Planning

Below is the step-by-step guide to plan and install the IBM Certified Container Software (CCS) in your cluster. Go through each link one by one and perform the operations that apply to your deployment needs.

Before you deploy the application, you must use the following information to plan the deployment:
  • Verifying system requirements
  • Application license requirements
  • IBM Licensing and Metering service
  • Certificate files for Secure Plus
  • SCC requirements
  • Hardening Red Hat OpenShift cluster
  • Encrypting etcd data

User Roles

Deployment tasks can be performed by the cluster administrator and the project administrator. The following table lists the types of tasks that are typically associated with each administrative role. The list is not intended to be exhaustive.

Role: Cluster Administrator
Tasks:
  • Creating namespaces (projects)
  • Creating SCC and assigning them to namespace (project)
  • Configuring Storage for data persistence
  • Providing environmental details
  • Installing and configuring IBM Licensing and Metering Service

Role: Project Administrator
Tasks:
  • Creating Secrets
  • Installing IBM Certified Container Software for Connect:Direct Web Services
  • Validating the install
  • Post deployment tasks

Verifying System Requirements

Before you begin the deployment process, verify that your system meets the hardware and software requirements specified for this release.

The Certified Container Software for IBM Connect:Direct Web Services has been verified on Red Hat Linux and requires the following minimum hardware and software resources:

Hardware Requirements

  • 2 GB Disk space
  • 1500m CPU core
  • 1 GB RAM
  • 500 MB for Persistent Volume
  • 2-3 GB of ephemeral storage
Note:
  • 500 MB is the minimum requirement for a fresh deployment.
  • For an upgrade, make sure you have sufficient space on the persistent volume so that a backup of the application data can reside on it.
  • For Production, double all of the above requirements and make Persistent Volume size at least 1000Mi.

Software Requirements

For Kubernetes cluster:
For Red Hat OpenShift cluster:
Other common requirements:
  • docker/podman to manage container images
  • If NFS is used as back-end storage for the Persistent Volume, ensure version >=4.1

A certified container deployment strictly enforces the system requirements listed above. If any of these requirements are not met, the deployment may fail. If the deployment fails, review the deployment log for a list of non-compliant items.

Installing OpenShift Container platform

Note: This step is optional. It is needed only if IBM Certified Container Software for IBM® Connect:Direct® Web Service is planned for deployment on a Red Hat OpenShift cluster.
OpenShift Container Platform brings together Docker and Kubernetes and provides an API to manage these services. OpenShift Container Platform allows you to create and manage containers.

It is an on-premise platform service that uses Kubernetes to manage containers built on a foundation of Red Hat Enterprise Linux. For more information on how to set up an OpenShift Container Platform cluster environment, see Installing OpenShift.

Brief about IBM Certified Container Software

  • A Helm chart is organized as a collection of files inside a directory named after the chart itself. For more information, see Helm Charts.

    Example Helm Chart

    <Name of a Chart>/
      Chart.yaml          # A YAML file containing information about the Chart.
      LICENSE             # OPTIONAL: A plain text file containing the license for the Chart.
      README.md           # OPTIONAL: A README file.
      requirements.yaml   # OPTIONAL: A YAML file listing dependencies for the Chart.
      values.yaml         # The default configuration values for this Chart.
      charts/             # A directory containing any Charts upon which this Chart depends.
      templates/          # A directory of templates that, when combined with values, generates valid Kubernetes manifest files.
      templates/NOTES.txt # OPTIONAL: A plain text file containing short usage notes.

  • This Helm chart deploys IBM Connect:Direct Web Services on a container management platform with the following resource deployments:
      • statefulset pod <release-name>-ibm-cdws-0

        1 replica by default

      • configMap <release-name>-ibm-cdws

        This is used to provide default configuration in cdws_param_file.

      • service <release-name>-ibm-cdws

        This is used to expose IBM Connect:Direct Web Services so that clients can access it.

      • service-account <release-name>-ibm-cdws-serviceaccount

        This service account will not be created if serviceAccount.create is false.

      • persistent volume claim <release-name>-ibm-cdws

        Note: If the release name is longer than 15 characters, the pod name may be truncated.
  • Certified Container Software commands

    For more information on other commands and options, see Helm Commands.

    1. To install a Chart
      $ helm install
    2. To upgrade to a new release
      $ helm upgrade
    3. To rollback a release to a previous version
      $ helm rollback
    4. To delete the release from Kubernetes.
      $ helm delete

Application license requirements

You must read the IBM Connect:Direct Web Services terms before deploying the software. The license number is 'L-FYHF-K7J2TN'.

To accept the license, set the license variable to true in the Helm CLI installation command. If the license variable is set to false, the deployment of IBM Certified Container Software for IBM Connect:Direct Web Service will not succeed. For more information, see Configuring - Understanding values.yaml.

The IBM Certified Container Software for IBM Connect:Direct Web Service is deployed as non-production by default. You can override this default behavior by changing the licenseType variable to prod. The licenseType value is used to annotate the IBM Certified Container Software for IBM Connect:Direct Web Service, and that annotation is in turn used by the Licensing and Metering service tool.

IBM Licensing and Metering Service

The IBM Certified Container Software for IBM Connect:Direct Web Service has been integrated with the IBM Licensing and Metering service using an Operator. This service collects information about license usage of IBM Certified Container Software for IBM Connect:Direct Web Service.

You can use the 'ibm-licensing-operator' to install the IBM Licensing and Metering service on any Kubernetes-based cluster. License Service collects information about license usage of IBM Containerized Products. You can retrieve license usage data through a dedicated API call and generate an audit snapshot on demand, on a cluster without IBM Cloud Pak.

For the installation overview, see License Service deployment.

For retrieving the licensing information, see Track license usage.

Certificate files for Web Services

When installing IBM Certified Container Software for Connect:Direct Web Services and configuring key certificates and trusted certificates, you will require a certificate file. Use only valid certificate files during deployment, and keep them readily accessible throughout the IBM Certified Container Software for Connect:Direct Web Services deployment process.

Use the following command to create a secret from the certificate file to be used during deployment:
kubectl create secret generic <certificate-secret-name> --from-file=<certificate-file-name-with-path>

For more information, refer to Configuring - Understanding values.yaml.
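
A pre-flight check for the secret creation step above, as an added example that is not part of the IBM documentation. It assumes the certificate file is PEM-encoded and that openssl and kubectl are on the PATH; the function names, the 30-day threshold and the namespace argument are illustrative.

```shell
# Added example, not IBM-supplied code. Assumes a PEM-encoded certificate file.

# cert_is_usable FILE [MIN_DAYS]
# Returns 0 if FILE holds an X.509 certificate that stays valid for at least
# MIN_DAYS more days (default 30); 2 = unreadable file, 3 = no certificate
# found in the file, 4 = certificate expires within MIN_DAYS.
cert_is_usable() {
  cert_file=$1
  min_days=${2:-30}
  [ -r "$cert_file" ] || { echo "cannot read $cert_file" >&2; return 2; }
  # Parse only; openssl exits non-zero if the file contains no certificate.
  openssl x509 -in "$cert_file" -noout 2>/dev/null \
    || { echo "$cert_file is not a PEM certificate" >&2; return 3; }
  # -checkend N exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert_file" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "$cert_file expires within $min_days days" >&2; return 4; }
}

# create_cert_secret SECRET_NAME FILE NAMESPACE
# Creates the secret only after the certificate passes the check, and places
# it in the namespace (project) where the chart will be installed.
create_cert_secret() {
  secret_name=$1
  cert_file=$2
  namespace=$3
  cert_is_usable "$cert_file" 30 || return
  kubectl create secret generic "$secret_name" \
    --from-file="$cert_file" --namespace "$namespace"
}

# Usage (placeholders as in the command above):
#   create_cert_secret <certificate-secret-name> <certificate-file-name-with-path> <namespace>
```

A failed check leaves the cluster untouched, so an expired or malformed file is caught before the deployment reads the secret.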

Security Context Constraints requirements

Security Context Constraints (SCC) is a cluster-level resource that enables administrators to manage the security aspects of pods within Red Hat OpenShift clusters.

IBM Certified Container Software for Connect:Direct Web Services requires Security Context Constraints (SCC) to be tied to the target namespace prior to deployment. Because SCC is a cluster-level resource, you must work with your Cluster Administrator, whose involvement is essential for creating this resource.

For more information on SCC, see Security Context Constraints for OpenShift cluster.

Hardening Red Hat OpenShift Cluster

This is not a mandatory requirement for IBM CCS installation, but it is a security aspect to understand in order to make your cluster more secure.

If you are planning to deploy on an OpenShift cluster, OpenShift provides hardening guidelines. For more details, see Hardening Red Hat OpenShift cluster.

Encrypting etcd Data

This is not a mandatory requirement for IBM CCS installation, but it is a security aspect to understand in order to make your cluster more secure.

By default, etcd data is not encrypted in a Kubernetes/OpenShift cluster. You can enable etcd encryption for your cluster to provide an additional layer of data security (data at rest). For example, it can help protect against the loss of sensitive data if an etcd backup is exposed to the incorrect parties. For more information, refer to Kubernetes and Red Hat OpenShift.