Installing the server software in an air-gapped environment

You might have an environment that has a high level of security and is isolated from the internet. In such a scenario, you can install Rational® Test Automation Server on the Red Hat OpenShift platform in an air-gapped environment.

Before you begin

You must have performed the following tasks:

Completed the tasks provided in the Prerequisites section. See Prerequisites for installing the server software in an air-gapped environment.
Configured the Bastion host. See Configuring the Bastion host.
Copied the Entitlement key from the Container software library.

Procedure

Log in to your OCP cluster as a cluster administrator by running the oc login command.
Create a namespace in which you want to install the server software by running the following command:
```
oc new-project test-system
```
Remember: The test-system is the name of the namespace. If you created a namespace by using a different value, then you must use that value in place of test-system in all the instances in this procedure.
Perform one of the following steps to enable certificates as trusted certificates:

You must go to Step 3.b if you use OpenShift Service Mesh service virtualization, a Tech Preview feature.
1. Perform the following steps to add the Certificate Authority (CA) into a Secret:
  1. Run the following command to verify whether an additional CA is required:
```
curl -sw'%{http_code}' -o/dev/null \
"https://wildcard.$(oc get -n openshift-ingress-operator ingresscontroller default -ojsonpath='{.status.domain}')"
```
    If the result of the command is displayed as 503, the CA is already trusted. You must continue with 4.b.i.
    
    If the result of the command is displayed as 000, then CA must be added into a Secret. You must continue with step 3.a.ii.
  2. Run the following command to get the default CA in a PEM format:
```
oc get -n openshift-ingress-operator secret router-ca -ojsonpath='{.data.tls\.crt}' | base64 --decode > ca.crt
```
  3. Run the following command to validate that the CA used to sign the certificate is the same for ingress:
```
curl -sw'%{http_code}' -o/dev/null --cacert ca.crt \
"https://wildcard.$(oc get -n openshift-ingress-operator ingresscontroller default -ojsonpath='{.status.domain}')"
```
    If the result of the command is displayed as 503, then you must continue with the next step.
    
    If the result of the command is displayed as 000, then the configuration of the certificate has been customized. You must find the signer of the certificate to continue with the next step.
  4. Run the following command to create an ingress Secret to store the CA:
```
oc create secret generic -n test-system ingress --from-file=ca.crt=ca.crt
```
2. Perform the following steps to add the CA into a Secret if you use OpenShift Service Mesh service virtualization, a Tech Preview feature:
  1. Run the following script from the ibm-rtas-prod/files directory:
```
./files/certificate.sh -n istio-system -s istio-ingressgateway-certs {openshift-cluster-dns-name}
```
    You must replace the {openshift-cluster-dns-name} with the ingress DNS name that you selected for the server. You can run the following command to obtain the default value of openshift-cluster-dns-name:
    oc get --namespace=openshift-ingress-operator ingresscontroller/default -ojsonpath='{.status.domain}'
  2. Run the following command to create an ingress Secret:
    oc create secret generic -n test-system ingress \ "--from-literal=ca.crt=$(oc get -n istio-system secret istio-ingressgateway-certs -ojsonpath='{.data.ca\.crt}' | base64 --decode)"
  3. Run the following commands to enable an OpenShift route that the product creates for the Istio gateway:
    cat <<EOF | oc apply -n istio-system -f - >/dev/null apiVersion: maistra.io/v1 kind: ServiceMeshMemberRoll metadata: name: default spec: members: - test-system EOF
When some components such as static agents or Docker agents want to communicate with Rational® Test Automation Server, the component presents its certificate to the server to verify its identity. Rational® Test Automation Server trusts the component only if it is signed by a recognized and trusted CA. Therefore, you must add the signed CA into a trust by placing it in a Secret to enable certificates as trusted certificates.

Perform the following steps to install the server software:

Run the following commands to update the runAsUser and fsGroup to match the Security Context Constraints (SCCs):
```
sed -i -e "s/runAsUser: 1001/runAsUser: $(oc get project test-system -oyaml \
  | sed -r -n 's# *openshift.io/sa.scc.uid-range: *([0-9]*)/.*#\1#p')/g;
           s/fsGroup: 1001/fsGroup: $(oc get project test-system -oyaml \
  | sed -r -n 's# *openshift.io/sa.scc.supplemental-groups: *([0-9]*)/.*#\1#p')/g" ibm-rtas-prod/values-openshift.yaml
```
Rational® Test Automation Server is compatible with the restricted SCC. You must run this command to ensure that the runAsUser and fsGroup strategies match with the SCC policy.

Perform one of the steps described in the following table to install the server software based on your requirement:

Step description	Step no
To install the server software	Perform 4.b.i
To install the server software and enable the OpenShift Service Mesh service virtualization through Istio, a Tech Preview feature	Perform 4.b.ii and 4.b.iv
To install the server software, enable the OpenShift Service Mesh service virtualization through Istio, a Tech Preview feature, and enable Jaeger for performance and Web UI tests logs	Perform 4.b.iii and 4.b.iv
To install the server software and enable Jaeger for performance and Web UI tests logs	Perform 4.b.v

Remember:

If you upgrade the product from the previous version, then you must use the same value for global.persistence.rwxStorageClass parameter that you used in the previous installation.
You can run the following command to obtain the value that you used for global.persistence.rwxStorageClass:
```
oc get pvc -n test-system data-{my-rtas}-userlibs-0 \
   -ojsonpath='{.spec.storageClassName}' && echo
```
The default certificate that terminates TLS connections has a single wildcard. Therefore, you must prefix a single hostname segment for the global.ibmRtasIngressDomain parameter.

For example, --set global.ibmRtasIngressDomain=rtas.{dns name of the openshift cluster}

Run the following command to install the server software:

helm install {my-rtas} ./ibm-rtas-prod -n test-system \
--set license=true \
-f ibm-rtas-prod/values-openshift.yaml \
--set global.persistence.rwxStorageClass=ibmc-file-gold \
--set global.ibmRtasIngressDomain=rtas.{openshift-cluster-dns-name} \
--set global.ibmRtasPasswordAutoGenSeed={password-seed} \
--set global.rationalLicenseKeyServer=@{rlks-ip-address}

Note: You must use the --set global.ibmRtasCertSecretOptional=false parameter in the helm install command only if you performed step 3.a.iv to create an ingress Secret to store the CA.

Run the following command to install the server software and to enable OpenShift Service Mesh service virtualization, a Tech Preview feature:

helm install {my-rtas} ./ibm-rtas-prod -n test-system \
--set license=true \
-f ibm-rtas-prod/values-openshift.yaml \
-f ibm-rtas-prod/values-openshift-demo.yaml \
--set global.persistence.rwxStorageClass=ibmc-file-gold \
--set global.ibmRtasIngressDomain=rtas.{openshift-cluster-dns-name} \
--set global.ibmRtasPasswordAutoGenSeed={password-seed} \
--set global.rationalLicenseKeyServer=@{rlks-ip-address}

Run the following command to install the server software, to enable OpenShift Service Mesh service virtualization, a Tech Preview feature, and to enable Jaeger for performance and Web UI tests logs:

helm install {my-rtas} ./ibm-rtas-prod -n test-system \
--set license=true \
-f ibm-rtas-prod/values-openshift.yaml \
--set global.persistence.rwxStorageClass=ibmc-file-gold \
--set global.ibmRtasIngressDomain=rtas.{openshift-cluster-dns-name} \
--set global.ibmRtasPasswordAutoGenSeed={password-seed} \
--set global.ibmRtasRegistryPullSecret=cp.icr.io \
--set global.rationalLicenseKeyServer=@{rlks-ip-address} \
-f ibm-rtas-prod/values-openshift-demo.yaml \
--set-string execution.annotations.sidecar\\.jaegertracing\\.io/inject=true \
--set global.jaegerAgent.internalHostName=localhost \
--set global.jaegerDashboard.externalURL={my-jaeger-dashboard-url}

Run the following command to enable service virtualization through Istio, a Tech Preview feature in the specific namespace:
```
oc create rolebinding istio-virtualization-enabled -n bookinfo --clusterrole={my-rtas}-execution-istio-test-system --serviceaccount=test-system:{my-rtas}-execution
```
Where, {my-rtas} is the name of the release that you provided during the installation of the server software.
Note: When you uninstall the chart, the manually created role bindings are not deleted from the namespace. You can run the following command to delete the role bindings:
```
oc delete rolebinding istio-virtualization-enabled -n bookinfo
```

Run the following command to install the server software and to enable Jaeger for performance and Web UI tests logs:

helm install {my-rtas} ./ibm-rtas-prod -n test-system \
--set license=true \
-f ibm-rtas-prod/values-openshift.yaml \
--set global.persistence.rwxStorageClass=ibmc-file-gold \
--set global.ibmRtasIngressDomain=rtas.{openshift-cluster-dns-name} \
--set global.ibmRtasPasswordAutoGenSeed={password-seed} \
--set global.rationalLicenseKeyServer=@{rlks-ip-address} \
--set-string execution.annotations.sidecar\\.jaegertracing\\.io/inject=true \
--set global.jaegerAgent.internalHostName=localhost \
--set global.jaegerDashboard.externalURL={my-jaeger-dashboard-url}

Note: You must use the --set global.ibmRtasCertSecretOptional=false parameter in the helm install command only if you performed step 3.a.iv to create an ingress Secret to store the CA.

You must replace the value of the variables in the helm install command with the actual value:

{my-rtas} with the release name of your choice.
Note: The release name must consist of alphanumeric characters that are in lowercase or - (hyphen). The release name must also start with an alphabetic character and end with an alphanumeric character. For example, my-org or abc-123.
{openshift-cluster-dns-name} with the ingress DNS name that you selected for the server.
Remember: You must provide the value that consists of alphanumeric characters that are in lowercase, -(hyphen) or .(period). The value must also start and end with an alphanumeric character.
Note: You can run the following command to obtain the default value of openshift-cluster-dns-name:
```
oc get --namespace=openshift-ingress-operator ingresscontroller/default -ojsonpath='{.status.domain}'
```
{password-seed} with a value of your choice.

Important: This password seed is used to create several default passwords for the server. You must store the password seed securely. When you install the server software by using the backup of the user data, you can reuse the password seed. You can use this seed to restore the backed-up files either on the current or later versions of the server software.
Optional: {rlks-ip-address} with the IP address of Rational License Key Server, if you want to set the license value for the first time.

Important: If you upgrade the product from the previous version, you must configure the value of Rational License Key Server in the Team Space License Configuration window when the installation of the server is complete.
{my-jaeger-dashboard-url} with the URL of the Jaeger server.

Optional: Run the following command to remove a job that is used to initialize the PostgresQL database during the installation of the server software:
```
oc delete job {my-rtas}-postgresql-init -n test-system
```
Run the following command to verify and test the installed server software:
```
$ helm test {my-rtas} -n test-system
```
where {my-rtas} is the name of the release that was provided during the installation of the server software.

Results

You have installed the server software. The command line displays the following information:

Keycloak URL to manage and authenticate users.
A URL to access the Rational® Test Automation Server UI.

What to do next

You can perform certain tasks as a Server Administrator. See Configuration of the server software.