Option 2: Installing the Cloud Pak catalog and operator instances by using ibm-pak

After you set up everything and mirrored the container images, you can then install the Cloud Pak for Business Automation catalogs in your air gap environment by using the ibm-pak tool.

Before you begin

When you mirrored your environment, you created a parallel offline version of everything that you needed to install an operator into the OpenShift Container Platform. Your deployment in an air gap environment also needs IBM Cloud® Pak foundational services, so make sure that your cluster has the capacity to install these services, see Hardware requirements and recommendations for foundational services.

All the installation and upgrade artifacts are contained in the cert-kubernetes repository. It is recommended to use the latest interim fix of the release, but if you do need a previous version then you can find them all in the Cloud Pak for Business Automation download document.
Tip: Use the move right arrow Move right arrow below the 24.0.0 release to find all the available interim fixes.
To download the cert-kubernetes repository.
  1. Open the Cloud Pak for Business Automation download document, find the card for the latest 24.0.0 interim fix, click Cert Kubernetes, and then select and copy the displayed command.
  2. Run the copied git clone command to download the files.

About this task

You must prepare the storage of an operator before you create an instance of an operator.

Tip: When you run the deployment script, you must have storage classes on your cluster. If you use static storage, make sure that you grant group write permission to the path on the host or your shared volume.

To install the operators, complete the following steps.

Procedure

  1. Go to the namespace for the operator.
    oc project ${NAMESPACE}
  2. Set the environment variable of the --inventory parameter:
    export CASE_INVENTORY_SETUP=cp4aOperatorSetup
  3. Create and configure a catalog source.
    Note: If the IBMPAK_HOME environment variable is set, the downloaded CASE is located in $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml.

    If you want to change the namespace from the global catalog namespace (GCN) to your target CP4BA namespace (cp4ba-project), replace “openshift-marketplace” with the “<CP4BA_namespace>” in the generated catalog-sources.yaml file for all catalogs, except “ibm-cert-manager-catalog” and “ibm-licensing-catalog”. For the Certificate Manager and License Manager catalogs you can use the defaults for separate private catalogs or change the namespace to a global catalog openshift-marketplace.

  4. Run the generated catalog-sources.yaml based on the catalog namespace.

    Option 1: Global catalog namespace

    1. Run the following command.
      cat $IBMPAK_HOME/.ibm-pak/data/mirror/ibm-cp-automation/24.0.0/catalog-sources.yaml | sed '0,/ibm-cs-install-catalog/s//ibm-cs-install-catalog-v4-6-2/g' | oc apply -f -
    2. Run the following command to verify that the pods are in the Running state.
      oc get pods -n openshift-marketplace

    Option 2: Target CP4BA namespace (private catalog)

    1. Run the following commands.
      sed -i "s/openshift-marketplace/$NAMESPACE/g" $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
      sed -i '0,/ibm-cs-install-catalog/s//ibm-cs-install-catalog-v4-6-2/g' $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
    2. Edit $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml, and do the following steps:
      Note: IBM Cert Manager catalog and IBM Licensing catalog cannot be deployed to the same namespace as the CP4BA catalog namespace when you want to deploy as a private catalog. This is due to the operator functionality, IBM Licensing and IBM Cert Manager are cluster singleton services, although they are in a namespace. Both IBM Licensing and IBM Cert Manager watch and manage the resources for the entire cluster. This is different from a CP4BA instance in one namespace. Each CP4BA instance has its own tenant scope (one or several namespaces), and you can have multiple CP4BA instances per cluster.
      1. Run the following command to modify the namespace value of ibm-cert-manager-catalog from openshift-marketplace to ibm-cert-manager.
        sed -i '/name: ibm-cert-manager-catalog/{N;s/namespace: .*/namespace: ibm-cert-manager/}' $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
      2. Run the following command to modify the namespace value of ibm-licensing-catalog from openshift-marketplace to ibm-licensing.
        sed -i '/name: ibm-licensing-catalog/{N;s/namespace: .*/namespace: ibm-licensing/}' $IBMPAK_HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
    3. Run the following commands to create the ibm-licensing and ibm-cert-manager namespaces.
      oc new-project ibm-licensing
      oc new-project ibm-cert-manager
    4. Run the following command to apply the modified CatalogSource.
      oc apply -f $IBMPAK_HOME/.ibm-pak/data/mirror/ibm-cp-automation/24.0.0/catalog-sources.yaml
    5. Run the following commands to verify that the pods are in the Running state.
      oc get pods -n <CP4BA_namespace>
      oc get pods -n ibm-cert-manager
      oc get pods -n ibm-licensing

      Check that the following pods are recently created:

      pods

      Check that the catalog sources are recently created.

  5. Go to your downloaded cert-kubernetes folder.
    cd cert-kubernetes/scripts/cpfs/installer_scripts/cp3pt0-deployment
  6. Log in to the target cluster from a client.
    oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR>
  7. Run the following command based on the catalog namespace.
    Option 1: For Global catalog namespace.
    ./setup_singleton.sh --license-accept --enable-licensing -v 1 -c v4.2
    Option 2: For target CP4BA namespace (private catalog).
    ./scripts/cpfs/installer_scripts/cp3pt0-deployment/setup_singleton.sh --enable-licensing --cert-manager-source ibm-cert-manager-catalog --licensing-source ibm-licensing-catalog --license-accept -v 1 -c v4.2 --enable-private-catalog
  8. Run the following commands to create a namespace to install CP4BA.
    export CASE_NAME=ibm-cp-automation
    export CASE_VERSION=24.0.0
    export CASE_INVENTORY_SETUP=cp4aOperatorSetup
    export NAMESPACE=cp4ba
  9. Install the Cloud Pak operator.

    Option 1: Global catalog namespace.

    Run the following command:
    oc ibm-pak launch $CASE_NAME \
    --version $CASE_VERSION \
    --inventory $CASE_INVENTORY_SETUP \
    --action install-operator \
    --namespace $NAMESPACE 
    Option 2: Target CP4BA namespace (private catalog).
    Create a CP4BA subscription in the target CP4BA namespace.
    1. In the OCP console, go to Operators > OperatorHub.
    2. From the Project menu, select the target CP4BA namespace (private catalog).
    3. Under All Items, select Business Automation and click the IBM Cloud Pak for Business Automation (CP4BA) multi-pattern tile.
    4. Set the Channel to v24.0.

      If you set any subscriptions to manual, then you must approve any pending operator updates. It is not recommended to set subscriptions to manual because it can make the installation error prone when some of the dependency operators are not approved. By default, all subscriptions are set to automatic.

    5. Set the Installation Mode to A specific namespace on the cluster.
    6. From the drop-down menu, select the target CP4BA namespace and click Install.
    7. Go to Operators > Installed Operators and verify that the status of IBM Cloud Pak for Business Automation (CP4BA) multi-pattern shows as Succeeded.
  10. Verify that the operators are installed.

    Using the oc login command, log in to the Red Hat OpenShift Container Platform cluster where you plan to pull the mirrored images. You can identify your specific oc login by clicking the user drop-down menu in the Red Hat OpenShift Container Platform console, then clicking Copy Login Command.

    Run the following commands to check your cluster:

    1. oc get pods -n $NAMESPACE

      It might take up to 10 minutes or so for all the pods to show the Running status.

      Tip: If ibm-cp4a-operator is inactive for some time, you can delete the operator pod and wait for it to reconcile.

      To confirm that the operator is stuck, check to see whether the log is providing an output.

      oc logs <operator pod> -f

      If you see the following issues when the image is pulled, verify the global pull secret and confirm that the docker registry username and password are correct.

      Warning Failed <invalid> (x2 over <invalid>) kubelet Error: ImagePullBackOff
      Normal Pulling <invalid> (x2 over <invalid>) kubelet Pulling image

      The following command verifies the global pull secrets.

      oc -n openshift-config get secret/pull-secret -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode | tr -d "\r|\n| " > dockerconfig.json

      To change the credentials, you can edit the dockerconfig.json file, delete the registry entries for the registry, and then apply the changes.

      oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=dockerconfig.json
    2. oc get subscriptions.operators.coreos.com -n $NAMESPACE

      If you set any subscriptions to manual, then you must approve any pending operator updates. It is not recommended to set subscriptions to manual because it can make the installation error prone when some of the dependency operators are not approved. By default, all subscriptions are set to automatic.

      Tip: Subscriptions for the Cloud Pak foundational services operators are created when they are "needed". Some subscriptions are created during the installation of the operators. If other subscriptions are needed, they are created during the installation of the CP4BA deployment. Business Teams Service, for example, is installed only "if it is needed". To check for subscriptions that are waiting for approval, get the installation plans by running the following command.
      oc get installPlan
    3. oc get csv -n $NAMESPACE

    It might take up to 15 minutes for all the pods to show the Running status.

  11. Optional: If you plan to include Business Automation Insights as an option in your CP4BA deployment and you want to use an external certificate instead of the default CP4BA root CA, then create an Issuer resource with the name cp4ba-tls-issuer.

    For the CP4BA deployment to connect to Kafka and OpenSearch securely, it must have a certificate. An Issuer identifies which certificate authority (CA) in the namespace to issue a certificate, so you must create an Issuer for cert-manager to use an external certificate before you install a CP4BA deployment.

    1. Use the following YAML to set the namespace and secret name for the Issuer.
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: cp4ba-tls-issuer
        namespace: <project_name>
      spec:
        ca:
          secretName: <secret_name> 
    2. Run the following command to create the Secret.
      oc create secret generic <secret_name>  \
      --from-file=tls.crt=custom_ca_crt.pem \
      --from-file=ca.crt=custom_ca_crt.pem \
      --from-file=tls.key=custom_ca_key.pem 
      Note: The secret contains the actual TLS certificate. For more information about certificates, see Managing certificates.

    The CP4BA operator checks the namespace for the cp4ba-tls-issuer resource, and if it exists, it then creates the necessary certificates for Kafka and OpenSearch.

Results

When started, you can monitor the operator logs with the following command.

oc logs -f deployment/ibm-cp4a-operator -c operator

What to do next

Use the instructions on how to prepare your cluster for the capabilities that you want to install. For more information, see Preparing your chosen capabilities.