Applying the updated custom resource

An upgraded custom resource must be applied to the operator.

Procedure

  1. Run the following command to remove initialize_configuration parameter. 
    oc patch icp4acluster <CP4BA_CR_name> -n <project name> --type=json -p='[{op: remove, path: /spec/initialize_configuration}]'
  2. Run the following command to remove verify_configuration parameter. 
    oc patch icp4acluster <CP4BA_CR_name> -n <project name> --type=json -p='[{op: remove, path: /spec/verify_configuration}]'
  3. Run the following command to update the annotations of the custom resource. 
    oc annotate icp4acluster <CP4BA_CR_name> kubectl.kubernetes.io/last-applied-configuration- -n <project name>
  4. Run the following command to apply the custom resource. 
    oc apply -f <path_to_cert-kubernetes>/cert-kubernetes/scripts/cp4ba-upgrade/project/<project name>/custom_resource/icp4acluster.yaml -n <project name>
  5. Scale the operator deployment back up. 
    oc scale -\-replicas=<initialReplicas> deployment ibm-cp4a-operator

    The value of <initialReplicas> is the one that you noted when you scaled down to zero.

  6. Check the status of the deployment.
    Use the cp4a-deployment.sh script in upgradeDeploymentStatus mode to check the status of the deployment. 
    ./cp4a-deployment.sh -m upgradeDeploymentStatus -n <project_name>
  7. Use the oc get pods command to confirm that the deployment scaled up successfully. 
    oc get pods -w
    Wait for the reconcilement loop to finish. All the container pods are started with the new images. If jobs are removed, the pods are eventually deleted.

    The wait time depends on how many pods that you have in your deployment.

  8. If the script timeouts in upgradeDeploymentStatus mode while it waits for the Zen Service, you can check the overall upgrade status of the upgraded Zen Service by running the following commands. 
    ZENSERVICE_CR=$(oc get zenService --no-headers --ignore-not-found -n $TARGET_PROJECT_NAME |awk '{print $1}')
oc get zenService $ZENSERVICE_CR --no-headers --ignore-not-found -n $TARGET_PROJECT_NAME -o jsonpath='{.status.currentVersion}'
oc get zenService $ZENSERVICE_CR --no-headers --ignore-not-found -n $TARGET_PROJECT_NAME -o jsonpath='{.status.zenStatus}'
oc get zenService $ZENSERVICE_CR --no-headers --ignore-not-found -n $TARGET_PROJECT_NAME -o jsonpath='{.status.Progress}'

    If the currentVersion is 5.0.2, then go to the next step.

  9. Optional: You can monitor the ICP4ACluster instance details in the custom resource status fields of the components. Wait for the status Succeeded before you consider the upgrade successful. Run the following command: 
    oc get ICP4ACluster <instance_name> -o=jsonpath='{.status.components.component_acronym}'

    Where the <instance_name> is the name of the CP4BA cluster. By default, the name is icp4adeploy. You can get the name by running the command following command:

    oc get ICP4ACluster

    The component_acronym can be any of the following IDs:

    ae-icp4adeploy-workspace-aae, viewone, gitgatewayService, css, adsMongo, contentDesignerRepoAPI, adsLtpaCreation, adsCredentialsService, workflow-authoring, graphql, adsRrRegistration, adsRuntimeService, ae-icp4adeploy-pbk, app-engine, contentProjectDeploymentService, contentDesignerService, adsGitService, cmis, adsParsingService, bastudio, ier, adsRestApi, adsBuildService, navigator, baw, odm, cpe, iccsap, tm, adsFront, adsRunService, prereq, adsRuntimeBaiRegistration, resource-registry, pfs, adsDownloadService, ca, baml, extshare

    You can expect a Failed message before the status changes to Pending, Installing, and then Succeeded.

Results

Use the following command to see the list of versions you now have on the cluster:

oc exec -it `oc get pod|grep ibm-cp4a-operator | awk '{print $1}'` -- cat /opt/ibm/version.txt
Tip: You can run the post-installation script on your cluster to validate the upgrade. For more information, see Validating your CP4BA production deployment.

All the URL paths to the capabilities change during an upgrade and you must update any existing bookmarks.

Note: If you changed the IBM Navigator plug-ins, you must restart the pod for the changes to show up.

What to do next

How to access the capability services

A ConfigMap is created in the namespace to provide the cluster-specific details to access the services and applications. Components that are successfully upgraded have the new URLs in the ConfigMap. If any components failed, the URLs are not included. The ConfigMap name is prefixed with the deployment name (default is icp4adeploy). You can find the ConfigMap containing the routes information by clicking Workloads > ConfigMaps and then searching for the string "cp4ba-access-info".

The content of the ConfigMap depends on the components that are included. Each component has one or more URLs.

<component1> URL: <RouteUrlToAccessComponent1>  
<component2> URL: <RouteUrlToAccessComponent2>
Note: If you included multiple capabilities from FileNet Content Manager (FNCM), Automation Document Processing (ADP), and Business Automation Application (BAA) in your CP4BA deployment, then use the Navigator for CP4BA heading in the cp4ba-access-info ConfigMap and the custom resource status fields to find the route URL for Business Automation Navigator.

If you included FileNet Content Manager (FNCM) without the other capabilities, then use the Navigator for FNCM heading in the cp4ba-access-info ConfigMap and the custom resource status fields to find the route URL for Business Automation Navigator.

When all the containers are running, you can access the services. For the components that are not defined in the CP4BA custom resource, like Business Teams Service, you can add the defined prefix for the UI (teamserver/ui) to the cpd_host. The full URL is https://cpd_host/teamserver/ui, where cpd_host is the result of the command oc get route cpd.

Attention: Zen context roots are not created for some components (AE\ICN\CPE\BAI)

Using some of the URLs in the cp4ba-access-info ConfigMap, you might see a 404 (Not Found) error or a message "3.5.0.0 (xxxxxxxxxx)" on the screen instead of the application user interface.

You might also see the following errors in the log of the zen-watcher-*** pod:

nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test failed
time="2021-12-07 03:48:42" level=error msg=reload-nginx message=err pod_name=ibm-nginx-68d5877466-8dd5w
time="2021-12-07 03:48:42" level=info msg=processConfigData event="failed reloading Nginx config file. Retrying. " reason="command terminated with exit code 1" retry_count=10
time="2021-12-07 03:48:42" level=error msg=processConfigData error="command terminated with exit code 1" event="failed reloading Nginx config file for bawps-cpe-zen-extension"
time="2021-12-07 03:48:42" level=info msg=watchConfigMap event="config bawps-cpe-zen-extension added"

Workaround:

  1. Kill the zen-watcher-*** pod.
  2. Wait until the pod is re-created.
  3. Check the log of the Nginx pod (named ibm-nginx-***) to make sure that you do not have the following error "nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test failed".
  4. Make sure that you have the configuration files for your components in the /user-home/_global/nginx-conf.d directory of the Nginx pod. For example, <namespace>-cpe-zen-extension.conf.
  5. Reopen the URLs that are in the cp4ba-access-info ConfigMap.

The IBM Cloud Pak Platform (Zen) UI is used to provide a role-based user interface for all Cloud Pak capabilities. Capabilities are dynamically available in the UI based on the role of the user that logs in. If you did not run the post-installation script on your cluster to validate the upgrade, you can find the URL for the Zen UI in the OCP console by clicking Networking > Routes and looking for the name cpd, or by running the following command.

oc get route |grep "^cpd"

Log in to the Admin Hub to configure your LDAP with the Identity Management (IM) service. You have two options to log in, Enterprise LDAP and IBM provided credentials (cpadmin only). To log in to the Admin Hub to configure the LDAP, then click IBM provided credentials (cpadmin only). You can get the details for the IBM-provided cpadmin user by getting the contents of the platform-auth-idp-credentials secret in the namespace used for the CP4BA deployment. 

oc -n <namespace> get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' | base64 -d && echo

You get the password by running the following command: 

oc -n <namespace> get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d && echo

You can change the default password at any time. For more information, see Changing the cluster administrator password.

You can then onboard users and groups to Zen for any capability that provides a route. These users and user groups can then work with business applications and business automations by using the Zen-enabled routes.

If you need to, go to and complete the extra steps in Completing post-upgrade tasks.