3. IBM Cloud Pak for Integration
Cluster Node types
[Diagram: "Theoretical minimum cluster" for IBM Cloud Pak for Integration on OpenShift, showing one Master node and one Worker node that also runs the services]
A Kubernetes Node is a VM or bare metal machine which is part of a
Kubernetes cluster.
OpenShift Nodes
• Master Nodes run the services that control the cluster including the
etcd database that stores the current state of the cluster.
• Worker Nodes run OpenShift Platform Services, Common Services,
and Integration Services. If the IBM Cloud Pak for Integration is
running in a cluster with other workloads then these also run on the
worker nodes.
Common Services
The common services run on OpenShift worker nodes. They are grouped
into Master, Proxy, and Management services, and can all be run on the
same node, run on separate nodes, and run on multiple nodes for HA.
• Master services: IAM, Catalog, helm/tiller
• Proxy services: ingress controller for app compatibility with OpenShift
• Management services: Metering, Logging, Monitoring
The minimum theoretical configuration is one Master node and one
Worker node. This would not be highly available and is unlikely to have
enough CPU to be usable for more than limited demos.
Note: There are other, more obscure node types, such as dedicated etcd nodes and vulnerability advisor nodes,
but these are beyond the scope of this presentation.
[Diagram labels: OpenShift Platform Services, Common Services. Section: Logical Architecture]
4. Master
• To make the solution fully highly available, each component
must be deployed in an HA topology.
• Master Nodes contain software that uses a quorum* paradigm
for high availability, so they must be deployed as an odd
number of nodes. Typically either 3 or 5 masters are used in an HA
cluster, depending on the size of the cluster and the type of load.
• Common services do not require a quorum so each group of
common services needs to be assigned to 2 or more worker
nodes for HA.
• Worker Nodes run Integration Services. Depending on the
integration services required 2 or more worker nodes may be
needed for HA. (More detail in subsequent slides)
• A topology that is often used is:
• 3 Master nodes
• 2 Worker nodes for Common Services
• 3(+) Worker nodes for Integration Services
[Diagrams: "IBM Cloud Pak for Integration HA Cluster" (Master nodes, Common Services nodes, Worker nodes) and "IBM Cloud Pak for Integration minimal HA Cluster" (Master nodes, combined Services + Worker nodes). Section: Logical Architecture]
8. File System Requirements
The following recommended storage providers have been validated across all the components of IBM
Cloud Pak for Integration:
• OpenShift Container Storage version 4.x, from version 4.2 or higher
• IBM Cloud Block storage and IBM Cloud File storage
Other storage providers are also recommended for specific components. Refer to the notes for that
component in the following table.
9. Integration Component Sizing Reference
For individual integration component sizing reference, you may refer to the lab performance benchmark as
guidance based on your design requirements:
For App Connect Enterprise:
https://www.ibm.com/support/pages/ibm-app-connect-enterprise-v11-performance-reports
For MQ:
https://ibm-messaging.github.io/mqperf/MQ_for_xLinux_V910_Performance.pdf
For Virtual DataPower:
https://www.slideshare.net/ibmdatapower/datapower-api-gateway-performance-benchmarks-135724582
10. Part#2:
Installation
Adding online catalog sources to a cluster
Mirroring operators to a restricted environment
IBM Entitled Registry entitlement keys
Platform Navigator deployment
11. Adding online catalog sources to a cluster
When your cluster is connected to the internet, the IBM Cloud Pak for Integration (CP4I) can be installed
by adding the IBM Operator Catalog and the IBM Common Services Catalog to your cluster and using the
Operator Lifecycle Manager (OLM) to install the operators.
Note: This information only applies to clusters that are connected to the internet.
You must be a cluster administrator to add CatalogSource objects to a cluster.
You can add CatalogSource objects to your cluster using the Red Hat OpenShift web console, or by using
the oc command-line tool.
12. Adding online catalog sources to a cluster
To add CatalogSource objects using the OpenShift web console:
1. Add the IBM Common Services operators to the list of installable operators
Click the plus icon. You see the Import YAML dialog box.
Paste the following resource definition in the dialog box.
Click Create
13. Adding online catalog sources to a cluster
2. Add the IBM operators to the list of installable operators
Click the plus icon. You see the Import YAML dialog box.
Paste the following resource definition in the dialog box:
Click Create
15. Adding online catalog sources to a cluster
If you are not using the web console, you can add CatalogSource objects using the CLI:
Copy the resource definitions from above into local files on your computer.
Run oc apply -f <filename> for each resource definition.
16. Mirroring operators to a restricted environment
When your cluster is in a restricted environment that is not connected to the internet, the IBM Cloud Pak for
Integration (CP4I) can be installed by mirroring the CP4I operators to a registry within the restricted environment.
Mirroring is performed using the IBM CASE packages for each operator.
What is a CASE?
There is one CASE package for each component and dependent component of CP4I. The CASE packages contain
metadata about each component, including the container images required to deploy the component and information
about their dependencies. Each CASE package also contains the required scripts to mirror images to a private registry,
and to configure the target cluster to use the private registry as a mirror.
For more information on the CASE packaging format, see https://github.com/IBM/case.
18. Mirroring operators to a restricted environment
After the images are mirrored to the target registry, CatalogSource objects can be added to the cluster for the mirrored
operators.
Prerequisites
Prepare a Docker registry
Prepare a bastion host
Create environment variables for the installer and image inventory
Download the installer and image inventory
Log in to OpenShift as a cluster administrator
Create a Kubernetes namespace
Mirror the images and configure the cluster
Create the catalog source
19. Mirroring operators to a restricted environment
Prerequisites
An OpenShift 4.4 cluster must be installed.
A Docker registry must be available.
A bastion server must be configured.
20. Mirroring operators to a restricted environment
Prepare a Docker registry
A local Docker registry is used to store all images in your restricted environment. You must create such a registry and
must ensure that it meets the following requirements:
Supports Docker Manifest V2, Schema 2.
Is accessible from both the bastion server and your OpenShift cluster nodes.
Has the username and password of a user who can write to the target registry from the bastion host.
Has the username and password of a user who can read from the target registry that is on the OpenShift cluster nodes.
Allows path separators in the image name.
An example of a simple registry is included in Creating a mirror registry for installation in a restricted network in the
OpenShift documentation.
Note: The internal Red Hat OpenShift registry is not compliant with Docker Manifest V2, Schema 2, and therefore is not
suitable for use as a private registry for restricted environments.
Verify that you:
Have credentials of a user who can write and create repositories. The bastion host uses these credentials.
Have credentials of a user who can read all repositories. The OpenShift cluster uses these credentials.
21. Mirroring operators to a restricted environment
Prepare a bastion host
Prepare a bastion host that can access the OpenShift cluster, the local Docker registry, and the internet.
The bastion host must be on a Linux x86_64 platform with any operating system that the IBM Cloud Pak CLI and the
OpenShift CLI support.
Complete these steps on your bastion node:
Install OpenSSL version 1.11.1 or higher.
Install Docker or Podman on the bastion node.
22. Mirroring operators to a restricted environment
To install Docker, run these commands:
To install Podman, see Podman Installation Instructions.
Example:
23. Mirroring operators to a restricted environment
1. Install the IBM Cloud Pak CLI. Install the latest version of the binary file for your platform.
a. Download the binary file.
b. Extract the binary file.
c. Run the following commands to modify and move the file.
d. Confirm that cloudctl is installed:
e. Install the oc OpenShift CLI tool. Create a directory that serves as the offline store.
Following is an example directory. This example is used in the subsequent steps.
24. Mirroring operators to a restricted environment
Create environment variables for the installer and image inventory
Create the following environment variables with the installer image name and the image inventory.
Using this CASE archive will mirror the whole Cloud Pak for Integration. To mirror part of the Cloud Pak, use the CASE
archive and inventory item for an individual component, and repeat the process for each component you want to be
available in your restricted environment.
25. Mirroring operators to a restricted environment
CASE files for IBM components can be found in the IBM CASE repository.
The CP4I component CASEs available for mirroring are:
26. Mirroring operators to a restricted environment
Download the installer and image inventory
Download the installer and image inventory to the bastion host.
This step will download the selected CASE file and its dependencies to the local machine. It will also produce CSV files
listing the images and helm charts included in each CASE file. The CP4I components do not include any helm charts.
Note: The CSV files listing the images, combined with your IBM Entitled Registry entitlement key, can be used to
download or mirror the images manually for performing security scans before deployment on a cluster.
One CSV file is created for each component and required dependency. After logging in your container tool to the
entitled registry using the username cp and your entitlement key, a shell script can be used to process all images from
all components:
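An added example, not taken from the original slides or from IBM's documentation: a shell function that turns the image inventory CSV files into unique, digest-pinned references that a scanner can pull before deployment. The function name, the `~/offline` directory and the header column names (`registry`, `image_name`, `digest`, `arch`) are assumptions; columns are located by name, so a different column order still works.

```shell
#!/usr/bin/env bash
# Added example: list digest-pinned image references from the CASE inventory CSVs.
# Assumption: every *-images.csv begins with a header row that names at least
# the columns registry, image_name and digest (arch is optional).

# list_case_images <offline-dir> [arch]
# Prints unique "registry/image_name@digest" lines; returns 1 if any row or
# file had to be skipped, so a scan pipeline can fail closed.
list_case_images() {
  local dir="$1" arch="${2:-amd64}"
  set -- "$dir"/*-images.csv
  [ -e "$1" ] || { echo "no *-images.csv files in $dir" >&2; return 2; }

  awk -F',' -v want="$arch" '
    FNR == 1 {                                   # header row: map names to positions
      split("", col)
      for (i = 1; i <= NF; i++) { gsub(/\r|"/, "", $i); col[$i] = i }
      ok = ("registry" in col) && ("image_name" in col) && ("digest" in col)
      if (!ok) { printf "skipping %s: unexpected header\n", FILENAME > "/dev/stderr"; bad = 1 }
      next
    }
    !ok { next }
    {
      gsub(/\r/, "")                             # tolerate CRLF line endings
      # Rows without an arch value (for example manifest lists) are kept.
      if (("arch" in col) && $(col["arch"]) != "" && $(col["arch"]) != want) next
      d = $(col["digest"])
      # Require a full sha256 digest; never fall back to a mutable tag.
      if (length(d) != 71 || d !~ /^sha256:[0-9a-f]+$/) {
        printf "%s:%d: missing or malformed digest\n", FILENAME, FNR > "/dev/stderr"
        bad = 1
        next
      }
      ref = $(col["registry"]) "/" $(col["image_name"]) "@" d
      if (!(ref in seen)) { seen[ref] = 1; print ref }
    }
    END { exit (bad ? 1 : 0) }
  ' "$@"
}

# Usage on the bastion host, after logging the container tool in to the
# entitled registry (the scanner command is a placeholder):
#   list_case_images "$HOME/offline" amd64 | while read -r ref; do
#     <your-image-scanner> "$ref"
#   done
```

Pulling by digest rather than by tag means the image that was scanned is the same content that is later mirrored and deployed.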
27. Mirroring operators to a restricted environment
Log in to OpenShift cluster as a cluster administrator
Following is an example command to log in to the OpenShift cluster:
Create a Kubernetes namespace
Create an environment variable with a namespace to install, then create the namespace.
Mirror the images and configure the cluster
Complete these steps to mirror the images and configure your cluster:
Store authentication credentials for the IBM Entitled Registry.
See IBM Entitled Registry entitlement keys for how to obtain your entitlement key.
After obtaining your entitlement key, run the following command to configure credentials for the IBM Entitled Registry:
The command stores and caches the registry credentials in a file on your file system in the $HOME/.airgap/secrets location.
28. Mirroring operators to a restricted environment
Create environment variables with the local Docker registry connection information.
Configure a global image pull secret and ImageContentSourcePolicy.
To enable your disconnected cluster to access images from your private registry, it must be configured to use your
private registry as a mirror of the images hosted in the online registries, and to be able to access those images.
This step configures an ImageContentSourcePolicy for the images listed in the component CASEs. See Configuring image registry repository mirroring in the Red Hat OpenShift
documentation for more details.
This step also configures the global cluster pull secret for the cluster to allow it to access the private registry. See Adding the registry to your pull secret in the Red Hat OpenShift
documentation for more details.
Note: In OpenShift version 4.4, this step performs a rolling restart of all cluster nodes. The cluster resources might be unavailable until the
new ImageContentSourcePolicy and global cluster pull secret are applied.
29. Mirroring operators to a restricted environment
Verify that the ImageContentSourcePolicy resource is created.
Verify your cluster node status.
After the ImageContentSourcePolicy and global image pull secret are applied, you might see the node status
as Ready, Scheduling, or Disabled. Wait until all the nodes show a Ready status.
Configure an authentication secret for the local Docker registry.
Note: This step needs to be done only one time.
The command stores and caches the registry credentials in a file on your file system in
the $HOME/.airgap/secrets location.
30. Mirroring operators to a restricted environment
Mirror the images to the local registry.
This command calls the oc image mirror command to mirror images from the online registry to the private registry.
Note: If you are using an insecure registry, you must also add the local registry to the insecureRegistries list for your
cluster.
31. Mirroring operators to a restricted environment
Create the CatalogSource
CP4I can be installed by adding the CatalogSource for the mirrored operators to your cluster and using OLM to install
the operators.
Create a catalog source.
This command adds the CatalogSource for the components to your cluster, so the cluster can access them from the
private registry.
Verify that the CatalogSource for common services installer operator is created.
32. IBM Entitled Registry entitlement keys
To run software from the IBM Entitled Registry, you must supply your entitlement key as a Kubernetes pull secret. If
you use the secret name ibm-entitlement-key, CP4I operators will automatically use it to pull images from the IBM
Entitled Registry.
Obtaining an entitlement key
Obtain an Entitlement key from IBM Container Library.
Click Get an entitlement key.
Copy the entitlement key presented to a safe place for use later.
(Optional) Verify the validity of the key by logging in to the IBM Entitled Registry using a container tool.
33. IBM Entitled Registry entitlement keys
Adding an entitlement key to a namespace
Note: This information applies to clusters using the IBM Entitled Registry only. If you are mirroring the operators to a
private registry (for example, in restricted environments), a global pull secret will be used for registry access,
configured by the mirroring process.
Use standard Kubernetes tools to add a pull secret containing your entitlement key to the installation namespace of
your components. You will need to create the secret in every namespace where you want to install CP4I components.
Create a docker registry secret using the following command:
You can also use the kubectl tool instead of the oc tool to create the secret.
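An added example, not from the original slides: one way to produce the `ibm-entitlement-key` pull secret as a manifest, reading the key from a permission-restricted file so that it never appears in shell history or in the process list. The function name, the key file and the registry host `cp.icr.io` are assumptions not stated on the slides; the username `cp` and the secret name are the ones given above.

```shell
#!/usr/bin/env bash
# Added example: render the entitlement pull secret without passing the key as
# a command-line argument.
ENTITLED_REGISTRY="${ENTITLED_REGISTRY:-cp.icr.io}"  # assumed registry host
ENTITLED_USER="cp"                                   # username given on the slides
SECRET_NAME="ibm-entitlement-key"                    # name the CP4I operators use

b64() { base64 | tr -d '\n'; }   # single-line base64 on GNU and BSD

# render_entitlement_secret <namespace> <key-file>
# Prints a kubernetes.io/dockerconfigjson Secret manifest on stdout.
render_entitlement_secret() {
  local ns="$1" key_file="$2" key auth cfg
  [ -n "$ns" ] && [ -r "$key_file" ] || { echo "usage: <namespace> <key-file>" >&2; return 2; }

  # Refuse a key file that group or others can access.
  if [ "$(ls -ld "$key_file" | cut -c5-10)" != "------" ]; then
    echo "refusing $key_file: run chmod 600 on it first" >&2
    return 3
  fi

  key="$(tr -d '[:space:]' < "$key_file")"
  [ -n "$key" ] || { echo "empty entitlement key" >&2; return 4; }
  case "$key" in
    *\"*|*\\*) echo "key contains characters that would break the JSON" >&2; return 4 ;;
  esac

  auth="$(printf '%s:%s' "$ENTITLED_USER" "$key" | b64)"
  cfg="$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$ENTITLED_REGISTRY" "$ENTITLED_USER" "$key" "$auth" | b64)"

  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${ns}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${cfg}
EOF
}

# Usage (needs a logged-in oc or kubectl session; repeat per namespace):
#   render_entitlement_secret "$NAMESPACE" "$HOME/.entitlement-key" | oc apply -f -
```

The manifest still contains the key in base64, so pipe it straight into `oc apply` rather than saving it to disk or committing it to a repository.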
34. Platform Navigator deployment
The IBM Cloud Pak for Integration can be deployed using the Red Hat OpenShift web console, or the Red Hat OpenShift
CLI.
Requirements
You must meet the following dependencies before you deploy the Platform Navigator. A Cluster Administrator should
carry out these tasks.
A project must exist for this instance.
The IBM Cloud Pak for Integration Platform Navigator operator must be installed either at a Cluster scope or in the
project you want to deploy the platform navigator into. See Installation for more information.
If you are using the IBM Entitled Registry, a pull secret must exist in the namespace containing an entitlement key.
See IBM Entitled Registry entitlement keys.
Before deploying the Platform Navigator you must install the operator. See Installation.
35. Installing Operator
The IBM Cloud Pak for Integration (CP4I) is delivered as operators that are installed and managed using the Operator
Lifecycle Manager (OLM) within Red Hat OpenShift. To install CP4I, add the OLM Catalog Sources for IBM components,
install the operators using OLM, and then create a Platform Navigator custom resource.
What is an operator?
An operator extends a Kubernetes cluster by adding and managing additional resource types to the Kubernetes API.
This allows for the installation and management of software using standard Kubernetes tools.
Making CP4I operators available to a cluster
To make the CP4I operators available to a cluster, use OLM catalog sources to refer to the location of the CP4I
operators.
The OLM catalog sources from IBM components can be added directly to clusters connected to the internet. Follow
the steps in Adding online catalog sources to a cluster.
For clusters not connected to the internet, the software must be mirrored to a registry within the restricted
network. Follow the steps in Mirroring operators to a restricted environment.
36. Installing Operator
Installing the CP4I operators
You can install all of the CP4I operators at once by using the Cloud Pak for Integration operator, or install a subset of
operators by selecting and installing only the operators you want to use on your cluster. When installing an operator,
OLM will automatically install any required dependencies.
Install CP4I operators using the Red Hat OpenShift Operator Hub, located in the left hand menu of the OpenShift
console under the Operators menu item, or the oc command-line tool.
For detailed instructions on how to install an operator, see Adding Operators to a cluster in the Red Hat OpenShift
documentation.
37. Installing Operator
The operators available to install are:
IBM App Connect
Provides application integration capabilities and a means to easily create and export flows that run in an App Connect
instance.
IBM Aspera HSTS
Provides high speed transfer integration capabilities.
IBM Datapower Gateway
Provides gateway capabilities.
IBM Event Streams
Provides IBM Event Streams capabilities.
IBM MQ
Provides messaging capabilities.
38. Installing Operator
The operators available to install are:
Cloud Pak for Integration
Top level CP4I operator that will install all other CP4I operators automatically. Use this to install the whole Cloud Pak in
one operation.
IBM Cloud Pak for Integration Platform Navigator
Provides a dashboard and central services for other CP4I capabilities. Should be installed for most CP4I installations.
IBM Cloud Pak for Integration Asset Repository
Stores, manages, retrieves and searches for integration assets for use within the IBM Cloud Pak for Integration and its
capabilities.
IBM Cloud Pak for Integration Operations Dashboard
Cross-component transaction tracing to allow troubleshooting and investigation of errors and latency issues across
integration capabilities to ensure applications meet service level agreements.
IBM API Connect
Provides API management capabilities.