After you set up everything and mirrored the container images, you can then install the
Cloud Pak for Business Automation catalogs
in your air gap environment by using the cluster admin script.
Before you begin
When you mirrored your environment, you created a parallel offline version of everything that you
needed to install an operator into the OpenShift Container Platform. Your deployment in an air gap
environment also needs IBM Cloud® Pak foundational
services, so make sure that your cluster has the capacity to install these services, see Hardware requirements and recommendations for foundational
services.
All the installation and upgrade artifacts are contained in the
cert-kubernetes
repository. It is recommended to use the latest interim fix of the release, but if you do need a
previous version then you can find them all in the
Cloud Pak for Business Automation download document.
Tip: Use the move right arrow

below the
24.0.0 release to
find all the available interim fixes.
To download the
cert-kubernetes
repository.
- Open the Cloud Pak for Business Automation
download
document, find the card for the latest 24.0.0 interim fix, click
Cert Kubernetes, and then select and copy the displayed command.
- Run the copied
git clone
command to download the files.
About this task
You must prepare the storage of an operator before you create an instance of an operator.
Tip: When you run the deployment script, you must have storage classes on your cluster.
If you use static storage, make sure that you grant group write permission to the path on the host
or your shared volume.
To install the operators, complete the following steps.
Procedure
-
Go to the namespace for the operator.
- Go to your downloaded cert-kubernetes scripts folder.
cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes/scripts
- Run the cluster setup script and follow the prompts in the command window.
./cp4a-clusteradmin-setup.sh
- Select the CP4BA deployment environment: Online (1) /
Offline or Airgap (2). Select Offline or Airgap.
- Select the platform type: ROKS (1) or OCP (2).
Select OCP.
- Select the deployment type production.
- If you plan to enable FIPS for your Cloud Pak for Business Automation deployment, select
Yes to check that the worker nodes on the cluster are FIPS enabled.
Note: If all the compute nodes are FIPS enabled, then the script creates a configMap
(
cp4ba-fips-status
) in the target deployment namespace
(
cp4ba-project for example) to record that FIPS is enabled.
kind: ConfigMap
apiVersion: v1
metadata:
name: cp4ba-fips-status
namespace: <project_name>
data:
all-fips-enabled: 'Yes'
- Select
Yes
if you want to install CP4BA as a private catalog rather than in the
global catalog namespace (GCN). The GCN uses the openshift-marketplace
namespace,
the private option uses the target namespace of your CP4BA deployment. The default is
No
.
- Select
Yes
if you want to install the CP4BA operators and the CP4BA deployments
in separate namespaces. Select No
if you do not want to install the CP4BA operators
and the CP4BA deployments in separate namespaces. The default is No
.
- Enter the CP4BA target namespace to install the operators. For example,
cp4ba-project.
For more information, see Mirroring catalogs to a private registry using oc mirror. If an existing CP4BA operator is found in
another namespace on your cluster, confirm that you want to deploy another CP4BA operator in the new
namespace by entering Yes
.
- Select
Yes
if you reviewed and confirmed that all the offline installation
prerequisites are complete.
- Verify that the operators are installed.
Using the oc login
command, log in to the Red Hat OpenShift Container Platform
cluster where you plan to pull the mirrored images. You can identify your specific oc
login
by clicking the user drop-down menu in the Red Hat OpenShift Container Platform
console, then clicking Copy Login Command.
Run the following commands to check your cluster:
-
oc get pods -n $NAMESPACE
It might take up to 10 minutes or so for all the pods to show the Running
status.
Tip: If
ibm-cp4a-operator is inactive for some time, you can delete
the operator pod and wait for it to reconcile.
To confirm that the operator is stuck, check to
see whether the log is providing an output.
oc logs <operator pod> -f
If you see the following issues when
the image is pulled, verify the global pull secret and confirm that the docker registry username and
password are
correct.
Warning Failed <invalid> (x2 over <invalid>) kubelet Error: ImagePullBackOff
Normal Pulling <invalid> (x2 over <invalid>) kubelet Pulling image
The
following command verifies the global pull secrets.
oc -n openshift-config get secret/pull-secret -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | tr -d "\r|\n| " > dockerconfig.json
To
change the credentials, you can edit the dockerconfig.json file, delete the
registry entries for the registry, and then apply the
changes.
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=dockerconfig.json
-
oc get subscriptions.operators.coreos.com -n $NAMESPACE
If you set any subscriptions to manual
, then you must approve any pending
operator updates. It is not recommended to set subscriptions to manual
because it
can make the installation error prone when some of the dependency operators are not approved. By
default, all subscriptions are set to automatic
.
Tip: Subscriptions for the
Cloud Pak foundational services operators are
created when they are "needed". Some subscriptions are created during the installation of the
operators. If other subscriptions are needed, they are created during the installation of the CP4BA
deployment. Business Teams Service, for example, is installed only "if it is needed". To check for
subscriptions that are waiting for approval, get the installation plans by running the following
command.
oc get installPlan
-
oc get csv -n $NAMESPACE
It might take up to 15 minutes for all the pods to show the Running
status.
- Optional: If you plan to include Business Automation Insights as an option in your
CP4BA deployment and you want to use an external certificate instead of the default CP4BA root CA,
then create an
Issuer
resource with the name cp4ba-tls-issuer
.
For the CP4BA deployment to connect to Kafka and OpenSearch securely, it must have a certificate.
An Issuer
identifies which certificate authority (CA) in the namespace to issue a
certificate, so you must create an Issuer
for cert-manager
to use
an external certificate before you install a CP4BA deployment.
- Use the following YAML to set the namespace and secret name for the
Issuer
.apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: cp4ba-tls-issuer
namespace: <project_name>
spec:
ca:
secretName: <secret_name>
- Run the following command to create the
Secret
.oc create secret generic <secret_name> \
--from-file=tls.crt=custom_ca_crt.pem \
--from-file=ca.crt=custom_ca_crt.pem \
--from-file=tls.key=custom_ca_key.pem
Note: The secret contains the actual TLS
certificate. For more information about certificates, see
Managing
certificates.
The CP4BA operator checks the namespace for the cp4ba-tls-issuer
resource, and
if it exists, it then creates the necessary certificates for Kafka and OpenSearch.
Results
When started, you can monitor the operator logs with the following command.
oc logs -f deployment/ibm-cp4a-operator -c operator
What to do next
Use the instructions on how to prepare your cluster for the capabilities that
you want to install. For more information, see Preparing your chosen capabilities.