Deploy the runtime environment with ICP


Before beginning

  1. Review the prerequisites for WebSphere Commerce and ICP.

  2. Install the IBM Cloud Private (3.1+) cluster.

  3. If you are using CentOS 7, change the default Docker storage driver from overlay to devicemapper.

  4. Install the Cloud Private command line interface (CLI).


Task info

The following steps must be completed on the master node of the ICP cluster.


Procedure

  1. Download one of the following WebSphere Commerce installation archives from Passport Advantage.

    • (CNYF7ML) HCL Commerce Enterprise for IBM Cloud Private V9.0.1.1: WC_ICP_9011_Ent.tgz

    • (CNYF4ML) HCL Commerce Professional for IBM Cloud Private V9.0.1.1: WC_Dev_9011_WinML.zip

  2. Create the commerce namespace for loading WebSphere Commerce images.

    1. Log on to the ICP master node with the CLI administrator password. The default user name is admin, and the default password is admin.

        cloudctl login -a https://master_ip_address:8443 --skip-ssl-validation

      Where master_ip_address is the external IP address for the master or leading master node of the ICP cluster.

    2. Select the Default namespace.

    3. Create the commerce namespace.

        kubectl create namespace commerce

  3. Switch the current namespace to use the commerce namespace.

      cloudctl target -n commerce

  4. Create the Role Based Access Control (RBAC) on the commerce namespace.

      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: commerce-deploy-support-<namespace>
        namespace: <namespace>
      rules:
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get", "watch", "list","create","delete","patch","update"]
      - apiGroups: [""]
        resources: ["persistentvolumeclaims"]
        verbs: ["get", "watch", "list","create","delete","patch","update"]
      - apiGroups: [""]
        resources: ["pods","pods/log"]
        verbs: ["get", "watch", "list","create","delete","patch","update"]
      - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["get", "watch", "list","create","delete","patch","update"]
      ---
      
      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: commerce-deploy-support-<namespace>
        namespace: <namespace>
      subjects:
      - kind: ServiceAccount
        name: default
        namespace: <namespace>
      roleRef:
        kind: Role
        name: commerce-deploy-support-<namespace>
        apiGroup: rbac.authorization.k8s.io

    Note: To deploy WebSphere Commerce Version 9 on a non-default namespace, or to use a non-default service account, create the RBAC on the target namespace with the target service account.
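The following added example (not part of the original procedure) fills the `<namespace>` placeholders of the manifest above for a chosen namespace and service account, as the note requires. The function names and the name validation are assumptions of this sketch; the Role and RoleBinding content is the page's own.

```bash
# Added example. Accept only DNS-1123 labels so an argument cannot inject YAML.
valid_label() (
  LC_ALL=C
  case $1 in
    ''|*[!a-z0-9-]*|-*|*-) exit 1 ;;
  esac
  [ "${#1}" -le 63 ]
)

# Emit the step 4 Role and RoleBinding for namespace $1 and service account $2.
render_rbac() {
  ns=$1; sa=${2:-default}
  valid_label "$ns" && valid_label "$sa" || { echo "invalid name" >&2; return 1; }
  cat <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: commerce-deploy-support-$ns
  namespace: $ns
rules:
EOF
  for res in '"secrets"' '"persistentvolumeclaims"' '"pods","pods/log"' '"configmaps"'; do
    cat <<EOF
- apiGroups: [""]
  resources: [$res]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
EOF
  done
  cat <<EOF
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: commerce-deploy-support-$ns
  namespace: $ns
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
roleRef:
  kind: Role
  name: commerce-deploy-support-$ns
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply on the master node, then confirm what the account can do (needs kubectl):
#   render_rbac commerce default | kubectl apply -f -
#   kubectl auth can-i list secrets -n commerce --as=system:serviceaccount:commerce:default
```

The `kubectl auth can-i` check confirms that the binding took effect for the intended service account and shows that every pod running under that account can read and modify the namespace's secrets.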

  5. Enable pod security policy control. Your PodSecurityPolicy must support the following securityContext settings:

    • capabilities:

      • CHOWN

      • DAC_OVERRIDE

      • FOWNER

      • FSETID

      • KILL

      • SETGID

      • SETUID

      • SETPCAP

      • NET_BIND_SERVICE

      • NET_RAW

      • SYS_CHROOT

      • MKNOD

      • AUDIT_WRITE

      • SETFCAP

      • SYS_RESOURCE

      • IPC_OWNER

      • SYS_NICE

    • allowPrivilegeEscalation: true

    • readOnlyRootFilesystem: false

    • runAsNonRoot: false

    • runAsUser: 0

    • privileged: false

      apiVersion: extensions/v1beta1
      kind: PodSecurityPolicy
      metadata:
        name: commerce-psp
      spec:
        allowPrivilegeEscalation: true
        readOnlyRootFilesystem: false
        allowedCapabilities:
        - CHOWN
        - DAC_OVERRIDE
        - FOWNER
        - FSETID
        - KILL
        - SETGID
        - SETUID
        - SETPCAP
        - NET_BIND_SERVICE
        - NET_RAW
        - SYS_CHROOT
        - MKNOD
        - AUDIT_WRITE
        - SETFCAP
        - SYS_RESOURCE
        - IPC_OWNER
        - SYS_NICE
        seLinux:
          rule: RunAsAny
        supplementalGroups:
          rule: RunAsAny
        runAsUser:
          rule: RunAsAny
        fsGroup:
          rule: RunAsAny
        volumes:
        - configMap
        - emptyDir
        - persistentVolumeClaim
        - secret
        forbiddenSysctls:
        - '*'
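The following added example (not part of the original procedure) reads a PodSecurityPolicy manifest and lists the allowed capabilities that go beyond the container runtime's default set, which are the entries worth reviewing in commerce-psp. It assumes the nodes run Docker with its default capability set; the function names are hypothetical and the sample input is constructed from the manifest above.

```bash
# Added example. DEFAULT_CAPS is Docker's default container capability set
# (assumption: the cluster nodes run Docker with its defaults).
DEFAULT_CAPS="CHOWN DAC_OVERRIDE FSETID FOWNER MKNOD NET_RAW SETGID SETUID \
SETFCAP SETPCAP NET_BIND_SERVICE SYS_CHROOT KILL AUDIT_WRITE"

# Print the entries listed under allowedCapabilities: in a PSP read from stdin.
psp_caps() {
  awk '
    /^[ \t]*allowedCapabilities:/ { inlist = 1; next }
    inlist && /^[ \t]*-[ \t]*/    { sub(/^[ \t]*-[ \t]*/, ""); print; next }
    inlist                        { inlist = 0 }
  '
}

# Print the allowed capabilities that are not in the runtime default set.
extra_caps() {
  psp_caps | while read -r cap; do
    case " $DEFAULT_CAPS " in
      *" $cap "*) ;;
      *) printf '%s\n' "$cap" ;;
    esac
  done
}

# Constructed input: the capability list of commerce-psp from step 5.
sample_psp() {
  printf 'spec:\n  allowPrivilegeEscalation: true\n  allowedCapabilities:\n'
  printf '  - %s\n' CHOWN DAC_OVERRIDE FOWNER FSETID KILL SETGID SETUID SETPCAP \
    NET_BIND_SERVICE NET_RAW SYS_CHROOT MKNOD AUDIT_WRITE SETFCAP \
    SYS_RESOURCE IPC_OWNER SYS_NICE
  printf '  seLinux:\n    rule: RunAsAny\n'
}

sample_psp | extra_caps
# Against a live cluster (needs kubectl):
#   kubectl get psp commerce-psp -o yaml | extra_caps
```

For the policy above, the capabilities outside the default set are SYS_RESOURCE, IPC_OWNER and SYS_NICE; combined with allowPrivilegeEscalation: true and a RunAsAny user rule, bind this policy only to the service accounts that run WebSphere Commerce pods.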

  6. Load the WebSphere Commerce archive into the ICP Catalog.

      # cloudctl catalog load-archive --archive archiveFile.tgz

    Where:

      archiveFile.tgz
      The full path to the archive file that you downloaded from Passport Advantage.

    Wait for the load to complete successfully, then search for the package in ICP using the commerce search term.

  7. Optional: The WebSphere Commerce Version 9 default Docker image is uploaded to the commerce namespace.

    If you deploy WebSphere Commerce Version 9 on a different namespace or use a non-default service account, create the imagePullSecrets.

  8. Create a Docker image policy.

    1. From the navigation pane in ICP, click Manage > Resource Security.

    2. Click Image Policies. A list of available image policies is displayed.

    3. Click Create Image Policy.

    4. Provide a policy name, and set the Scope field to Cluster.

    5. Click Add Registry, then add the following registries.

      Registry URL          VA scan
      docker.io/vault:*     Not enforced
      docker.io/consul:*    Not enforced
      docker.io/python:*    Not enforced

      Note: Add these registries individually.

    6. Click Add to save and create the new image policy.

  9. Deploy ibm-websphere-commerce-vaultconsul from the ICP catalog.

    To deploy by using the Helm command, skip to the next step.

    1. Click Catalog in ICP.

    2. In the Release Name field, type commerce.

    3. Click ibm-websphere-commerce-vaultconsul.

    4. In the Release field, type vault-consul.

    5. Select the commerce namespace as a target.

    6. Click Install.

      The installation can take a few minutes, so the Helm release might not appear immediately. Check the status by going to the Helm Releases page and searching for vault.

      Note: Vault and Consul are used as the Certificate Authority (CA) to issue certificates to containers for internal communication, and as the Configuration Center to store environment related data. See Environment data structure in Consul/Vault.

  10. Optional: Deploy ibm-websphere-commerce-vaultconsul by using the Helm command.

    1. Log out, then back in to ICP. Your Helm chart is configured during the login process.

    2. Add the Helm repository from ICP to the Helm client.

        # helm repo add --cert-file path_to_helm/.helm/cert.pem --ca-file path_to_helm/.helm/ca.pem --key-file path_to_helm/.helm/key.pem local-charts https://yourClusterHost:8443/helm-repo/charts

      Where:

        path_to_helm
        Full path to the Helm chart.

        yourClusterHost
        Host name of the cluster.

        # helm repo update

        # helm search -l

    3. Deploy vaultconsul.

        # helm install --name name --namespace namespace local-charts/ibm-websphere-commerce-vaultconsul --tls

      Where:

        name
        The name of the deployment.

        namespace
        Current namespace; for example, commerce.

    4. Verify the deployment status.

        # helm list --tls | grep name

      Where:

        name
        The name of the deployment.

  11. Deploy ibm-websphere-commerce from the ICP catalog.

    To deploy by using the Helm command, skip to the next step. The WebSphere Commerce Version 9 ICP enabled package uses a quick deployment configuration that is set up with default configurations. This process involves two deployments, one for authoring and one for live.

    • For authoring:

      1. Click Catalog.

      2. Search for commerce.

      3. Click ibm-websphere-commerce.

      4. In the Release Name, enter demoqaauth.

        Note: To deploy to another namespace, update the NameSpace value in the Common Configuration section. Be sure to input the imagePullSecrets value that we defined previously.

      5. Select commerce namespace as the target.

      6. To pull Docker images from a Docker repository outside of the ICP cluster, update the Image Repository.

      7. Click Install.

    • For live:

      1. Click Catalog.

      2. Search for commerce.

      3. Click ibm-websphere-commerce.

      4. In the Release Name, enter demoqalive.

      5. Select commerce as the Target Namespace.

      6. Set the Environment Type to live.

      7. Set the Binding ConfigMap to demoqalive-config.properties.

      8. Set the Database Hostname in Quick Deploy Configuration to demoqalive.

      9. Ensure that Enable Create Sample Config is selected.

      10. Click Install.

  12. Optional: Deploy ibm-websphere-commerce by using the Helm command.

    1. Log out, then back in to ICP. Your Helm chart is configured during the login process.

    2. Add the Helm repository from ICP to the Helm client.

        # helm repo add --cert-file path_to_helm/.helm/cert.pem --ca-file path_to_helm/.helm/ca.pem --key-file path_to_helm/.helm/key.pem local-charts https://yourClusterHost:8443/helm-repo/charts

      Where:

        path_to_helm
        Full path to the Helm chart.

        yourClusterHost
        Host name of the cluster.

        # helm repo update

        # helm search -l

    3. Retrieve the Vault token.

        # kubectl get pod -n namespace | grep vault.consul

      Where:

        namespace
        Current namespace; for example, commerce.

      Look for the Root token in your log.

    4. Deploy ibm-websphere-commerce.

        # helm install --name name --namespace namespace local-charts/ibm-websphere-commerce --tls

      Where:

        name
        The name of the deployment.

        namespace
        Current namespace; for example, commerce.

    5. Verify the deployment status.

        # helm list --tls  | grep name 

      Where:

        name
        The name of the deployment.

  13. Map the IP address and host names.

    1. Locate the Ingress_IP address.

        # kubectl get ingress

      The following is a sample output:

        NAME HOSTS ADDRESS PORTS AGE
        demoqaauth-ingress cmc.demoqaauth.ibm.com,accelerator.demoqaauth.ibm.com,\
        admin.demoqaauth.ibm.com + 4 more... 11.112.226.101 80, 443 1m
        demoqalive-ingress cmc.demoqalive.ibm.com,accelerator.demoqalive.ibm.com,\
        admin.demoqalive.ibm.com + 5 more... 11.112.226.101 80, 443 20m  

    2. Add the following mappings to the hosts file of the environment where you want to access the WebSphere Commerce store and tools.

        <Ingress_IP>   cmc.demoqaauth.ibm.com 
        <Ingress_IP>   cmc.demoqalive.ibm.com 
        <Ingress_IP>   accelerator.demoqaauth.ibm.com
        <Ingress_IP>   accelerator.demoqalive.ibm.com
        <Ingress_IP>   admin.demoqaauth.ibm.com 
        <Ingress_IP>   admin.demoqalive.ibm.com 
        <Ingress_IP>   org.demoqaauth.ibm.com 
        <Ingress_IP>   org.demoqalive.ibm.com 
        <Ingress_IP>   store.demoqaauth.ibm.com 
        <Ingress_IP>   store.demoqalive.ibm.com 

    3. Add the following mappings to the hosts file of the environment where you want to trigger the build index.

        <Ingress_IP>   tsapp.demoqaauth.ibm.com 
        <Ingress_IP>   searchrepeater.demoqalive.ibm.com 
        <Ingress_IP>   search.demoqaauth.ibm.com  

  14. Verify the deployment of the WebSphere Commerce environment.

    1. Log on to the following WebSphere Commerce tools with your wcsadmin/wcs1admin username and password. If you need to reset your wcsadmin password, see Resetting the wcsadmin user password (runtime).

    2. Go to the following URLs to verify that the Aurora sample store is working properly.


See

WebSphere Commerce on IBM Cloud Private