Installing in an air gap environment by using a bastion server

A cluster administrator can install WebSphere Automation in an air gap environment that has a bastion server with external internet access.

About this task

Note: The following instructions are for the original method for deploying WebSphere Automation into an air gap environment using the cloudctl utility. For the more recent method, using the ibm-pak plug-in, see Installing by mirroring images to a private container registry (with ibm-pak plug-in).

Before you begin

Installation in an air gap environment has the following prerequisites:

  • A bastion server that has access to the Red Hat® OpenShift® Container Platform 4.14 or later cluster, the local container registry, and the internet. The bastion server must be on a Linux® x86_64 or Linux on IBM Z platform with a Red Hat Enterprise Linux version 8 operating system.
  • Docker 17.05 or later or Podman version 1.4 or later installed on the bastion.
  • OpenShift Container Platform CLI tool (oc).
  • A container registry that supports Docker Image Manifest V2 format, accessible by the bastion server and the Red Hat OpenShift cluster.
  • An entitlement key to the IBM® Entitled Container Fulfillment Registry.
    1. Log in to MyIBM Container Software Library with the IBMid and password that are associated with the entitled software.
    2. In the Active entitlement keys section, click Copy to copy the entitlement key to the clipboard.

Procedure

  1. Mirror WebSphere Automation images.
  2. Install the WebSphere Automation operator.
  3. Create an instance of WebSphere Automation.

Mirroring WebSphere Automation container images and configuring a cluster

  1. Install cloudctl.
    1. Follow the instructions at the IBM public IBM Cloud Pak cli repository to download and verify the cloudctl tool.
    2. After you download and verify the cloudctl binary for your operating system, move the binary to the path appropriate for your operating system. For example, for Linux, run the following command to rename and move the file.
      sudo mv cloudctl-os-arch /usr/local/bin/cloudctl
  2. Download Container Application Software for Enterprises (CASE).

    Run the cloudctl case save command to download the CASE metadata.

    cloudctl case save \
     --repo https://github.com/IBM/cloud-pak/raw/master/repo/case --case $CASE_NAME --version $CASE_VERSION \
     --outputdir ./ibm-websphere-automation
    For the current release of WebSphere Automation,
    • CASE_NAME=ibm-websphere-automation
    • CASE_VERSION is the version of WebSphere Automation that you want to install, for example, 1.8.2; you can see the available versions in the repository.
  3. Create environment variables.

    Replace variables in the following example with your own information.

    export MIRROR_REGISTRY=registry
    export MIRROR_REGISTRY_USERNAME=username
    export MIRROR_REGISTRY_PASSWORD=password
    export CASEPATH=absolute_path_to_downloaded_ibm-websphere-automation
  4. Log in to your Red Hat OpenShift Container Platform cluster.
    oc login https://your_api_cluster_url
  5. Create credentials for the mirror registry.
    cloudctl case launch \
     --case $CASEPATH \
     --inventory automationOperatorSetup \
     --action configure-creds-airgap \
     --args "--registry $MIRROR_REGISTRY --user $MIRROR_REGISTRY_USERNAME --pass $MIRROR_REGISTRY_PASSWORD"
  6. If you use a mirror registry that is insecure, configure an insecure registry.

    Configure the cluster to enable pulling images from this registry. Replace registry with the name of your registry and then run the patch command.

    oc patch image.config.openshift.io/cluster --type=merge \
     -p '{"spec":{"registrySources":{"insecureRegistries":["registry"]}}}'
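The insecureRegistries setting above turns off TLS verification for every pull from that registry, so a practitioner will usually prefer the OpenShift alternative of trusting the registry's CA through additionalTrustedCA. The following script is an added example, not part of the IBM documentation: it builds the weak patch and the hardened patch side by side so both can be inspected, and only talks to the cluster when APPLY=1 is set. The registry name registry.example.com:5000, the ConfigMap name registry-cas and the MIRROR_REGISTRY_CA variable are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): the two
# image.config.openshift.io/cluster patches side by side. The insecure
# variant is what the step above applies; the trusted-CA variant keeps TLS
# verification on. Nothing is applied unless APPLY=1 is set.
# registry.example.com:5000 and registry-cas are placeholders.

# Patch body that disables TLS verification for one registry (weak setting).
insecure_registry_patch() {
  printf '{"spec":{"registrySources":{"insecureRegistries":["%s"]}}}' "$1"
}

# ConfigMap key expected by additionalTrustedCA: the registry host, with a
# ":port" suffix written as "..port" (OpenShift's documented convention).
ca_configmap_key() {
  printf '%s' "$1" | sed 's/:/../'
}

# Patch body that trusts the registry's CA instead (hardened setting).
trusted_ca_patch() {
  printf '{"spec":{"additionalTrustedCA":{"name":"%s"}}}' "$1"
}

# Apply the hardened variant: a ConfigMap in openshift-config holding the
# registry CA certificate, then point the cluster image config at it.
apply_trusted_ca() {
  registry=$1; ca_file=$2; cm_name=${3:-registry-cas}
  oc create configmap "$cm_name" \
    --from-file="$(ca_configmap_key "$registry")=$ca_file" \
    -n openshift-config --dry-run=client -o yaml | oc apply -f -
  oc patch image.config.openshift.io/cluster --type=merge \
    -p "$(trusted_ca_patch "$cm_name")"
}

if [ "${APPLY:-0}" = "1" ]; then
  # MIRROR_REGISTRY_CA is assumed to hold the path to the registry CA PEM file.
  apply_trusted_ca "${MIRROR_REGISTRY:?}" "${MIRROR_REGISTRY_CA:?}"
else
  echo "insecure (weak):   $(insecure_registry_patch registry.example.com:5000)"
  echo "trusted CA (safe): $(trusted_ca_patch registry-cas)"
  echo "ConfigMap key:     $(ca_configmap_key registry.example.com:5000)"
fi
```

Run it without APPLY to see the two patch bodies; with APPLY=1 it creates the ConfigMap and patches the cluster, leaving insecureRegistries untouched so pulls from the mirror stay authenticated and verified.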
  7. Create credentials for the IBM entitlement registry.

    Replace entitlement_key with your entitlement key and then run the cloudctl case launch command.

    cloudctl case launch \
     --case $CASEPATH \
     --inventory automationOperatorSetup \
     --action configure-creds-airgap \
     --args "--registry cp.icr.io --user cp --pass entitlement_key"
  8. Mirror the images.
    export OFFLINEDIR=absolute_path_to_outputdir_from_previous_cloudctl_case_save
    cloudctl case launch \
     --case $CASEPATH \
     --inventory automationOperatorSetup \
     --action mirror-images \
     --args "--registry $MIRROR_REGISTRY --inputDir $OFFLINEDIR"
  9. Configure ImageContentSourcePolicy and create a global pull secret.

    Run the following command to configure the cluster to redirect image requests to the mirrored registry and create a global pull secret for the mirrored registry.

    cloudctl case launch \
     --case $CASEPATH \
     --namespace default \
     --inventory automationOperatorSetup \
     --action configure-cluster-airgap \
     --args "--registry $MIRROR_REGISTRY --inputDir $OFFLINEDIR"
    Tip: Deployment of the ImageContentSourcePolicy resource takes several minutes while each node is drained of its pods. Before you move to the next step, ensure that the status of all nodes is Ready. Run the oc get nodes command to check the status.
  10. Wait for the rollout process to finish.

    Run the following command to verify that Updated is set to true.

    oc get machineconfigpools
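Steps 9 and 10 tell you what to look for but not how to check it mechanically. The script below is an added example, not part of the IBM documentation: two small parsers read the plain-text output of oc get nodes --no-headers and oc get machineconfigpools --no-headers from stdin and succeed only when every node is exactly Ready (a draining node shows Ready,SchedulingDisabled) and every MachineConfigPool is Updated and not Degraded. The sample outputs embedded in it are constructed; the real polling loop runs only when POLL=1 is set.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: readiness checks for
# the node drain and the MachineConfigPool rollout. The parsers read the
# output of `oc get ... --no-headers` from stdin, so they can be exercised
# on captured text without a cluster. The polling loop runs only with POLL=1.

# Exit 0 when every node's STATUS column is exactly "Ready".
# A node being drained shows "Ready,SchedulingDisabled" and must not pass.
all_nodes_ready() {
  awk '$2 != "Ready" { bad++ } END { exit (bad > 0) }'
}

# Exit 0 when every MachineConfigPool reports UPDATED=True and DEGRADED=False.
# Column order of `oc get mcp`: NAME CONFIG UPDATED UPDATING DEGRADED ...
mcp_rolled_out() {
  awk '$3 != "True" || $5 != "False" { bad++ } END { exit (bad > 0) }'
}

# Constructed sample output for the offline demonstration.
NODES_DRAINING='master-0   Ready                      master   30d   v1.27.6
worker-0   Ready,SchedulingDisabled   worker   30d   v1.27.6'
NODES_DONE='master-0   Ready   master   30d   v1.27.6
worker-0   Ready   worker   30d   v1.27.6'
MCP_ROLLING='master   rendered-master-abc   True    False   False   3   3   3   0   30d
worker   rendered-worker-def   False   True    False   2   1   1   0   30d'
MCP_DONE='master   rendered-master-abc   True   False   False   3   3   3   0   30d
worker   rendered-worker-ghi   True   False   False   2   2   2   0   30d'

if [ "${POLL:-0}" = "1" ]; then
  # Real wait: poll the cluster until both conditions hold at the same time.
  until oc get nodes --no-headers | all_nodes_ready &&
        oc get machineconfigpools --no-headers | mcp_rolled_out; do
    echo "rollout in progress, waiting 30s"; sleep 30
  done
  echo "all nodes Ready and all MachineConfigPools Updated"
else
  printf '%s\n' "$NODES_DRAINING" | all_nodes_ready && echo "nodes ready: yes" || echo "nodes ready: no (worker-0 draining)"
  printf '%s\n' "$NODES_DONE"     | all_nodes_ready && echo "nodes ready: yes" || echo "nodes ready: no"
  printf '%s\n' "$MCP_ROLLING"    | mcp_rolled_out  && echo "mcp updated: yes" || echo "mcp updated: no (worker pool updating)"
  printf '%s\n' "$MCP_DONE"       | mcp_rolled_out  && echo "mcp updated: yes" || echo "mcp updated: no"
fi
```

Checking both conditions in one loop matters because the pools can report Updated while the last node is still being uncordoned; moving on to the catalog install before that point is a common cause of image pull failures from the mirror.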

Installing the WebSphere Automation operator

  1. Set the WSA_OPERATOR_NAMESPACE and WSA_INSTANCE_NAMESPACE shell variables.

    For the AllNamespaces installation mode, set WSA_OPERATOR_NAMESPACE to openshift-operators. Set WSA_INSTANCE_NAMESPACE to the instance namespace, for example, websphere-automation. For SingleNamespace, use different namespace values. For OwnNamespace mode, set WSA_OPERATOR_NAMESPACE to the same value as WSA_INSTANCE_NAMESPACE.

    WSA_OPERATOR_NAMESPACE=openshift-operators
    WSA_INSTANCE_NAMESPACE=websphere-automation
  2. Create the namespaces, if needed.

    The catalog namespace, openshift-marketplace, already exists. For the AllNamespaces installation mode, the openshift-operators namespace also already exists.

    oc create namespace $WSA_OPERATOR_NAMESPACE
    oc create namespace $WSA_INSTANCE_NAMESPACE
  3. For either OwnNamespace or SingleNamespace mode, create an OperatorGroup.
    Note: For the default AllNamespaces mode, skip this step.
    cat <<EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1alpha2
    kind: OperatorGroup
    metadata:
      name: ibm-websphere-automation
      namespace: $WSA_OPERATOR_NAMESPACE
    spec:
      targetNamespaces:
      - $WSA_INSTANCE_NAMESPACE
    EOF
  4. Install operator catalog for WebSphere Automation and its dependencies.
    cloudctl case launch \
     --case $CASEPATH \
     --namespace openshift-marketplace \
     --inventory automationOperatorSetup \
     --action install-catalog \
     --args "--inputDir $OFFLINEDIR --recursive --registry icr.io"
  5. Install the WebSphere Automation operator.
    cloudctl case launch \
     --case $CASEPATH \
     --namespace $WSA_OPERATOR_NAMESPACE \
     --inventory automationOperatorSetup \
     --action install-operator \
     --args "--inputDir $OFFLINEDIR"
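Steps 1 to 3 above state three namespace rules, one per install mode, and a wrong combination is only discovered when the OperatorGroup is applied. The script below is an added example, not IBM's code: it encodes those rules in a check, renders the OperatorGroup from step 3 only for the modes that need one, and applies nothing unless APPLY=1 is set. The INSTALL_MODE variable is introduced here; the namespace names are the documentation's own examples.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): validates the install
# mode against the operator/instance namespaces as described in step 1 and
# renders the OperatorGroup from step 3 where one is required.
# INSTALL_MODE is a variable introduced here. Applied only when APPLY=1.

# Return 0 when MODE, operator namespace and instance namespace are consistent.
check_install_mode() {
  mode=$1; op_ns=$2; inst_ns=$3
  case $mode in
    AllNamespaces)
      [ "$op_ns" = "openshift-operators" ] ||
        { echo "AllNamespaces: operator namespace must be openshift-operators" >&2; return 1; } ;;
    OwnNamespace)
      [ "$op_ns" = "$inst_ns" ] ||
        { echo "OwnNamespace: operator and instance namespaces must match" >&2; return 1; } ;;
    SingleNamespace)
      [ "$op_ns" != "$inst_ns" ] ||
        { echo "SingleNamespace: operator and instance namespaces must differ" >&2; return 1; } ;;
    *)
      echo "unknown install mode: $mode" >&2; return 1 ;;
  esac
}

# Print the OperatorGroup manifest for OwnNamespace/SingleNamespace.
# For AllNamespaces (the default) print nothing: no OperatorGroup is needed.
operator_group_manifest() {
  mode=$1; op_ns=$2; inst_ns=$3
  [ "$mode" = "AllNamespaces" ] && return 0
  cat <<EOF
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: ibm-websphere-automation
  namespace: $op_ns
spec:
  targetNamespaces:
  - $inst_ns
EOF
}

INSTALL_MODE=${INSTALL_MODE:-AllNamespaces}
WSA_OPERATOR_NAMESPACE=${WSA_OPERATOR_NAMESPACE:-openshift-operators}
WSA_INSTANCE_NAMESPACE=${WSA_INSTANCE_NAMESPACE:-websphere-automation}

if check_install_mode "$INSTALL_MODE" "$WSA_OPERATOR_NAMESPACE" "$WSA_INSTANCE_NAMESPACE"; then
  if [ "${APPLY:-0}" = "1" ]; then
    # Create namespaces only if missing, so re-running the script is harmless.
    for ns in "$WSA_OPERATOR_NAMESPACE" "$WSA_INSTANCE_NAMESPACE"; do
      oc get namespace "$ns" >/dev/null 2>&1 || oc create namespace "$ns"
    done
    [ "$INSTALL_MODE" = "AllNamespaces" ] ||
      operator_group_manifest "$INSTALL_MODE" "$WSA_OPERATOR_NAMESPACE" "$WSA_INSTANCE_NAMESPACE" | oc apply -f -
  else
    echo "mode $INSTALL_MODE: operator=$WSA_OPERATOR_NAMESPACE instance=$WSA_INSTANCE_NAMESPACE"
    operator_group_manifest "$INSTALL_MODE" "$WSA_OPERATOR_NAMESPACE" "$WSA_INSTANCE_NAMESPACE"
  fi
fi
```

For example, INSTALL_MODE=OwnNamespace WSA_OPERATOR_NAMESPACE=wsa WSA_INSTANCE_NAMESPACE=wsa prints the OperatorGroup, while the same mode with openshift-operators as the operator namespace is rejected before anything is created.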

Creating an instance of WebSphere Automation

Deploy the following configuration to create an instance of WebSphere Automation in an air gap environment.

cat <<EOF | oc apply -f -
apiVersion: automation.websphere.ibm.com/v1
kind: WebSphereSecure
metadata:
  name: wsa-secure
  namespace: $WSA_INSTANCE_NAMESPACE
spec:
  license:
    accept: false
  cveMonitor:
    suspend: true
---
apiVersion: automation.websphere.ibm.com/v1
kind: WebSphereHealth
metadata:
  name: wsa-health
  namespace: $WSA_INSTANCE_NAMESPACE
spec:
  license:
    accept: false
EOF

To install only the security capability, omit the WebSphereHealth portion from the configuration.

The .spec.cveMonitor.suspend property disables a job that runs periodically to download the most recent security bulletin information from ibm.com. If your cluster does not have internet access, set that property to true to populate WebSphere Automation with a static set of security bulletins. For more information about how to customize the WebSphere Automation instance, see WebSphereSecure resource configuration.

If your cluster has internet access through a proxy server, then you can configure the WebSphereSecure custom resource with the proxy server configuration. For more information, see Configuring to use a proxy server. In the cveMonitor specification, ensure that the .spec.cveMonitor.suspend property is set with a value of false.

Set the .spec.license.accept property to true from its default value of false to indicate your agreement to the license terms at https://ibm.biz/WebSphereAutoLicense.
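The three paragraphs above describe three decisions that shape the manifest: whether the license is accepted, whether the cluster can reach ibm.com (directly or through a proxy, which decides cveMonitor.suspend), and whether the health capability is wanted. The script below is an added example, not part of the IBM documentation: it renders the WebSphereSecure and optional WebSphereHealth resources from those decisions and refuses to apply while the license is still unaccepted. The LICENSE_ACCEPT, CLUSTER_HAS_INTERNET and INSTALL_HEALTH variables are introduced here; it applies nothing unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: renders the instance
# manifests from three decisions described in the text. LICENSE_ACCEPT,
# CLUSTER_HAS_INTERNET and INSTALL_HEALTH are variables introduced here.
# Applied only when APPLY=1 is set.

# Usage: wsa_instance_manifest <accept:true|false> <internet:yes|no> <health:yes|no> <namespace>
wsa_instance_manifest() {
  accept=$1; internet=$2; health=$3; ns=$4
  case $accept in
    true|false) ;;
    *) echo "accept must be true or false" >&2; return 1 ;;
  esac
  # No route to ibm.com: suspend the bulletin download job and rely on the
  # static bulletin set. With direct or proxied internet, the job must run.
  if [ "$internet" = "yes" ]; then suspend=false; else suspend=true; fi
  cat <<EOF
apiVersion: automation.websphere.ibm.com/v1
kind: WebSphereSecure
metadata:
  name: wsa-secure
  namespace: $ns
spec:
  license:
    accept: $accept
  cveMonitor:
    suspend: $suspend
EOF
  # Security-only install: omit the WebSphereHealth document entirely.
  [ "$health" = "yes" ] || return 0
  cat <<EOF
---
apiVersion: automation.websphere.ibm.com/v1
kind: WebSphereHealth
metadata:
  name: wsa-health
  namespace: $ns
spec:
  license:
    accept: $accept
EOF
}

# Number of YAML documents in a rendered manifest (1 = security only, 2 = both).
manifest_doc_count() {
  printf '%s\n' "$1" | awk 'BEGIN { n = 1 } /^---$/ { n++ } END { print n }'
}

LICENSE_ACCEPT=${LICENSE_ACCEPT:-false}          # true only after reading the license terms
CLUSTER_HAS_INTERNET=${CLUSTER_HAS_INTERNET:-no}  # yes if ibm.com is reachable, directly or via proxy
INSTALL_HEALTH=${INSTALL_HEALTH:-yes}
WSA_INSTANCE_NAMESPACE=${WSA_INSTANCE_NAMESPACE:-websphere-automation}

manifest=$(wsa_instance_manifest "$LICENSE_ACCEPT" "$CLUSTER_HAS_INTERNET" "$INSTALL_HEALTH" "$WSA_INSTANCE_NAMESPACE")
if [ "${APPLY:-0}" = "1" ]; then
  [ "$LICENSE_ACCEPT" = "true" ] ||
    { echo "set LICENSE_ACCEPT=true to accept the license before applying" >&2; exit 1; }
  printf '%s\n' "$manifest" | oc apply -f -
else
  printf '%s\n' "$manifest"
fi
```

Running it with the defaults prints the same two-document manifest as the documentation (license unaccepted, bulletin job suspended); CLUSTER_HAS_INTERNET=yes flips suspend to false for the proxy case, and INSTALL_HEALTH=no produces the security-only variant.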

What to do next

Validate the installation and access the WebSphere Automation UI.

For information about changing the default password, see Changing the cluster administrator access credentials.