HCL Commerce Version 9.0.1.0 or later

Preparing and deploying your runtime environment with IBM Cloud Private

For a convenient way of setting up a runtime environment, use the IBM Cloud Private (ICP) application platform.

Important:

Starting from HCL Commerce Version 9.1, HCL Commerce does not provide an IBM Cloud Private offline package as part of the provided eAssemblies. However, HCL Commerce can still be deployed on ICP by treating ICP as a Kubernetes cluster. All updated HCL Commerce Docker images can be downloaded from the HCL License and Delivery portal and pushed to a private Docker registry that is accessible by the ICP cluster. A helm upgrade command can be used to upgrade HCL Commerce with new images.

Before you begin

  1. Review the prerequisites for HCL Commerce and IBM Cloud Private.
  2. Install the IBM Cloud Private (3.1+) cluster.
  3. If you are using CentOS 7, ensure that you have changed the default Docker storage driver from overlay to devicemapper.
  4. Install the Cloud Private command line interface (CLI).

About this task

The following steps must be completed on the master node of your IBM Cloud Private cluster.

Procedure

  1. Download the IBM Cloud Private HCL Commerce installation archives from the HCL License and Delivery portal.

    See HCL Commerce releases to review and obtain the appropriate IBM Cloud Private package. Note, again, that these images were discontinued for HCL Commerce Version 9.1.

  2. Create the commerce namespace for loading HCL Commerce images.
    1. Log in to your IBM Cloud Private master node with your CLI administrator password by using the following command. The default user name is admin, and the default password is admin.
      cloudctl login -a https://master_ip_address:8443 --skip-ssl-validation
      Where master_ip_address is the external IP address for your master or leading master node of your IBM Cloud Private cluster.
    2. Select the Default namespace.
    3. Run the following command to create the commerce namespace.
      kubectl create namespace commerce
  3. Switch your current namespace to use the commerce namespace by running the following command.
    cloudctl target -n commerce
  4. Create the Role Based Access Control (RBAC) on the commerce namespace.
    1. Create an rbac.yaml file, and add the following file contents.
      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: commerce-deploy-support-<namespace>
        namespace: <namespace>
      rules:
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get", "watch", "list","create","delete","patch","update"]
      - apiGroups: [""]
        resources: ["persistentvolumeclaims"]
        verbs: ["get", "watch", "list","create","delete","patch","update"]
      - apiGroups: [""]
        resources: ["pods","pods/log"]
        verbs: ["get", "watch", "list","create","delete","patch","update"]
      - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["get", "watch", "list","create","delete","patch","update"]
      ---
      
      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: commerce-deploy-support-<namespace>
        namespace: <namespace>
      subjects:
      - kind: ServiceAccount
        name: default
        namespace: <namespace>
      roleRef:
        kind: Role
        name: commerce-deploy-support-<namespace>
        apiGroup: rbac.authorization.k8s.io
      Note: If you want to deploy HCL Commerce Version 9 on a non-default namespace, or use a non-default service account, create the RBAC on the target namespace with the target service account.
    2. Save and close the file.
    3. Run the following kubectl command to create the role based access control.
      kubectl create -f rbac.yaml -n commerce
  5. Enable pod security policy control.
    Your PodSecurityPolicy must support the following securityContext settings:
    • capabilities:
      • CHOWN
      • DAC_OVERRIDE
      • FOWNER
      • FSETID
      • KILL
      • SETGID
      • SETUID
      • SETPCAP
      • NET_BIND_SERVICE
      • NET_RAW
      • SYS_CHROOT
      • MKNOD
      • AUDIT_WRITE
      • SETFCAP
      • SYS_RESOURCE
      • IPC_OWNER
      • SYS_NICE
    • allowPrivilegeEscalation: true
    • readOnlyRootFilesystem: false
    • runAsNonRoot: false
    • runAsUser: 0
    • privileged: false
    1. Create a policy.yaml file, and add the following file contents.
      apiVersion: extensions/v1beta1
      kind: PodSecurityPolicy
      metadata:
        name: commerce-psp
      spec:
        allowPrivilegeEscalation: true
        readOnlyRootFilesystem: false
        allowedCapabilities:
        - CHOWN
        - DAC_OVERRIDE
        - FOWNER
        - FSETID
        - KILL
        - SETGID
        - SETUID
        - SETPCAP
        - NET_BIND_SERVICE
        - NET_RAW
        - SYS_CHROOT
        - MKNOD
        - AUDIT_WRITE
        - SETFCAP
        - SYS_RESOURCE
        - IPC_OWNER
        - SYS_NICE
        seLinux:
          rule: RunAsAny
        supplementalGroups:
          rule: RunAsAny
        runAsUser:
          rule: RunAsAny
        fsGroup:
          rule: RunAsAny
        volumes:
        - configMap
        - emptyDir
        - persistentVolumeClaim
        - secret
        forbiddenSysctls:
        - '*'
    2. Save and close the file.
    3. Run the following kubectl command to create the policy.
      kubectl create -f policy.yaml -n commerce
    4. Create a role that is allowed to use the PodSecurityPolicy by running the following command.
      kubectl -n <Namespace> create role wcs-psp --verb=use --resource=podsecuritypolicy --resource-name=commerce-psp
      Where:
      Namespace
      Is your current namespace; for example, commerce.
    5. Create a role binding that binds the wcs-psp role to the default service account in the target namespace.
      kubectl -n <Namespace> create rolebinding default:wcs-psp --role=wcs-psp --serviceaccount=commerce:default
      Where:
      Namespace
      Is your current namespace; for example, commerce.
  6. Load the HCL Commerce archive into your IBM Cloud Private Catalog by running the following command.
    # cloudctl catalog load-archive --archive archiveFile.tgz 
    Where:
    archiveFile.tgz
    The full path to the archive file that you downloaded from the HCL License and Delivery portal.
    Wait for the load to complete successfully, then search for the package in IBM Cloud Private by using the commerce search term.

  7. Optional: The HCL Commerce Version 9 default Docker image is uploaded to the commerce namespace. If you deploy HCL Commerce Version 9 on a different namespace or are using a non-default service account, create the imagePullSecrets. For more information, see Creating imagePullSecrets for a specific namespace.

  8. Create a Docker image policy.
    1. From the navigation pane in IBM Cloud Private, click Manage > Resource Security.
    2. Click Image Policies. A list of available image policies is displayed.
    3. Click Create Image Policy.
    4. Provide a policy name, and set the Scope field to Cluster.
    5. Click Add Registry, then add the following registries.
      Registry URL          VA scan
      docker.io/vault:*     Not enforced
      docker.io/consul:*    Not enforced
      docker.io/python:*    Not enforced
      Note: Add these registries individually.
    6. Click Add to save and create the new image policy.
  9. Deploy ibm-websphere-commerce-vaultconsul (or, for HCL Commerce Version 9.0.1.12 or later, hcl-commerce-vaultconsul) from the IBM Cloud Private catalog. If you prefer to deploy by using the Helm command, skip to the next step.
    1. Click Catalog in IBM Cloud Private.
    2. In the Release Name field, type commerce.
    3. Click ibm-websphere-commerce-vaultconsul (or, for HCL Commerce Version 9.0.1.12 or later, hcl-commerce-vaultconsul).
    4. In the Release field, type vault-consul.
    5. Select the commerce namespace as a target.
    6. Click Install.

      The installation can take a few minutes, so the Helm release might not appear immediately. Check the status by going to the Helm Releases page and searching for vault.

      Note: Vault and Consul are used as the Certificate Authority (CA) to issue certificates to containers for internal communication, and as the Configuration Center to store environment related data. For more information, see Environment data structure in Consul/Vault.
  10. Optional: Deploy ibm-websphere-commerce-vaultconsul (or, for HCL Commerce Version 9.0.1.12 or later, hcl-commerce-vaultconsul) by using the Helm command.
    1. Log out, then back in to IBM Cloud Private. Your Helm chart is configured during the login process.
    2. Add the Helm repository from IBM Cloud Private to your Helm client by running the following commands.
      # helm repo add --cert-file path_to_helm/.helm/cert.pem --ca-file path_to_helm/.helm/ca.pem \
          --key-file path_to_helm/.helm/key.pem local-charts https://yourClusterHost:8443/helm-repo/charts

      Where:
      path_to_helm
      Is the full path to your Helm chart.
      yourClusterHost
      Is the host name of your cluster.
      # helm repo update
      
      # helm search -l
    3. Deploy vaultconsul by running the following command.
      # helm install --name name --namespace namespace local-charts/commerce-vaultconsul --tls
      Where:
      name
      The name of your deployment.
      namespace
      Is your current namespace; for example, commerce.
      commerce-vaultconsul
      The chart name for commerce-vaultconsul.
      • ibm-websphere-commerce-vaultconsul for versions 9.0.1.11 and earlier.
      • hcl-commerce-vaultconsul for HCL Commerce Version 9.0.1.12 or later.
    4. Verify the deployment status by running the following command.
      # helm list --tls  | grep name
      Where:
      name
      The name of your deployment.
  11. Deploy ibm-websphere-commerce (or, for HCL Commerce Version 9.0.1.12 or later, hcl-commerce) from the IBM Cloud Private catalog. If you prefer to deploy by using the Helm command, skip to the next step. The HCL Commerce Version 9 IBM Cloud Private enabled package uses a quick deployment configuration that is set up with default configurations.
    This process involves two deployments, one for authoring and one for live.
    • For authoring:
      1. Click Catalog.
      2. Search for commerce.
      3. Click ibm-websphere-commerce (or, for HCL Commerce Version 9.0.1.12 or later, hcl-commerce).
      4. In the Release Name, enter demoqaauth.
        Note: If you want to deploy to another namespace, update the NameSpace value in the Common Configuration section. Be sure to input the imagePullSecrets value that you defined previously.
      5. Select commerce namespace as the target.
      6. If you want to pull Docker images from a Docker repository outside of the IBM Cloud Private cluster, update the Image Repository.
      7. Click Install.
    • For live:
      1. Click Catalog.
      2. Search for commerce.
      3. Click ibm-websphere-commerce (or, for HCL Commerce Version 9.0.1.12 or later, hcl-commerce).
      4. In the Release Name, enter demoqalive.
      5. Select commerce as the Target Namespace.
      6. Set the Environment Type to live.
      7. Set the Binding ConfigMap to demoqalive-config.properties.
      8. Set the Database Hostname in Quick Deploy Configuration to demoqalive.
      9. Ensure that Enable Create Sample Config is selected.
      10. Click Install.
  12. Optional: Deploy ibm-websphere-commerce (or, for HCL Commerce Version 9.0.1.12 or later, hcl-commerce) by using the Helm command.
    1. Log out, then back in to IBM Cloud Private. Your Helm chart is configured during the login process.
    2. Add the Helm repository from IBM Cloud Private to your Helm client by running the following commands.
      # helm repo add --cert-file path_to_helm/.helm/cert.pem --ca-file path_to_helm/.helm/ca.pem \
          --key-file path_to_helm/.helm/key.pem local-charts https://yourClusterHost:8443/helm-repo/charts

      Where:
      path_to_helm
      Is the full path to your Helm chart.
      yourClusterHost
      Is the host name of your cluster.
      # helm repo update
      # helm search -l
    3. Retrieve your Vault token by running the following command.
      # kubectl get pod -n namespace | grep vault.consul
      Where:
      namespace
      Is your current namespace; for example, commerce.
      Look for the Root token in your log.
    4. Deploy ibm-websphere-commerce (or, for HCL Commerce Version 9.0.1.12 or later, hcl-commerce) by running the following command.
      # helm install --name name --namespace namespace local-charts/hcl-commerce --tls
      Where:
      name
      The name of your deployment.
      namespace
      Is your current namespace; for example, commerce.
      hcl-commerce
      Is the chart for HCL Commerce.
      • ibm-websphere-commerce for versions 9.0.1.11 and earlier.
      • hcl-commerce for HCL Commerce Version 9.0.1.12 or later.
    5. Verify the deployment status by running the following command.
      # helm list --tls  | grep name 
      Where:
      name
      The name of your deployment.
  13. Map the IP address and host names.
    1. Locate the Ingress_IP address by running the following command.
      # kubectl get ingress
      The following is a sample output:
      NAME HOSTS ADDRESS PORTS AGE
      demoqaauth-ingress cmc.demoqaauth.ibm.com,accelerator.demoqaauth.ibm.com,\
      admin.demoqaauth.ibm.com + 4 more... 11.112.226.101 80, 443 1m
      demoqalive-ingress cmc.demoqalive.ibm.com,accelerator.demoqalive.ibm.com,\
      admin.demoqalive.ibm.com + 5 more... 11.112.226.101 80, 443 20m  
      
    2. Add the following mappings to the hosts file of the environment where you want to access the HCL Commerce store and tools.
      <Ingress_IP>   cmc.demoqaauth.ibm.com 
      <Ingress_IP>   cmc.demoqalive.ibm.com 
      <Ingress_IP>   accelerator.demoqaauth.ibm.com
      <Ingress_IP>   accelerator.demoqalive.ibm.com
      <Ingress_IP>   admin.demoqaauth.ibm.com 
      <Ingress_IP>   admin.demoqalive.ibm.com 
      <Ingress_IP>   org.demoqaauth.ibm.com 
      <Ingress_IP>   org.demoqalive.ibm.com 
      <Ingress_IP>   store.demoqaauth.ibm.com 
      <Ingress_IP>   store.demoqalive.ibm.com 
      
    3. Add the following mappings to the hosts file of the environment where you want to trigger the index build.
      <Ingress_IP>   tsapp.demoqaauth.ibm.com 
      <Ingress_IP>   searchrepeater.demoqalive.ibm.com 
      <Ingress_IP>   search.demoqaauth.ibm.com  
      
  14. Verify the deployment of the HCL Commerce environment.
    1. Log in to the following HCL Commerce tools with your wcsadmin/wcs1admin username and password. If you need to reset your wcsadmin password, see Resetting the wcsadmin user password (runtime).
    2. Go to the following URLs to verify that the Aurora sample store is working properly.
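
Added example, not part of the HCL documentation: a shell check for the policy.yaml from step 5 that lists the allowedCapabilities going beyond Docker's default capability set and the settings that let pods run as root. The function names are hypothetical, and the sample input is constructed from the fields of that policy.

```shell
#!/bin/sh
# Added example (not HCL code): audit a PodSecurityPolicy manifest read from
# stdin before it is created. Function names are hypothetical.

# Capabilities that Docker grants to every container by default.
DOCKER_DEFAULT_CAPS="AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD \
NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT"

# Print allowedCapabilities entries that go beyond the Docker default set.
psp_extra_caps() {
  awk '/^[ \t]*allowedCapabilities:/ { in_list = 1; next }
       in_list && /^[ \t]*-/ { print $2; next }
       { in_list = 0 }' |
  while read -r cap; do
    [ -n "$cap" ] || continue
    case " $DOCKER_DEFAULT_CAPS " in
      *" $cap "*) ;;            # already part of the runtime default
      *) echo "$cap" ;;         # extra privilege granted by the policy
    esac
  done
}

# Print each setting that lets a pod run as root or gain privileges.
psp_root_findings() {
  awk '/^[ \t]*[A-Za-z]+:[ \t]*$/ { section = $1 }
       /^[ \t]*(allowPrivilegeEscalation|privileged):[ \t]*true/ { print $1 $2 }
       /^[ \t]*rule:[ \t]*RunAsAny/ && section == "runAsUser:" { print section "RunAsAny" }'
}

# Constructed sample: the relevant fields of the policy.yaml from step 5.
sample_policy() {
  printf 'spec:\n  allowPrivilegeEscalation: true\n  allowedCapabilities:\n'
  printf '  - %s\n' CHOWN DAC_OVERRIDE FOWNER FSETID KILL SETGID SETUID SETPCAP \
    NET_BIND_SERVICE NET_RAW SYS_CHROOT MKNOD AUDIT_WRITE SETFCAP \
    SYS_RESOURCE IPC_OWNER SYS_NICE
  printf '  seLinux:\n    rule: RunAsAny\n  runAsUser:\n    rule: RunAsAny\n'
}

echo "Capabilities beyond the Docker default set:"
sample_policy | psp_extra_caps
echo "Settings that allow root or privilege escalation:"
sample_policy | psp_root_findings
```

To audit the real manifest, redirect it into the functions, for example psp_extra_caps < policy.yaml.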