Changes of the OCP4 upgrade on restricted network from OCP 4.4

As of OCP 4.4, the target upgrade image can verify it using ConfigMap which is included signature resource for that, even though the OCP4 cannot access to Internet. So you need not to use “ — force” option when you run the upgrade command. I will demonstrate it around the new changes of the upgrade in the restricted network environment.

Demonstration Summary

You should create a the release images signature ConfigMap manually for verifying release images by Cluster Version Operator. If you use greater than oc CLI 4.4.8, you can create the ConfigMap automatically using “ — apply-release-image-signature” option.

In this demonstration, upgrade version from 4.5.3 to 4.5.4 on the restricted network environment.

Set prerequisite environment variables

Mirror the release images for upgrade

Run the upgrade command

As you see, the upgrade command can run without “ — force” option.

You can compare this difference with previous version(OCP4.3) at here, “How to upgrade OCP4 in the restricted network ?”.

Upgrade states on Web console

For your information, let’s look at the upgrade states at the Web console before and after the upgrade.

Before the upgrade, the current image hash string is for OCP 4.5.3.

After running the upgrade, the image hash string is changed as OCP 4.5.4.

Thank you for reading.