Installing in an air gap environment by using physical media

A cluster administrator can install WebSphere Automation in an air gap environment when a bastion server is not present for external internet access by using physical media.

About this task

Note: The following instructions are for the original method for deploying WebSphere Automation into an air gap environment by using the cloudctl utility. For the more recent method, which uses the ibm-pak plugin, see Installing by mirroring images to a private container registry (with ibm-pak plug-in).

Procedure

Collecting artifacts

On a system that has access to public internet, collect all necessary files that are needed for the air gap installation. The steps involve starting a local Docker registry, copying the product images to it, and creating archives of the registry contents.

  1. Get the cloudctl tool.

    Follow step 1 from https://www.ibm.com/docs/en/ws-automation?topic=installing-in-air-gap-environment.

  2. Download Container Application Software for Enterprises (CASE).

    Follow step 2 from https://www.ibm.com/docs/en/ws-automation?topic=installing-in-air-gap-environment

  3. Create a local Docker registry.

    First, export the CASEPATH variable.

    export CASEPATH=absolute_path_to_downloaded_ibm-websphere-automation

    Create a local Docker registry. The registry contents are stored under the /tmp/docker-registry/ path.

    cloudctl case launch \
     --case $CASEPATH  \
     --inventory automationOperatorSetup \
     --action initRegistry \
     --args "--user admin --pass admin --registry localhost"
    
  4. Start the local Docker registry.
    cloudctl case launch \
     --case $CASEPATH  \
     --inventory automationOperatorSetup \
     --action startRegistry
    
  5. Validate that you can log in to the local Docker registry.

    If you are using podman, log in by using the following command.

    podman login --tls-verify=false -u admin -p admin localhost:5000
    

    If you are using docker, follow the insecure registry steps to configure your client to connect to the local registry. After it is configured, log in by using the following command.

    docker login -u admin -p admin localhost:5000
    
  6. Create credentials for the local Docker registry.
    cloudctl case launch \
    --case $CASEPATH \
    --inventory automationOperatorSetup \
    --action configure-creds-airgap \
    --args "--registry localhost:5000 --user admin --pass admin"
    
  7. Create credentials for the IBM Entitlement Registry.

    Follow step 7 from https://www.ibm.com/docs/en/ws-automation?topic=installing-in-air-gap-environment.

  8. Mirror the images.

    This step is similar to step 8 from https://www.ibm.com/docs/en/ws-automation?topic=installing-in-air-gap-environment.

     cloudctl case launch  \
     --case $CASEPATH    \
     --inventory automationOperatorSetup   \
     --action mirror-images  \
     --args "--registry localhost:5000 --inputDir ./ibm-websphere-automation"
    
  9. Create an archive of the registry contents.

    Create an archive of the /tmp/docker-registry directory contents. For example, tar cfz docker-registry.tar.gz -C /tmp/ docker-registry

  10. Create an archive of the CASE metadata.
    Create an archive of the ibm-websphere-automation directory contents that is created by the cloudctl case save command in step 2. For example,
    tar cfz ibm-websphere-automation.tar.gz ./ibm-websphere-automation
  11. Export the registry container image.
    docker save docker.io/library/registry:2.8 | gzip > registry_image.tar.gz
    
  12. Copy all of the archives into the air gap environment by using a USB drive or other physical media.
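
The three archives from steps 9 to 11 leave your control while they travel on physical media, so it is worth recording their digests before the copy and checking them, along with the member paths of the two tar archives, before extracting anything in the air gap environment. The following script is an added example, not part of the IBM procedure or the cloudctl tooling; the SHA256SUMS file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: integrity checks for the archives carried across the air gap.
ARCHIVES="docker-registry.tar.gz ibm-websphere-automation.tar.gz registry_image.tar.gz"

# Connected side: record a SHA-256 digest for each archive in <dir>/SHA256SUMS.
make_manifest() {  # usage: make_manifest <dir>
  ( cd "$1" && sha256sum $ARCHIVES > SHA256SUMS )
}

# Air gap side: every expected archive must be listed and must match its digest.
verify_manifest() {  # usage: verify_manifest <dir>
  ( cd "$1" || exit 1
    for f in $ARCHIVES; do
      grep -q "  $f\$" SHA256SUMS || { echo "not in manifest: $f" >&2; exit 1; }
    done
    sha256sum --check --strict --quiet SHA256SUMS )
}

# Air gap side: refuse an archive whose members would land outside <topdir>
# when extracted with -C (absolute paths, ".." components, other top-level names).
check_members() {  # usage: check_members <archive> <topdir>
  members=$(tar tzf "$1") || return 1
  printf '%s\n' "$members" | awk -v top="$2" '
    { p = $0; sub(/^\.\//, "", p); ok = (p == top || index(p, top "/") == 1) }
    p ~ /^\// || p ~ /(^|\/)\.\.(\/|$)/ || !ok { bad = 1; print "unsafe member: " $0 }
    END { exit bad + 0 }' >&2
}

# Typical use (paths are placeholders):
#   connected system:  make_manifest /path/to/archives
#   air gap system:    verify_manifest /media/usb \
#                        && check_members /media/usb/docker-registry.tar.gz docker-registry \
#                        && check_members /media/usb/ibm-websphere-automation.tar.gz ibm-websphere-automation
```

Carry SHA256SUMS separately from the archives where possible, because a manifest stored on the same media can be replaced together with the files it describes.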

Installing WebSphere Automation in the air gap environment

In the air gap environment, extract the contents of the two archives and complete the installation process. Before you proceed, ensure that the Red Hat® OpenShift® cluster is configured with a separate container registry (for example, Artifactory), and that the Red Hat OpenShift client (oc) and skopeo 1.0.0 or later are installed.

  1. Extract the Docker registry archive (docker-registry.tar.gz). For example, tar xfz docker-registry.tar.gz -C /tmp/. Make sure that the contents are extracted to the /tmp/docker-registry directory.
  2. Extract the ibm-websphere-automation archive file. Ensure the ibm-websphere-automation directory is created.
  3. Import the registry container image (registry_image.tar.gz).
    docker load -i registry_image.tar.gz
    

    Verify that the imported image was tagged with docker.io/library/registry:<IMAGE-VERSION-TAG>.

  4. Start the local Docker registry.

    First, export the CASEPATH variable.

    export CASEPATH=absolute_path_to_downloaded_ibm-websphere-automation

    cloudctl case launch \
     --case $CASEPATH  \
     --inventory automationOperatorSetup \
     --action startRegistry \
     --args "--image docker.io/library/registry:2.8"
  5. Validate that you can log in to the local Docker registry.

    If you are using podman, log in by using the following command.

    podman login --tls-verify=false -u admin -p admin localhost:5000
    

    If you are using docker, follow the insecure registry steps to configure your client to connect to the local registry. After it is configured, log in by using the following command.

    docker login -u admin -p admin localhost:5000
    
  6. Create credentials for the local Docker registry.
    cloudctl case launch \
    --case $CASEPATH \
    --inventory automationOperatorSetup \
    --action configure-creds-airgap \
    --args "--registry localhost:5000 --user admin --pass admin"
    
  7. Set the MIRROR_REGISTRY, MIRROR_REGISTRY_USERNAME, and MIRROR_REGISTRY_PASSWORD properties of the container registry to use with your Red Hat OpenShift cluster.
    export MIRROR_REGISTRY=registry
    export MIRROR_REGISTRY_USERNAME=username
    export MIRROR_REGISTRY_PASSWORD=password
    
  8. Create credentials for the container registry for use with your Red Hat OpenShift cluster.
     cloudctl case launch \
      --case $CASEPATH \
      --inventory automationOperatorSetup \
      --action configure-creds-airgap \
      --args "--registry $MIRROR_REGISTRY --user $MIRROR_REGISTRY_USERNAME --pass $MIRROR_REGISTRY_PASSWORD"
    
  9. Copy the images from the local registry to myRegistry, the container registry that is set in MIRROR_REGISTRY.
    cloudctl case launch \
     --case $CASEPATH  \
     --inventory automationOperatorSetup \
     --action mirror-images \
     --args "--registry  $MIRROR_REGISTRY --inputDir ./ibm-websphere-automation --fromRegistry localhost:5000"
    

    If the prerequisites (oc and skopeo 1.0.0 or later) are not installed, this step fails. Also, this process might take a long time and can sometimes fail as a result of network errors or other intermittent problems. Rerun this command until all of the images are copied successfully.

  10. Configure ImageContentSourcePolicy and create a global pull secret.

    First, export the following variable:

    export OFFLINEDIR=absolute_path_to_outputdir_from_previous_cloudctl_case_save

    Then, follow step 9 from https://www.ibm.com/docs/en/ws-automation?topic=installing-in-air-gap-environment

  11. If you use a mirror registry that is insecure, configure an insecure registry.

    Configure the cluster to enable pulling images from this registry. Replace the word registry in the following command with the name of your registry and then run the patch command.

    oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["registry"]}}}'
    Tip: Patching cluster for insecure registry configuration takes several minutes while each node is drained of its pods. Before you move to the next step, ensure that the status of all nodes is Ready. Run the oc get nodes command to get status.
  12. Wait for the rollout process to finish.

    Run the following command to verify that the Updated state is set to true.

    oc get machineconfigpools
  13. Install the WebSphere Automation operator.
    cloudctl case launch  \
     --case $CASEPATH    \
     --namespace $WSA_OPERATOR_NAMESPACE    \
     --inventory automationOperatorSetup   \
     --action install-operator \
     --args "--inputDir $OFFLINEDIR"
  14. Create an instance of WebSphere Automation.

What to do next

If needed, change the default password. For more information, see Changing the cluster administrator access credentials.