domain to a hardcoded substring. For example, cluster-api.openshift.example.com becomes cluster-api.<CLUSTER_BASE_DOMAIN>.

The following procedure enables obfuscation using the support secret in the openshift-config namespace.

Prerequisites

You are logged in to the OpenShift Container Platform web console as cluster-admin.

Procedure

Navigate to Workloads → Secrets.
Select the openshift-config project.
Search for the support secret using the Search by name field. If it does not exist, click Create → Key/value secret to create it.
Click the Options menu , and then click Edit Secret.
Click Add Key/Value.
Create a key named enableGlobalObfuscation with a value of true, and click Save.
Navigate to Workloads → Pods
Select the openshift-insights project.
Find the insights-operator pod.
To restart the insights-operator pod, click the Options menu , and then click Delete Pod.

Verification

Navigate to Workloads → Secrets.
Select the openshift-insights project.
Search for the obfuscation-translation-table secret using the Search by name field.

If the obfuscation-translation-table secret exists, then obfuscation is enabled and working.

Alternatively, you can inspect /insights-operator/gathers.json in your Insights Operator archive for the value "is_global_obfuscation_enabled": true.

Additional resources

Showing data collected by the Insights Operator