Installing the v10 target system on OpenShift and Cloud Pak for Integration

On the target system, configure a cluster, create the necessary secrets, and install API Connect.

Before you begin

Check that your apicv10install directory contains:

About this task

The installation of v10 for v2018 form factor migration differs from a standard installation in that you must use the v2018 encryption secret for your Management subsystem, instead of the default encryption secret that is created in a standard v10 installation. You can also use the same portal backup configuration if you want to restore your v2018 portal backup to v10 to keep your v2018 portal site customizations. This task describes the steps of the standard v10 installation that should be followed, and at which points in the process to apply the v2018 extracted data.

All operations in this task are completed from your apicv10install directory.

Note: It is recommended that you keep the console output of all Python scripts that are run. On most macOS and Linux environments, appending the following to the end of the command saves the output to the specified file:
2>&1 | tee <output filename>

Procedure

  1. Install the API Connect operators and create your namespace. Follow the steps described on Installing operators.
  2. Create the secrets based on your v2018 extracted data.
    1. Create the secrets by running the create_secrets_in_target.py script:
      • If both Management and Portal are in the same namespace, or if Portal is not installed:
        python3 create_secrets_in_target.py -n <namespace>
      • If Management and Portal are in different namespaces:
        python3 create_secrets_in_target.py -mgmt_ns <mgmt_namespace> -ptl_ns <portal_namespace>

      When the script detects more than one portal subsystem, it prompts you to select the portal subsystem name that you want to create the secrets for. For the remaining portal subsystems, specify the different portal namespace and name with the -ptl_ns and -ptl_subsys_name arguments:

      python3 create_secrets_in_target.py -skip_mgmt -ptl_ns <portal_x_namespace> -ptl_subsys_name <portal subsystem name>
    2. Verify that the secrets were created.

      Run the oc get secrets command as in the following example:

      # oc get secrets -n <namespace>
      NAME                               TYPE                                  DATA   AGE
      ...
      <mgmt deployment name>-enc-key     Opaque                                1      2m47s
      <portal deployment name>-enc-key   Opaque                                1      2m47s
      management-backup-secret           Opaque                                2      2m47s
      portal-backup-secret               Opaque                                2      2m47s
    3. Delete the v2018 Portal database encryption secret <ptl_deployment_name>-enc-key.
      Run the following command to delete the secret:
      # oc -n <namespace> delete secret <portal deployment name>-enc-key
      Note: The v2018 Portal database encryption secret is not compatible with v10. After you delete the <ptl_deployment_name>-enc-key, a new secret will be generated when you apply the subsystem CR in a later step.
  3. Cloud Pak for Integration: Install the Platform UI, as described in https://www.ibm.com/docs/en/cloud-paks/cp-integration.
  4. Create a top-level CR YAML file, but do not apply it: run install_apic_on_ocp.py with -no_install:
    On OpenShift, run:
    # python3 install_apic_on_ocp.py -name <name> -n <apic-namespace> -no_install -license "<license>" -storageclass_apic <storage class>
    ...
    Create top level CR::
    no_install flag is set to true. Not installing API Connect.
    Location of API Connect top level CR file :  /root/installapic/data/top_level_cr.yaml
    ...
    This script performed the following actions in the target cluster:
    **********************************************************************
    - Generated the yamls for catalog sources, subscriptions and top level CR. Check the data directory and data/temp directory.
    ...
    Where
    • <name> is the name that you want for your v10 top-level CR deployment. If not specified, the default is minimum.
    • <namespace> is the namespace that you created for your v10 API Connect.
    • <license> is the license ID, see API Connect licenses.
    • <storage class> is the name of the storage class your v10 API Connect deployment is using.
    On Cloud Pak for Integration you must specify your Platform UI storage class and license: -cp4i -storage_classs_pn <platform ui storage class> -license_pn <platform ui license>:
    # python3 install_apic_on_ocp.py -name <name> -n <namespace> -no_install -license "<license>" -storageclass_apic <storage class> -cp4i -storage_classs_pn <platform ui storage class> -license_pn <platform ui license>
    The top_level_cr.yaml is created in your data directory.
    Important: Save the generated Portal encryption key
  5. Edit the generated data/top_level_cr.yaml file. You must set the management.databaseBackup section to your new location for v10 backups. You can change other settings in this file, but do not change the management.encryptionSecret. Example top_level_cr.yaml file:
    apiVersion: apiconnect.ibm.com/v1beta1
    kind: APIConnectCluster
    metadata:
      labels:
        app.kubernetes.io/instance: apiconnect
        app.kubernetes.io/managed-by: ibm-apiconnect
        app.kubernetes.io/name: apiconnect-<name>
      name: <name>
      namespace: <namespace>
    spec:
      analytics:
        storage:
          enabled: true
          type: unique
      license:
        accept: true
        license: <license>
        use: nonproduction
      management:
        customApplicationCredentials: []
        databaseBackup:
          credentials: management-backup-secret
          host: backup.ibm.com
          path: /backups/management
          port: 22
          protocol: sftp
          schedule: 0 0 1 1 *
        encryptionSecret:
          secretName: v2018source-management-enc-key
      portal:
        portalBackup:
          credentials: portal-backup-secret
          host: backup.ibm.com
          path: /backups/portal
          port: 22
          protocol: sftp
          schedule: 0 0 1 1 *
      profile: n1xc7.m48
      storageClassName: <storage class>
      version: 10.0.x.x
    
  6. Apply the top_level_cr.yaml file:
    oc apply -f top_level_cr.yaml
    Your v10 API Connect cluster is deployed. You can monitor the progress with:
    oc get all -n <apic-namespace>
  7. Install additional Portal, Gateway, and Analytics subsystems as needed, as individual subsystem CRs.
    Note: To migrate all your v2018 data, install at least as many Portal and Gateway subsystems as you have on your v2018 source deployment. If you want to do a staged migration, you can install any remaining subsystems later.
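
A pre-apply check for steps 2 and 5, as an added example that is not part of the IBM scripts: it confirms that every secret the top-level CR references exists in the namespace and that the v2018 Portal encryption secret was deleted. The function names and both sample inputs are constructed, and it assumes that any other *-enc-key secret present before the CR is applied is the v2018 Portal key.

```python
# Added example, not IBM code. Both SAMPLE_* inputs below are constructed.
def flatten_cr(text):
    """Flatten nested YAML mappings to {'a.b.c': value}; not a full YAML parser."""
    flat, stack = {}, []  # stack: (indent, key) of the currently open parents
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings that ended at this indentation
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip()
        else:
            stack.append((indent, key))
    return flat

def check(cr_text, oc_table):
    cr, problems = flatten_cr(cr_text), []
    # First column of `oc get secrets`, minus the header and '...' rows.
    names = {l.split()[0] for l in oc_table.splitlines() if l.strip()}
    present = names - {"NAME", "..."}
    enc = cr.get("spec.management.encryptionSecret.secretName")
    for path in ("spec.management.encryptionSecret.secretName",
                 "spec.management.databaseBackup.credentials",
                 "spec.portal.portalBackup.credentials"):
        name = cr.get(path)
        if name not in present:  # also catches a key that is not set
            problems.append(f"{path}: secret {name!r} not in namespace")
    # Assumption: before the CR is applied, any other *-enc-key secret is the
    # v2018 Portal key that step 2.3 deletes.
    for name in sorted(present - {enc}):
        if name.endswith("-enc-key"):
            problems.append(f"v2018 Portal key still present: {name}")
    return problems

SAMPLE_CR = """spec:
  management:
    databaseBackup:
      credentials: management-backup-secret
    encryptionSecret:
      secretName: v2018source-management-enc-key
  portal:
    portalBackup:
      credentials: portal-backup-secret"""
SAMPLE_SECRETS = """NAME  TYPE  DATA  AGE
v2018source-management-enc-key  Opaque  1  2m47s
v2018source-portal-enc-key      Opaque  1  2m47s
management-backup-secret        Opaque  2  2m47s"""
```

Pass it the contents of data/top_level_cr.yaml and the output of oc get secrets -n <namespace> before step 6; an empty list means every check passed.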

Postinstallation verification and v10 toolkit CLI download.

  1. Log in to the Cloud Manager UI: Login to Cloud Manager UI.
  2. Download the v10 toolkit CLI (CLI only) and credentials.json file, see Installing the v10 toolkit.
  3. Unpack the v10 toolkit CLI, and copy the apic-slim and credentials.json files to your apicv10install directory. Rename apic-slim to apic.
  4. Ensure that your v10 toolkit CLI apic command is in your PATH variable:
    export PATH=<apicv10install directory>:$PATH
  5. Set your toolkit CLI credentials with:
    apic client-creds:set <apicv10install directory>/credentials.json
  6. Verify you can log in to your Management subsystem with the toolkit CLI. Use the same password as you used to log in to the Cloud Manager UI.
    apic login --server <platform_api_endpoint> --username admin --realm admin/default-idp-1
    where <platform_api_endpoint> is the FQDN of the platform api endpoint that is defined for your v10 Management subsystem, as returned by this command:
    oc get routes -n <apic namespace> | grep platform-api
    For more information, see v10 toolkit CLI login.

What to do next

Restore your v2018 source data to your v10 target deployment: Restoring the v2018 data to the v10 target deployment.