Installing the tunnel client
To access the services or servers in a private network from the Hub cluster that is on a public cloud or an on-premises network, you need to install the tunnel client in an endpoint in the private network. For more information, see Forward network Scenarios.
To access the Hub Cluster services or servers in a private network from a public cluster or on-premises cluster, you need to install the tunnel client in a public cluster or an on-premises cluster. For more information, see Reverse network scenarios.
- Obtaining the tunnel client installation script
- Obtaining the tunnel client image
- Installing the tunnel client in the managed cluster on OpenShift
- Installing the tunnel client in a Linux® VM
Obtaining the tunnel client installation script
You can get the tunnel client installation script by using either of the following ways:
-
Go to Administer > Tunnel on IBM Cloud Pak console. In the Manage networks page, check the network list to see whether the tunnel network that you need is created:
- If the tunnel network is not created, click Start with in the Manage networks page, and create a tunnel network as in Creating a tunnel network.
-
If the tunnel network is created, locate the tunnel network in the network list, select Install in the Action column, and get the tunnel client installation scripts by clicking Download, or by clicking the copy button and running the copied commands on the system where you want to install the tunnel client.
Note: In this version, the tunnel client for reverse networks can be installed only on the cloud.
-
If you don't have an IBM Cloud Pak console, you can use the automation script to install the tunnel client. For more information, see Installing the tunnel client.
Obtaining the tunnel client image
-
Extract the downloaded file tunnel-client-install-scripts.tar.gz. Then, get the image name from the file ./tunnel-client-install-scripts/image.txt. It is the image name that the tunnel server uses.
-
If the Docker image registry is an OpenShift private registry, you can get the image by accessing the tunnel server OpenShift private registry or the offline installation package.
-
If the Docker image registry is a public registry, you can pull the image directly with the registry username and password.
-
To store the tunnel image in a private registry that is local in the cluster or on the Linux® VM where you install the tunnel client, pull the image from the Docker image registry, and push the tunnel image to the local registry. You need to specify the --image parameter when you run the tunnel client installation script.
For example, to use the OpenShift image registry as the private registry, follow the steps:
-
Expose the image registry. First, check whether the image registry is exposed by running the command oc registry info. If the result is image-registry.openshift-image-registry.svc:5000, expose the image registry by running the following command:
oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
Then, get the hostname of the image registry by running the following command:
REGISTRY=$(oc get route -n openshift-image-registry default-route -o=jsonpath='{.spec.host}')
-
Pull the tunnel client image from the Docker registry by running the following command:
docker pull `cat ./tunnel-client-install-scripts/image.txt`
-
Tag the tunnel client image by running the following command:
docker tag `cat ./tunnel-client-install-scripts/image.txt` $REGISTRY/<TUNNEL_NAMESPACE>/secure-tunnel:tunnel
Where <TUNNEL_NAMESPACE> is the namespace where you installed the tunnel service.
-
Push the tunnel client image by running the following commands:
docker login -u $(oc whoami) -p $(oc whoami -t) $REGISTRY
docker push $REGISTRY/<TUNNEL_NAMESPACE>/secure-tunnel:tunnel
-
Run the following script to install the tunnel client.
./install-openshift.sh --image image-registry.openshift-image-registry.svc:5000/<TUNNEL_NAMESPACE>/secure-tunnel:tunnel --image-pull-secret <integration-pull-secret> --namespace <TUNNEL_NAMESPACE>
Where <TUNNEL_NAMESPACE> is the namespace where you installed the tunnel service.
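The mirroring steps above collected into one script, added here as an example (it is not part of the product's install scripts): it checks the content of image.txt before using it, quotes every expansion, and passes the registry token with docker login --password-stdin instead of -p. The function names and the accepted character set are assumptions of this example; the oc and docker commands are the ones used in the steps.

```shell
#!/bin/sh
# Added example: mirror the tunnel client image into the OpenShift registry.
# Function names and the accepted character set are assumptions of this example.

# Print the image reference stored in image.txt. Fail unless the file holds
# exactly one reference made only of characters valid in an image name.
read_image_ref() {
    ref=$(cat "$1") || return 1
    case $ref in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._/:@-]*) return 1 ;;
    esac
    printf '%s\n' "$ref"
}

# Build the push target from the exposed route host and the tunnel namespace.
target_ref() {
    printf '%s/%s/secure-tunnel:tunnel\n' "$1" "$2"
}

# Pull, tag, log in and push, quoting every expansion. The token reaches
# docker on stdin, so it is not visible in the process list.
mirror_image() {
    src=$(read_image_ref "$1") || { echo "unexpected content in $1" >&2; return 1; }
    registry=$(oc get route -n openshift-image-registry default-route \
        -o=jsonpath='{.spec.host}') || return 1
    dst=$(target_ref "$registry" "$2")
    docker pull "$src" || return 1
    docker tag "$src" "$dst" || return 1
    oc whoami -t | docker login -u "$(oc whoami)" --password-stdin "$registry" || return 1
    docker push "$dst"
}

# Usage: sh mirror.sh ./tunnel-client-install-scripts/image.txt <TUNNEL_NAMESPACE>
if [ "$#" -eq 2 ]; then
    mirror_image "$1" "$2"
fi
```

Without arguments the script only defines the functions, so it can be sourced from a larger automation script.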
Install the tunnel client in an OpenShift cluster
- Run oc login to log in to the OpenShift cluster where you want to install the tunnel client.
- Obtain the tunnel client image. For more information, see Obtaining the tunnel client image.
-
Create a Kubernetes Docker registry secret by running the following command:
oc create secret docker-registry <any_name_for_the_secret> --docker-username=<registry username> --docker-password=<registry password> --docker-server=<Docker registry server> -n <the namespace where the tunnel client is installed>
-
Install the tunnel client by running the following commands:
cd ./tunnel-client-install-scripts
./install-openshift.sh \
  --image <tunnel_client_image_name> \
  --image-pull-secret <Docker-registry secret that you created in step 3> \
  --namespace <the namespace that the tunnel client will be installed in> \
  --accept-license true
Where <tunnel_client_image_name> is the image name that you get in Obtaining the tunnel client image.
-
Verify the tunnel client installation by using one of the following ways:
- You can see the output Install Tunnel Client successful when it is installed successfully.
- If you use the automation script, you can check the return value of install-openshift.sh. 0 means success, and other values mean failed.
Installing the tunnel client in a Linux® VM
Note: The Linux® VM needs to meet the following requirements:
- Only Linux® amd64 and ppc64le are supported.
- Ensure that the Docker service is installed in the VM.
- Ensure that the VM can connect to the tunnel server's Hub Cluster, and also can access the service that you want to expose. Usually, the VM is in the same network as the service that you want to expose by using tunnel.
- Obtain the tunnel client image. For more information, see Obtaining the tunnel client image.
- Log in to the Docker registry where the tunnel client image is stored.
-
Install the tunnel client by running the following commands:
cd ./tunnel-client-install-scripts
./install-vm.sh \
  --image <tunnel_client_image_name> \
  --accept-license true
Where <tunnel_client_image_name> is the image name that you get in Obtaining the tunnel client image.
-
Verify the tunnel client installation by using one of the following ways:
- You can see the output Install Tunnel Client successful when it is installed successfully.
- If you use the automation script, you can check the return value of the install-openshift.sh. 0 means success, and other values mean failed.
Uninstalling the tunnel client
-
To remove the tunnel client from a Linux® VM, run the following command:
./uninstall-vm.sh
-
To remove the tunnel client from a cluster, run the following command:
./uninstall-openshift.sh --namespace <the namespace where the tunnel client is installed>
Note: If you don't set --accept-license to true, you are asked to accept the license during installation. If you use the automation script as in Installing the tunnel client, you need to set --accept-license to true to use the silent installation.