After you set up everything and mirrored the container images, you can then install the
Cloud Pak for Business Automation catalogs
in your air gap environment by using the ibm-pak tool.
Before you begin
When you mirrored your environment, you created a parallel offline version of everything that you
needed to install an operator into the OpenShift Container Platform. Your deployment in an air gap
environment also needs IBM Cloud® Pak foundational
services, so make sure that your cluster has the capacity to install these services, see Hardware requirements and recommendations for foundational
services.
All the installation and upgrade artifacts are contained in the
cert-kubernetes
repository. It is recommended to use the latest interim fix of the release, but if you do need a
previous version then you can find them all in the
Cloud Pak for Business Automation download document.
Tip: Use the move right arrow

below the
24.0.0 release to
find all the available interim fixes.
To download the
cert-kubernetes
repository.
- Open the Cloud Pak for Business Automation
download
document, find the card for the latest 24.0.0 interim fix, click
Cert Kubernetes, and then select and copy the displayed command.
- Run the copied
git clone
command to download the files.
About this task
You must prepare the storage of an operator before you create an instance of an operator.
Tip: When you run the deployment script, you must have storage classes on your cluster.
If you use static storage, make sure that you grant group write permission to the path on the host
or your shared volume.
To install the operators, complete the following steps.
Procedure
-
Go to the namespace for the operator.
- Set the environment variable of the
--inventory
parameter:
export CASE_INVENTORY_SETUP=cp4aOperatorSetup
- Create and configure a catalog source.
Note: If the IBMPAK_HOME
environment variable is
set, the downloaded CASE is located in
$IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml.
If you want to change the namespace from the global catalog namespace (GCN) to your target CP4BA
namespace (cp4ba-project
), replace “openshift-marketplace
” with
the “<CP4BA_namespace>
” in the generated
catalog-sources.yaml file for all catalogs, except
“ibm-cert-manager-catalog
” and “ibm-licensing-catalog
”. For the
Certificate Manager and License Manager catalogs you can use the defaults for separate private
catalogs or change the namespace to a global catalog openshift-marketplace
.
- Run the generated
catalog-sources.yaml
based on the catalog
namespace.
Option 1: Global catalog namespace
- Run the following
command.
cat $IBMPAK_HOME/.ibm-pak/data/mirror/ibm-cp-automation/24.0.0/catalog-sources.yaml | sed '0,/ibm-cs-install-catalog/s//ibm-cs-install-catalog-v4-6-2/g' | oc apply -f -
- Run the following command to verify that the pods are in the
Running
state.oc get pods -n openshift-marketplace
Option 2: Target CP4BA namespace (private catalog)
- Run the following
commands.
sed -i "s/openshift-marketplace/$NAMESPACE/g" $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
sed -i '0,/ibm-cs-install-catalog/s//ibm-cs-install-catalog-v4-6-2/g' $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
- Edit
$IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
,
and do the following steps:Note: IBM Cert Manager catalog and IBM Licensing catalog cannot be
deployed to the same namespace as the CP4BA catalog namespace when you want to deploy as a private
catalog. This is due to the operator functionality, IBM Licensing and IBM Cert Manager are cluster
singleton services, although they are in a namespace. Both IBM Licensing and IBM Cert Manager watch
and manage the resources for the entire cluster. This is different from a CP4BA instance in one
namespace. Each CP4BA instance has its own tenant scope (one or several namespaces), and you can
have multiple CP4BA instances per cluster.
- Run the following command to modify the namespace value of
ibm-cert-manager-catalog
from openshift-marketplace
to
ibm-cert-manager
.sed -i '/name: ibm-cert-manager-catalog/{N;s/namespace: .*/namespace: ibm-cert-manager/}' $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
- Run the following command to modify the namespace value of
ibm-licensing-catalog
from openshift-marketplace
to
ibm-licensing
.sed -i '/name: ibm-licensing-catalog/{N;s/namespace: .*/namespace: ibm-licensing/}' $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
- Run the following commands to create the
ibm-licensing
and
ibm-cert-manager
namespaces.oc new-project ibm-licensing
oc new-project ibm-cert-manager
- Run the following command to apply the modified
CatalogSource
.oc apply -f $IBMPAK_HOME/.ibm-pak/data/mirror/ibm-cp-automation/24.0.0/catalog-sources.yaml
- Run the following commands to verify that the pods are in the
Running
state.oc get pods -n <CP4BA_namespace>
oc get pods -n ibm-cert-manager
oc get pods -n ibm-licensing
Check that the following pods are recently
created:

Check that the catalog sources are
recently created.
- Go to your downloaded cert-kubernetes folder.
cd cert-kubernetes/scripts/cpfs/installer_scripts/cp3pt0-deployment
- Log in to the target cluster from a client.
oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR>
- Run the following command based on the catalog namespace.
Option 1: For Global catalog
namespace.
./setup_singleton.sh --license-accept --enable-licensing -v 1 -c v4.2
Option 2: For target CP4BA namespace (private
catalog).
./scripts/cpfs/installer_scripts/cp3pt0-deployment/setup_singleton.sh --enable-licensing --cert-manager-source ibm-cert-manager-catalog --licensing-source ibm-licensing-catalog --license-accept -v 1 -c v4.2 --enable-private-catalog
- Run the following commands to create a namespace to install CP4BA.
export CASE_NAME=ibm-cp-automation
export CASE_VERSION=24.0.0
export CASE_INVENTORY_SETUP=cp4aOperatorSetup
export NAMESPACE=cp4ba
- Install the Cloud Pak operator.
Option 1: Global catalog namespace.
Run the following command:
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--inventory $CASE_INVENTORY_SETUP \
--action install-operator \
--namespace $NAMESPACE
Option 2: Target CP4BA namespace (private catalog).
Create a CP4BA
subscription in the target CP4BA namespace.
- In the OCP console, go to
.
- From the Project menu, select the target CP4BA namespace (private
catalog).
- Under All Items, select Business Automation and
click the IBM Cloud Pak for Business Automation (CP4BA) multi-pattern
tile.
- Set the Channel to v24.0.
If you set any
subscriptions to manual
, then you must approve any pending operator updates. It is
not recommended to set subscriptions to manual
because it can make the installation
error prone when some of the dependency operators are not approved. By default, all subscriptions
are set to automatic
.
- Set the Installation Mode to A specific namespace on the
cluster.
- From the drop-down menu, select the target CP4BA namespace and click
Install.
- Go to and verify that the status of IBM Cloud Pak for
Business Automation (CP4BA) multi-pattern shows as
Succeeded.
- Verify that the operators are installed.
Using the oc login
command, log in to the Red Hat OpenShift Container Platform
cluster where you plan to pull the mirrored images. You can identify your specific oc login by
clicking the user drop-down menu in the Red Hat OpenShift Container Platform console, then clicking
Copy Login Command.
Run the following commands to check your cluster:
-
oc get pods -n $NAMESPACE
It might take up to 10 minutes or so for all the pods to show the Running
status.
Tip: If
ibm-cp4a-operator is inactive for some time, you can delete
the operator pod and wait for it to reconcile.
To confirm that the operator is stuck, check to
see whether the log is providing an output.
oc logs <operator pod> -f
If you see the following issues when
the image is pulled, verify the global pull secret and confirm that the docker registry username and
password are
correct.
Warning Failed <invalid> (x2 over <invalid>) kubelet Error: ImagePullBackOff
Normal Pulling <invalid> (x2 over <invalid>) kubelet Pulling image
The
following command verifies the global pull secrets.
oc -n openshift-config get secret/pull-secret -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | tr -d "\r|\n| " > dockerconfig.json
To
change the credentials, you can edit the dockerconfig.json file, delete the
registry entries for the registry, and then apply the
changes.
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=dockerconfig.json
-
oc get subscriptions.operators.coreos.com -n $NAMESPACE
If you set any subscriptions to manual
, then you must approve any pending
operator updates. It is not recommended to set subscriptions to manual
because it
can make the installation error prone when some of the dependency operators are not approved. By
default, all subscriptions are set to automatic
.
Tip: Subscriptions for the
Cloud Pak foundational services operators are
created when they are "needed". Some subscriptions are created during the installation of the
operators. If other subscriptions are needed, they are created during the installation of the CP4BA
deployment. Business Teams Service, for example, is installed only "if it is needed". To check for
subscriptions that are waiting for approval, get the installation plans by running the following
command.
oc get installPlan
-
oc get csv -n $NAMESPACE
It might take up to 15 minutes for all the pods to show the Running
status.
- Optional: If you plan to include Business Automation Insights as an option in your
CP4BA deployment and you want to use an external certificate instead of the default CP4BA root CA,
then create an
Issuer
resource with the name cp4ba-tls-issuer
.
For the CP4BA deployment to connect to Kafka and OpenSearch securely, it must have a certificate.
An Issuer
identifies which certificate authority (CA) in the namespace to issue a
certificate, so you must create an Issuer
for cert-manager
to use
an external certificate before you install a CP4BA deployment.
- Use the following YAML to set the namespace and secret name for the
Issuer
.apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: cp4ba-tls-issuer
namespace: <project_name>
spec:
ca:
secretName: <secret_name>
- Run the following command to create the
Secret
.oc create secret generic <secret_name> \
--from-file=tls.crt=custom_ca_crt.pem \
--from-file=ca.crt=custom_ca_crt.pem \
--from-file=tls.key=custom_ca_key.pem
Note: The secret contains the actual TLS
certificate. For more information about certificates, see
Managing
certificates.
The CP4BA operator checks the namespace for the cp4ba-tls-issuer
resource, and
if it exists, it then creates the necessary certificates for Kafka and OpenSearch.
Results
When started, you can monitor the operator logs with the following command.
oc logs -f deployment/ibm-cp4a-operator -c operator
What to do next
Use the instructions on how to prepare your cluster for the capabilities that
you want to install. For more information, see Preparing your chosen capabilities.