(Recommended) Setting up the cluster by running a script

To install the Cloud Pak capabilities with the Cloud Pak operators, a cluster administrator user can run a script to set up the cluster. They can also run the script in silent mode if set of environment variables are created before the script is run. The administrator must also provide information that they get from the script to a non-administrator user so they can run the deployment script.

Before you begin

Make sure that you prepared your cluster with the necessary infrastructure and software. For more information, see Option 1: Preparing your cluster for an online deployment.

About this task

The cluster setup script is one of four core scripts (cluster setup, prerequisites, deployment, and post-install) that are provided to help you install the Cloud Pak capabilities. You must be a cluster administrator to run the setup script. For more information, see Targeted role-based user archetypes.

The cluster setup script identifies or creates a namespace and applies the custom resource definitions (CRD). It then adds the specified user to the ibm-cp4a-operator role, binds the role to the service account, and applies a security context constraint (SCC) for the Cloud Pak.

The script also prompts the administrator to take note of the cluster hostname and a dynamic storage class on the cluster. These names must be provided to the user who runs the deployment script.

Note: You can run the scripts on an amd64/x86, a Linux on Z, or a Linux on Power machine that can run Podman. The setup script does not set any parameters in the custom resource (CR). The cluster administrator might be running the script on a different host than the user who later runs the deployment script.

A new installation of Cloud Pak for Business Automation always includes a namespace-scoped instance of foundational services when you use the scripts.

Use the following steps to complete the setup.

Procedure

  1. Download the appropriate repository to a Linux® based machine (RHEL) or a client to a linux-based machine or VM that runs Podman natively.

    For more information about downloading cert-kubernetes, see Option 1: Preparing your cluster for an online deployment.

  2. Optional: If you want to run the script in silent mode, create the environment variables that are needed for your installation. For more information, see Environment variables for installation in silent mode.
  3. Log in to the target cluster as the <cluster-admin> user.

    Using the OpenShift CLI:

    oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>

    On ROKS, if you are not already logged in:

    oc login --token=<token> --server=https://<cluster-ip>:<port>
    Tip: You can copy the oc login command from the console. Login to the OCP console using valid credentials, click the user menu and then click Copy Login command. Click Display token, and copy the token for the oc login command.
  4. Change the directory to the extracted cert-kubernetes/scripts folder.
    cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes/scripts
  5. Run the cluster setup script and follow the prompts in the command window.
    ./cp4a-clusteradmin-setup.sh 
    1. Select the CP4BA deployment environment: Online (1) / Offline or Airgap (2). Select Online.
    2. Select the platform type: ROKS (1) or OCP (2).
    3. Select the deployment type production.
    4. If you plan to enable FIPS for your Cloud Pak for Business Automation deployment, select Yes to check that the worker nodes on the cluster are FIPS enabled.
      Note: If all the compute nodes are FIPS enabled, then the script creates a configMap (cp4ba-fips-status) in the target deployment namespace (cp4ba-project for example) to record that FIPS is enabled.
      kind: ConfigMap
      apiVersion: v1
      metadata:
        name: cp4ba-fips-status
        namespace: <project_name>
      data:
        all-fips-enabled: 'Yes'
    5. Accept the default Yes to install CP4BA as a private catalog rather than in the global catalog namespace (GCN). The GCN uses the openshift-marketplace namespace, the private option uses the target namespace of your CP4BA deployment.

      If an existing CP4BA operator is found in another namespace on your cluster, confirm that you want to deploy another CP4BA operator in the new namespace by entering Yes.

    6. Select Yes if you want to install the CP4BA operators and the CP4BA deployments in separate namespaces. Select No if you do not want to install the CP4BA operators and the CP4BA deployments in separate namespaces. The default is No.

      If you selected Yes to separate the operators from the deployments, enter the names for new namespaces or existing namespaces. For example, cp4a-operators and cp4a-operands.

    7. Enter the name for a new project or an existing namespace (cp4ba-project) for the target deployment. For more information, see Preparing a namespace for the operator.
    8. Enter Yes or No to confirm whether you want to use the images in the IBM Entitlement Registry.
    9. If you replied Yes to use the IBM Entitlement Registry, enter your IBM Entitled Registry key. For more information, see Getting access to images from the public IBM Entitled Registry.

      If you want to load the container images to a local registry, then set up the cluster by mirroring the images instead of running the cp4a-clusteradmin-setup.sh script. For more information, see Setting up the cluster and use a local image registry.

      Tip: If you ran the cp4a-clusteradmin-setup.sh script and you see one or more of the following messages, then make sure that you start Docker or Podman and run the script again.
      Error saving credentials: error storing credentials
      Error: unable to connect
      The Entitlement Registry key failed

    The following message is displayed:

    [INFO] Applying the latest IBM CP4BA Operator catalog source...
    [✔] IBM CP4BA Operator catalog source Updated!
    [INFO] Starting to install IBM Cert Manager and IBM Licensing Operator ...
  6. Monitor the operator pods until they show a STATUS of "Running".
    oc get pod -w
    Tip: If ibm-cp4a-operator is inactive for some time, you can delete the operator pod and let it reconcile.

    To confirm that the operator is stuck, check to see whether the log is providing an output.

    oc project <namespace of Cloud Pak for Business Automation operator>
    NAMESPACE=$(oc project -q)
    oc get pod | grep ibm-cp4a-operator | awk '{print $1}'

    The command returns two pod names. The ibm-cp4a-operator-catalog and one that has a suffix of around ten and then five characters, for example, ibm-cp4a-operator-696d8d9555-27qrf. Use the pod name that is not the catalog in the following command.

    podname=$(oc get pod | grep ibm-cp4a-operator-696d8d9555-27qrf | awk '{print $1}')
    oc logs $podname -c operator -n $NAMESPACE

    You can also list the ClusterServiceVersion (CSV) to verify the version of the running operators on your cluster.

    oc get csv -n $NAMESPACE
    Note: The version number (24.0.0) of the installed operators correspond to the channel for Cloud Pak for Business Automation 24.0.0.

    If you set any subscriptions to manual, then you must approve any pending operator updates. It is not recommended to set subscriptions to manual because it can be error prone when some of the dependency operators are not approved. By default, all subscriptions are set to automatic.

    Tip: Subscriptions for the Cloud Pak foundational services operators are created when they are "needed". Some subscriptions are created during the installation of the operators. If other subscriptions are needed, they are created during the installation of the CP4BA deployment. Business Teams Service, for example, is installed only "if it is needed". To check for subscriptions that are waiting for approval, get the install plans by running the following command.
    oc get installPlan

Results

When the script is finished, all the available storage class names are displayed along with the infrastructure node name. Take a note of the following information and provide it to the Cloud Pak admin user as they are needed for the deployment script:

  1. Project name or namespace.
  2. Username to log in to the cluster.

What to do next

You can see the list of operators that are installed in your cluster on the Operators > Installed Operators page. For more information about foundational services, see IBM Cloud Pak foundational services.

To verify the foundational services installation, check whether all the pods in the target CP4BA deployment namespace are running. Use the following command:

oc get pods -n $NAMESPACE

Continue to prepare everything that you need for each capability that you want to install in Preparing your chosen capabilities.