Preparing for a starter deployment

An OpenShift Container Platform (OCP) administrator can run a script to set up a cluster or set up the cluster in the OpenShift console. Each core Cloud Pak capability has a corresponding pattern, which includes a list of components that can be installed.

About this task

The administrator must make sure that the target Red Hat OpenShift Kubernetes Service (ROKS) cluster on IBM Cloud® or OCP has all the necessary requirements. Make sure that the client that you connect with has all the necessary tools.
Client-side requirements
Table 1. Client-side requirements step by step
Requirement More information
Kubernetes 1.21+ CLI For more information, see https://kubernetes.io/docs/tasks/tools/install-kubectl/.

You must use a kubectl version that is within one minor version difference of your cluster. Using the latest version of kubectl helps avoid unforeseen issues.

  1. Set the required version to an environment variable:
    export KUBECTL_VERSION=`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`
  2. Download the latest release with the command for your VM/machine architecture:
    Linux on AMD x86-64 or amd64
    curl -LO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
    Linux on Power or ppc64le
    curl -LO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/ppc64le/kubectl"
    Linux on IBM Z or s390x
    curl -LO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/s390x/kubectl"

Use the chmod command to give access to kubectl and make it executable for all users.

chmod a+x kubectl

To check the version, run the following command.

kubectl version --client

Place the kubectl binary in a directory that is on your PATH. To check your PATH, run the following command.

echo $PATH
OCP CLI The OCP CLI version that matches the OCP cluster. The best way to do that is to download the CLI from the OCP console. For more information about the OCP version and compatible CLI, see the OpenShift 4.14 documentation and go to the download link.

The CLI has commands for managing your applications, and lower-level tools to interact with each component of your system.

Place the oc binary in a directory that is on your PATH. To check your PATH, run the following command.

echo $PATH

When the CLI is in your PATH, it is available by running the oc command.

cert-kubernetes All the installation artifacts are contained in the cert-kubernetes repository. It is recommended to use the latest interim fix of the release, but if you do need a previous version then you can find them all in the Cloud Pak for Business Automation download document.
Tip: Use the move right arrow Move right arrow below the 24.0.0 release to find all the available interim fixes.

To download the cert-kubernetes repository.

  1. Open the Cloud Pak for Business Automation download document, find the card for the latest 24.0.0 interim fix, click Cert Kubernetes, and then select and copy the displayed command.
  2. Run the copied git clone command to download the files.
Server-side requirements
Table 2. Server-side requirements step by step
Requirement More information
Get your IBM entitlement key
  1. Log in to MyIBM Container Software Library with the IBMid and password that is associated with the entitled software.
  2. In the Entitlement Keys tile, click Add New Key.
On ROKS classic
Note: Bare Metal Servers for classic infrastructure are not supported. ROKS VPC multi-zone region (MZR) is supported.

Before you deploy an automation container on IBM Cloud (your target cluster platform is ROKS), you must configure your client environment and create an OpenShift cluster.

Make sure that you install the IBM Cloud CLI so you can use the command-line interfaces (CLIs). As an administrator of the cluster you must be able to interact with your environment.

  1. If you do not have an account, create an account on IBM Cloud.
  2. If you do not have a cluster, then create one. From the IBM Cloud Overview page, in the OpenShift Cluster tile, click Create Cluster. Refer to the IBM Cloud documentation to create a Kubernetes cluster. The cluster that you create includes attached storage.
  3. Log in to your ROKS cluster from a Linux® VM on which you installed the OCP CLI.
    oc login --token=<token> --server=https://<cluster-ip>:<port>

    Where the <token> is your API token for your user on the cluster, and <cluster-ip>:<port> is the IP address and port number of the cluster. You can get these values by clicking Copy Login Command in the OCP console. The following example command shows that the token is an almost-unique fixed-size 256-bit (32-byte) hash.

    oc login --token=sha256~5a0GogeS4oEUfG5yFCcPE2Qf-rz5exEUiFaZ4V0Iy1Y \
    --server=https://api.ocp4616-cp4ba.cp.example.com:6443
    
Check capacity The administrator must make sure that the target cluster has the capacity for all of the capabilities that you plan to install. For more information, see System requirements.
A namespace
Warning: If you plan to use a project (namespace) that you used previously for another Cloud Pak for Business Automation deployment (starter or production), delete all the related PVCs before you install a new starter deployment.

Create a namespace for the Cloud Pak deployment on the OpenShift cluster. The Cloud Pak operator can be installed in multiple namespaces. You can create a namespace in the console or create one from the CLI.

On the left panel in your OpenShift console, click Administration > Namespaces, then click Create Namespace. In the Create Namespace dialog, specify a name for the namespace, for example cp4ba-starter. To use the default Network Policy, make sure you select "No restrictions".

On the CLI:

oc login --token=<token> --server=https://<cluster-ip>:<port>
export NAMESPACE=<CP4BA deployment namespace>
oc create namespace ${NAMESPACE} 

Where the <CP4BA deployment namespace> is the namespace where you want to create the deployment. For example, cp4ba-starter.

Note: If you plan to use the "All namespaces" option to install the Cloud Pak operator, then the openshift-operators namespace is used. You still need a namespace to create a CP4BA deployment, so go ahead and create one.
A service account
  1. Create the ibm-cp4ba-anyuid service account (SA) in a service-account-for-starter.yaml file.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ibm-cp4ba-anyuid
    imagePullSecrets:
    - name: "ibm-entitlement-key"
  2. Apply the service account to the target namespace.
    oc apply -f service-account-for-starter.yaml -n ${NAMESPACE}

    Where the ${NAMESPACE} is the namespace where you want to install the deployment.

  3. Bind the security context constraints (SCC) to control the actions the SA can take and what it can access.
    oc adm policy add-scc-to-user anyuid \
    -z ibm-cp4ba-anyuid -n ${NAMESPACE}
Synchronize worker nodes clocks Cloud Pak for Business Automation requires that the clocks on the worker nodes are synchronized. An OCP cluster that is installed in a restricted network is configured to use a public Network Time Protocol (NTP) server by default. To avoid clock skew, reconfigure the cluster to use a private NTP server instead. Time synchronization must be enabled on all hosts in the cluster, whether using NTP or any other method. For more information, see Configuring chrony time service.

It is also worth noting that the "starter" deployment provisions PostgreSQL and OpenLDAP with the default values, so you do not need to prepare them in advance. The database is for internal purposes only and cannot be accessed.

What else is needed before you run the setup cluster script
Table 3. Script requirements
Requirement More information
Operating system The scripts can be used on amd64/x86/ppc64le/s390x based (CentOS Stream/RHEL/MacOS) VM/machines. You can also run the scripts on an amd64/x86 machine, for example, and connect to a Linux on Z or a Linux on Power based cluster.
Users You need a cluster admin and a non-admin user in the OpenShift identity provider to run the scripts. An example non-admin user cp4a-user is used in the installation instructions. Use the following steps to add a non-admin user:
  1. Move to a directory where you want to put the temp files.
    cd /home/user
  2. Install the htpasswd command.
    yum install httpd-tools
  3. Create a user.
    htpasswd -c -B -b users.htpasswd [username] [password]

    Replace [username] with the name of the non-admin user. Replace [password] with the password for the non-admin user.

  4. Verify that it worked.
    htpasswd -b -v users.htpasswd [username] [password]
  5. Create a secret to contain the htpasswd file. You must be logged in as the admin user to the cluster.
    oc create secret generic htpass-secret --from-file=htpasswd=./users.htpasswd -n openshift-config
  6. Create a config file with the htpasswd identity provider settings.
    cat <<EOF | oc apply  -f -
        apiVersion: config.openshift.io/v1
        kind: OAuth
        metadata:
          name: cluster
        spec:
         identityProviders:
         - name: admins_htpasswd_provider
           mappingMethod: claim
           type: HTPasswd
           htpasswd:
             fileData:
               name: htpass-secret  
    EOF
  7. Verify that it worked. It might take a few minutes for the update to complete.
    oc logout
    oc login -u [username] -p [password]

For more information about users on OpenShift, see Understanding identity provider configuration.

Tip: Go to the following technote for instructions on how to create a simple identity provider for your starter environment How do I create a simple identity provider.
A dynamic storage class and a block storage class File storage keeps data as a hierarchy of files in folders. Block storage chunks data into organized and evenly sized volumes.

For more information, see Storage considerations.

Podman CLI If you plan to download the Cloud Pak images to a private registry, you must install the Podman CLI. You can install Podman by running the following command.
yum -y install podman
Note: The Podman CLI is needed on an OCP registry, as OCP does not support a Docker login. If you plan to run the scripts on macOS or you want to stick with docker, you must install the Docker CLI and add the following line to the /etc/docker/daemon.json file.
"insecure-registries":["route"]
Where route is the name of the route for your image registry. For example:
{
"insecure-registries":["default-route-openshift-image-registry.apps.<hostname>"]
}

Use this solution for isolated testing or in tightly controlled environments only. For more information, see Deploy a plain HTTP registry.

For Workforce Insights If you want to use Workforce Insights, you must create a custom secret to put in the bai configuration section under business_performance_center in the custom resource.

For more information, see Creating custom-bpc-workforce-secret.

What to do next

If you want to use the optional component Content Collector for SAP Applications in the Content pattern, you must prepare the SAP libraries (Optional: Preparing ICCSAP libraries). You can then choose between installing in the OpenShift console or by using the command line interface (CLI). Use one of the following links.