To install the Cloud Pak capabilities with the Cloud Pak operator, a cluster
administrator user must run a script to set up the cluster. They also need to provide a
non-administrator user the information that they need to be able to run the deployment script. Each
Cloud Pak capability can be installed with extra components. Db2® and OpenLDAP are always installed.
Before you begin
Make sure you prepared your cluster with the necessary infrastructure and software. For more
information, see Preparing for a Demo deployment.
Important: The Cloud Pak cannot be installed on a cluster with an existing installation
of IBM Automation foundation that used the All namespaces on the cluster option. Check the
openshift-operators namespace to find installed operators. The Cloud Pak supports installation
on a single namespace and not on all namespaces. To install more than one deployment of the
Cloud Pak, each deployment must be installed in a different namespace and the operator needs
to be installed for each namespace.
About this task
The cluster setup script is one of several scripts that are provided to help you install the
Cloud Pak capabilities. You must be a cluster administrator to run the setup script. For more
information, see user archetypes.
The cluster setup script identifies or creates a namespace and applies the custom resource
definitions (CRD). The script provides the administrator with the cluster hostname and the
available storage classes. This information must be provided to the user who runs the deployment
script.
Note: The admin setup script does not set any parameters in the custom resource (CR) because the
administrator might not be using the same host as the user who runs the deployment script.
Use the following steps to complete the setup.
Procedure
-
Log in to the target cluster as the <cluster-admin> user.
If you are not already logged in on OpenShift (OCP), then log in using the oc CLI:
oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>
On IBM Cloud (ROKS), if you are not already logged in, use the following command:
oc login --token=<token> --server=https://<cluster-ip>:<port>
-
For 21.0.1: Set the ClusterRole for the operator to the target namespace.
-
Change directory to the cert-kubernetes/descriptors folder.
-
Open the cluster_role_binding.yaml file and replace the placeholder string
<NAMESPACE> with the target namespace where you want to install the Cloud
Pak.
For example, cp4a-demo.
-
Apply the cluster_role_binding.yaml and
cluster_role.yaml files.
oc apply -f cluster_role.yaml
oc apply -f cluster_role_binding.yaml
-
For 21.0.1-IF001 or later interim fixes: Create the ibm-cp4ba-privileged service account (SA),
and bind the security context constraints (SCC) to control the actions the SA can take and what
it can access.
Note: For 21.0.1: You do not need to create these service accounts.
oc apply -f service-account-for-privileged.yaml -n ${NAMESPACE}
Where the content of the service-account-for-privileged.yaml file includes
the following service accounts:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ibm-cp4ba-privileged
imagePullSecrets:
- name: "admin.registrykey"
Bind the SCC to the service account:
oc adm policy add-scc-to-user privileged -z ibm-cp4ba-privileged -n ${NAMESPACE}
-
Create the ibm-cp4ba-anyuid service account (SA), and bind the security
context constraints (SCC) to control the actions the SA can take and what it can access.
oc apply -f service-account-for-anyuid.yaml -n ${NAMESPACE}
Where the content of the service-account-for-anyuid.yaml file includes the
following service accounts:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ibm-cp4ba-anyuid
imagePullSecrets:
- name: "admin.registrykey"
Bind the SCC to the service account:
oc adm policy add-scc-to-user anyuid -z ibm-cp4ba-anyuid -n ${NAMESPACE}
-
Change directory to the scripts folder.
-
Run the cluster setup script and follow the prompts in the command window.
./cp4a-clusteradmin-setup.sh
- Select the platform type: ROKS (1) or OCP (2).
Option 3 is not supported for a demo deployment.
- Select the deployment type demo.
- Enter the name for a new project or an existing project (namespace). For example, cp4a-demo.
- Select a username from the list of eligible users by entering the number associated with that
user.
- Enter your IBM Entitled Registry key and login credentials (user and password). For more
information, see Setting up the cluster.
- Enter a dynamic storage class name.
Note: The following message appears on OCP 4.6, but the warning does not have any functional
impact.
Creating the custom resource definition (CRD) and a service account that has the permissions to manage the resources...
W1102 26405 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
-
If you intend to install Content Collector for SAP as an optional component of the Content
Manager pattern, then you must download the necessary libraries and put them in the operator pod.
-
Make a saplibs directory. Give read and write permissions to the directory by running the
chmod command.
-
Download the SAP Netweaver SDK 7.50 library from the SAP Service Marketplace.
-
Download the SAP JCo Release 3.0.x from the SAP Service Marketplace.
-
Extract all of the content of the packages to the saplibs directory.
-
Check you have all of the following libraries.
saplibs/
├── libicudata.so.50
├── libicudecnumber.so
├── libicui18n.so.50
├── libicuuc.so.50
├── libsapcrypto.so
├── libsapjco3.so
├── libsapnwrfc.so
├── libsapucum.so
└── sapjco3.jar
-
Copy the saplibs directory that you created to the operator pod.
podname=$(oc get pod | grep ibm-cp4a-operator | awk '{print $1}')
kubectl cp $PATH_TO_SAPLIBS/saplibs <project_name>/$podname:/opt/ansible/share
Note: The $PATH_TO_SAPLIBS is the path to the driver files on your system. The
<project_name> must be set to the namespace of the installed operator.
To verify that the files are in the pod, run the following commands:
oc rsh $(oc get pod | grep ibm-cp4a-operator | awk '{print $1}')
ls -ltr /opt/ansible/share/saplibs
-
For 21.0.1: If you intend to include Business Automation Insights as an optional component in
your deployment, create a secret with the name ibm-entitlement-key with your
<user_password> for the IBM Entitled Registry.
From the OCP CLI, run the following commands:
kubectl create secret docker-registry ibm-entitlement-key -n <project_name> \
--docker-username=cp \
--docker-password="<user_password>" \
--docker-server=cp.icr.io
Note: The <project_name> must be set to the namespace of the installed
operator.
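For the Content Collector for SAP step above, the following preflight is an added example (not part of the IBM scripts) that checks the saplibs directory against the library list on this page before it is copied to the operator pod, and produces SHA-256 checksums for comparison after the copy. The function names check_saplibs and saplibs_manifest are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: preflight for the saplibs directory before `kubectl cp`.
# The file list is the one given on this page; function names are hypothetical.

SAPLIBS_REQUIRED="libicudata.so.50 libicudecnumber.so libicui18n.so.50
libicuuc.so.50 libsapcrypto.so libsapjco3.so libsapnwrfc.so libsapucum.so
sapjco3.jar"

# Print one line per problem; return 0 only if the directory is complete.
check_saplibs() {
  dir=$1; rc=0
  if [ ! -d "$dir" ]; then echo "not-a-directory: $dir"; return 1; fi
  # The procedure gives the directory read and write permissions.
  if [ ! -r "$dir" ] || [ ! -w "$dir" ]; then echo "bad-permissions: $dir"; rc=1; fi
  for f in $SAPLIBS_REQUIRED; do
    if [ ! -e "$dir/$f" ]; then echo "missing: $f"; rc=1
    elif [ ! -s "$dir/$f" ]; then echo "empty: $f"; rc=1
    elif [ ! -r "$dir/$f" ]; then echo "unreadable: $f"; rc=1
    fi
  done
  return $rc
}

# Emit "<sha256>  <name>" for each required file, for comparison after the copy.
saplibs_manifest() {
  dir=$1
  ( cd "$dir" || exit 1
    for f in $SAPLIBS_REQUIRED; do
      if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"
      else shasum -a 256 "$f"; fi || exit 1
    done )
}

# Usage (paths as in the procedure):
#   check_saplibs "$PATH_TO_SAPLIBS/saplibs" && \
#     saplibs_manifest "$PATH_TO_SAPLIBS/saplibs" > saplibs.sha256
```

The manifest can be compared against the files in /opt/ansible/share/saplibs after the copy, for example with sha256sum -c, assuming that tool is available in the operator image.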
Results
When the script is finished, all of the available storage class names are displayed along with
the infrastructure node name. Take a note of the following information and provide it to the Cloud
Pak admin user because it is needed for the deployment script:
- Project name or namespace.
- For 21.0.1: Route hostname.
- Storage class names.
- Username to log in to the cluster.
Verify the deployment to make sure that all pods, including the IBM Automation foundation
(iaf-) pods, are Running. Using the OpenShift CLI:
oc get pods
To get the operator log, run the following commands:
podname=$(oc get pod | grep ibm-cp4a-operator | awk '{print $1}')
oc logs $podname -c operator -n <project-name>