Installing containers on Red Hat OpenShift by using CLIs

Before you deploy an automation container on IBM Cloud, you must configure your client environment, create an OpenShift cluster, prepare your container environment, and set up where to get the container images.

Before you begin

As an administrator of the cluster you must be able to interact with your environment.

1. Create an account on IBM Cloud.

   Log in to IBM Cloud if you already have an account.

2. If you do not already have a cluster, then create one. From the IBM Cloud Overview page, in the OpenShift Cluster tile, click Create Cluster.

   Refer to the IBM Cloud documentation to create a Kubernetes cluster.

   The cluster that you create includes attached storage.

Make sure that you have the following list of software on your computer so you can use the command line interfaces (CLIs) you need to interact with the cluster.

• IBM Cloud CLI
• OpenShift Container Platform CL
• Kubernetes CLI
• Docker CLI (Mac) or Docker CLI (Linux)
•  For 19.0.2  Helm 2.9.1

The command line tools provide granular control of the various components of IBM Cloud.

To install IBM certified software for production purposes (production charts) on IBM Cloud Public, you must prepare your environment in 1 of 2 ways before you run the installation commands.

Note: Evaluation charts are accessible on public docker registries so you do not need to create an image pull secret to use these images.

• Option 1: Create a secret to the IBM Cloud Entitled Registry. The IBM Cloud Entitled Registry is the container library that is associated with your IBM® account (MyIBM). You can pull the container images in your library directly from the command line.
• Option 2: Download the software packages from IBM Passport Advantage® (PPA), extract the images, upload the images to the IBM Cloud Container Registry, and create a secret to be able to pull the images.

1. Log in to your IBM Cloud account and select Kubernetes from the menu icon.
2. Select the cluster that you created and from the cluster details page, click OpenShift web console.
3. In the OpenShift web console menu bar, click your profile IAM#user.name@email.com > Copy Login Command and paste the copied command into your command line.

   oc login https://<CLUSTERNAME>:<CLUSTERPORT> --token=<GENERATED_TOKEN>

4. Create a project for each release you want to install by running the following commands.

   oc new-project <project_name> --description="<description>" --display-name="<display_name>"
   

5. Add privileges to the projects. Grant ibm-anyuid-scc privileges to any authenticated user and grant ibm-privileged-scc privileges to any authenticated user.

   oc project <project_name>
   oc adm policy add-scc-to-user privileged -z default
   oc adm policy add-scc-to-group ibm-anyuid-scc system:authenticated
   oc adm policy add-scc-to-user ibm-privileged-scc system:authenticated

   Note: You need a privileged account to run the oc adm policy command. The <project_name> must have pull request privileges to the registry where the images are loaded. The <project_name> must also have pull request privileges to push the images into another namespace.
6. Make sure that your entitled container images are available and accessible in one of the IBM docker registries.
   • Option 1: Create a pull secret for the IBM Cloud Entitled Registry
     1. Log in to MyIBM Container Software Library with the IBMid and password that is associated with the entitled software.
     2. In the Container software library tile, click View library and then click Copy key to copy the entitlement_key to the clipboard.
     3. Create a pull secret by running a kubectl create secret command.

        kubectl create secret docker-registry <my_pull_secret> -n "<namespace>"
          --docker-server=cp.icr.io 
          --docker-username=cp 
          --docker-password="<entitlement_key>" 
          --docker-email=user@foo.com
        

        Note: The cp.icr.io and cp values for the docker-server and docker-username parameters must be used. Take a note of the pull secret and the server values so that you can set them to the pullSecrets and repository parameters when you run the installation for your containers.
     4. Install the Container Registry plug-in.

        ibmcloud plugin install container-registry -r 'IBM Cloud'

     5. Log in to your IBM Cloud account.

        ibmcloud login -a https://cloud.ibm.com

     6. Set the region as global.

        ibmcloud cr region-set global

     7. List the available images by using the following command.

        ibmcloud cr image-list --include-ibm | grep -i cp4a

   • Option 2: Download the packages from PPA and load the images
     1. If you do not already have the Certified Kubernetes eAssembly images that you want to install, go to IBM Passport Advantage and find the part numbers in the download document. Download all the Certified Kubernetes Multiplatform parts that you want to install.
     2. Log in to your IBM Cloud account in the IBM Cloud CLI.

        ibmcloud login --sso

        Then, enter the one time code that is sent to your computer.

     3. Log your local Docker daemon into the IBM Cloud Container Registry, create the project namespaces, list the new namespaces, and check that you can run docker.

        ibmcloud cr login
        ibmcloud cr namespace-add <project_name>
        ibmcloud cr namespace-list
        docker ps

        Run a kubectl command to make sure that you can use the Kubernetes CLI.

        kubectl cluster-info
        

     4. Download the loadimages.sh script. Select the version that you are interested in from the Branch menu. Change the permissions so that you can run the script.

        chmod +x loadimages.sh

     5. Use the loadimages.sh script to push the images into the IBM Cloud Container Registry.

        ./loadimages.sh -p <PPA-ARCHIVE>.tgz -r <registry_domain_name>/<project_name>

        Note: A registry domain name is associated with your cluster location. The name us.icr.io for example, is for the region us-south. The region and registry domain names are listed on the https://cloud.ibm.com/docs/services/Registry.

        For more information about how to use the script, see the GitHub README.md.

     6. After you push the images to the registry, check whether they are pushed correctly by running the following command.

        ibmcloud cr images --restrict <project_name>

     7. Create a pull secret to be able to pull images from the IBM Cloud Container Registry.

        kubectl --namespace <project_name> create secret docker-registry <my_pull_secret> \
           --docker-server=<registry_domain_name> --docker-username=iamapikey \
           --docker-password="<APIKEY>" --docker-email=<IBMID>

        To generate an API KEY, go to Security > Manage > Identity and Access > IBM Cloud API Keys in the IBM Cloud menu and select Generate an IBM Cloud API key.

     8. Take a note of the secret names so that you can set them to the pullSecrets parameter when you run the installation for your containers.