Cloud Pak for Business Automation


IBM Cloud Pak for Business Automation – Fresh Production Deployment for Content Pattern with Separation of duties

By LEELA CHITTA posted 12 hours ago

  

Author : Leela P Chitta

IBM Documentation Reference - https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=deployments-installing-cp4ba-filenet-content-manager-production-deployment

What is a separation of duties deployment? The Cloud Pak for Business Automation operators are in one namespace and the deployments (operands) are in a different namespace.

Prerequisites for the Deployment. 

·      Preparing for a deployment is completed (https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=deployment-preparing-production) 

·      Optional: Preparing Customized versions of  JDBC & ICCSAP libraries is completed (https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=icfcmpd-optional-preparing-customized-versions-jdbc-drivers-iccsap-libraries) 

Separation of duties deployment must be performed using deployment scripts. (https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=suc-recommended-option-1-setting-up-cluster-by-running-script) 

Installing a fresh production deployment by running scripts for Separation of duties

You can install the Cloud Pak capabilities that you want by running the cluster admin script and the deployment script. The cluster admin script can be run on the command-line interface (CLI) or in silent mode. 

·      Setting up the cluster with the admin script 

o   To install the Cloud Pak capabilities with the Cloud Pak operators, a cluster administrator must run the script to set up the cluster. The administrator must also provide information that they get from the script to a non-administrator user so they can run the deployment script to install capability (operands).

o    The script prompts the user to choose whether this deployment is for separation of duties.

Procedure 

1.     Log in to the target cluster as the <cluster-admin> user.  

If you are not already logged in on OpenShift (OCP), then log in using the oc CLI: 

oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password> 

2.     Download the cert-kubernetes repository from GitHub. For this blog we are doing a 25.0.0 fresh production deployment with separation of duties, so let’s switch to the 25.0.0 branch. 

Change to any folder on the infrastructure node of your OpenShift cluster and clone the GitHub repository. 

git clone https://github.com/icp4a/cert-kubernetes.git -b 25.0.0 --single-branch

3. Change the directory to the extracted cert-kubernetes/scripts folder.  

cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes/scripts 

4. Run the cluster setup script and follow the prompts in the command window.  

./cp4a-clusteradmin-setup.sh 

a.     Select the CP4BA deployment environment: Online (1) / Offline or Airgap (2). Select Online.  

b.     Select the platform type: OCP (2).  

c.     Select the deployment type production (2).  

d.     If you plan to enable FIPS for your Cloud Pak for Business Automation deployment, select Yes to check that the worker nodes on the cluster are FIPS enabled. 

e.     Accept the default Yes to install CP4BA as a private catalog 

f.      When asked whether you want to install the CP4BA operators and the CP4BA deployments in separate namespaces, select Yes.

g.     Enter the name for a new project or an existing project (namespace). Example: cp2500opr

h.     When asked, you must provide a namespace for operands (runtime pods): Where (namespace) do you want to deploy CP4BA operands (i.e., runtime pods)? Example -- cp25oprands

i.        Enter Yes to confirm that you have an IBM Entitlement Registry key.  

j.         Enter your IBM Entitled Registry key

Cluster admin script deployment starts...  

The following message is displayed: 

[INFO] Checking the IBM Cert-manager Operator ready or not 

....

[INFO] Applying the latest IBM CP4BA Operator catalog source... 

[] IBM CP4BA Operator catalog source Updated! 

To verify, open the OpenShift console, go to the project that you specified for operators (Example: cp2500opr), and check under Installed Operators that all operators show as succeeded. 

You must see “NamespaceScope Operator”, as this deployment is for separation of duties.

IBM CP4BA Operators version can be verified as 25.0.0 version.

Preparing databases and secrets for your chosen capabilities by running a script 

(Reference - https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script) 

The cp4a-prerequisites.sh script is provided in the cert-kubernetes repository to help you prepare for an installation of Cloud Pak for Business Automation. The script generates property files for the selected capabilities in your deployment and must be run before your deployment is installed.

Procedure: 

1. Make sure you are on the current project  

oc project ${NAMESPACE}

2. Run ./cp4a-prerequisites.sh -m generate -n cp2500opr

3. The script checks the configmap called “ibm-cp4ba-common-config” and determines that the deployment is for separation of duties. When the script asks for the operand namespace, provide the namespace for your operands that was given during the cluster admin setup script. (For example: cp25oprands)

4.     Select 1 as we are deploying FileNet Content Manager 

5. Select optional components for “FileNet Content Manager”. For this blog, I am selecting 1 & 5.

6.     Press Enter to proceed 

7.     Select LDAP type 

8.     Enter your dynamic storage classes for slow, medium, fast file storage (RWX). For this blog, I am using “nfs-client” as a storage class for all storage class requirements.

9.     Select a deployment profile size from small, medium, or large [1 to 3]. The default is small (1).

10.     Choose the database type that you want to use for the CP4BA deployment.  

Note - By default, the databases are SSL enabled. You can disable SSL for a database when you edit the database property file.

11.     Enter alias name for database  

12.     Select No to restrict network (Default is Yes)

13.     Select No for external certificate

14.     Enter the number of object stores of a FileNet P8 domain to configure for the CP4BA deployment.

15.     Make sure that you are in the propertyfile folder under cp4ba-prerequisites/project/$NAMESPACE and edit the property files as indicated by the NEXT ACTIONS messages from the script. Update the property files (cp4ba_db_name_user.property, cp4ba_db_server.property, cp4ba_LDAP.property, cp4ba_user_profile.property).

Make sure all the <Required> values in all of the property files are replaced correctly. 

(Reference - https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script Step 5)

16.     The user needs to create the databases … if the DB selected is other than Postgres EDB. They need to run the DB scripts against the database servers. 

17.     Navigate to cp4ba-prerequisites/project/$NAMESPACE and execute the necessary scripts to create databases and update property files for LDAP and Database.

18.     When the user property files are complete and ready, make sure that you are in the scripts folder under cert-kubernetes, and run the cp4a-prerequisites.sh script in the “generate” mode.

./cp4a-prerequisites.sh -m generate -n cp2500opr

19.     The above generates the required secret files based on the values that were provided in the property files.

20.     Run -> ./create_secrets.sh

21.     Now validate prerequisites by executing ->  

./cp4a-prerequisites.sh -m validate -n cp2500opr

22.     The script will ask to provide operands namespace as this deployment is for Separation of duties.

Make sure everything passed. If not, verify the data entered for the database and LDAP, fix it, and re-run the generate and validate commands.
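A pre-flight check for step 15, added here as an example (it is not part of cert-kubernetes or the IBM documentation): it lists every key in the property files that still carries the <Required> placeholder, printing only file, line and key name so that credentials stored in those files are never echoed. It assumes KEY=VALUE lines with # comments; the function name find_unset_required is hypothetical.

```sh
#!/bin/sh
# Added example, not part of cert-kubernetes. Assumes property files use
# KEY=VALUE lines with '#' comments; find_unset_required is a hypothetical name.

# Print "file:line:key" for every key still set to the <Required> placeholder
# in DIR/*.property. Values are never printed, because the same files hold
# database and LDAP credentials. Returns 1 if any placeholder remains.
find_unset_required() {
    dir=$1
    found=0
    for f in "$dir"/*.property; do
        [ -f "$f" ] || continue
        hits=$(awk -v file="$(basename "$f")" '
            /^[ \t]*#/ { next }                 # ignore comment lines
            index($0, "<Required>") {
                key = $0
                sub(/[ \t]*=.*/, "", key)       # keep only the key name
                sub(/^[ \t]+/, "", key)
                printf "%s:%d:%s\n", file, NR, key
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# Usage: sh check_required.sh cp4ba-prerequisites/project/$NAMESPACE/propertyfile
if [ "$#" -eq 1 ]; then
    find_unset_required "$1"
fi
```

Run it before the generate step; a non-zero exit status means at least one placeholder is still unresolved.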

Installing the capabilities (operands) by running the deployment script.

(Reference -- https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=cpd-option-1-recommended-generating-custom-resource-deployment-script)

It is possible to install all the capabilities using the scripts. For this blog we have selected FileNet Content Manager and its optional components, for which we have prepared prerequisites.

The script applies a custom resource (CR) file, which is deployed by the Cloud Pak operator. The deployment script prompts the user to enter values to get access to the container images and to select what is installed with the deployment. 

Procedure:

1.     Make sure you are on the operators project. (Example: cp2500opr)

       oc project cp2500opr

2.     Run the deployment script from the local directory where you downloaded the cert-kubernetes repository, and follow the prompts in the command window.

cd cert-kubernetes/scripts 

./cp4a-deployment.sh -n cp2500opr

3.     Accept the license. You must agree to the license that is displayed. Select Yes

4.     As we have not deployed a CP4BA FileNet Content Manager instance, Select No

5.     Select a new installation type. - Select the production deployment type.

6.     Press Enter to continue

7.     Select OpenShift Container Platform (OCP)

8.     If your OCP is deployed on AWS or Azure - Select No

9.     Use default user, select Yes 

10.     Provide the URL to the ZIP file that contains the ICCSAP drivers. You can leave that as optional.

11.     The script will prompt you to provide the namespace for operands. (Example: cp25oprands)

12.     A summary of your selection is displayed. Click "Yes" to verify that the information is correct.

13.     The script will generate the CR based on the components selection with similar output like below.

14.     Review the CR file to check the parameter values and make sure every required field has a value.

15.     Apply the generated Content CR under ->

a.     /scripts/generated-cr/project/cp2500opr

b.     Run -- oc apply -f ibm_content_cr_final.yaml

The operator reconciliation loop can take some time. You must verify that the automation containers are running.  

Depending on the OCP hardware capabilities, it can take a couple of hours to complete the deployment. 

Verification of Deployment completion.

1.     For this Separation of duties deployment, all the operators and the operands are in 2 different namespaces.

a.     For this blog, all operators will be in -> cp2500opr

b.    Operands will be in -> cp25oprands

2.     Operators namespace -> cp2500opr

3.     Operands (Runtime pods) namespace -> cp25oprands

a.     Notice no CP4BA related operators.

b.     Notice the CPE deployment pods are inside cp25oprands namespace

c.     Log in to the OpenShift console and verify that the config maps content-cp4a-access-info, content-initialization-config and content-verification-config are available in the operands namespace -> cp25oprands


d.     Access all URL’s and validate deployment.
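The checks in steps 3a and 3c, scripted as an added example (not from the original post or from IBM): it confirms that a CP4BA operator is listed in the operators namespace but not in the operands namespace, and that the three config maps exist in the operands namespace. The cp4a substring used to recognise CP4BA operator CSV names and the function name verify_sod are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. verify_sod is a hypothetical name.
OC="${OC:-oc}"   # command used to talk to the cluster; override with a wrapper
# Assumption: CP4BA operator CSV names contain this substring.
CP4BA_CSV_PATTERN="${CP4BA_CSV_PATTERN:-cp4a}"
# Config maps the post expects in the operands namespace.
REQUIRED_CMS="content-cp4a-access-info content-initialization-config content-verification-config"

# verify_sod OPERATORS_NS OPERANDS_NS -> returns 0 only if every check passes
verify_sod() {
    opr_ns=$1
    opd_ns=$2
    rc=0
    # The operators namespace must list a CP4BA operator (ClusterServiceVersion).
    opr_csvs=$($OC get csv -n "$opr_ns" -o name 2>/dev/null) || opr_csvs=""
    if ! printf '%s\n' "$opr_csvs" | grep -q "$CP4BA_CSV_PATTERN"; then
        echo "FAIL: no CP4BA operator CSV found in $opr_ns"
        rc=1
    fi
    # The operands namespace must not list any CP4BA operator.
    opd_csvs=$($OC get csv -n "$opd_ns" -o name 2>/dev/null) || opd_csvs=""
    if printf '%s\n' "$opd_csvs" | grep -q "$CP4BA_CSV_PATTERN"; then
        echo "FAIL: CP4BA operator CSV present in operands namespace $opd_ns"
        rc=1
    fi
    # The deployment's config maps must exist next to the runtime pods.
    for cm in $REQUIRED_CMS; do
        if ! $OC get configmap "$cm" -n "$opd_ns" >/dev/null 2>&1; then
            echo "FAIL: configmap $cm missing in $opd_ns"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: operators in $opr_ns, operands in $opd_ns"
    fi
    return "$rc"
}

# Usage: sh verify_sod.sh cp2500opr cp25oprands
if [ "$#" -eq 2 ]; then
    verify_sod "$1" "$2"
fi
```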
