This repository provides the IBM Catalog Management Plug-in for IBM Cloud Paks 1.0 (Tech preview) via its github releases. The plugin streamlines the deployment of IBM CloudPaks in a disconnected environment which was done earlier using [cloudctl] (https://github.com/IBM/cloud-pak-cli)
- Download the gzipped tar archive for your OS from the assets in releases
- Download the corresponding
.sigfile for verification purposes
macOS example using curl:
curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-darwin-amd64.tar.gz -o oc-ibm_pak-darwin-amd64.tar.gz
curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-darwin-amd64.tar.gz.sig -o oc-ibm_pak-darwin-amd64.tar.gz.sig
macOS example using wget:
wget https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-darwin-amd64.tar.gz
wget https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-darwin-amd64.tar.gz.sig
Linux x86-architecture example using curl:
curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz -o oc-ibm_pak-linux-amd64.tar.gz
curl -L https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz.sig -o oc-ibm_pak-linux-amd64.tar.gz.sig
Linux x86-architecture example using wget:
wget https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz
wget https://github.com/IBM/ibm-pak-plugin/releases/latest/download/oc-ibm_pak-linux-amd64.tar.gz.sig
Retrieve the latest public keys (example with wget):
wget https://raw.githubusercontent.com/IBM/ibm-pak-plugin/master/ibm-pak-plugin.pem
wget https://raw.githubusercontent.com/IBM/ibm-pak-plugin/master/ibm-pak-plugin-chain0.pem
wget https://raw.githubusercontent.com/IBM/ibm-pak-plugin/master/ibm-pak-plugin-chain1.pem
The plugin is also provided in a container image cp.icr.io/cpopen/cpfs/ibm-pak:TAG
The following table shows the mapping between container image TAG and the plugin release version
| Image tag | Plugin version |
|---|---|
| 1.0.0-alpha.0 | v1.0.0-alpha.0 |
The following command will create a container and copy the plug-ins for all the supported platforms in a directory, plugin-dir. You can specify any directory name and it will be created while copying. After copying, it will delete the temporary container. The plugin-dir will have all the binaries and other artifacts you find in a Github release and repo at IBM/ibm-pak-plugin. Choose the Image tag from the above table and use that as the value of TAG below.
id=$(docker create cp.icr.io/cpopen/cpfs/ibm-pak:TAG - )
docker cp $id:/ibm-pak-plugin plugin-dir
docker rm -v $id
cd plugin-dir
openssl x509 -inform pem -in ibm-pak-plugin.pem -noout -text
cat ibm-pak-plugin-chain0.pem > chain.pem
cat ibm-pak-plugin-chain1.pem >> chain.pem
openssl ocsp -no_nonce -issuer chain.pem -cert ibm-pak-plugin.pem -VAfile chain.pem -text -url http://ocsp.digicert.com -respout ocsptest
Should see a message that contains:
Response verify OK
openssl ocsp -no_nonce -issuer ibm-pak-plugin-chain0.pem -cert ibm-pak-plugin.pem -VAfile ibm-pak-plugin-chain0.pem -text -url http://ocsp.digicert.com -respout ocsptest
Should see a message that contains:
Response verify OK
openssl ocsp -no_nonce -issuer ibm-pak-plugin-chain1.pem -cert ibm-pak-plugin-chain0.pem -VAfile ibm-pak-plugin-chain1.pem -text -url http://ocsp.digicert.com -respout ocsptest
Should see a message that contains:
Response verify OK
After completing verification of the certificate, extract public key:
openssl x509 -pubkey -noout -in ibm-pak-plugin.pem > public.key
The public key is used to verify the tar archive:
openssl dgst -sha256 -verify public.key -signature <oc-ibm_pak_signature_file> <tar.gz_file>
e.g.
openssl dgst -sha256 -verify public.key -signature oc-ibm_pak-linux-amd64.tar.gz.sig oc-ibm_pak-linux-amd64.tar.gz
Should see a message that contains:
Verified OK
- Download and install oc.
- Download the plugin binary tgz from releases.
- Extract and copy to executable PATH.
$ tar -xvf oc-ibm_pak-darwin-amd64.tar.gz
$ cp oc-ibm_pak-darwin-amd64 /usr/local/bin/oc-ibm_pakNOTE:
- While copying, the destination name should be
oc-ibm_pakand cannot be changed. - Plugin determines the command path that it will implement based on its filename.
- If /usrlocal/bin is not accessible then place it in an accessible folder and put that folder in PATH
- See accompanying LICENSE file for the usage.
$ oc ibm-pak --help
Deploy IBM Cloud Paks in a disconnected environment or generate image mirror manifest files
Usage:
oc ibm-pak
Available Commands:
config Displays changes to configuration file used by this plugin
describe Describe command prints image lists, dependencies, registries and other information for this CASE
generate Generate command
get Download a Pak from source repository
help Help about any command
launch Launch a CASE into the targeted cluster.
Flags:
-h, --help help for ibm-pak
--log_file string If non-empty, use this log file
-v, --v Level number for the log level verbosity [0 (normal), 1 (fine), 2 (finer)or 3 (finest)]
--version print version (optional)
Use "oc ibm-pak [command] --help" for more information about a command.
Environment Variables:
IBMPAK_HOME the directory path where all plugin results will be saved (default "plugin home directory")
IBMPAK_HTTP_TIMEOUT Overrides the default HTTP timeout value used in client calls to external servers. Measured in seconds (default "10")
IBMPAK_LAUNCH_SKIP_PREREQ_CHECK when set to true, will skip checking prerequisites in the launch framework (default "false")
IBMPAK_RESOLVE_DEPENDENCIES when set to false, no CASE references will be resolved (default "true")
IBMPAK_TOLERANCE_RETRY when set to false, launch script execution failure will not be retried
when set to true, launch script execution failures will be retried without the --tolerance flag (default "true")
HTTPS_PROXY or https_proxy the URL of a HTTPS proxy (e.g. https://[user]:[pass]@[proxy_ip]:[proxy_port]) (default "")
HTTP_PROXY or http_proxy the URL of a HTTP proxy (e.g. http://[user]:[pass]@[proxy_ip]:[proxy_port]) (default "")The following illustrates the high level flow of commands used to mirror images as well as the launch function.
This example fetches the "top level" CASE and all of its direct and transitive dependencies.
export CASE_NAME=ibm-cp-common-services
export CASE_VERSION=1.13.0
oc ibm-pak get $CASE_NAME --version $CASE_VERSIONComplete the following steps to authenticate your registries:
You must run the following command to configure credentials for all target registries that require authentication. Run the command separately for each registry:
export REGISTRY_AUTH_FILE=<path to the file which will store the auth credentials generated on podman login>
podman login cp.icr.io
podman login <TARGET_REGISTRY>
For example, if you export REGISTRY_AUTH_FILE=~/.ibm-pak/auth.json, then after performing podman login, you can see that the file is populated with registry credentials.
If you use docker login, the authentication file is typically located at $HOME/.docker/config.json on Linux or %USERPROFILE%/.docker/config.json on Windows. After docker login you should export REGISTRY_AUTH_FILE to point to that location. For example in Linux you can issue the following command:
export REGISTRY_AUTH_FILE=$HOME/.docker/config.json
This example generates the images-mapping.txt file that can be used with oc image mirror.
export TARGET_REGISTRY=mytargetregistry.com
oc ibm-pak generate mirror-manifests $CASE_NAME $TARGET_REGISTRY --version $CASE_VERSION
oc image mirror -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping.txt -a $REGISTRY_AUTH_FILE --filter-by-os=.* --insecure --skip-multiple-scopes --max-per-registry=1This example generates the images-mapping-to-filesystem.txt and images-mapping-from-filesystem.txt files that can be used with oc image mirror. This enables the ability to mirror images to the filesystem (into the v2 direrectory), manually copy the filesystem contents to another machine behind the customer's firewall, and then mirror from the filesystem into the final regsitry used by the cluster.
oc ibm-pak generate mirror-manifests $CASE_NAME file://local --version $CASE_VERSION --final-registry $TARGET_REGISTRY
oc image mirror -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping-to-filesystem.txt -a $REGISTRY_AUTH_FILE --filter-by-os=.* --insecure --skip-multiple-scopes --max-per-registry=1
# manually copy filesystem v2 directory contents to new machine
oc image mirror -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping-from-filesystem.txt -a $REGISTRY_AUTH_FILE --filter-by-os=.* --insecure --skip-multiple-scopes --max-per-registry=1This example uses the lauch capability to initiate the install-catalog action for the top level CASE:
oc ibm-pak launch --case ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION/$CASE_NAME-$CASE_VERSION.tgz --action install-catalog --inventory ibmCommonServiceOperatorSetup --namespace foo --args "--registry $TARGET_REGISTRY"Users on macOS Catalina might be prompted that oc-ibm_pak-darwin-amd64 is not a trusted application. There are two ways to get around this:
-
Open Finder, control-click the application
oc-ibm_pak-darwin-amd64, choose Open from the menu, and then click Open in the dialog that appears. Enter your admin name and password to open the app if promoted. -
Enable developer-mode for your terminal window, which will allow everything. Make sure you are OK with this approach:
- Open Terminal, and enter:
❯ spctl developer-mode enable-terminal - Go to System Preferences -> Security & Privacy -> Privacy Tab -> Developer Tools -> Terminal : Enable
- Restart all terminals
- Open Terminal, and enter:
See https://support.apple.com/en-ca/HT202491 for more information
To report an issue or get help please visit https://www.ibm.com/docs/en/cpfs?topic=support-opening-case