ibm-mas / ansible-airgap

Ansible collection supporting airgap deployment for IBM Maximo Application Suite

Support end-to-end air gap installation #8

Closed durera closed 2 years ago

durera commented 2 years ago

Note ... this will primarily involve updates to the ibm.mas_devops collection ... the goal is to ensure that those existing roles work after we have run through the airgap setup processes that are part of this collection. The manual process is documented below for reference, no new implementation should be needed for this step, the existing install roles in mas_devops should all support "airgap mode", and if they do not, should be updated so that they do.

Deploying Maximo Application Suite and its Prereqs into an OpenShift AirGap Cluster

• Log into the OpenShift AirGap cluster
• Installing Service Binding Operator
• Installing IBM Foundational Services
• Installing IBM User Data Services
• Installing MongoDB
• Installing IBM TrustStore Manager
• Installing IBM SLS
• Installing IBM Maximo Application Suite Core
• Installing IBM Manage

Log into the OpenShift AirGap cluster

oc login -u $CLUSTER_USERNAME -p $CLUSTER_PASSWORD --server=$CLUSTER_URL

Installing Service Binding Operator

See APPENDIX E Determining an image's digest

wget https://github.com/redhat-developer/service-binding-operator/releases/download/v0.8.0/release.yaml

Update image:tag in release.yaml with image: quay.io/redhat-developer/servicebinding-operator@sha256:d4395e987d0aeffc603696d0630d8ab643e32c0da739296e998a75e9cd8243ac

oc create namespace ibm-sls
oc project ibm-sls
oc apply -f ./release.yaml

Installing IBM Foundational Services

export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-cp-common-services

Verify $CLOUDCTL_OUTPUTDIR/ibm-cp-common-services-1.9.0.tgz exists. If not then follow the instructions for Mirroring IBM Foundational Services Images and Configure cluster for IBM Foundational Services first.

#install the catalog and operatorgroup
oc project ibm-common-services
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/CP/ibm-cp-common-services-1.9.0.tgz \
  --inventory ibmCommonServiceOperatorSetup --action install-catalog \
  --namespace ibm-common-services --args "--registry $MIRROR_REGISTRY"
# wait for catalogsource to be READY
oc get catalogsource opencloud-operators -n openshift-marketplace -o yaml
#set up the subscription
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/CP/ibm-cp-common-services-1.9.0.tgz \
  --inventory ibmCommonServiceOperatorSetup --action install-operator \
  --namespace ibm-common-services
#Delete unnecessary products installed with common services, such as
oc delete AuditLogging exampleauditlogging
#wait until all pods are either Completed or Running.
oc get pods -A -o wide | grep -v -E 'Completed|Running'
oc get pods -n ibm-common-services

Installing IBM User Data Services

export CLOUDCTL_OUTPUTDIR=/root/offline/uds

Verify $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz exists. If not then follow the instructions for Mirroring IBM User Data Services Images and Configure cluster for IBM User Data Services first.

cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz --inventory operatorSetup \
  --action install-catalog --namespace ibm-common-services --args "--registry $MIRROR_REGISTRY"
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz --inventory operatorSetup \
  --action install-operator --namespace ibm-common-services

Storage classes in the following command must exist. See section deploying Filesystem.

oc get storageclasses
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz --namespace ibm-common-services \
  --inventory operator --action apply_custom_resources \
  --args "--accept_license true --db_archive_storage_class <localblock storageclass> --db_storage_class <ocs ceph rbd storageclass> --event_scheduler_frequency @hourly --image_pull_secret uds-images-pull-secret --postgres_backup_type incremental --postgres_backup_frequency @daily --airgap_enabled true"
oc patch subscription crunchy-postgres-operator --namespace ibm-common-services --type merge \
  --patch '{"spec":{"installPlanApproval":"Manual"}}'
oc patch subscription crunchy-postgres-operator --namespace ibm-common-services --type merge \
  --patch '{"spec":{"source":"ibm-udsoperator-catalog"}}'
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/ibm-uds-2.0.1.tgz --namespace ibm-common-services \
  --inventory operator --action generate-api-key --args "--key_name uds-api-key"

Installing MongoDB

Mongo DB is a prereq for the Maximo Application Suite. See Example Instructions for installing MongoDB CE in OpenShift AirGap cluster in APPENDIX D below.

Installing IBM TrustStore Manager

export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-mas

Verify $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz exists. If not then follow the instructions for Mirroring IBM TrustStore Manager Images and Configure cluster for IBM TrustStore Manager first.

cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz \
  --inventory ibmTrustStoreMgrSetup --action install-catalog \
  --namespace openshift-marketplace --args "--registry $MIRROR_REGISTRY"

NOTE: Update catalogsource digest.. it is missing the @sha256

eval "$(echo oc patch catalogsource ibm-truststore-mgr-operator-catalog --namespace openshift-marketplace --type merge --patch '{\"spec\":{\"image\":\"$MIRROR_REGISTRY/cpopen/ibm-truststore-mgr-operator-catalog@sha256:e4a3056bd49fe581b3dd754fede6aa17f1cf7b37aefcadf5913eac618e86cd7b\"}}')"

Installing IBM SLS

export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-mas
oc create namespace ibm-sls
oc project ibm-sls

Use the local mirror registry credentials for the ibm-entitlement secret

oc -n ibm-sls create secret docker-registry ibm-entitlement --docker-server=$MIRROR_HOST --docker-username=$REGISTRY_USERNAME --docker-password=$REGISTRY_PASSWORD

Specify the correct Mongodb credentials for the ibm-sls-mongo-credentials secret

cat > ./mongo.yaml << EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ibm-sls-mongo-credentials
  namespace: ibm-sls
stringData:
  username: 'admin'
  password: 'password123'
EOF
oc apply -f mongo.yaml

Verify $CLOUDCTL_OUTPUTDIR/SLS/ibm-sls-3.2.4.tgz exists. If not then follow the instructions for Mirroring IBM SLS Images and Configure cluster for IBM SLS first.

cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/SLS/ibm-sls-3.2.4.tgz --inventory ibmSlsSetup \
  --action install-catalog --namespace openshift-marketplace --args "--registry $MIRROR_REGISTRY"
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/SLS/ibm-sls-3.2.4.tgz --inventory ibmSlsSetup \
  --action install-operator --namespace ibm-sls

There are several settings in the License service file that must be correct, such as the mongo nodes and rlks storage class. Please specify the correct values.

cat > ./license.yaml << EOF
apiVersion: sls.ibm.com/v1
kind: LicenseService
metadata:
  name: sls
  namespace: ibm-sls
spec:
  license:
    accept: true
  domain: ibm-sls.apps.$CLUSTER_HOSTNAME
  mongo:
    configDb: admin
    nodes:
    - host: mas-mongo-ce-0.mas-mongo-ce-svc.mongoce.svc.cluster.local
      port: 27017
    - host: mas-mongo-ce-1.mas-mongo-ce-svc.mongoce.svc.cluster.local
      port: 27017
    - host: mas-mongo-ce-2.mas-mongo-ce-svc.mongoce.svc.cluster.local
      port: 27017
    secretName: ibm-sls-mongo-credentials
    authMechanism: DEFAULT
    retryWrites: true
  rlks:
    storage:
      class: rook-cephfs
      size: 5G
EOF
oc apply -f license.yaml

Verify $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz exists. If not then follow the instructions for Mirroring IBM TrustStore Manager Images and Configure cluster for IBM TrustStore Manager first.

cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz \
  --inventory ibmTrustStoreMgrSetup --action install-operator \
  --namespace ibm-sls --args "--registry $MIRROR_REGISTRY"
oc patch configmap ibm-truststore-mgr-image-map -n ibm-sls --type merge \
  --patch '{"data":{"image-map.yaml": "icr.io/ibm-truststore-mgr/worker:1.2.2: icr.io/ibm-truststore-mgr/worker@sha256:4baa316e076dbe900ef6a17e80be1900d1f9c4e9ba89309158c6c585f14bee90\n"}}'

NOTE: You must register the entitlement.lic file with SLS after MAS is installed.

Installing IBM Maximo Application Suite

Reference:

export ENTITLEMENT_KEY=<your_key>
export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-mas
oc create namespace mas-$INSTANCE-core
oc project mas-$INSTANCE-core

Specify the correct Mongodb credentials for the mas-mongo-credentials secret

cat > ./mas-mongo.yaml << EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: mas-mongo-credentials
  namespace: mas-$INSTANCE-core
stringData:
  username: 'admin'
  password: 'password123'
EOF
oc apply -f mas-mongo.yaml
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz \
  --inventory ibmTrustStoreMgrSetup --action install-operator \
  --namespace mas-$INSTANCE-core --args "--registry $MIRROR_REGISTRY"
oc patch configmap ibm-truststore-mgr-image-map -n mas-$INSTANCE-core --type merge \
  --patch '{"data":{"image-map.yaml": "icr.io/ibm-truststore-mgr/worker:1.2.2: icr.io/ibm-truststore-mgr/worker@sha256:4baa316e076dbe900ef6a17e80be1900d1f9c4e9ba89309158c6c585f14bee90\n"}}'
cat > ./catalog.yaml << EOF
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-mas-operator-catalog
  namespace: openshift-marketplace
spec:
  displayName: IBM MAS Catalog
  publisher: IBM
  description: Catalog Source for IBM Maximo Application Suite
  sourceType: grpc
  image: icr.io/cpopen/ibm-mas-operator-catalog@sha256:bb5e33dc21efb7559b45d801c47dd1a9362dd4996724eaa5664605bd34cfd1ca
  updateStrategy:
    registryPoll:
      interval: 45m
EOF
oc apply -f ./catalog.yaml
cat > ./operatorgroup.yaml << EOF
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-mas-operator-group
  namespace: mas-$INSTANCE-core
spec:
  targetNamespaces:
  - mas-$INSTANCE-core
EOF
oc apply -f ./operatorgroup.yaml
#Create ibm-entitlement secret using the local mirror registry credentials
oc create secret --namespace mas-$INSTANCE-core docker-registry ibm-entitlement \
  --docker-server=$MIRROR_REGISTRY --docker-username=$REGISTRY_USERNAME --docker-password=$REGISTRY_PASSWORD
#Create config map containing image digests for AirGap deployment
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/MAS/ibm-mas-8.6.1.tgz --inventory ibmMasSetup \
  --action install-operator --namespace mas-$INSTANCE-core --args "--secret ibm-entitlement"
cat > ./subscription.yaml << EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-mas
spec:
  channel: 8.x
  installPlanApproval: Automatic
  name: ibm-mas
  source: ibm-mas-operator-catalog
  sourceNamespace: openshift-marketplace
EOF
oc apply -f ./subscription.yaml
#Wait for IBM MAS Operator to start
cat > ./suite.yaml << EOF
apiVersion: core.mas.ibm.com/v1
kind: Suite
metadata:
  name: $INSTANCE
  namespace: mas-$INSTANCE-core
  labels:
    mas.ibm.com/instanceId: $INSTANCE
spec:
  certManagerNamespace: cert-manager
  domain: $INSTANCE.apps.$CLUSTER_HOSTNAME
  license:
    accept: true
  settings:
    icr:
      cp: cp.icr.io/cp
      cpopen: icr.io/cpopen
EOF
oc apply -f suite.yaml

Wait for IBM MAS suite to become READY. Log in to the MAS admin console and complete the configuration.

Query the MAS API URL

echo "https://$(oc get route $INSTANCE-api -n mas-$INSTANCE-core -o custom-columns=NAME:spec.host --no-headers)/"

Then open browser and navigate to API URL and accept the self signed certificates

NOTE: after accepting the certificates you will see the exception "AIUCO1022E: The requested URL could not be found: /". This is expected.

Query the Superuser username

echo $(oc get secret $INSTANCE-credentials-superuser -n mas-$INSTANCE-core -o custom-columns=NAME:data.username --no-headers | base64 -d)

Query the Superuser password

echo $(oc get secret $INSTANCE-credentials-superuser -n mas-$INSTANCE-core -o custom-columns=NAME:data.password --no-headers | base64 -d)

Query the MAS Admin initialsetup URL

echo "https://$(oc get route $INSTANCE-admin -n mas-$INSTANCE-core -o custom-columns=NAME:spec.host --no-headers)/initialsetup"

Open browser and navigate to the MAS Admin initialsetup URL and accept the self signed certificates. Log in using the Superuser username and password queried above. Follow instructions https://www.ibm.com/docs/en/mas86/8.6.0?topic=installing-setting-up-maximo-application-suite to complete MAS configuration.

Installing IBM Manage

export CLOUDCTL_OUTPUTDIR=/root/offline/ibm-mas

Verify $CLOUDCTL_OUTPUTDIR/MNG/ibm-mas-manage-8.2.1.tgz exists. If not, follow the instructions for Mirroring IBM Manage Images and Configure cluster for IBM Manage.

oc create namespace mas-$INSTANCE-manage
oc project mas-$INSTANCE-manage
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/TSM/ibm-truststore-mgr-1.2.2.tgz \
  --inventory ibmTrustStoreMgrSetup --action install-operator \
  --namespace mas-$INSTANCE-manage --args "--registry $MIRROR_REGISTRY"
oc patch configmap ibm-truststore-mgr-image-map -n mas-$INSTANCE-manage --type merge \
  --patch '{"data":{"image-map.yaml": "icr.io/ibm-truststore-mgr/worker:1.2.2: icr.io/ibm-truststore-mgr/worker@sha256:4baa316e076dbe900ef6a17e80be1900d1f9c4e9ba89309158c6c585f14bee90\n"}}'
cloudctl case launch --case $CLOUDCTL_OUTPUTDIR/MNG/ibm-mas-manage-8.2.1.tgz --inventory ibmMasManageSetup \
  --action createImageConfigMap --namespace mas-$INSTANCE-core \
  --args "--registry $MIRROR_REGISTRY --inputDir $CLOUDCTL_OUTPUTDIR/MNG"
install-catalog

Follow instructions https://www.ibm.com/docs/en/maximo-manage/8.2.0?topic=suite-deploying-activating-manage to deploy and activate Manage. You must deploy with a channel subscription.
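
The procedure above twice depends on images being referenced by digest rather than by tag (the release.yaml edit for the Service Binding Operator, and the catalogsource that "is missing the @sha256"). The following is an added example, not part of the issue or of the ibm-mas collections: a pre-apply check and rewrite for a manifest, with hypothetical function names and a constructed sample manifest whose tag is made up.

```shell
#!/bin/sh
# Added example, not code from the issue; function names are hypothetical.

# Print each "image:" value in manifest $1 that is not pinned as
# <repo>@sha256:<64 hex>. Returns 0 if every image is pinned, 1 otherwise.
unpinned_images() {
    bad=$(sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' "$1" |
          tr -d "\"'" | sed 's/[[:space:]]*$//' |
          grep -v -E '^$|@sha256:[0-9a-f]{64}$' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
}

# Rewrite "image: REPO" or "image: REPO:<tag>" (unquoted) in manifest $1 to
# "image: REPO@DIGEST". A malformed DIGEST is rejected before any edit.
pin_image() {
    file=$1 repo=$2 digest=$3
    if ! printf '%s\n' "$digest" | grep -q -E '^sha256:[0-9a-f]{64}$'; then
        echo "refusing malformed digest: $digest" >&2
        return 2
    fi
    # '.' is the only regex metacharacter expected in a repository name
    esc=$(printf '%s' "$repo" | sed 's/\./\\./g')
    sed "s|\(image:[[:space:]]*\)${esc}\(:[A-Za-z0-9_.-]*\)\{0,1\}[[:space:]]*\$|\1${repo}@${digest}|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample: a manifest fragment with a tag-only image (tag is made up).
demo() {
    m=$(mktemp)
    cat > "$m" <<'EOF'
spec:
  containers:
  - name: manager
    image: quay.io/redhat-developer/servicebinding-operator:v0.0.0-constructed
EOF
    unpinned_images "$m" >/dev/null && { rm -f "$m"; return 1; }  # must be flagged
    pin_image "$m" quay.io/redhat-developer/servicebinding-operator \
        sha256:d4395e987d0aeffc603696d0630d8ab643e32c0da739296e998a75e9cd8243ac
    rc=0
    unpinned_images "$m" || rc=$?   # prints nothing and returns 0 once pinned
    rm -f "$m"
    return $rc
}
```

Running `unpinned_images ./release.yaml` before `oc apply` lists any reference that would still be resolved by tag, which the mirrored registry configuration in an air-gapped cluster may not be able to satisfy.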

durera commented 2 years ago

This has been done (apart from the manage bit, but I will open specific issues for the remaining work, including this)