Containers: If your cluster is not connected to the internet, you can install Business Automation Workflow by using a bastion server.
It is common in production to have a cluster that cannot access the internet. In these cases, you can still install Business Automation Workflow and OpenShift® Container Platform (OCP) in an offline (otherwise known as air gap or disconnected) environment. You can use the IBM operator catalog to mimic a typical online installation, except that the images are in your own registry. You first store the images on a bastion server and then transfer them to a local network. A bastion server is a device that has access to both the public internet and an internal local registry on an OCP cluster that is protected by a firewall. Using the bastion server, you can replicate your images directly to the local registry. The OCP cluster can then continue to use the images behind the firewall.
Before you begin
Follow all the instructions in the following topics to set up the environment:
Procedure
- Log in to your cluster with an ID that has at least Operator permissions for the cluster.
- On the bastion host, create the following environment variables with the installer image name and the image inventory so that you can connect to the internet and download the corresponding CASE file. Replace ibm-cs-bawautomation-2.5.x.tgz with the latest version from https://github.com/IBM/cloud-pak/tree/master/repo/case/.
export CASE_ARCHIVE=ibm-cs-bawautomation-2.5.x.tgz
export CASE_INVENTORY_SETUP=cp4aOperatorSetup
export OFFLINEDIR=${HOME}/offline
cloudctl case save \
--case https://github.com/IBM/cloud-pak/raw/master/repo/case/${CASE_ARCHIVE} \
--outputdir ${OFFLINEDIR}
Unpack the case file:
cd ${OFFLINEDIR}
tar -xvzf ${CASE_ARCHIVE}
cd cert-kubernetes
- Mirror all of the images that your deployment needs from the public image registries to a private registry. Follow the instructions in Mirroring images to a private registry.
- Install the Business Automation Workflow on Containers operator.
- Create a catalog source.
cloudctl case launch \
--case ${OFFLINEDIR}/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action install-catalog \
--namespace ${NAMESPACE} \
--args "--registry ${LOCAL_REGISTRY} --inputDir ${OFFLINEDIR} --recursive"
- Verify that the pods for the Cloud Pak operator catalogs are created. Run oc get pods -n openshift-marketplace and check that the following pods were recently created:
ibm-operator-catalog
- Install the Cloud Pak operator in the specified namespace.
cloudctl case launch \
--case ${OFFLINEDIR}/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action install-operator \
--namespace ${NAMESPACE} \
--args "--registry ${LOCAL_REGISTRY} --inputDir ${OFFLINEDIR}"
- Verify that the operator pods are installed.
oc get pod | grep ibm-cp4a-operator
Tip: If ibm-cp4a-operator is inactive for some time, you can delete the operator pod and wait for it to reconcile. To confirm that the operator is stuck, check whether the log is producing any output.
oc logs <operator pod> -f
If you see the following issues when the image is pulled, verify the global pull secret and confirm that the Docker registry username and password are correct.
Warning  Failed   <invalid> (x2 over <invalid>)  kubelet  Error: ImagePullBackOff
Normal   Pulling  <invalid> (x2 over <invalid>)  kubelet  Pulling image
The following command extracts the global pull secret to dockerconfig.json so that you can verify it.
oc -n openshift-config get secret/pull-secret -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | tr -d "\r|\n| " > dockerconfig.json
To change the credentials, you can edit the dockerconfig.json file, delete the registry entries for the registry, and then apply the changes.
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=dockerconfig.json
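One way to check the extracted dockerconfig.json before you edit or reapply it, shown as an added example that is not part of the IBM procedure: it confirms that the local registry has an entry and that the entry's auth value decodes to user:password and agrees with any plain-text username and password fields, without printing the credentials. The registry host, user name and password in the sample are constructed placeholders, and the check tests consistency only; it does not prove that the registry accepts the credentials.

```python
import base64
import binascii
import json
import sys

SAMPLE_REGISTRY = "registry.example.internal:5000"  # constructed placeholder host


def sample_config(auth_plain, **extra):
    """Build a constructed one-registry .dockerconfigjson (no real credentials)."""
    auth = base64.b64encode(auth_plain.encode()).decode()
    return json.dumps({"auths": {SAMPLE_REGISTRY: {"auth": auth, **extra}}})


def check_pull_secret(config_text, registry):
    """Return a list of problems with the entry for `registry`; empty means consistent."""
    try:
        doc = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict):
        return ["no top-level 'auths' object"]
    entry = auths.get(registry)
    if not isinstance(entry, dict):
        return [f"no entry for {registry}; registries present: {sorted(auths)}"]
    try:
        raw = base64.b64decode(str(entry.get("auth", "")), validate=True)
        user, sep, password = raw.decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return ["auth field is not valid base64 text"]
    problems = []
    if not (sep and user and password):
        problems.append("auth does not decode to user:password")
    # Optional plain-text fields must match what auth encodes.
    if "username" in entry and entry["username"] != user:
        problems.append("username field disagrees with auth")
    if "password" in entry and entry["password"] != password:
        problems.append("password field disagrees with auth")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py dockerconfig.json <registry host[:port]>
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, registry = fh.read(), sys.argv[2]
    else:  # no arguments: run against the constructed sample
        text, registry = sample_config("mirror-user:constructed-pw"), SAMPLE_REGISTRY
    issues = check_pull_secret(text, registry)
    print("\n".join(issues) if issues else f"{registry}: entry is consistent")
```

The dockerconfig.json file holds registry credentials that are only base64-encoded, so keep it readable by your user alone and delete it after the secret is updated.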
Results
When the operator is started, you can monitor the operator logs with the following command.
oc logs -f deployment/ibm-cp4a-operator -c operator