Installing watsonx Orchestrate in an HCP environment

You can install watsonx Orchestrate in a Hosted Control Plane (HCP) environment.

Prerequisites

Before running the script, ensure that you have:
System requirements
  • Red Hat® OpenShift® Container Platform cluster: Red Hat OpenShift Container Platform 4.x or later with HCP (Hosted Control Plane) support
  • Namespace Access: Administrative access to the openshift-storage namespace
  • Storage Backend: Access to a remote HCP S3-compatible storage endpoint
  • Network Configuration: Ability to modify NetworkPolicy rules within the cluster
Required components
  • NooBaa Operator: Version compatible with your Red Hat OpenShift Container Platform cluster
  • Red Hat OpenShift Container Platform Data Foundation (ODF): Installed and configured
  • S3 Credentials: Valid access key and secret key for the remote HCP S3 backend
  • watsonx Orchestrate: Deployed or ready for deployment
Network requirements
  • Internal cluster networking between openshift-storage and watsonx Orchestrate namespaces
  • Outbound connectivity from NooBaa pods to the remote HCP S3 endpoint
  • DNS resolution for the HCP S3 endpoint

Prepare for installation

Step 1: Get NooBaa details from the HCP cluster
Run the command
HCP_ACCESS_KEY_ID=$(oc get secret noobaa-admin -n openshift-storage -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 -d)
HCP_SECRET_ACCESS_KEY=$(oc get secret noobaa-admin -n openshift-storage -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 -d)
Step 2: Get the remote S3 Endpoint from the HCP cluster
Run the command
oc get route -n openshift-storage | grep s3
HCP_ENDPOINT=<S3 ROUTE URL>
Step 3: Extract the TLS certificate from the remote S3 endpoint
Run the command
echo | openssl s_client -servername "${HCP_ENDPOINT}" \
  -connect "${HCP_ENDPOINT}:443" -showcerts 2>/dev/null | \
  sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > ca-certificate.crt
Verify the certificate
openssl x509 -in ca-certificate.crt -text -noout
Step 4: Create configmap with remote S3 endpoint TLS certificate on the watsonx Orchestrate cluster
Run the command
oc create configmap custom-ca-bundle \
  --from-file=ca-bundle.crt=ca-certificate.crt \
  -n openshift-storage
Step 5: Create secret for HCP credentials on the watsonx Orchestrate cluster
Run the command
cat <<EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: hcp-s3-credentials
  namespace: openshift-storage
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: ${HCP_ACCESS_KEY_ID}
  AWS_SECRET_ACCESS_KEY: ${HCP_SECRET_ACCESS_KEY}
EOF
Step 6: Create the backing store Bucket on the HCP cluster
Run the command
aws s3 mb s3://hcp-bucket-watsonx-orchestrate --endpoint-url https://${HCP_ENDPOINT} --no-verify-ssl
Step 7: Create the backing store on watsonx Orchestrate cluster
Run the command
cat <<EOF | oc apply -f -
apiVersion: noobaa.io/v1alpha1
kind: BackingStore
metadata:
  name: hcp-backing-store-watsonx-orchestrate
  namespace: openshift-storage
spec:
  type: s3-compatible
  s3Compatible:
    endpoint: ${HCP_ENDPOINT}
    signatureVersion: v4
    secret:
      name: hcp-s3-credentials
      namespace: openshift-storage
    additionalConfig:
      # Reference the CA bundle ConfigMap
      caBundleConfigMap: custom-ca-bundle
    targetBucket: hcp-bucket-watsonx-orchestrate
EOF
Wait until the backing store is ready
oc get backingstore hcp-backing-store-watsonx-orchestrate -n openshift-storage -w
Step 8: Create NooBaa account (If not installed)
Run the command
cat <<EOF | oc apply -f -
apiVersion: noobaa.io/v1alpha1
kind: NooBaa
metadata:
  name: noobaa
  namespace: openshift-storage
spec:
  dbType: postgres
  dbStorageClass: ocs-storagecluster-ceph-rbd
  pvPoolDefaultStorageClass: ocs-storagecluster-ceph-rbd
  coreResources:
    requests:
      cpu: "500m"
      memory: "4Gi"
  dbResources:
    requests:
      cpu: "500m"
      memory: "2Gi"
  cleanupPolicy:
    confirmation: "yes-really-destroy-noobaa"
    allowNoobaaDeletion: true
EOF
Monitor creation
oc get noobaa -n openshift-storage -w
Step 9: Create a Bucket class for the HCP backing store
Run the command
cat <<EOF | oc apply -f -
apiVersion: noobaa.io/v1alpha1
kind: BucketClass
metadata:
  name: hcp-bucket-class-wxo
  namespace: openshift-storage
spec:
  placementPolicy:
    tiers:
    - backingStores:
      - hcp-backing-store-watsonx-orchestrate
EOF
Wait until the bucket class is ready
oc get bucketclass hcp-bucket-class-wxo -n openshift-storage -w
Step 10: Set the Bucket class as default
Run the command
oc annotate bucketclass hcp-bucket-class-wxo \
  storageclass.kubernetes.io/is-default-class="true" \
  -n openshift-storage --overwrite
Step 11: Update default Bucket class to use the new backing store
Run the command
oc patch bucketclass noobaa-default-bucket-class -n openshift-storage --type=json \
  --patch='[{"op": "replace", "path": "/spec/placementPolicy/tiers/0/backingStores/0", "value": "hcp-backing-store-watsonx-orchestrate"}]'
Step 12: Confirm the configuration change
Run the command
oc get bucketclass noobaa-default-bucket-class  -n openshift-storage -o jsonpath='{.spec.placementPolicy.tiers[*].backingStores}'
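
The verify command in Step 3 decodes only the first certificate in ca-certificate.crt, while -showcerts can write the whole chain the server sent, and Step 4 loads all of it as trusted. The following added example (not part of the original procedure; the function names split_bundle and describe_bundle are hypothetical) reports every certificate in the file so that the fingerprints can be compared with values obtained from the HCP cluster administrator before the ConfigMap is created.

```bash
#!/usr/bin/env bash
# Added example, not part of the product procedure.

# split_bundle FILE OUTDIR: write each PEM certificate in FILE to
# OUTDIR/cert-N.pem (chain order preserved) and print how many were found.
split_bundle() {
  local bundle=$1 outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$bundle"
}

# describe_bundle FILE: report identity, expiry, SHA-256 fingerprint and CA
# flag for every certificate. Returns 1 if FILE holds no certificate or if
# any certificate expires within 30 days.
describe_bundle() {
  local bundle=$1 rc=0 tmp count i pem
  tmp=$(mktemp -d) || return 1
  count=$(split_bundle "$bundle" "$tmp")
  if [ "$count" -eq 0 ]; then
    echo "no certificate found in $bundle" >&2
    rm -rf "$tmp"
    return 1
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    pem="$tmp/cert-$i.pem"
    echo "--- certificate $i of $count"
    openssl x509 -in "$pem" -noout -subject -issuer -enddate -fingerprint -sha256
    if openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
      echo "basicConstraints: CA:TRUE (can act as a trust anchor)"
    else
      echo "basicConstraints: not a CA (leaf certificate)"
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
      echo "WARNING: expires within 30 days"
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# Run against the file written in Step 3 when it is present.
if [ -f ca-certificate.crt ]; then describe_bundle ca-certificate.crt; fi
```

If the report shows that the file contains the issuing CA (CA:TRUE), the AWS CLI option --ca-bundle ca-certificate.crt is an alternative to --no-verify-ssl in Step 6. Whether the route serves its CA certificate is an assumption to confirm from the report.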

Install watsonx Orchestrate

Now that the NooBaa configuration is complete, install the watsonx Orchestrate component. cpd-cli setup-mcg creates the noobaa-*-watsonx-orchestrate secrets, which point to the local S3 endpoint. The default NooBaa backing store points to the HCP cluster. The s3-create-bucket job creates its bucket on the HCP cluster. The Milvus ObjectBucketClaim points to the backing store on the HCP cluster.