Planning
Below is the step-by-step guide to plan and install the IBM Certified Container Software (CCS) in your cluster. Go through each link one by one and perform the operations that apply to your deployment needs.
- Verifying system requirements
- Application license requirements
- IBM Licensing and Metering service
- Certificates files for Secure Plus
- SCC requirements
- Hardening RedHat OpenShift cluster
- Encrypting etcd data
User Roles
Role | Task |
---|---|
Cluster Administrator |
|
Project Administrator |
|
Verifying System Requirements
Before you begin the deployment process, verify that your system meets the hardware and software requirements specified for this release.
The Certified Container Software for IBM Connect:Direct Web Services has been verified on Red Hat Linux and requires the following minimum hardware and software resources:
Hardware Requirements
- 2 GB Disk space
- 1500m CPU core
- 1 GB RAM
- 500 MB for Persistent Volume
- 2-3 GB of ephemeral storage
- 500 MB is minimum requirement for fresh deployment.
- For upgrade, make sure you have sufficient space on persistent volume so that backup of application data could reside on persistent volume.
- For Production, double all of the above requirements and make Persistent Volume size at least 1000Mi.
Software Requirements
- Kubernetes >= 1.27 and < 1.31
- helm >=3.2
- compatible kubectl client tool
- Red Hat OpenShift Container Platform (OCP) >= 4.14 and <=4.17
- helm >=3.2
- compatible oc client tool
A certified container deployment strictly enforces the above system requirements. If any of these requirements is not met, the deployment may fail. If the deployment fails, review the deployment log for a list of non-compliant items.
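The version ranges above can be checked before running the installation. The following script is an added example, not part of IBM's tooling; the function names `ver_key`, `check_component` and `report` are hypothetical, and it compares only major.minor, ignoring patch level and build suffixes.

```shell
#!/bin/sh
# Added example: pre-flight version check against this page's Software Requirements.
# Assumption: only major.minor is compared; patch level and build suffixes are ignored.

# ver_key <version>: print major*1000+minor for "v1.29.4", "4.16.2", "v3.14.0+g3fc9f4b".
ver_key() {
  v=${1#v}
  case $v in
    [0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%[!0-9]*}
  case $major in *[!0-9]*) return 1 ;; esac
  [ -n "$minor" ] || return 1
  echo $(( major * 1000 + minor ))
}

# check_component <kubernetes|openshift|helm> <version>
# Returns 0 in range, 1 out of range, 2 if the input cannot be parsed.
check_component() {
  k=$(ver_key "$2") || return 2
  case $1 in
    kubernetes) [ "$k" -ge 1027 ] && [ "$k" -lt 1031 ] ;;   # >= 1.27 and < 1.31
    openshift)  [ "$k" -ge 4014 ] && [ "$k" -le 4017 ] ;;   # >= 4.14 and <= 4.17
    helm)       [ "$k" -ge 3002 ] ;;                        # >= 3.2
    *) return 2 ;;
  esac
}

# report <component> <version>: print one PASS/FAIL line per component.
report() {
  if check_component "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi
}

# Live use on a workstation with cluster access:
#   report helm      "$(helm version --template '{{.Version}}')"
#   report openshift "$(oc get clusterversion version -o jsonpath='{.status.desired.version}')"
```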
Installing OpenShift Container platform
OpenShift Container Platform is an on-premise platform service that uses Kubernetes to manage containers built on a foundation of Red Hat Enterprise Linux. For more information on how to set up an OpenShift Container Platform cluster environment, see Installing OpenShift.
Brief about IBM Certified Container Software
- A Helm chart is organized as a collection of files inside a directory by the name of the Chart itself. For more information, see Helm Charts.
Example Helm Chart
    <Name of a Chart>/
      Chart.yaml          # A YAML file containing information about the Chart.
      LICENSE             # OPTIONAL: A plain text file containing the license for the Chart.
      README.md           # OPTIONAL: A README file.
      requirements.yaml   # OPTIONAL: A YAML file listing dependencies for the Chart.
      values.yaml         # The default configuration values for this Chart.
      Charts/             # A directory containing any Charts upon which this Chart depends.
      templates/          # A directory of templates that, when combined with values, generates valid Kubernetes manifest files.
      templates/NOTES.txt # OPTIONAL: A plain text file containing short usage notes.
- This Helm chart deploys IBM Connect:Direct Web Services on a container management platform with the following resource deployments:
  - statefulset pod <release-name>-ibm-cdws-0
    1 replica by default
  - configMap <release-name>-ibm-cdws
    This is used to provide the default configuration in cdws_param_file.
  - service <release-name>-ibm-cdws
    This is used to expose IBM Connect:Direct Web Services so that clients can access it.
  - service-account <release-name>-ibm-cdws-serviceaccount
    This service account will not be created if serviceAccount.create is false.
  - persistent volume claim <release-name>-ibm-cdws
    Note: If the release name is greater than 15 characters then the pod name may be truncated.
- Certified Container Software commands
For more information on other commands and options, see Helm Commands.
- To install a Chart
$ helm install
- To upgrade to a new release
$ helm upgrade
- To roll back a release to a previous version
$ helm rollback
- To delete the release from Kubernetes
$ helm delete
Application license requirements
You must read the IBM Connect:Direct Web Services terms before deploying the software. The license number is 'L-FYHF-K7J2TN'.
To accept the license, set the license variable to true in the Helm CLI installation command. If the license variable is set to false, deployment of IBM Certified Container Software for IBM Connect:Direct Web Service will not be successful. For more information, see Configuring - Understanding values.yaml.
The IBM Certified Container Software for IBM Connect:Direct Web Service is deployed as non-production by default. You can override this default behavior by changing the licenseType variable to prod. The licenseType value is used to annotate the IBM Certified Container Software for IBM Connect:Direct Web Service, which is eventually used by the Licensing and Metering service tool.
IBM Licensing and Metering Service
The IBM Certified Container Software for IBM Connect:Direct Web Service has been integrated with IBM Licensing and Metering service using Operator. This service collects information about license usage of IBM Certified Container Software for IBM Connect:Direct Web Service.
You can use the 'ibm-licensing-operator' to install the IBM Licensing and Metering service on any Kubernetes-based cluster. License Service collects information about license usage of IBM Containerized Products. You can retrieve license usage data through a dedicated API call and generate an audit snapshot on demand on a cluster without IBM Cloud Pak.
For the installation overview, see License Service deployment.
For retrieving the licensing information, see Track license usage.
Certificates files for Web Services
When installing IBM Certified Container Software for Connect:Direct Web Services and configuring key certificates and trusted certificates, you will require a certificate file. Use valid certificate files during deployment, and keep them readily accessible throughout the IBM Certified Container Software for Connect:Direct Web Services deployment process. Create a secret from the certificate file:
kubectl create secret generic <certificate-secret-name> --from-file=<certificate-file-name-with-path>
For more information, refer to Configuring - Understanding values.yaml.
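One way to confirm that a certificate file is valid before it goes into the secret, shown as an added example that is not part of IBM's procedure. It assumes the file is PEM-encoded X.509 and that `openssl` is installed; the function names and the 30-day threshold are illustrative.

```shell
#!/bin/sh
# Added example: validate a certificate file before storing it in the secret.
# Assumptions: the file is PEM-encoded X.509; 30 days of remaining validity is
# an illustrative threshold, not an IBM requirement.

# check_cert <pem-file> [min-days]
# Returns 0 if usable, 2 unreadable, 3 not a PEM certificate, 4 expiring too soon.
check_cert() {
  file=$1
  days=${2:-30}
  [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
  openssl x509 -in "$file" -noout >/dev/null 2>&1 ||
    { echo "not a PEM X.509 certificate: $file" >&2; return 3; }
  openssl x509 -in "$file" -noout -checkend $(( days * 86400 )) >/dev/null ||
    { echo "expires within $days days: $file" >&2; return 4; }
  # Show what is about to be deployed so the operator can confirm it.
  openssl x509 -in "$file" -noout -subject -enddate
}

# create_cert_secret <certificate-secret-name> <certificate-file-name-with-path>
# Runs the page's kubectl command only after the file passes check_cert.
create_cert_secret() {
  check_cert "$2" || return
  kubectl create secret generic "$1" --from-file="$2"
}
```

With `--from-file`, kubectl uses the file's base name as the key inside the secret.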
Security Context Constraints requirements
Security Context Constraints (SCC) is a cluster-level resource that enables administrators to manage the security aspects of pods within Red Hat OpenShift clusters.
IBM Certified Container Software for Connect:Direct Web Services requires Security Context Constraints (SCC) to be tied to the target namespace prior to deployment. Because SCC is a cluster-level resource, discuss this with your Cluster Administrator, whose involvement is essential for creating this resource.
For more information on SCC, see Security Context Constraints for OpenShift cluster.
Hardening RedHat OpenShift Cluster
This is not a mandatory requirement for IBM CCS installation, but it is a security aspect you should understand to make your cluster more secure.
If you are planning to deploy on an OpenShift cluster, OpenShift provides hardening guidelines. For more details, see Hardening RedHat OpenShift cluster.
Encrypting etcd Data
This is not a mandatory requirement for IBM CCS installation, but it is a security aspect you should understand to make your cluster more secure.
By default, etcd data is not encrypted in a Kubernetes/OpenShift cluster. You can enable etcd encryption for your cluster to provide an additional layer of data security (data at rest). For example, it can help protect against the loss of sensitive data if an etcd backup is exposed to the incorrect parties. For more information, refer to Kubernetes and Red Hat OpenShift.