Setting up the cluster in an air-gapped environment

Edit online

Containers:
If your cluster is not connected to the internet, you can install Business Automation Workflow in an air gap environment by using a bastion server.

It is common in production to have a cluster that cannot access the internet. In these cases, you can still install Business Automation Workflow and OpenShift Container Platform (OCP) in an air-gapped (otherwise known as offline or disconnected) environment. An air-gapped installation uses the IBM operator catalog to mimic a typical online installation except that the images are in your own registry. You first store the images to a bastion server and then transfer them to a local air-gapped network. A bastion server is a device that has access to both the public internet and an internal local registry on an OCP cluster that is protected by a firewall. Using the bastion server, you can replicate your images through the bastion server directly to the local registry. The OCP cluster can then continue to use the images behind the firewall.

Before you begin

Follow all the instructions in the following topics to set up the air-gapped environment:

Procedure

To set the environment variables on your mirroring device and connect to the internet to download the CASE files, follow all the instructions in Setting up the CASE archive and inventory.

Important: Replace Step 2 with the following instruction:

On the bastion host, create the following environment variables with the installer image name and the image inventory to be able to connect to the internet and download the corresponding CASE file. Replace ibm-cs-bawautomation-2.2.x.tgz with the latest version from https://github.com/IBM/cloud-pak/tree/master/repo/case/.

export CASE_ARCHIVE=ibm-cs-bawautomation-2.2.x.tgz
export CASE_INVENTORY_SETUP=cp4aOperatorSetup
export OFFLINEDIR=${HOME}/offline

Results

When the operator is started, you can monitor the operator logs with the following command.

oc logs -f deployment/ibm-cp4a-operator -c operator

Use the following command to get the URL to access the foundational services user interface:

oc get route -n ibm-common-services cp-console -o jsonpath=‘{.spec.host}’

The command outputs the hostname, for example cp-console.apps.mycluster.mydomain.com. Based on the example output, your console URL can be reached from any browser.

https://cp-console.apps.mycluster.mydomain.com

The default username is admin. You can get the password for the admin username by running the following command:

oc -n ibm-common-services get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d

You can change the default password at any time. For more information, see Delegating authentication to OpenShift.

Note: Any user with access to the ibm-common-services namespace can retrieve the password as it is stored in a secret in the ibm-common-services namespace. If you do not change the default password, it can introduce a potential security exposure. To mitigate the risk, allow only designated users to access the ibm-common-services namespace.