Support end-to-end air gap installation
Closed this issue · 1 comments
Note ... this will primarily involve updates to the ibm.mas_devops collection ... the goal is to ensure that those existing roles work after we have run through the airgap setup processes that are part of this collection. The manual process is documented below for reference, no new implementation should be needed for this step, the existing install roles in mas_devops should all support "airgap mode", and if they do not, should be updated so that they do.
Deploying Maximo Application Suite and its Prereqs into an OpenShift AirGap Cluster
- Reference: https://www.ibm.com/docs/en/mas86/8.6.0
- Reference: https://www.ibm.com/docs/en/cloud-paks/1.0?topic=airgap-installing-foundational-services-in-air-gapped-environment
• Log into the OpenShift AirGap cluster
• Installing Service Binding Operator
• Installing IBM Foundational Services
• Installing IBM User Data Services
• Installing MongoDB
• Installing IBM TrustStore Manager
• Installing IBM SLS
• Installing IBM Maximo Application Suite Core
• Installing IBM Manage
Log into the OpenShift AirGap cluster
oc login -u $CLUSTER_USERNAME -p $CLUSTER_PASSWORD --server=$CLUSTER_URL
Installing Service Binding Operator
- REFERENCE: https://pages.github.ibm.com/maximoappsuite/deployment-guide/install/service-binding-operator
- REFERENCE: https://operatorhub.io/operator/service-binding-operator
See APPENDIX E Determining an image's digest
wget https://github.com/redhat-developer/service-binding-operator/releases/download/v0.8.0/release.yaml
Update image:tag in release.yaml with image: quay.io/redhat-developer/servicebinding-operator@sha256:d4395e987d0aeffc603696d0630d8ab643e32c0da739296e998a75e9cd8243ac
oc create namespace ibm-sls
oc project ibm-sls
oc apply -f ./release.yaml
Installing IBM Foundational Services
- Reference: https://www.ibm.com/docs/en/cpfs?topic=ifsoa-installing-cloud-pak-foundational-services-in-air-gapped-environment
- Reference: https://www.ibm.com/docs/en/cpfs?topic=environment-bastion-host
- Reference: https://github.com/IBM/cloud-pak-cli
export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-cp-common-services
Verify $CLOUDCTL_OUTPUTDIR/ibm-cp-common-services-1.9.0.tgz exists. If not then follow the instructions for Mirroring IBM Foundational Services Images and Configure cluster for IBM Foundational Services first.
#install the catalog and operatorgroup
oc project ibm-common-services
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/CP/ibm-cp-common-services-1.9.0.tgz --inventory ibmCommonServiceOperatorSetup --action install-catalog --namespace ibm-common-services --args "--registry $MIRROR_REGISTRY"
# wait for catalogsource to be READY
oc get catalogsource opencloud-operators -n openshift-marketplace -o yaml
#set up the subscription
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/CP/ibm-cp-common-services-1.9.0.tgz --inventory ibmCommonServiceOperatorSetup --action install-operator --namespace ibm-common-services
#Delete unnecessary products installed with common services, such as
oc delete AuditLogging exampleauditlogging
#wait until all pods are either Completed or Running.
oc get pods -A -o wide | grep -v -E 'Completed|Running'
oc get pods -n ibm-common-services
Installing IBM User Data Services
- Reference: https://www.ibm.com/docs/en/cpfs?topic=ifsoa-installing-user-data-services-in-air-gapped-environment
Complete these steps on your bastion host that is connected to both the local image registry and the OpenShift Container Platform
cluster.
export CLOUDCTL_OUTPUTDIR=/root/offline/uds
Verify $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz exists. If not then follow the instructions for Mirroring IBM User Data Services
Images and Configure cluster for IBM User Data Services first.
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz --inventory operatorSetup --action install-catalog --namespace ibm-common-services --args "--registry $MIRROR_REGISTRY"
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz --inventory operatorSetup --action install-operator --namespace ibm-common-services
Storage classes in the following command must exist. See section deploying Filesystem.
oc get storageclasses
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz --namespace ibm-common-services --inventory operator --action apply_custom_resources --args "--accept_license true --db_archive_storage_class <localblock storageclass> --db_storage_class <ocs ceph rbd storageclass> --event_scheduler_frequency @hourly --image_pull_secret uds-images-pull-secret --postgres_backup_type incremental --postgres_backup_frequency @daily --airgap_enabled true"
oc patch subscription crunchy-postgres-operator --namespace ibm-common-services --type merge --patch '{"spec":{"installPlanApproval":"Manual"}}'
oc patch subscription crunchy-postgres-operator --namespace ibm-common-services --type merge --patch '{"spec":{"source":"ibm-udsoperator-catalog"}}'
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz --namespace ibm-common-services --inventory operator --action generate-api-key --args "--key_name uds-api-key"
Installing MongoDB
MongoDB is a prereq for the Maximo Application Suite.
See Example Instructions for installing MongoDB CE in OpenShift AirGap cluster in APPENDIX D below.
Installing IBM TrustStore Manager
export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-mas
Verify $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz exists. If not then follow the instructions for Mirroring IBM
TrustStore Manager Images and Configure cluster for IBM TrustStore Manager first.
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz --inventory ibmTrustStoreMgrSetup --action install-catalog --namespace openshift-marketplace --args "--registry $MIRROR_REGISTRY"
NOTE: Update catalogsource digest.. it is missing the @sha256
eval "$(echo oc patch catalogsource ibm-truststore-mgr-operator-catalog --namespace openshift-marketplace --type merge --patch '{\"spec\":{\"image\":\"$MIRROR_REGISTRY/cpopen/ibm-truststore-mgr-operator-catalog@sha256:e4a3056bd49fe581b3dd754fede6aa17f1cf7b37aefcadf5913eac618e86cd7b\"}}')"
Installing IBM SLS
export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-mas
oc create namespace ibm-sls
oc project ibm-sls
Use the local mirror registry credentials for the ibm-entitlement secret
oc -n ibm-sls create secret docker-registry ibm-entitlement --docker-server=$MIRROR_HOST --docker-username=$REGISTRY_USERNAME --docker-password=$REGISTRY_PASSWORD
Specify the correct MongoDB credentials for the ibm-sls-mongo-credentials secret
cat > ./mongo.yaml << EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ibm-sls-mongo-credentials
  namespace: ibm-sls
stringData:
  username: 'admin'
  password: 'password123'
EOF
oc apply -f mongo.yaml
Verify $CLOUDCTL_OUTPUTDIR/SLS/ibm-sls-3.2.4.tgz exists. If not then follow the instructions for Mirroring IBM SLS Images and Configure cluster for IBM SLS first.
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/SLS/ibm-sls-3.2.4.tgz --inventory ibmSlsSetup --action install-catalog --namespace openshift-marketplace --args "--registry $MIRROR_REGISTRY"
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/SLS/ibm-sls-3.2.4.tgz --inventory ibmSlsSetup --action install-operator --namespace ibm-sls
There are several settings in the License service file that must be correct, such as the mongo nodes and rlks storage class. Please
specify the correct values.
cat > ./license.yaml << EOF
apiVersion: sls.ibm.com/v1
kind: LicenseService
metadata:
  name: sls
  namespace: ibm-sls
spec:
  license:
    accept: true
  domain: ibm-sls.apps.$CLUSTER_HOSTNAME
  mongo:
    configDb: admin
    nodes:
    - host: mas-mongo-ce-0.mas-mongo-ce-svc.mongoce.svc.cluster.local
      port: 27017
    - host: mas-mongo-ce-1.mas-mongo-ce-svc.mongoce.svc.cluster.local
      port: 27017
    - host: mas-mongo-ce-2.mas-mongo-ce-svc.mongoce.svc.cluster.local
      port: 27017
    secretName: ibm-sls-mongo-credentials
    authMechanism: DEFAULT
    retryWrites: true
  rlks:
    storage:
      class: rook-cephfs
      size: 5G
EOF
oc apply -f license.yaml
Verify $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz exists. If not then follow the instructions for Mirroring IBM
TrustStore Manager Images and Configure cluster for IBM TrustStore Manager first.
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz --inventory ibmTrustStoreMgrSetup --action install-operator --namespace ibm-sls --args "--registry $MIRROR_REGISTRY"
oc patch configmap ibm-truststore-mgr-image-map -n ibm-sls --type merge --patch '{"data":{"image-map.yaml": "icr.io/ibm-truststore-mgr/worker:1.2.2: icr.io/ibm-truststore-mgr/worker@sha256:4baa316e076dbe900ef6a17e80be1900d1f9c4e9ba89309158c6c585f14bee90\n"}}'
NOTE: You must register the entitlement.lic file with SLS after MAS is installed.
Installing IBM Maximo Application Suite
Reference:
- https://www.ibm.com/docs/en/mas86/8.6.0?topic=installing-maximo-application-suite-from-passport-advantage
- https://www.ibm.com/docs/en/mas84/8.4.0?topic=installing-maximo-application-suite
export ENTITLEMENT_KEY=<your_key>
export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-mas
oc create namespace mas-$INSTANCE-core
oc project mas-$INSTANCE-core
Specify the correct MongoDB credentials for the mas-mongo-credentials secret
cat > ./mas-mongo.yaml << EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mas-mongo-credentials
  namespace: mas-$INSTANCE-core
stringData:
  username: 'admin'
  password: 'password123'
EOF
oc apply -f mas-mongo.yaml
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz --inventory ibmTrustStoreMgrSetup --action install-operator --namespace mas-$INSTANCE-core --args "--registry $MIRROR_REGISTRY"
oc patch configmap ibm-truststore-mgr-image-map -n mas-$INSTANCE-core --type merge --patch '{"data":{"image-map.yaml": "icr.io/ibm-truststore-mgr/worker:1.2.2: icr.io/ibm-truststore-mgr/worker@sha256:4baa316e076dbe900ef6a17e80be1900d1f9c4e9ba89309158c6c585f14bee90\n"}}'
cat > ./catalog.yaml << EOF
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-mas-operator-catalog
  namespace: openshift-marketplace
spec:
  displayName: IBM MAS Catalog
  publisher: IBM
  description: Catalog Source for IBM Maximo Application Suite
  sourceType: grpc
  image: icr.io/cpopen/ibm-mas-operator-catalog@sha256:bb5e33dc21efb7559b45d801c47dd1a9362dd4996724eaa5664605bd34cfd1ca
  updateStrategy:
    registryPoll:
      interval: 45m
EOF
oc apply -f ./catalog.yaml
cat > ./operatorgroup.yaml << EOF
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-mas-operator-group
  namespace: mas-$INSTANCE-core
spec:
  targetNamespaces:
  - mas-$INSTANCE-core
EOF
oc apply -f ./operatorgroup.yaml
#Create ibm-entitlement secret using the local mirror registry credentials
oc create secret --namespace mas-$INSTANCE-core docker-registry ibm-entitlement --docker-server=$MIRROR_REGISTRY --docker-username=$REGISTRY_USERNAME --docker-password=$REGISTRY_PASSWORD
#Create config map containing image digests for AirGap deployment
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/MAS/ibm-mas-8.6.1.tgz --inventory ibmMasSetup --action install-operator --namespace mas-$INSTANCE-core --args "--secret ibm-entitlement"
cat > ./subscription.yaml << EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-mas
spec:
  channel: 8.x
  installPlanApproval: Automatic
  name: ibm-mas
  source: ibm-mas-operator-catalog
  sourceNamespace: openshift-marketplace
EOF
oc apply -f ./subscription.yaml
#Wait for IBM MAS Operator to start
cat > ./suite.yaml << EOF
apiVersion: core.mas.ibm.com/v1
kind: Suite
metadata:
  name: $INSTANCE
  namespace: mas-$INSTANCE-core
  labels:
    mas.ibm.com/instanceId: $INSTANCE
spec:
  certManagerNamespace: cert-manager
  domain: $INSTANCE.apps.$CLUSTER_HOSTNAME
  license:
    accept: true
  settings:
    icr:
      cp: cp.icr.io/cp
      cpopen: icr.io/cpopen
EOF
oc apply -f suite.yaml
Wait for IBM MAS suite to become READY
Log in to the MAS admin console and complete the configuration.
Query the MAS API URL
echo "https://$(oc get route $INSTANCE-api -n mas-$INSTANCE-core -o custom-columns=NAME:spec.host --no-headers)/"
Then open browser and navigate to API URL and accept the self signed certificates
NOTE: after accepting the certificates you will see the exception "AIUCO1022E: The requested URL could not be found: /". This is expected.
Query the Superuser username
echo $(oc get secret $INSTANCE-credentials-superuser -n mas-$INSTANCE-core -o custom-columns=NAME:data.username --no-headers | base64 -d)
Query the Superuser password
echo $(oc get secret $INSTANCE-credentials-superuser -n mas-$INSTANCE-core -o custom-columns=NAME:data.password --no-headers | base64 -d)
Query the MAS Admin initialsetup URL
echo "https://$(oc get route $INSTANCE-admin -n mas-$INSTANCE-core -o custom-columns=NAME:spec.host --no-headers)/initialsetup"
Open browser and navigate to the MAS Admin initialsetup URL and accept the self signed certificates.
Log in using the Superuser username and password queried above.
Follow instructions https://www.ibm.com/docs/en/mas86/8.6.0?topic=installing-setting-up-maximo-application-suite to complete
MAS configuration.
Installing IBM Manage
export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-mas
Verify $CLOUDCTL_OUTPUTDIR/MNG/ibm-mas-manage-8.2.1.tgz exists. If not follow instructions for Mirroring IBM Manage Images and Configure cluster for IBM Manage.
oc create namespace mas-$INSTANCE-manage
oc project mas-$INSTANCE-manage
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz --inventory ibmTrustStoreMgrSetup --action install-operator --namespace mas-$INSTANCE-manage --args "--registry $MIRROR_REGISTRY"
oc patch configmap ibm-truststore-mgr-image-map -n mas-$INSTANCE-manage --type merge --patch '{"data":{"image-map.yaml": "icr.io/ibm-truststore-mgr/worker:1.2.2: icr.io/ibm-truststore-mgr/worker@sha256:4baa316e076dbe900ef6a17e80be1900d1f9c4e9ba89309158c6c585f14bee90\n"}}'
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/MNG/ibm-mas-manage-8.2.1.tgz --inventory ibmMasManageSetup --action createImageConfigMap --namespace mas-$INSTANCE-core --args "--registry $MIRROR_REGISTRY --inputDir $CLOUDCTL_OUTPUTDIR/MNG"
install-catalog
Follow instructions https://www.ibm.com/docs/en/maximo-manage/8.2.0?topic=suite-deploying-activating-manage to deploy and
activate Manage. You must deploy with a channel subscription.
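The steps above repeatedly swap image tags for `@sha256` digests (release.yaml, the TrustStore Manager catalogsource). As an added example that is not part of the original issue, this shell function lists `image:` values in a manifest that are not pinned by a full sha256 digest; the function names and the sample manifest are constructed for illustration.

```shell
# Added example: not from the original issue. Function names are illustrative.

# unpinned_images FILE
# Print "LINE: REF" for each image: value that does not end in
# @sha256:<64 lowercase hex chars>. Exit 0 if all are pinned, 1 otherwise.
unpinned_images() {
  awk -v q="'" '
    /^[ \t]*(-[ \t]+)?image:[ \t]*[^ \t#]/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?image:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)    # drop a trailing comment
      gsub("[\"" q "]", "", ref)    # drop surrounding quotes
      sub(/[ \t]+$/, "", ref)
      n = index(ref, "@sha256:")
      digest = (n > 0) ? substr(ref, n + 8) : ""
      if (length(digest) != 64 || digest ~ /[^0-9a-f]/) {
        print NR ": " ref
        bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample manifest (not a real release.yaml).
write_sample_manifest() {
  cat > "$1" <<'EOF'
# constructed sample
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: manager
        image: registry.example.com/sample/operator:v1.0.0
      - name: pinned
        image: quay.io/redhat-developer/servicebinding-operator@sha256:d4395e987d0aeffc603696d0630d8ab643e32c0da739296e998a75e9cd8243ac
      - name: truncated
        image: "registry.example.com/sample/catalog@sha256:e4a3056b"  # digest cut short
EOF
}

manifest=$(mktemp)
write_sample_manifest "$manifest"
if ! report=$(unpinned_images "$manifest"); then
  printf 'Not pinned by digest:\n%s\n' "$report"
fi
rm -f "$manifest"
```

Run it against each manifest before `oc apply`; a non-zero exit status means at least one reference still needs its digest.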
This has been done (apart from the manage bit, but I will open specific issues for the remaining work, including this).