To install the Cloud Pak capabilities with the Cloud Pak operators, a cluster
administrator user can run a script to set up the cluster. They can also run the script in silent mode if set of environment variables are created before the
script is run. The administrator must also provide
information that they get from the script to a non-administrator user so they can run the deployment
script.
About this task
The cluster setup script is one of four core scripts (cluster setup, prerequisites, deployment,
and post-install) that are provided to help you install the Cloud Pak capabilities. You must be a
cluster administrator to run the setup script. For more information, see Targeted
role-based user archetypes.
The cluster setup script identifies or creates a namespace and applies the custom resource
definitions (CRD). It then adds the specified user to the ibm-cp4a-operator
role,
binds the role to the service account, and applies a security context constraint (SCC) for the Cloud
Pak.
The script also prompts the administrator to take note of the cluster hostname and a dynamic
storage class on the cluster. These names must be provided to the user who runs the deployment
script.
Note: You can run the scripts on an amd64/x86, a Linux on Z, or a Linux on Power machine that can
run Podman. The setup script does not set any parameters in the custom resource (CR). The cluster
administrator might be running the script on a different host than the user who later runs the
deployment script.
A new installation of Cloud Pak for Business Automation always includes a
namespace-scoped instance of foundational services when you use the scripts.
Use the following steps to complete the setup.
Procedure
-
Download the appropriate repository to a Linux® based
machine (RHEL) or a client to a linux-based machine or VM that runs Podman natively.
- Optional: If you want to run the script in silent mode, create the
environment variables that are needed for your installation. For more information, see Environment variables
for installation in silent mode.
-
Log in to the target cluster as the
<cluster-admin>
user.
Using the OpenShift CLI:
oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>
On ROKS, if you are not already logged in:
oc login --token=<token> --server=https://<cluster-ip>:<port>
Tip: You can copy the oc login command from the console. Login to the
OCP console using valid credentials, click the user menu and then click Copy Login
command. Click Display token, and copy the token for the
oc login command.
- Change the directory to the extracted cert-kubernetes/scripts
folder.
cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes/scripts
- Run the cluster setup script and follow the prompts in the command window.
./cp4a-clusteradmin-setup.sh
- Select the CP4BA deployment environment: Online (1) /
Offline or Airgap (2). Select Online.
- Select the platform type: ROKS (1) or OCP (2).
- Select the deployment type production.
- If you plan to enable FIPS for your Cloud Pak for Business Automation deployment, select
Yes to check that the worker nodes on the cluster are FIPS enabled.
Note: If all the compute nodes are FIPS enabled, then the script creates a configMap
(
cp4ba-fips-status
) in the target deployment namespace
(
cp4ba-project for example) to record that FIPS is enabled.
kind: ConfigMap
apiVersion: v1
metadata:
name: cp4ba-fips-status
namespace: <project_name>
data:
all-fips-enabled: 'Yes'
- Accept the default
Yes
to install CP4BA as a private catalog rather than in the
global catalog namespace (GCN). The GCN uses the openshift-marketplace
namespace,
the private option uses the target namespace of your CP4BA deployment. If an existing CP4BA
operator is found in another namespace on your cluster, confirm that you want to deploy another
CP4BA operator in the new namespace by entering Yes
.
- Select
Yes
if you want to install the CP4BA operators and the CP4BA deployments
in separate namespaces. Select No
if you do not want to install the CP4BA operators
and the CP4BA deployments in separate namespaces. The default is No
. If you
selected Yes
to separate the operators from the deployments, enter the names for
new namespaces or existing namespaces. For example, cp4a-operators
and
cp4a-operands
.
- Enter the name for a new project or an existing namespace (
cp4ba-project
) for
the target deployment. For more information, see Preparing a namespace for the operator.
- Enter Yes or No to confirm whether you want to use
the images in the IBM Entitlement Registry.
- If you replied Yes to use the IBM Entitlement Registry, enter your IBM
Entitled Registry key. For more information, see Getting access to images from the public IBM Entitled Registry.
If you want to load the container images to a local registry, then set up the cluster by
mirroring the images instead of running the cp4a-clusteradmin-setup.sh script.
For more information, see Setting up the cluster and use a local image registry.
Tip: If you ran the
cp4a-clusteradmin-setup.sh
script and you see one or more of the following messages, then make sure that you start Docker or
Podman and run the script
again.
Error saving credentials: error storing credentials
Error: unable to connect
The Entitlement Registry key failed
The following message is displayed:
[INFO] Applying the latest IBM CP4BA Operator catalog source...
[✔] IBM CP4BA Operator catalog source Updated!
[INFO] Starting to install IBM Cert Manager and IBM Licensing Operator ...
-
Monitor the operator pods until they show a STATUS of "Running".
oc get pod -w
Tip: If
ibm-cp4a-operator is inactive for some time, you can delete
the operator pod and let it reconcile.
To confirm that the operator is stuck, check to see
whether the log is providing an output.
oc project <namespace of Cloud Pak for Business Automation operator>
NAMESPACE=$(oc project -q)
oc get pod | grep ibm-cp4a-operator | awk '{print $1}'
The command returns two pod
names. The ibm-cp4a-operator-catalog
and one that has a suffix of around ten and
then five characters, for example, ibm-cp4a-operator-696d8d9555-27qrf
. Use the pod
name that is not the catalog in the following
command.
podname=$(oc get pod | grep ibm-cp4a-operator-696d8d9555-27qrf | awk '{print $1}')
oc logs $podname -c operator -n $NAMESPACE
You can also list the ClusterServiceVersion
(CSV) to verify the version of the
running operators on your cluster.
oc get csv -n $NAMESPACE
Note: The version number (24.0.0) of the installed
operators correspond to the channel for Cloud Pak for Business Automation
24.0.0.
If you set any subscriptions to manual
, then you must approve any pending
operator updates. It is not recommended to set subscriptions to manual
because it
can be error prone when some of the dependency operators are not approved. By default, all
subscriptions are set to automatic
.
Tip: Subscriptions for the
Cloud Pak foundational services operators are
created when they are "needed". Some subscriptions are created during the installation of the
operators. If other subscriptions are needed, they are created during the installation of the CP4BA
deployment. Business Teams Service, for example, is installed only "if it is needed". To check for
subscriptions that are waiting for approval, get the install plans by running the following
command.
oc get installPlan
Results
When the script is finished, all the available storage class names are displayed along with the
infrastructure node name. Take a note of the following information and provide it to the Cloud Pak
admin user as they are needed for the deployment script:
- Project name or namespace.
- Username to log in to the cluster.
What to do next
You can see the list of operators that are installed in your cluster on the page. For more information about
foundational services, see IBM Cloud Pak foundational services.
To verify the foundational services installation, check whether all the pods in the target CP4BA
deployment namespace are running. Use the following command:
oc get pods -n $NAMESPACE
Continue to prepare everything that you need for each capability that you want to install in
Preparing your chosen capabilities.