You can manually gather and upload Insights Operator archives to diagnose issues from a restricted network.

To use the Insights Operator in a restricted network, you must:

  • Create a copy of your Insights Operator archive.

  • Upload the Insights Operator archive to console.redhat.com.

Additionally, you can choose to obfuscate the Insights Operator data before upload.

Running an Insights Operator gather operation

You must run a gather operation to create an Insights Operator archive.

  • You are logged in to OKD as cluster-admin.

  1. Create a file named gather-job.yaml using this template:

    apiVersion: batch/v1
    kind: Job
      name: insights-operator-job
        config.openshift.io/inject-proxy: insights-operator
      backoffLimit: 6
      ttlSecondsAfterFinished: 600
          restartPolicy: OnFailure
          serviceAccountName: operator
            beta.kubernetes.io/os: linux
            node-role.kubernetes.io/master: ""
          - effect: NoSchedule
            key: node-role.kubernetes.io/master
            operator: Exists
          - effect: NoExecute
            key: node.kubernetes.io/unreachable
            operator: Exists
            tolerationSeconds: 900
          - effect: NoExecute
            key: node.kubernetes.io/not-ready
            operator: Exists
            tolerationSeconds: 900
          - name: snapshots
            emptyDir: {}
          - name: service-ca-bundle
              name: service-ca-bundle
              optional: true
          - name: insights-operator
            image: quay.io/openshift/origin-insights-operator:latest
            terminationMessagePolicy: FallbackToLogsOnError
            - name: snapshots
              mountPath: /var/lib/insights-operator
            - name: service-ca-bundle
              mountPath: /var/run/configmaps/service-ca-bundle
              readOnly: true
            - containerPort: 8443
              name: https
                cpu: 10m
                memory: 70Mi
            - gather
            - -v=4
            - --config=/etc/insights-operator/server.yaml
            - name: sleepy
              image: quay.io/openshift/origin-base:latest
                - /bin/sh
                - -c
                - sleep 10m
              volumeMounts: [{name: snapshots, mountPath: /var/lib/insights-operator}]
  2. Copy your insights-operator image version:

    $ oc get -n openshift-insights deployment insights-operator -o yaml
  3. Paste your image version in gather-job.yaml:

          - name: insights-operator
            image: <your_insights_operator_image_version>
            terminationMessagePolicy: FallbackToLogsOnError
  4. Create the gather job:

    $ oc apply -n openshift-insights -f gather-job.yaml
  5. Find the name of the job pod:

    $ oc describe -n openshift-insights job/insights-operator-job
    Example output
      Type    Reason            Age    From            Message
      ----    ------            ----   ----            -------
      Normal  SuccessfulCreate  7m18s  job-controller  Created pod: insights-operator-job-<your_job>

    where insights-operator-job-<your_job> is the name of the pod.

  6. Verify that the operation has finished:

    $ oc logs -n openshift-insights insights-operator-job-<your_job> insights-operator
    Example output
    I0407 11:55:38.192084       1 diskrecorder.go:34] Wrote 108 records to disk in 33ms
  7. Save the created archive:

    $ oc cp openshift-insights/insights-operator-job-<your_job>:/var/lib/insights-operator ./insights-data
  8. Clean up the job:

    $ oc delete -n openshift-insights job insights-operator-job

Uploading an Insights Operator archive

You can manually upload an Insights Operator archive to console.redhat.com to diagnose potential issues.

  • You are logged in to OKD as cluster-admin.

  • You have a workstation with unrestricted internet access.

  • You have created a copy of the Insights Operator archive.

  1. Download the dockerconfig.json file:

    $ oc extract secret/pull-secret -n openshift-config --to=.
  2. Copy your "cloud.openshift.com" "auth" token from the dockerconfig.json file:

      "auths": {
        "cloud.openshift.com": {
          "auth": "<your_token>",
          "email": "asd@redhat.com"
  3. Upload the archive to console.redhat.com:

    $ curl -v -H "User-Agent: insights-operator/one10time200gather184a34f6a168926d93c330 cluster/<cluster_id>" -H "Authorization: Bearer <your_token>" -F "upload=@<path_to_archive>; type=application/vnd.redhat.openshift.periodic+tar" https://console.redhat.com/api/ingress/v1/upload

    where <cluster_id> is your cluster ID, <your_token> is the token from your pull secret, and <path_to_archive> is the path to the Insights Operator archive.

    If the operation is successful, the command returns a "request_id" and "account_number":

    Example output
    * Connection #0 to host console.redhat.com left intact
Verification steps
  1. Log in to https://console.redhat.com/openshift.

  2. Click the Clusters menu in the left pane.

  3. To display the details of the cluster, click the cluster name.

  4. Open the Insights Advisor tab of the cluster.

    If the upload was successful, the tab displays one of the following:

    • Your cluster passed all recommendations, if Insights Advisor did not identify any issues.

    • A list of issues that Insights Advisor has detected, prioritized by risk (low, moderate, important, and critical).

Enabling Insights Operator data obfuscation

You can enable obfuscation to mask sensitive and identifiable IPv4 addresses and cluster base domains that the Insights Operator sends to console.redhat.com.

Although this feature is available, Red Hat recommends keeping obfuscation disabled for a more effective support experience.

Obfuscation assigns non-identifying values to cluster IPv4 addresses, and uses a translation table that is retained in memory to change IP addresses to their obfuscated versions throughout the Insights Operator archive before uploading the data to console.redhat.com.

For cluster base domains, obfuscation changes the base domain to a hardcoded substring. For example, cluster-api.openshift.example.com becomes cluster-api.<CLUSTER_BASE_DOMAIN>.

The following procedure enables obfuscation using the support secret in the openshift-config namespace.

  • You are logged in to the OKD web console as cluster-admin.

  1. Navigate to WorkloadsSecrets.

  2. Select the openshift-config project.

  3. Search for the support secret using the Search by name field. If it does not exist, click CreateKey/value secret to create it.

  4. Click the Options menu kebab, and then click Edit Secret.

  5. Click Add Key/Value.

  6. Create a key named enableGlobalObfuscation with a value of true, and click Save.

  7. Navigate to WorkloadsPods

  8. Select the openshift-insights project.

  9. Find the insights-operator pod.

  10. To restart the insights-operator pod, click the Options menu kebab, and then click Delete Pod.

  1. Navigate to WorkloadsSecrets.

  2. Select the openshift-insights project.

  3. Search for the obfuscation-translation-table secret using the Search by name field.

If the obfuscation-translation-table secret exists, then obfuscation is enabled and working.

Alternatively, you can inspect /insights-operator/gathers.json in your Insights Operator archive for the value "is_global_obfuscation_enabled": true.

Additional resources