Option 1: Installing the Cloud Pak catalog and operator instances by using the cluster admin script (Recommended)

After you set up everything and mirrored the container images, you can then install the Cloud Pak for Business Automation catalogs in your air gap environment by using the cluster admin script.

Before you begin

When you mirrored your environment, you created a parallel offline version of everything that you needed to install an operator into the OpenShift Container Platform. Your deployment in an air gap environment also needs IBM Cloud® Pak foundational services, so make sure that your cluster has the capacity to install these services, see Hardware requirements and recommendations for foundational services.

All the installation and upgrade artifacts are contained in the cert-kubernetes repository. It is recommended to use the latest interim fix of the release, but if you do need a previous version then you can find them all in the Cloud Pak for Business Automation download document.
Tip: Use the move right arrow Move right arrow below the 24.0.0 release to find all the available interim fixes.
To download the cert-kubernetes repository.
  1. Open the Cloud Pak for Business Automation download document, find the card for the latest 24.0.0 interim fix, click Cert Kubernetes, and then select and copy the displayed command.
  2. Run the copied git clone command to download the files.

About this task

You must prepare the storage of an operator before you create an instance of an operator.

Tip: When you run the deployment script, you must have storage classes on your cluster. If you use static storage, make sure that you grant group write permission to the path on the host or your shared volume.

To install the operators, complete the following steps.

Procedure

  1. Go to the namespace for the operator.
    oc project ${NAMESPACE}
  2. Go to your downloaded cert-kubernetes scripts folder.
    cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes/scripts
  3. Run the cluster setup script and follow the prompts in the command window.
    ./cp4a-clusteradmin-setup.sh 
    1. Select the CP4BA deployment environment: Online (1) / Offline or Airgap (2). Select Offline or Airgap.
    2. Select the platform type: ROKS (1) or OCP (2). Select OCP.
    3. Select the deployment type production.
    4. If you plan to enable FIPS for your Cloud Pak for Business Automation deployment, select Yes to check that the worker nodes on the cluster are FIPS enabled.
      Note: If all the compute nodes are FIPS enabled, then the script creates a configMap (cp4ba-fips-status) in the target deployment namespace (cp4ba-project for example) to record that FIPS is enabled.
      kind: ConfigMap
      apiVersion: v1
      metadata:
        name: cp4ba-fips-status
        namespace: <project_name>
      data:
        all-fips-enabled: 'Yes'
    5. Select Yes if you want to install CP4BA as a private catalog rather than in the global catalog namespace (GCN). The GCN uses the openshift-marketplace namespace, the private option uses the target namespace of your CP4BA deployment. The default is No.
    6. Select Yes if you want to install the CP4BA operators and the CP4BA deployments in separate namespaces. Select No if you do not want to install the CP4BA operators and the CP4BA deployments in separate namespaces. The default is No.
    7. Enter the CP4BA target namespace to install the operators. For example, cp4ba-project.

      For more information, see Mirroring catalogs to a private registry using oc mirror. If an existing CP4BA operator is found in another namespace on your cluster, confirm that you want to deploy another CP4BA operator in the new namespace by entering Yes.

    8. Select Yes if you reviewed and confirmed that all the offline installation prerequisites are complete.
  4. Verify that the operators are installed.

    Using the oc login command, log in to the Red Hat OpenShift Container Platform cluster where you plan to pull the mirrored images. You can identify your specific oc login by clicking the user drop-down menu in the Red Hat OpenShift Container Platform console, then clicking Copy Login Command.

    Run the following commands to check your cluster:

    1. oc get pods -n $NAMESPACE

      It might take up to 10 minutes or so for all the pods to show the Running status.

      Tip: If ibm-cp4a-operator is inactive for some time, you can delete the operator pod and wait for it to reconcile.

      To confirm that the operator is stuck, check to see whether the log is providing an output.

      oc logs <operator pod> -f

      If you see the following issues when the image is pulled, verify the global pull secret and confirm that the docker registry username and password are correct.

      Warning Failed <invalid> (x2 over <invalid>) kubelet Error: ImagePullBackOff
      Normal Pulling <invalid> (x2 over <invalid>) kubelet Pulling image

      The following command verifies the global pull secrets.

      oc -n openshift-config get secret/pull-secret -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | tr -d "\r|\n| " > dockerconfig.json

      To change the credentials, you can edit the dockerconfig.json file, delete the registry entries for the registry, and then apply the changes.

      oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=dockerconfig.json
    2. oc get subscriptions.operators.coreos.com -n $NAMESPACE

      If you set any subscriptions to manual, then you must approve any pending operator updates. It is not recommended to set subscriptions to manual because it can make the installation error prone when some of the dependency operators are not approved. By default, all subscriptions are set to automatic.

      Tip: Subscriptions for the Cloud Pak foundational services operators are created when they are "needed". Some subscriptions are created during the installation of the operators. If other subscriptions are needed, they are created during the installation of the CP4BA deployment. Business Teams Service, for example, is installed only "if it is needed". To check for subscriptions that are waiting for approval, get the installation plans by running the following command.
      oc get installPlan
    3. oc get csv -n $NAMESPACE

    It might take up to 15 minutes for all the pods to show the Running status.

  5. Optional: If you plan to include Business Automation Insights as an option in your CP4BA deployment and you want to use an external certificate instead of the default CP4BA root CA, then create an Issuer resource with the name cp4ba-tls-issuer.

    For the CP4BA deployment to connect to Kafka and OpenSearch securely, it must have a certificate. An Issuer identifies which certificate authority (CA) in the namespace to issue a certificate, so you must create an Issuer for cert-manager to use an external certificate before you install a CP4BA deployment.

    1. Use the following YAML to set the namespace and secret name for the Issuer.
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: cp4ba-tls-issuer
        namespace: <project_name>
      spec:
        ca:
          secretName: <secret_name> 
    2. Run the following command to create the Secret.
      oc create secret generic <secret_name>  \
      --from-file=tls.crt=custom_ca_crt.pem \
      --from-file=ca.crt=custom_ca_crt.pem \
      --from-file=tls.key=custom_ca_key.pem 
      Note: The secret contains the actual TLS certificate. For more information about certificates, see Managing certificates.

    The CP4BA operator checks the namespace for the cp4ba-tls-issuer resource, and if it exists, it then creates the necessary certificates for Kafka and OpenSearch.

Results

When started, you can monitor the operator logs with the following command.

oc logs -f deployment/ibm-cp4a-operator -c operator

What to do next

Use the instructions on how to prepare your cluster for the capabilities that you want to install. For more information, see Preparing your chosen capabilities.