Installing Container Backup Support in an airgap environment

You can install Container Backup Support in an airgap cluster by using the installation package from IBM® Passport Advantage® Online.

As used in this documentation, an airgap cluster is any Kubernetes or OpenShift® cluster that does not have internet access, and therefore cannot pull container images from a Docker registry. The airgap installation package includes the container images for Container Backup Support. During the installation, the container images are loaded by the docker load command and then tagged and pushed to the Docker registry that is specified in the baas-options.sh file. As a result, the container images can be pulled during the Helm installation.

Before you begin

For the system requirements for Container Backup Support, see Container Backup Support requirements.

Ensure that prerequisites are met and preliminary tasks are completed:

Ensure that you are logged in to the target cluster as a user with cluster-admin privileges.
Ensure that you complete the installation prerequisites. For instructions, see Installation prerequisites for Container Backup Support.
Ensure that you set up the installation variables in the baas-options.sh and baas-values.yaml files. For instructions, see Setting up the installation variables.
On an OpenShift cluster, the amq-streams-cluster-operator pod is installed from OpenShift OperatorHub. In an airgap environment, ensure that you set up OperatorHub to operate in a restricted network. For instructions, see Using Operator Lifecycle Manager on restricted networks.

About this task

You must first download the Container Backup Support installation package from the IBM Passport Advantage Online website. Then, extract the package and use the script that is provided in the installation package to deploy Container Backup Support on your Kubernetes or OpenShift cluster.

By using the installation variables that you set up in the baas-options.sh and baas-values.yaml files, the provided script, baas-install-ppa.sh, automatically runs prerequisite tasks and installs Container Backup Support on your cluster.

The following tasks are performed automatically:

Checking for prerequisites.
Logging in to your Docker registry.
Removing any existing Container Backup Support resources and images.
Loading and pushing the Container Backup Support Docker images to your Docker registry.
Creating the Kubernetes product namespace or OpenShift project (baas) and secret.
Creating an image pull secret called baas-registry-secret for the namespace (or project) baas and any namespaces assigned to the PVC_NAMESPACES_TO_PROTECT variable in the baas-options.sh file.
Important: If you added PVCs in a namespace that was not initially specified by PVC_NAMESPACES_TO_PROTECT, you must manually create the pull secret in the new namespace. To create the image pull secret manually, issue the following commands:
- For Kubernetes:
```
kubectl get secret baas-registry-secret -n namepace_for_baas -o yaml > secret.yaml
sed 's/namespace: namepace_for_baas/namespace: pvc_namespace/' secret.yaml
kubectl  create -f secret.yaml 
```
- For OpenShift:
```
oc get secret baas-registry-secret -n namepace_for_baas -o yaml > secret.yaml
sed 's/namespace: namepace_for_baas/namespace: pvc_namespace/' secret.yaml
oc create -f secret.yaml 
```
where namepace_for_baas specifies the namespace that Container Backup Support is installed in, and pvc_namespace specifies the namespace for the PVC.

Procedure

Download the SPP_Vversion_for_Containers.tar.gz package from the IBM Passport Advantage Online to your home folder (~), where version specifies the version of IBM Spectrum Protect Plus that you are installing, such as 10.1.7.
For information about downloading files, see technote 6330495.

Then, validate the downloaded file by using one of the following methods:
- Verify the MD5 checksum of the downloaded installation file. Ensure that the generated checksum matches the one provided in the MD5 Checksum file, which is part of the software download.
- Verify the signed file that is associated with the installation package by issuing the following command:
```
openssl dgst -sha256 -verify IBMSPSignCertificatePublic -signature ./SPP_Vversion_for_Containers.tar.gz.sig ./SPP_Vversion_for_Containers.tar.gz
```
  where version specifies the version of IBM Spectrum Protect Plus that you are installing, such as 10.1.7.
Extract the installation package and the .tgz file that contains the Helm 3 chart by issuing the following commands:
```
tar -xvf SPP_Vversion_for_Containers.tar.gz
cd installer
tar -xvf ibm-spectrum-protect-plus-prod-chart_version.tgz
```
where:

version

Specifies the version of IBM Spectrum Protect Plus that you are installing, such as 10.1.7.

chart_version

Specifies the version of the Helm chart. For example, specify 1.1.0 for IBM Spectrum Protect Plus V10.1.7, 1.1.1 for V10.1.7.1, 1.1.2 for V10.1.7.2, and so on.

Restriction: Ensure that you do not add any large files to the installer/ibm-spectrum-protect-plus-prod directory. The size of the contents in this directory, including files and subdirectories, must not exceed the limit set by Helm (3145728 bytes).
Copy the baas-options.sh and baas-values.yaml files that you created to the Helm chart installation directory:
```
cd ibm-spectrum-protect-plus-prod/ibm_cloud_pak/pak_extensions/install
cp ~/install_vars_dir/baas-options.sh .
cp ~/install_vars_dir/baas-values.yaml .
chmod +x *.sh
```
where install_vars_dir is the directory where you saved your custom baas-options.sh and baas-values.yaml files.
Issue the following command to deploy Container Backup Support:
```
./baas-install-ppa.sh
```

Results

You can verify that Container Backup Support is installed by issuing the following command:

helm3 list -n baas

The output is similar to the following example:

NAME                           NAMESPACE REVISION UPDATED                                 STATUS   CHART                                APP VERSION
ibm-spectrum-protect-plus-prod baas      1        2020-10-28 13:15:08.154754539 -0700 MST deployed ibm-spectrum-protect-plus-prod-1.1.0 10.1.7

All of the Container Backup Support pods will load and change to the Running state after a few minutes.

When all pods are running, the deployment is completed. To verify that all pods are in the Running state and no components are missing, issue the following command:

kubectl get pods -n baas -w

For Kubernetes, the output is similar to the following example:

NAME                                           READY   STATUS      RESTARTS   AGE
baas-controller-5f75fc6c9-tmg5l                1/1     Running     0          6h15m
baas-entity-operator-c99f4c49b-p9v9c           3/3     Running     1          6h15m
baas-kafka-0                                   2/2     Running     0          6h15m
baas-minio-0                                   1/1     Running     3          6h15m
baas-scheduler-dfdcd9467-88hb5                 1/1     Running     0          6h15m
baas-spp-agent-db6b98f85-svdxz                 1/1     Running     0          6h15m
baas-strimzi-cluster-operator-7b5c4f9597-88xfn 1/1     Running     0          6h15m
baas-transaction-manager-f654f7f48-7mdxt       3/3     Running     0          6h15m
baas-zookeeper-0                               1/1     Running     0          6h15m
baas-zookeeper-1                               1/1     Running     0          6h15m
baas-zookeeper-2                               1/1     Running     0          6h15m

For OpenShift, the output is similar to the following example:

NAME                                                   READY   STATUS      RESTARTS   AGE
amq-streams-cluster-operator-v1.5.3-5b795f4c69-gdsrx   1/1     Running     0          24m
baas-controller-5f75fc6c9-tmg5l                        1/1     Running     0          24m
baas-entity-operator-c99f4c49b-p9v9c                   3/3     Running     1          24m
baas-kafka-0                                           2/2     Running     0          24m
baas-minio-0                                           1/1     Running     3          24m
baas-scheduler-dfdcd9467-88hb5                         1/1     Running     0          24m
baas-spp-agent-db6b98f85-svdxz                         1/1     Running     0          24m
baas-transaction-manager-f654f7f48-7mdxt               3/3     Running     0          24m
baas-zookeeper-0                                       1/1     Running     0          24m
baas-zookeeper-1                                       1/1     Running     0          24mm
baas-zookeeper-2                                       1/1     Running     0          24m

What to do next

After the deployment is completed, the application host for the Container Backup Support container is automatically registered upon startup of the cluster host in Kubernetes or OpenShift. However, if no clusters are displayed in the Manage Protection > Containers > Kubernetes page or the Manage Protection > Containers > OpenShift page in the IBM Spectrum Protect Plus user interface, automatic registration was unsuccessful. You must then manually register the cluster. For instructions, see Registering a Kubernetes cluster or Registering an OpenShift cluster.

Updating Container Backup Support: You can modify an existing configuration of Container Backup Support or upgrade the Helm chart. For instructions, see Updating Container Backup Support.