Installing the server software in an air-gapped environment

You might have an environment that has a high level of security and is isolated from the internet. In such a scenario, you can install Rational® Test Automation Server on the Red Hat OpenShift platform in an air-gapped environment.

Before you begin

About this task

The following table lists the variables that you must replace with the actual value in the command.

Variables Description
{openshift-cluster-dns-name}

The ingress DNS name that you selected for the server.

Remember: You must provide the value that consists of alphanumeric characters that are in lowercase, -(hyphen) or .(period). The value must also start and end with an alphanumeric character.
You can run the following command to obtain the default value of {openshift-cluster-dns-name}:
oc get --namespace=openshift-ingress-operator ingresscontroller/default -ojsonpath='{.status.domain}'
{my-rtas}
The release name of your choice.
Note: The release name must consist of alphanumeric characters that are in lowercase or - (hyphen). The release name must also start with an alphabetic character and end with an alphanumeric character. For example, my-org or abc-123.
{password-seed}

A value of your choice for the password.

Important: This password seed is used to create several default passwords for the server. You must store the password seed securely. When you install the server software by using the backup of the user data, you can reuse the password seed. You can use this seed to restore the backed-up files either on the current or later versions of the server software.
{rlks-ip-address}

The IP address of License Key Server, if you want to set the license value for the first time.

Important: When you upgrade the product from the previous version, you must configure the value of License Key Server in the Team Space License Configuration window when the installation of the server is complete.
{my-jaeger-dashboard-url}

The URL of the Jaeger server.

Procedure

  1. Log in to your OCP cluster as a cluster administrator by running the oc login command.
  2. Create a namespace in which you want to install the server software by running the following command: 
    oc new-project test-system
    Remember: The test-system is the name of the namespace. If you created a namespace by using a different value, then you must use that value in place of test-system in all the instances in this procedure.
  3. Perform the following steps to add the Certificate Authority (CA) into a Secret and enable certificates as trusted certificates:
    1. Run the following command to verify whether an additional CA is required: 
      curl -sw'%{http_code}' -o/dev/null \
"https://wildcard.$(oc get -n openshift-ingress-operator ingresscontroller default -ojsonpath='{.status.domain}')"

      If the result of the command is displayed as 503, the CA is already trusted. You must continue with 4.b.i.

      If the result of the command is displayed as 000, then CA must be added into a Secret. You must continue with step 3.b.

    2. Run the following command to get the default CA in a PEM format: 
      oc get -n openshift-ingress-operator secret router-ca -ojsonpath='{.data.tls\.crt}' | base64 --decode > ca.crt
    3. Run the following command to validate that the CA used to sign the certificate is the same for ingress: 
      curl -sw'%{http_code}' -o/dev/null --cacert ca.crt \
"https://wildcard.$(oc get -n openshift-ingress-operator ingresscontroller default -ojsonpath='{.status.domain}')"

      If the result of the command is displayed as 503, then you must continue with the next step.

      If the result of the command is displayed as 000, then the configuration of the certificate has been customized. You must find the signer of the certificate to continue with the next step.

    4. Run the following command to create an ingress Secret to store the CA: 
      oc create secret generic -n test-system ingress --from-file=ca.crt=ca.crt

    When some components such as static agents or Docker agents want to communicate with Rational® Test Automation Server, the component presents its certificate to the server to verify its identity. Rational® Test Automation Server trusts the component only if it is signed by a recognized and trusted CA. Therefore, you must add the signed CA into a trust by placing it in a Secret to enable certificates as trusted certificates.

  4. Perform the following steps to install the server software:
    1. Run the following commands to update the runAsUser and fsGroup to match the Security Context Constraints (SCCs): 
      sed -i -e "s/runAsUser: 1001/runAsUser: $(oc get project test-system -oyaml \
  | sed -r -n 's# *openshift.io/sa.scc.uid-range: *([0-9]*)/.*#\1#p')/g;
           s/fsGroup: 1001/fsGroup: $(oc get project test-system -oyaml \
  | sed -r -n 's# *openshift.io/sa.scc.supplemental-groups: *([0-9]*)/.*#\1#p')/g" ibm-rtas-prod/values-openshift.yaml

      Rational® Test Automation Server is compatible with the restricted SCC. You must run this command to ensure that the runAsUser and fsGroup strategies match with the SCC policy.

    2. Perform one of the steps described in the following table to install the server software based on your requirement:
      Step description Step no

      To install the server software

      		 Perform 4.b.i

      To install the server software and enable Jaeger for performance and Web UI tests logs

      		 Perform 4.b.ii
      Remember:

      • If you upgrade the product from the previous version, then you must use the same value for global.persistence.rwxStorageClass parameter that you used in the previous installation.

        You can run the following command to obtain the value that you used for global.persistence.rwxStorageClass:
        oc get pvc -n test-system data-{my-rtas}-userlibs-0 \
   -ojsonpath='{.spec.storageClassName}' && echo

      • The default certificate that terminates TLS connections has a single wildcard. Therefore, you must prefix a single hostname segment for the global.ibmRtasIngressDomain parameter.

        For example, --set global.ibmRtasIngressDomain=rtas.{dns name of the openshift cluster}

      1. Run the following command to install the server software:

        helm install {my-rtas} ./ibm-rtas-prod -n test-system \
--set license=true \
-f ibm-rtas-prod/values-openshift.yaml \
--set global.persistence.rwxStorageClass=ibmc-file-gold \
--set global.ibmRtasIngressDomain=rtas.{openshift-cluster-dns-name} \
--set global.ibmRtasPasswordAutoGenSeed={password-seed} \
--set global.rationalLicenseKeyServer=@{rlks-ip-address}

      2. Run the following command to install the server software and to enable Jaeger for performance and Web UI tests logs:

        helm install {my-rtas} ./ibm-rtas-prod -n test-system \
--set license=true \
-f ibm-rtas-prod/values-openshift.yaml \
--set global.persistence.rwxStorageClass=ibmc-file-gold \
--set global.ibmRtasIngressDomain=rtas.{openshift-cluster-dns-name} \
--set global.ibmRtasPasswordAutoGenSeed={password-seed} \
--set global.rationalLicenseKeyServer=@{rlks-ip-address} \
--set-string execution.annotations.sidecar\\.jaegertracing\\.io/inject=true \
--set global.jaegerAgent.internalHostName=localhost \
--set global.jaegerDashboard.externalURL={my-jaeger-dashboard-url}
  5. Optional: Run the following command to remove a job that is used to initialize the PostgresQL database during the installation of the server software: 
    oc delete job {my-rtas}-postgresql-init -n test-system
  6. Run the following script from the ibm-rtas-prod/files directory to verify and test the installed server software: 
    ibm-rtas-prod/files/helm-test-diag.sh {my-rtas} -n test-system

Results

You have installed the server software. The command line displays the following information:

  • Keycloak URL to manage and authenticate users.

  • A URL to access the Rational® Test Automation Server UI.

What to do next

You can perform the following tasks: