Fix Readme
Abstract
Apply this hotfix after completing the watsonx Orchestrate installation for Version 5.3.0, or after upgrading from a previous release to Version 5.3.0.
Content
export PROJECT_CPD_INST_OPERATORS=<enter your IBM Software Hub operator project>
export PROJECT_CPD_INST_OPERANDS=<enter your IBM Software Hub operand project>
Install skopeo: https://github.com/containers/skopeo/blob/main/install.md
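export LOCAL_REGISTRY="your_local_registry"
export LOCAL_USER="your_local_registry_username"
# The next two values are secrets. Entering them on an `export` line stores
# them in shell history; reading them interactively instead (for example
# `read -rs LOCAL_PASS && export LOCAL_PASS`) avoids that.
export LOCAL_PASS="your_local_registry_password"
export IBM_ENTITLEMENT_KEY="your_ibm_entitlement_key"
export AUTH_JSON_PATH="${HOME}/.airgap/auth.json"
# auth.json ends up holding both registry credentials, so create its directory
# accessible to the current user only (umask affects newly created
# directories; an existing directory keeps its mode).
( umask 077 && mkdir -p "$(dirname "${AUTH_JSON_PATH}")" )
# --password-stdin keeps each secret out of the skopeo argument list, which
# other local users can read from the process table.
printf '%s' "${IBM_ENTITLEMENT_KEY}" | skopeo login cp.icr.io --username cp --password-stdin --authfile "${AUTH_JSON_PATH}"
printf '%s' "${LOCAL_PASS}" | skopeo login "${LOCAL_REGISTRY}" --username "${LOCAL_USER}" --password-stdin --authfile "${AUTH_JSON_PATH}"
chmod 600 "${AUTH_JSON_PATH}"
Copy operator images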
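# Mirror the operator images from icr.io/cpopen to ${LOCAL_REGISTRY}/cpopen.
# Each line of the list is NAME@DIGEST; lines starting with '#' are notes
# carried over from the original per-image comments.
# Source certificate verification is left at the skopeo default (on). The
# --src-tls-verify=false flag from the original commands turned off
# certificate checks toward the public IBM registry without need.
# NOTE(review): --dest-tls-verify=false is kept for local registries that use
# a private CA. Prefer trusting that CA (system trust store or
# --dest-cert-dir) and dropping the flag; the `skopeo login` step on this
# page already reaches ${LOCAL_REGISTRY} with verification on.
while IFS= read -r image; do
  case "${image}" in
    '' | '#'*) continue ;; # blank lines and per-image notes
  esac
  # stdin is redirected so skopeo cannot consume the rest of the list.
  skopeo copy --all --authfile "${AUTH_JSON_PATH}" --dest-tls-verify=false \
    "docker://icr.io/cpopen/${image}" \
    "docker://${LOCAL_REGISTRY}/cpopen/${image}" </dev/null ||
    echo "[ERROR] copy failed: ${image}" >&2
done <<'EOF'
# ibm-watsonx-orchestrate-operator (changed)
ibm-watsonx-orchestrate-operator@sha256:17889f93bbead938f4233e829e091f2a9379293e452ee239a2916ce16fe778cc
# ibm-wxo-component-operator (changed)
ibm-wxo-component-operator@sha256:f33df85a5cc95821b5111899a1951123048f83e69397994e20c632d4723bbc55
# ibm-document-processing-operator (unchanged)
ibm-document-processing-operator@sha256:41d8a00b6d38e637fe3ba2988744313e8013d5d0d54bedb0e15ae49a9b31ae3e
# ibm-watsonx-orchestrate-ads-operator-controller (unchanged)
ibm-watsonx-orchestrate-ads-operator-controller@sha256:f3400dbd2a2a0ae4afe654962199c759222af959cb08aec1849548ba57414dc5
# ba-saas-uab-wf-operator (unchanged)
ba-saas-uab-wf-operator@sha256:22b9b477a7a0df6f5a580df1a9cd156e4da76a08bd4a9135cbf4443aced698c9
# watson-gateway-operator (unchanged)
watson-gateway-operator@sha256:e5b8f1b5bcb770c5dfa92ed97c09961cd0747829302b17fe98e167cfff1c3fff
EOF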
Copy operand images
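# Mirror the operand images from cp.icr.io/cp/watsonx-orchestrate to the same
# path under ${LOCAL_REGISTRY}. Each line of the list is NAME@DIGEST; lines
# starting with '#' are notes, and "(changed)" marks the images the original
# page flags as changed.
# Source certificate verification is left at the skopeo default (on): the
# authfile holds the IBM entitlement key used for cp.icr.io, and with
# --src-tls-verify=false (as in the original commands) it would be presented
# to a server whose certificate is not checked.
# NOTE(review): --dest-tls-verify=false is kept for local registries that use
# a private CA. Prefer trusting that CA (system trust store or
# --dest-cert-dir) and dropping the flag; the `skopeo login` step on this
# page already reaches ${LOCAL_REGISTRY} with verification on.
while IFS= read -r image; do
  case "${image}" in
    '' | '#'*) continue ;; # blank lines and per-image notes
  esac
  # stdin is redirected so skopeo cannot consume the rest of the list.
  skopeo copy --all --authfile "${AUTH_JSON_PATH}" --dest-tls-verify=false \
    "docker://cp.icr.io/cp/watsonx-orchestrate/${image}" \
    "docker://${LOCAL_REGISTRY}/cp/watsonx-orchestrate/${image}" </dev/null ||
    echo "[ERROR] copy failed: ${image}" >&2
done <<'EOF'
# ads-runtime (changed)
ads-runtime@sha256:d9c59399d4c191ebdc3c873c884ba86c964ec39c02dc8ca286ef4ec754d3adee
ads-tools@sha256:3229afbbccb3d2b48cac7dbe3e777bb386ef5f0c7ba8f069d15df5310b24319c
# ai-gateway (changed)
ai-gateway@sha256:0d1af993245a8f83edd40dd0fb1fdb6fc970b989fd57dd007c56c3d7ef5237e6
# channel-integrations (changed)
channel-integrations@sha256:310b489890b92d2735121e3724a472007e68dde9d81987e52ab4142058c6304e
de-seeder@sha256:501759e41a49436d0fb15d7d53ca92a5946a4bfe96b8b20ee3c191a721411772
de-server@sha256:1dbbbd0394d599369ce16b8e93f230787a5f2acd0ffd9cb2de2c1a8648fca971
# platformuiproxy (changed)
platformuiproxy@sha256:c7032ddff426d0dab1f71851bfb39726f99cecfb59e511e5cd48bff23a06d857
socket-handler@sha256:e38838eb73267f845286e8e69b7d5b47c0b27149a3412b85f77468879a97cfbc
teamsserver@sha256:b710cfa97711571a2cdd9e1bef47029da3c4a4ac002c6de9d899328cb921fcb2
tools-runtime@sha256:e960534ae24eb415e88000583f0621901826c31e98f8cdba6cd77b550c6d241e
tools-runtime-manager@sha256:16c103fc1eeb143a44b862b3e3c5c84ef6c7396e0a0fc0d6bcb7d50660482e24
tools-runtime-scheduler@sha256:9e1c20da6bd047386e96cb8aa1289de55824bf01e2a0ee85a3f726dec1085aec
wdu-models@sha256:d21df3bcdea3286c4c02940ecb36283d3220cd522e5b7a0969b2bcae7319740d
wdu-runtime@sha256:8b9f3ce1956662b985225cf847728bac101ad177a88dbbdc3fc173b56774a40b
wxo-builder@sha256:af0d589fc0228b91d573e795fc4a7ea91bf939a2ec833c748f9f0f6ae2a0c88a
wxo-chat@sha256:d0fa1e9747a1706b2be83dc93ccbc5379eb4534276c0f4fd393af4c6f2433d1e
wxo-flow-runtime@sha256:aae96c8d8e93cb3bd741419ee2626a1570fbb572ee3b914963033661959fba02
# wxo-server-conversation_controller (changed)
wxo-server-conversation_controller@sha256:e50aa90dea156ab22c9957ff1f1b7c7defd8581fa2fbcb54efcad1872aa486de
wxo-server-server@sha256:64c46fdc23f51ab027c9399f47cd64646ef9a3c25ec1ed2e4781874eb0b3ba74
wxo-server-voice@sha256:4703b9fc73b5709849384ed4a0d8790cb1cac8a2206111f5cc6225fd4187b49b
ba-saas-workflow-operator@sha256:7c2e0083ebb4195f868a797407a04ccc94bd599b39c68bd3954035b9a1f5a7c3
connection-manager@sha256:52e3e9f91dba9997d253c30146848785a521d910bdeecf2ed5bc7e95bbc4746c
wo-doc-processing-infra-api@sha256:9ea2a70fadab7d8c69277bad388f339c5cfb9f4060b2a01fb781b4d89958b04f
wo-doc-processing-infra-commons@sha256:a76515c7f251e5707d0c698485812d569e08724e8e3335c279e256e6a0dc8ff8
wo-doc-processing-infra-flow@sha256:a27ac23b07646f2131b7509c33f29e403cc888a8e50ef251a6a3e4c276abade2
wo-doc-processing-infra-pgbouncer@sha256:8396247e3feb1e8b4f3e98206671159e1ea2dabc6b6a68f9292953327185ad17
wo-doc-processing-infra-scheduler@sha256:1329c75f7efea5b72d177215e332d0b10711edf440d9ebebe8ef75b57d224934
wo_doc_processing_cache_rds_init@sha256:0671fdbe81b48e7a88a8e50e3f5d8179dd185bc5dd30fce7d605f57b9f36919e
wo_doc_processing_rag@sha256:83f8b29b1fcf8557a85302966577675d0fa9f372726ad0d04acba28b05d00a22
wo_doc_processing_service@sha256:7ec163484f1273bfbd7354663641ea9942393d7779cc11779046a8d50f449eda
wo_tenant_event_handler@sha256:0f362ad6902ae6127b8acb24b39e7626dc8660254cb5a7854667993fed3e4b25
wxo-agent-gateway@sha256:8f832d96052b7c91250b164b29458d7a6a4a3034cf864eb981a26919b19bd00b
wxo-connections@sha256:1f50e0566ccc9b20162c0b0fbc7770ee3462368efd9f84e48c111e2a8f22230d
agent-analytics@sha256:e756bac3186252d331faaa9e650a326ad31bd67567a9ce7f2de136f01f24df25
wo_doc_processing_cache@sha256:fce795dd0e8cc04252166a05c905f8215dbc9c6ae02007cc81e048f625471c2e
EOF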
After copying, verify the images exist in $LOCAL_REGISTRY.
Create hotfix5303.sh with the contents below.
#!/bin/bash
# -----------------------------------------------------------------------------
# watsonx Orchestrate 5.3.0 Hotfix
# - Verifies watsonx Orchestrate version from .status.versionStatus.status.
# - Images of Operators are replaced with the image from hotfix script.
#   * HOTFIX_LABEL_VALUE for hotfix 0 is 5.3.0.0
#   * If an existing label value matches x.x.x.x and is higher than HOTFIX_LABEL_VALUE,
#     the script exits early after informing you
# - Deletes a fixed set of Jobs in the operands namespace and waits for all to reappear with
#   new UIDs and succeed
#
# NOTE(review): the script as listed on this page does not match every bullet
# above. It contains no check of .status.versionStatus.status, no comparison
# against an existing label (is_semver4 is defined but never called) and no
# Job deletion, and HOTFIX_LABEL_VALUE defaults to 5.3.0.3. Confirm this
# header against the shipped hotfix before relying on it.
#
# What the listing does do: it patches a secret, operator deployments, the wo
# CR label and two ConfigMaps, and with the argument "active" also a CRD,
# which is a cluster-scoped object.
# -----------------------------------------------------------------------------
# set -e does not cover every failure: a pipeline reports only its last stage
# (pipefail is not enabled), and commands used as an `if` condition or
# followed by `|| true` never abort the script.
set -e # Exit immediately if a command exits with a non-zero status
# -----------------------------
# Patch operator deployment images
# -----------------------------
# Print the current local time as "YYYY-MM-DD HH:MM:SS"; used as a log prefix.
ts() {
  date '+%Y-%m-%d %H:%M:%S'
}
# Operator images to roll out, one digest-pinned reference per line. The
# digests are the same ones mirrored in the "Copy operator images" step.
OPERATOR_IMAGES="$(
  cat <<'EOF'
icr.io/cpopen/ibm-watsonx-orchestrate-operator@sha256:17889f93bbead938f4233e829e091f2a9379293e452ee239a2916ce16fe778cc
icr.io/cpopen/ibm-wxo-component-operator@sha256:f33df85a5cc95821b5111899a1951123048f83e69397994e20c632d4723bbc55
icr.io/cpopen/ibm-document-processing-operator@sha256:41d8a00b6d38e637fe3ba2988744313e8013d5d0d54bedb0e15ae49a9b31ae3e
icr.io/cpopen/ibm-watsonx-orchestrate-ads-operator-controller@sha256:f3400dbd2a2a0ae4afe654962199c759222af959cb08aec1849548ba57414dc5
icr.io/cpopen/ba-saas-uab-wf-operator@sha256:22b9b477a7a0df6f5a580df1a9cd156e4da76a08bd4a9135cbf4443aced698c9
EOF
)"
# Digest of the watson-gateway-operator image and the cr_version written to
# olm-utils-cm; both are used only in "active" mode.
GW_SHA='sha256:e5b8f1b5bcb770c5dfa92ed97c09961cd0747829302b17fe98e167cfff1c3fff'
GW_TAG='2.0.105'
# Optional first argument; the value "active" enables the active-mode steps.
MODE=${1-}
# Both namespaces must be supplied through the environment; stop before any
# cluster object is touched when either one is missing or empty.
[ -n "${PROJECT_CPD_INST_OPERATORS:-}" ] || {
  echo "[ERROR] PROJECT_CPD_INST_OPERATORS is not set. Exiting."
  exit 1
}
[ -n "${PROJECT_CPD_INST_OPERANDS:-}" ] || {
  echo "[ERROR] PROJECT_CPD_INST_OPERANDS is not set. Exiting."
  exit 1
}
# Hotfix label configuration
# Key and value of the label written to the wo CR; either one can be
# overridden from the environment, otherwise the defaults below apply.
: "${HOTFIX_LABEL_KEY:=hotfix}"
: "${HOTFIX_LABEL_VALUE:=5.3.0.3}"
# Name of the watsonx Orchestrate custom resource that receives the label.
WO_CR_NAME="wo"
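# Return 0 when $1 is a four-part dotted numeric version such as 5.3.0.3,
# non-zero otherwise.
# NOTE(review): nothing in the script as listed calls this helper.
is_semver4() {
  # "$1" is used directly. The original copied it into an unscoped variable
  # "v", which overwrote any global of that name in the calling script.
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}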
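# STORAGE_S3_ROUTE fix when using cpd-custom domain
# Reads the host of the "s3" route in the NooBaa namespace and stores it,
# base64-encoded, under the s3_route key of the secret
# noobaa-uri-watsonx-orchestrate in the operands namespace.
NOOBAA_NS="${NOOBAA_NS:-openshift-storage}"
if ! oc get ns "$NOOBAA_NS" >/dev/null 2>&1; then
  echo "[ERROR] Invalid namespace: '$NOOBAA_NS' for noobaa, please set 'NOOBAA_NS' point to the correct value where noobaa is running."
  exit 1
fi
S3_ROUTE=$(oc get route s3 -n "${NOOBAA_NS}" -o jsonpath='{.spec.host}')
# An empty host would be written to the secret as an empty value; stop before
# the secret is modified instead.
if [ -z "$S3_ROUTE" ]; then
  echo "[ERROR] Route 's3' in namespace '$NOOBAA_NS' has no host; secret noobaa-uri-watsonx-orchestrate was not modified."
  exit 1
fi
# `base64 | tr -d '\n'` gives single-line output without the GNU-only -w flag.
S3_ROUTE_B64=$(printf "%s" "$S3_ROUTE" | base64 | tr -d '\n')
#Validate secret noobaa-uri-watsonx-orchestrate in PROJECT_CPD_INST_OPERANDS
if ! oc get secret noobaa-uri-watsonx-orchestrate -n "$PROJECT_CPD_INST_OPERANDS" >/dev/null 2>&1; then
  echo "[ERROR] Secret 'noobaa-uri-watsonx-orchestrate' not found in namespace $PROJECT_CPD_INST_OPERANDS"
  exit 1
fi
echo "[$(ts)] Adding s3_route in the 'secret noobaa-uri-watsonx-orchestrate'..."
# The value spliced into the JSON is base64 text, which contains no character
# that needs JSON escaping.
oc patch secret noobaa-uri-watsonx-orchestrate \
  -n "${PROJECT_CPD_INST_OPERANDS}" \
  --type='merge' \
  -p "{\"data\":{\"s3_route\":\"${S3_ROUTE_B64}\"}}"
# Confirm that the stored value is the one just written, not merely that the
# key is non-empty.
stored_b64="$(oc get secret noobaa-uri-watsonx-orchestrate -n "${PROJECT_CPD_INST_OPERANDS}" \
  -o jsonpath='{.data.s3_route}' 2>/dev/null || true)"
if [ "$stored_b64" = "$S3_ROUTE_B64" ]; then
  echo "[$(ts)] Added s3_route key."
else
  echo "[ERROR] Failed to add s3_route key the secret noobaa-uri-watsonx-orchestrate."
  exit 1
fi
# End of STORAGE_S3_ROUTE fix when using cpd-custom domain.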
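# Backup dir for deployments
# Deployment manifests are saved here before each patch. mktemp -d creates a
# fresh directory that only the current user can access, instead of reusing a
# fixed name under world-writable /tmp that another local user could
# pre-create or fill with symlinks. The path is printed in the final message.
BACKUP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/wxo_deployment_backups.XXXXXX")" || {
  echo "[ERROR] Could not create a backup directory. Exiting."
  exit 1
}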
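# Roll the digest-pinned images in OPERATOR_IMAGES out to their operator
# deployments, label the wo CR, then wait for every patched deployment.
# A failure for one image is logged and the loop continues with the next.
# NOTE(review): the CR label below is applied even when a patch failed, so
# the label by itself does not show that every operator runs the hotfix
# image; check the log for "ERROR: failed to patch".
if [ -n "${OPERATOR_IMAGES:-}" ]; then
  echo "[$(ts)] Updating operator deployment images in ${PROJECT_CPD_INST_OPERATORS}"
  patched_deps=""
  # Use a here-document to avoid subshell so patched_deps is preserved
  while IFS= read -r img; do
    [ -z "$img" ] && continue
    # Extract base image name (e.g., ibm-wxo-component-operator)
    base="$(basename "$img" | cut -d'@' -f1)"
    echo "[$(ts)] Processing image: $img (base=$base)"
    # Skip bundle/catalog images if they ever slip in. Done before the
    # deployment lookup so no cluster query is spent on them.
    if echo "$base" | grep -Eq 'bundle|catalog'; then
      echo "[$(ts)] Skipping $base (bundle/catalog image – not tied to deployment)"
      continue
    fi
    dep=""
    case "$base" in
      ibm-watsonx-orchestrate-operator)
        dep="wo-operator"
        ;;
      ibm-wxo-component-operator)
        dep="ibm-wxo-componentcontroller-manager"
        ;;
      ibm-document-processing-operator)
        dep="ibm-documentprocessing-operator"
        ;;
      ibm-watsonx-orchestrate-digital-employee-operator)
        dep="digitalemployee-operator-controller-manager"
        ;;
      ba-saas-uab-wf-operator)
        # Hardcoded deployment mapping for ba-saas-uab-wf-operator
        dep="ba-saas-uab-wf-operator-controller-manager"
        ;;
      ibm-watsonx-orchestrate-ads-operator-controller)
        # Hardcoded deployment mapping for ibm-uab-ads-operator
        dep="ibm-uab-ads-operator"
        ;;
      *)
        # No fixed mapping: take the first deployment whose listing line
        # contains the image base name. -F matches the name literally.
        dep="$(oc -n "$PROJECT_CPD_INST_OPERATORS" get deploy --no-headers 2>/dev/null \
          | grep -F -- "$base" | awk 'NR==1{print $1}')"
        ;;
    esac
    if [ -z "$dep" ]; then
      echo "[$(ts)] WARNING: no matching deployment found for $base — skipping"
      continue
    fi
    # -----------------------------
    # Backup deployment YAML
    # -----------------------------
    # NOTE(review): a failed backup only produces a warning; the deployment
    # is still patched afterwards.
    backup_file="${BACKUP_DIR}/${dep}-$(date +%Y%m%d%H%M%S).yaml"
    if oc -n "$PROJECT_CPD_INST_OPERATORS" get deploy "$dep" -o yaml > "$backup_file" 2>/dev/null; then
      echo "[$(ts)] Backed up deployment/$dep → $backup_file"
    else
      # Do not leave an empty file behind that looks like a usable backup.
      rm -f -- "$backup_file"
      echo "[$(ts)] WARNING: failed to back up deployment/$dep"
    fi
    # Determine container name (assume first container is operator)
    cname="$(oc -n "$PROJECT_CPD_INST_OPERATORS" get deploy "$dep" \
      -o jsonpath='{.spec.template.spec.containers[0].name}' 2>/dev/null)"
    if [ -z "$cname" ]; then
      echo "[$(ts)] WARNING: cannot determine container name for $dep — skipping"
      continue
    fi
    echo "[$(ts)] Patching deployment/$dep container '$cname' → $img"
    # Only stdout is discarded, so the reason for a failed patch reaches the log.
    if oc -n "$PROJECT_CPD_INST_OPERATORS" set image "deployment/$dep" "$cname=$img" >/dev/null; then
      echo "[$(ts)] ✓ Image updated for $dep"
      patched_deps="$patched_deps $dep"
    else
      echo "[$(ts)] ✗ ERROR: failed to patch $dep"
    fi
  done <<EOF
$OPERATOR_IMAGES
EOF
  # -----------------------------
  # Label WO CR with configurable label and value
  # -----------------------------
  if [ -n "$WO_CR_NAME" ]; then
    current_label="$(oc -n "$PROJECT_CPD_INST_OPERANDS" get wo "$WO_CR_NAME" -o jsonpath="{.metadata.labels.${HOTFIX_LABEL_KEY}}" 2>/dev/null || true)"
    if [ "$current_label" = "$HOTFIX_LABEL_VALUE" ]; then
      echo "[$(ts)] WO CR ${WO_CR_NAME} already labeled ${HOTFIX_LABEL_KEY}=${HOTFIX_LABEL_VALUE}"
    else
      echo "[$(ts)] Setting label ${HOTFIX_LABEL_KEY}=${HOTFIX_LABEL_VALUE} on WO CR ${WO_CR_NAME} in ns ${PROJECT_CPD_INST_OPERANDS}"
      # The label command is best effort; the read-back below decides what
      # is reported.
      oc -n "$PROJECT_CPD_INST_OPERANDS" label wo "$WO_CR_NAME" "${HOTFIX_LABEL_KEY}=${HOTFIX_LABEL_VALUE}" --overwrite >/dev/null 2>&1 || true
      new_label="$(oc -n "$PROJECT_CPD_INST_OPERANDS" get wo "$WO_CR_NAME" -o jsonpath="{.metadata.labels.${HOTFIX_LABEL_KEY}}" 2>/dev/null || true)"
      if [ "$new_label" = "$HOTFIX_LABEL_VALUE" ]; then
        echo "[$(ts)] Label set: ${HOTFIX_LABEL_KEY}=${HOTFIX_LABEL_VALUE}"
      else
        echo "[$(ts)] WARNING: could not confirm ${HOTFIX_LABEL_KEY}=${HOTFIX_LABEL_VALUE} label was set"
      fi
    fi
  else
    # Reached only when WO_CR_NAME is empty; the script assigns it a fixed
    # value earlier.
    echo "[$(ts)] No WO CR found in ns ${PROJECT_CPD_INST_OPERANDS}, skipping label."
  fi
  # -----------------------------
  # Verify patched deployments are healthy (1/1 or 2/2)
  # -----------------------------
  # patched_deps is either empty or " name name ...", so a plain non-empty
  # test is enough. The original used ${patched_deps// /}, a bash-only
  # expansion that aborts the script when it is started with a POSIX sh.
  if [ -n "$patched_deps" ]; then
    echo "[$(ts)] Verifying rollout status for patched deployments..."
    # Unquoted on purpose: the list is split on spaces into deployment names.
    for dep in $patched_deps; do
      echo "[$(ts)] Checking deployment/$dep..."
      # Wait for rollout to complete
      if oc -n "$PROJECT_CPD_INST_OPERATORS" rollout status deploy/"$dep" --timeout=300s; then
        # Check Ready/Desired replica ratio
        ratio="$(oc -n "$PROJECT_CPD_INST_OPERATORS" get deploy "$dep" \
          -o jsonpath='{.status.readyReplicas}/{.status.replicas}' 2>/dev/null || echo '0/0')"
        echo "[$(ts)] Ready/Desired: $ratio"
        if [ "$ratio" = "1/1" ] || [ "$ratio" = "2/2" ]; then
          echo "[$(ts)] ✓ Deployment $dep is healthy (pods up and running)."
        else
          echo "[$(ts)] ⚠ WARNING: Deployment $dep is not at 1/1 or 2/2; current $ratio"
        fi
      else
        echo "[$(ts)] ✗ ERROR: rollout status for deployment/$dep did not complete successfully."
      fi
    done
  else
    echo "[$(ts)] No deployments were patched; skipping health verification."
  fi
else
  echo "[$(ts)] No OPERATOR_IMAGES specified — skipping operator image patch."
fi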
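# Active active setup
# Runs only when the script is started with the argument "active". It adds an
# activeActive property to the watsonxorchestrates CRD schema, switches the
# gateway-operator image to the GW_SHA digest and sets
# watson_gateway.cr_version in olm-utils-cm to GW_TAG.
if [ "$MODE" = "active" ]; then
  # yq rewrites olm-utils-cm further down. Check for it before the CRD and
  # the gateway deployment are changed, so a missing tool cannot leave active
  # mode half applied.
  if ! command -v yq >/dev/null 2>&1; then
    echo "[ERROR] yq is required for active mode but was not found in PATH. Exiting."
    exit 1
  fi
  echo "Enabling active mode!!!"
  # NOTE(review): the path addresses /spec/versions/0, i.e. whichever version
  # is listed first in the CRD; confirm that is the intended one.
  oc patch crd watsonxorchestrates.wo.watsonx.ibm.com --type='json' -p='[
    {
      "op": "add",
      "path": "/spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/activeActive",
      "value": {
        "description": "ActiveActive Configuration",
        "properties": {
          "activeActiveSeed": {
            "type": "string"
          },
          "enabled": {
            "type": "boolean"
          }
        },
        "type": "object"
      }
    }
  ]'
  #Patching the Configmap
  echo "Taking a backup of configmap olm-utils-cm and deployment gateway-operator !!!"
  DATE=$(date +%Y-%m-%d_%H%M%S)
  # Backups go to BACKUP_DIR, next to the deployment backups that the final
  # message points to, rather than to fixed file names directly under /tmp.
  cm_backup="${BACKUP_DIR}/olm-cm-$DATE.yaml"
  gw_backup="${BACKUP_DIR}/gateway-operator-$DATE.yaml"
  oc get cm olm-utils-cm -n "${PROJECT_CPD_INST_OPERANDS}" -o yaml > "$cm_backup"
  oc get deploy gateway-operator -n "${PROJECT_CPD_INST_OPERATORS}" -o yaml > "$gw_backup"
  echo "Backup taken : $cm_backup and $gw_backup"
  oc set image deployment/gateway-operator \
    "manager=icr.io/cpopen/watson-gateway-operator@${GW_SHA}" \
    -n "${PROJECT_CPD_INST_OPERATORS}"
  # Without pipefail, set -e sees only the exit status of `oc apply`, the
  # last stage of this pipeline.
  oc get cm olm-utils-cm -n "${PROJECT_CPD_INST_OPERANDS}" -o yaml \
    | yq ".data.release_components_meta |= (fromyaml | .watson_gateway.cr_version = \"${GW_TAG}\" | to_yaml)" \
    | oc apply -f -
  echo "Active mode enabled !!!"
fi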
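# Conditional Operand wo-license request for Agentic
# Applies the wo-common-service-license OperandRequest only when the
# ibm-licensing-upload-config ConfigMap is missing from the operands
# namespace.
CONFIGMAP_NAME="ibm-licensing-upload-config"
# POSIX [ ] instead of [[ ]]: the page starts the script with `sh`, and a
# shell without [[ reports "not found" and treats the check as false.
if [ -z "${PROJECT_CPD_INST_OPERANDS:-}" ]; then
  echo "ERROR: PROJECT_CPD_INST_OPERANDS environment variable is not set"
  exit 1
fi
echo "Checking for ConfigMap '${CONFIGMAP_NAME}' in namespace '${PROJECT_CPD_INST_OPERANDS}'..."
if oc get configmap "${CONFIGMAP_NAME}" -n "${PROJECT_CPD_INST_OPERANDS}" >/dev/null 2>&1; then
  echo "ConfigMap '${CONFIGMAP_NAME}' already exists. No action required."
else
  echo "ConfigMap '${CONFIGMAP_NAME}' not found. Applying OperandRequest to create it..."
  # NOTE(review): the listing on this page lost the manifest's indentation.
  # The nesting below follows the OperandRequest layout
  # (spec.requests[].operands[].bindings); compare it with the shipped hotfix
  # file before applying.
  cat <<EOF | oc apply -f -
apiVersion: operator.ibm.com/v1alpha1
kind: OperandRequest
metadata:
  annotations:
    oper8.org/internal-name: infra.operandRequestlicence
  name: wo-common-service-license
  namespace: ${PROJECT_CPD_INST_OPERANDS}
  labels:
    ${PROJECT_CPD_INST_OPERANDS}.common-service/config: 'true'
spec:
  requests:
    - operands:
        - name: ibm-licensing-operator
          bindings:
            public-api-upload:
              configmap: ibm-licensing-upload-config
              secret: ibm-licensing-upload-token
      registry: common-service
EOF
  echo "OperandRequest applied successfully."
fi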
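#Fix for wo-ads-runtime-service pod evict issue, replace its image in its operator
# Sets RELATED_IMAGE_ADS_RUNTIME on the "manager" container of
# ibm-uab-ads-operator to the ads-runtime digest mirrored earlier on this
# page. Nothing is done when the deployment does not exist.
# The existence check uses >/dev/null 2>&1 rather than the bash-only &>:
# a POSIX sh reads `cmd &> file` as "run cmd in the background", which makes
# the condition always true.
if oc get deployment ibm-uab-ads-operator -n "${PROJECT_CPD_INST_OPERATORS}" >/dev/null 2>&1; then
  echo "[$(ts)] Replacing image for wo-ads-runtime-service inside ibm-uab-ads-operator..."
  # The patch body is YAML; its indentation was lost in the page listing and
  # is restored here to the Deployment pod-template layout.
  oc patch deployment ibm-uab-ads-operator -n "${PROJECT_CPD_INST_OPERATORS}" --type='strategic' -p='
spec:
  template:
    spec:
      containers:
      - name: manager
        env:
        - name: RELATED_IMAGE_ADS_RUNTIME
          value: "cp.icr.io/cp/watsonx-orchestrate/ads-runtime@sha256:d9c59399d4c191ebdc3c873c884ba86c964ec39c02dc8ca286ef4ec754d3adee"
'
fi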
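#Refreshing the zen configmap for mustgather
# Sets the icpdata_addon_version label on the
# wo-watson-orchestrate-zen-service ConfigMap in the operands namespace.
# NOTE(review): the version is a literal here and does not follow
# HOTFIX_LABEL_VALUE when that variable is overridden.
echo "Refreshing the zen configmap for mustgather!!"
CONFIGMAP_NAME="wo-watson-orchestrate-zen-service"
# Expansions are quoted so the names reach oc as single arguments.
oc patch configmap "$CONFIGMAP_NAME" -n "${PROJECT_CPD_INST_OPERANDS}" \
  --type=merge \
  -p '{"metadata":{"labels":{"icpdata_addon_version":"5.3.0.3"}}}'
echo "Configmap refreshed."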
# -----------------------------
# Final message
# -----------------------------
# Closing summary: where the backups are and how to check the CR afterwards.
# It is printed whenever the script reaches this point; individual operator
# patch failures earlier are only logged and do not prevent it.
cat <<EOF
------------------------------------------------------------------
[$(ts)] 5.3.0 Hotfix steps completed.
Backups saved under ${BACKUP_DIR}
Monitor the watsonx Orchestrate CR status by running:
 oc get wo -n ${PROJECT_CPD_INST_OPERANDS} -o yaml | grep -E 'watsonxOrchestrateStatus|${HOTFIX_LABEL_KEY}'
Ensure the watsonx Orchestrate CR status is 'Completed' and label ${HOTFIX_LABEL_KEY}=${HOTFIX_LABEL_VALUE} is present.
EOF
echo "------------------------------------------------------------------"
Make the script executable:
chmod 775 hotfix5303.sh
Note: mode 775 also lets members of the file's group modify the script; on a shared host, 700 is enough to run it as the current user.
Run the script to apply the Day-2 hotfix in a multi-region active deployment environment using the command below. Note: You must run the script on both clusters.
nohup sh hotfix5303.sh active &
Run the script to apply the Day-2 hotfix in normal deployment mode using the command below:
nohup sh hotfix5303.sh &
Note: the script starts with #!/bin/bash, which `sh hotfix5303.sh` does not honor; on hosts where sh is not bash, start it with `bash hotfix5303.sh` instead.
Watch progress:
tail -f nohup.out
Verify CR status and label:
oc get wo -n "${PROJECT_CPD_INST_OPERANDS}" -o yaml | grep hotfix
hotfix: 5.3.0.3
Document Information
Modified date:
03 March 2026
UID
ibm17261511