Mirroring images with a bastion node

If your Red Hat® OpenShift® Container Platform cluster is air-gapped, you must mirror the software images that you need to a private container registry that is accessible from the cluster. You can use a bastion node that is connected to the internet and to the private container registry to mirror the images from the IBM® Entitled Registry.

To obtain fixes, security updates, and new functionality, you must install the latest refresh of the software images, such as the control plane, shared cluster components, and services. The steps in this task assume that you are mirroring the latest software images. If you need older versions of the software, see Operator and operand versions.

Important: Use a Linux x86-64 system with Red Hat Enterprise Linux® to mirror the images.

The system must be able to access the following sites:

Red Hat Quay.io (https://quay.io:443)
GitHub (https://github.com)
If your company does not permit access to GitHub, contact IBM Support for assistance.
IBM Entitled Registry (http://icr.io:443)
To validate that you can connect, run the following command:
```
curl -v https://icr.io
```
The command should return the following message:
```
* Connected to icr.io (169.60.98.86) port 443 (#0)
```

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Best practice: Setting up install variables.

Ensure that you run the environment variable script before you run the commands in this task.

Procedure

Complete the following tasks to mirror the images to your container registry:

1. Downloading and installing the software needed to mirror images
2. Setting up your environment to download CASE packages
3. Downloading the IBM Cloud Pak® for Data platform operator package
4. Configuring credentials for mirroring images
5. Downloading shared cluster component CASE packages
6. Downloading service CASE packages
7. Mirroring the images to the private container registry
8. Storing the CASE packages

1. Downloading and installing the software needed to mirror images

To use a connected bastion node, you must install the following software on the system:

Prerequisite	Purpose
OpenShift CLI	Required to interact with your Red Hat OpenShift Container Platform cluster.
IBM Cloud Pak CLI (cloudctl)	Required to download images from the IBM Entitled Registry.
`httpd-tools`	Required to run the IBM Cloud Pak CLI (cloudctl).
`skopeo` Version 1.2.0 or later	Required to run the IBM Cloud Pak CLI (cloudctl).

To install the prerequisite software:

To install the OpenShift CLI, see Getting started with the OpenShift CLI in the Red Hat documentation.
To install the IBM Cloud Pak CLI (cloudctl):
1. Download the cloudctl software from the IBM/cloud-pak-cli repository on GitHub. Ensure that you download the appropriate package for your workstation:
```
cloudctl-operating-system-architecture.tar.gz
```
2. Extract the contents of the archive file:
```
tar -xzf archive-name
```
3. Change to the directory where you extracted the file and make the file executable:
```
chmod 775 cloudctl-architecture
```
4. Move the file to the /usr/local/bin directory:
```
mv cloudctl-architecture /usr/local/bin/cloudctl
```
5. Confirm that the IBM Cloud Pak CLI (cloudctl) is installed:
```
cloudctl --help
```
Tip: Additional guidance for validating the archive file is available in the IBM/cloud-pak-cli repository.
To install httpd-tools, run the following command:
```
yum install httpd-tools
```
To install skopeo, see Installing from packages in the skopeo repository on GitHub.

2. Setting up your environment to download CASE packages

To set up your environment:

Ensure that the directories specified in the environment variable script exist on the workstation where you are running the commands to mirror the images:
1. Confirm that the directory specified by OFFLINEDIR_CPD exists:
```
echo $OFFLINEDIR_CPD
```
2. If you need to mirror the images for IBM Cloud Pak foundational services, confirm that the directory specified by OFFLINEDIR_CPFS exists:
```
echo $OFFLINEDIR_CPFS
```

3. Downloading the IBM Cloud Pak for Data platform operator CASE package

Run the following command to download the IBM Cloud Pak for Data platform operator package:

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-cp-datacore \
--version 2.0.13+05022022 \
--outputdir ${OFFLINEDIR_CPD} \
--no-dependency

Tip: If you encounter a timeout error when you try to download CASE packages, you can increase the request timeout. The default is 10 seconds. On a slower network, you might need to increase the timeout to 60 seconds. To change the request timeout to 60 seconds, run:

export CLOUDCTL_HTTP_TIMEOUT=60

4. Configuring credentials for mirroring images

The IBM Cloud Pak CLI (cloudctl) includes an action called configure-cred-airgap. Run the appropriate commands to store the credentials that you will need to mirror images to the private container registry. The command stores the credentials to the following file on your local file system: $HOME/.airgap/secrets.

To configure the credentials that you need to mirror software images:

Store the IBM Entitled Registry credentials by running the following command:

cloudctl case launch \
--case ${OFFLINEDIR_CPD}/ibm-cp-datacore-2.0.13+05022022.tgz \
--inventory cpdPlatformOperator \
--action configure-creds-airgap \
--args "--registry cp.icr.io --user ${IBM_ENTITLEMENT_USER} --pass ${IBM_ENTITLEMENT_KEY} --inputDir ${OFFLINEDIR_CPD}"

Store the private container registry credentials.

cloudctl case launch \
  --case ${OFFLINEDIR_CPD}/ibm-cp-datacore-2.0.13+05022022.tgz \
  --inventory cpdPlatformOperator \
  --action configure-creds-airgap \
  --args "--registry ${PRIVATE_REGISTRY_LOCATION} --user ${PRIVATE_REGISTRY_PUSH_USER} --pass ${PRIVATE_REGISTRY_PUSH_PASSWORD}"

5. Downloading shared cluster component CASE packages

Determine which shared cluster components you need to install on your cluster and download the appropriate CASE packages.

Shared cluster component	CASE download command
IBM Cloud Pak foundational services Download this package if IBM Cloud Pak foundational services Version 3.18.0 or later is not installed on the cluster.	`cloudctl case save \ --repo ${PATH_CASE_REPO} \ --case ibm-cp-common-services \ --version 1.14.0 \ --outputdir ${OFFLINEDIR_CPFS}`
Scheduling service Download this package if you plan to install Watson™ Machine Learning Accelerator or if you want to use the quota enforcement feature.	`cloudctl case save \ --repo ${PATH_CASE_REPO} \ --case ibm-cpd-scheduling \ --version 1.3.5 \ --outputdir ${OFFLINEDIR_CPD}`

6. Downloading service CASE packages

Decide which services you plan to install on your cluster and download the appropriate CASE packages.

Anaconda Repository for IBM Cloud Pak for Data

Not applicable. For details, see Installing Anaconda Repository for IBM Cloud Pak for Data.

Analytics Engine Powered by Apache Spark

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-analyticsengine \
--version 4.0.9 \
--outputdir ${OFFLINEDIR_CPD}

Cognos Analytics

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-cognos-analytics-prod \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

Cognos Dashboards

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-cde \
--version 2.0.9 \
--outputdir ${OFFLINEDIR_CPD}

Data Privacy

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-dp \
--version 4.0.9 \
--outputdir ${OFFLINEDIR_CPD}

Data Refinery

The Data Refinery CASE package is automatically downloaded when you download the CASE package for either Watson Knowledge Catalog or Watson Studio.

Data Virtualization

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-dv-case \
--version 1.7.8 \
--outputdir ${OFFLINEDIR_CPD}

DataStage

Download the appropriate package based on your license:

DataStage Enterprise

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-datastage-enterprise \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

DataStage Enterprise Plus

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-datastage \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

Db2

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-db2oltp \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

Db2 Big SQL

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-bigsql-case \
--version 7.2.8 \
--outputdir ${OFFLINEDIR_CPD}

Db2 Data Gate

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-datagate-prod \
--version 4.0.8 \
--outputdir ${OFFLINEDIR_CPD}

Db2 Data Management Console

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-dmc \
--version 4.0.8 \
--outputdir ${OFFLINEDIR_CPD}

Db2 Event Store

Not applicable. Contact IBM Software support if you plan to install this service.

Db2 Warehouse

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-db2wh \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

Decision Optimization

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-dods \
--version 4.0.9 \
--outputdir ${OFFLINEDIR_CPD}

EDB Postgres

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-cpd-edb \
--version 4.0.8 \
--outputdir ${OFFLINEDIR_CPD}

Execution Engine for Apache Hadoop

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-hadoop \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

Financial Services Workbench

Not applicable. For details, see the Financial Services Workbench documentation.

Guardium External S-TAP

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-estap \
--version 1.0.0 \
--outputdir ${OFFLINEDIR_CPD}

IBM Match 360 with Watson

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-mdm \
--version 1.0.209 \
--outputdir ${OFFLINEDIR_CPD}

Informix

Download both of the following CASE packages:

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-informix-operator \
--version 4.0.6 \
--outputdir ${OFFLINEDIR_CPD}

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-informix-cp4d-operator \
--version 4.0.6 \
--outputdir ${OFFLINEDIR_CPD}

MongoDB

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-cpd-mongodb \
--version 4.0.8 \
--outputdir ${OFFLINEDIR_CPD}

Open Data for Industries

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-osdu \
--version 3.0.0 \
--outputdir ${OFFLINEDIR_CPD}

OpenPages

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-openpages \
--version 2.1.5+20220414.030441.82040426 \
--outputdir ${OFFLINEDIR_CPD}

If you want OpenPages to automatically provision a Db2 database, you must also download the following package: :

Db2 as a service

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-db2aaservice \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

Planning Analytics

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-planning-analytics \
--version 4.0.90573 \
--outputdir ${OFFLINEDIR_CPD}

Product Master

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-productmaster \
--version 1.0.4+20220511.175530.3 \
--outputdir ${OFFLINEDIR_CPD}

RStudio Server with R 3.6

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-rstudio \
--version 1.0.9 \
--outputdir ${OFFLINEDIR_CPD}

SPSS Modeler

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-spss \
--version 1.0.9 \
--outputdir ${OFFLINEDIR_CPD}

Virtual Data Pipeline

Not applicable. For details, see Installing Virtual Data Pipeline for Cloud Pak for Data.

Voice Gateway

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-voice-gateway \
--version 1.0.6 \
--outputdir ${OFFLINEDIR_CPD}

Watson Assistant

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-watson-assistant \
--version 4.0.8 \
--outputdir ${OFFLINEDIR_CPD}

Watson Assistant for Voice Interaction

Watson Assistant for Voice Interaction is comprised of the following services:

Voice Gateway
Watson Assistant
Watson Speech to Text
Watson Text to Speech

Download the appropriate services for your use case.

Watson Discovery

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-watson-discovery \
--version 4.0.9 \
--outputdir ${OFFLINEDIR_CPD}

Watson Knowledge Catalog

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-wkc \
--version 4.0.9 \
--outputdir ${OFFLINEDIR_CPD}

Watson Knowledge Studio

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-watson-ks \
--version 4.0.9 \
--outputdir ${OFFLINEDIR_CPD}

Watson Machine Learning

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-wml-cpd \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

Watson Machine Learning Accelerator

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-wml-accelerator \
--version 2.3.9 \
--outputdir ${OFFLINEDIR_CPD}

Watson OpenScale

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-watson-openscale \
--version 2.5.4 \
--outputdir ${OFFLINEDIR_CPD}

Watson Speech to Text

The same package is used for the Watson Speech to Text service and the Watson Text to Speech service. You only need to download the package once.

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-watson-speech \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

Watson Studio

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-wsl \
--version 2.0.9 \
--outputdir ${OFFLINEDIR_CPD}

Watson Studio Runtimes

The Watson Studio Runtimes CASE package is automatically downloaded when you download the CASE package for Watson Studio.

Watson Text to Speech

The same package is used for the Watson Speech to Text service and the Watson Text to Speech service. You only need to download the package once.

cloudctl case save \
--repo ${PATH_CASE_REPO} \
--case ibm-watson-speech \
--version 4.0.10 \
--outputdir ${OFFLINEDIR_CPD}

7. Mirroring the images to the private container registry

To mirror the images:

Some CASE packages include images that require entitlement. If you are not entitled to use those images, you must delete the images:
1. If you did not purchase a license for EDB Postgres Enterprise, run the following command to remove any edb-postgres-advanced images from the list of images to mirror.
  If you purchased a license for EDB Postgres Enterprise, skip this step.
```
sed -i -e '/edb-postgres-advanced/d' ${OFFLINEDIR_CPD}/ibm-cloud-native-postgresql-4.0.*-images.csv
```
2. If you downloaded the Informix CASE packages, delete the images that you are not entitled to.
  By default, the ibm-informix-operator CASE package includes the images for the following editions of Informix:
  - Developer Edition (free)
  - Workgroup Edition
  - Enterprise Edition
  - Advanced Enterprise Edition
  Run the appropriate commands to delete the images for any editions that you are not entitled to:
  Advanced Enterprise Edition
  If you did not purchase a license for Informix Advanced Enterprise Edition, run the following command to delete the Advanced Enterprise Edition images:
```
sed -i -e '/informix-edition-aee/d' ${OFFLINEDIR_CPD}/ibm-informix-operator-4.0.*-images.csv
```
  Enterprise Edition
  If you did not purchase a license for Informix Enterprise Edition, run the following command to delete the Enterprise Edition images:
```
sed -i -e '/informix-edition-ee/d' ${OFFLINEDIR_CPD}/ibm-informix-operator-4.0.*-images.csv
```
  Workgroup Edition
  If you did not purchase a license for Informix Workgroup Edition, run the following command to delete the Workgroup Edition images:
```
sed -i -e '/informix-edition-we/d' ${OFFLINEDIR_CPD}/ibm-informix-operator-4.0.*-images.csv
```

Use the Cloud Pak for Data platform CASE package to mirror all of the images to the private container registry:

cloudctl case launch \
  --case ${OFFLINEDIR_CPD}/ibm-cp-datacore-2.0.13+05022022.tgz \
  --inventory cpdPlatformOperator \
  --action mirror-images \
  --args "--registry ${PRIVATE_REGISTRY_LOCATION} --user ${PRIVATE_REGISTRY_PUSH_USER} --pass ${PRIVATE_REGISTRY_PUSH_PASSWORD} --inputDir ${OFFLINEDIR_CPD}"

Remember: The mirror-images command mirrors any changed images in the ${OFFLINEDIR_CPD} directory.

If you downloaded the IBM Cloud Pak foundational services CASE package, run the following command to mirror the images to the private container registry:

cloudctl case launch \
  --case ${OFFLINEDIR_CPFS}/ibm-cp-common-services-1.14.0.tgz \
  --inventory ibmCommonServiceOperatorSetup \
  --action mirror-images \
  --args "--registry ${PRIVATE_REGISTRY_LOCATION} --user ${PRIVATE_REGISTRY_PUSH_USER} --pass ${PRIVATE_REGISTRY_PUSH_PASSWORD} --inputDir ${OFFLINEDIR_CPFS}"

8. Storing the CASE packages

Best practice: Save the CASE packages in a dedicated location to ensure that you can replicate the configuration at any time or on any cluster.

CASE packages specify dependencies as a range, so it is possible to get a later version of the dependencies if you download the CASE package on different dates.

Saving the downloaded CASE packages prevents any discrepancies.

What's next Now that you've mirrored the images to your private container registry, you are ready to complete Configuring your cluster to pull Cloud Pak for Data images.