Installing the server software on Red Hat OpenShift

You can install HCL OneTest™ Server on the Red Hat OpenShift server that has the Kubernetes Engine environment to run functional, integration, and performance tests. HCL OneTest™ Server combines test data, test environments, and test runs and reports into a single web-based browser for testers and non-testers.

Before you begin

You must have performed the following tasks:

Completed tasks provided in the Prerequisites section. See Prerequisites for installing the server software on Red Hat OpenShift.
Installed the following software:
- OpenShift CLI
- Helm
Copied the Secret key from the Harbor repository.

Procedure

Log in to your OCP cluster as a cluster administrator by running the oc login command.
Create a namespace in which you want to install the server software by running the following command:
```
oc new-project test-system
```
Remember: The test-system is the name of the namespace. If you created a namespace by using a different value, then you must use that value in place of test-system in all the instances in this procedure.
Add the software registry to Helm to access the server install charts by running the following command:
```
helm repo add hclsoftware https://hclcr.io/chartrepo/ot --username {okta-email-address} --password {harbor-cli-secret}
```
Note: You must replace {okta-email-address} with the user name of the Harbor repository and replace {harbor-cli-secret} with the secret key that you copied from the Harbor repository.
If the user name contains any special characters, such as $, you must enclose it within single quotes.
Run the following command to get the latest updates from the repository:
```
helm repo update
```

Run the following command to retrieve the charts:

helm pull --untar hclsoftware/hcl-onetest-server --version 5.1020.0

Create a Secret to pull images that are used by HCL OneTest™ Server by running the following commands:
```
oc create secret docker-registry hclcr.io \
-n test-system \
--docker-server=hclcr.io \
--docker-username={okta-email-address} \
--docker-password={harbor-cli-secret} \
--docker-email=example@abc.com
```
Notes:
- You must replace {okta-email-address} with the user name of the Harbor repository and replace {harbor-cli-secret} with the secret key that you copied from the Harbor repository.
  
  If the user name contains any special characters, such as $, you must enclose it within single quotes.
- You can replace example@abc.com with the email address of the administrator if required.
Remember: test-system is the name of the namespace. If you created a namespace by using a different value, then you must use that value in place of the test-system in all the instances in this procedure.
Perform one of the following steps to enable certificates as trusted certificates:

You must go to Step 7.b if you use OpenShift Service Mesh service virtualization, a Tech Preview feature.
1. Perform the following steps to add the Certificate Authority (CA) into a Secret:
  1. Run the following command to verify whether an additional CA is required:
```
curl -sw'%{http_code}' -o/dev/null \
"https://wildcard.$(oc get -n openshift-ingress-operator ingresscontroller default -ojsonpath='{.status.domain}')"
```
    If the result of the command is displayed as 503, the CA is already trusted. You must continue with 8.
    
    If the result of the command is displayed as 000, then CA must be added into a Secret. You must continue with 7.a.ii.
  2. Run the following command to get the default CA in a PEM format:
```
oc get -n openshift-ingress-operator secret router-ca -ojsonpath='{.data.tls\.crt}' | base64 --decode > ca.crt
```
  3. Run the following command to validate that the CA used to sign the certificate is the same for ingress:
```
curl -sw'%{http_code}' -o/dev/null --cacert ca.crt \
"https://wildcard.$(oc get -n openshift-ingress-operator ingresscontroller default -ojsonpath='{.status.domain}')"
```
    If the result of the command is displayed as 503, then you must continue with next step.
    
    If the result of the command is displayed as 000, then the configuration of the certificate has been customized. You must find the signer of the certificate to continue with the next step.
  4. Run the following command to create an ingress Secret to store the CA:
```
oc create secret generic -n test-system ingress --from-file=ca.crt=ca.crt
```
2. Perform the following steps to add the Certificate Authority (CA) into a Secret if you use OpenShift Service Mesh service virtualization, a Tech Preview feature:
  1. Run the following script from the hcl-onetest-server/files directory:
```
./files/certificate.sh -n istio-system -s istio-ingressgateway-certs {openshift-cluster-dns-name}
```
    You must replace the {openshift-cluster-dns-name} with the ingress DNS name that you selected for the server. You can run the following command to obtain the default value of openshift-cluster-dns-name:
    oc get --namespace=openshift-ingress-operator ingresscontroller/default -ojsonpath='{.status.domain}'
  2. Run the following command to create an ingress Secret:
    oc create secret generic -n test-system ingress \ "--from-literal=ca.crt=$(oc get -n istio-system secret istio-ingressgateway-certs -ojsonpath='{.data.ca\.crt}' | base64 --decode)"
  3. Run the following commands to enable an OpenShift route that the product creates for the Istio gateway:
    cat <<EOF | oc apply -n istio-system -f - >/dev/null apiVersion: maistra.io/v1 kind: ServiceMeshMemberRoll metadata: name: default spec: members: - test-system EOF
When some components such as static agents or Docker agents want to communicate with HCL OneTest™ Server, the component presents its certificate to the server to verify its identity. HCL OneTest™ Server trusts the component only if it is signed by a recognized and trusted CA. Therefore, you must add the signed CA into a trust by placing it in a Secret to enable certificates as trusted certificates.

Perform the following steps to install the server software:

Run the following commands to update the runAsUser and fsGroup to match the Security Context Constraints (SCCs):
```
sed -i -e "s/runAsUser: 1001/runAsUser: $(oc get project test-system -oyaml \
  | sed -r -n 's# *openshift.io/sa.scc.uid-range: *([0-9]*)/.*#\1#p')/g;
           s/fsGroup: 1001/fsGroup: $(oc get project test-system -oyaml \
  | sed -r -n 's# *openshift.io/sa.scc.supplemental-groups: *([0-9]*)/.*#\1#p')/g" hcl-onetest-server/values-openshift.yaml
```
HCL OneTest™ Server is compatible with the restricted SCC. You must run this command to ensure that the runAsUser and fsGroup strategies match with the SCC policy.

Perform one of the steps described in the following table to install the server software based on your requirement:

Step description	Step no
To install the server software	Perform 8.b.i
To install the server software and enable the OpenShift Service Mesh service virtualization through Istio, a Tech Preview feature	Perform 8.b.ii and 8.b.iv
To install the server software, enable the OpenShift Service Mesh service virtualization through Istio, a Tech Preview feature, and enable Jaeger for performance and Web UI tests logs	Perform 8.b.iii and 8.b.iv
To install the server software and enable Jaeger for performance and Web UI tests logs	Perform 8.b.v

Run the following command to install the server software:

helm install {my-ots} ./hcl-onetest-server -n test-system \
-f hcl-onetest-server/values-openshift.yaml \
--set global.persistence.rwxStorageClass=rook-ceph-file
--set global.hclOneTestIngressDomain=onetest.{openshift-cluster-dns-name} \
--set global.hclFlexnetURL=https://hclsoftware.compliance.flexnetoperations.com \
--set global.hclFlexnetID={cloud-license-server-id} \
--set global.hclImagePullSecret=hclcr.io \
--set global.hclOneTestPasswordAutoGenSeed={password-seed}

Note: You must use the --set global.hclCertSecretOptional=false parameter in the

helm
                    install

command only if you performed step 7.a.iv to create an ingress Secret to store the CA.

Run the following command to install the server software and to enable OpenShift Service Mesh service virtualization, a Tech Preview feature:

helm install {my-ots} ./hcl-onetest-server -n test-system \
-f hcl-onetest-server/values-openshift.yaml \
--set global.persistence.rwxStorageClass=rook-ceph-file
--set global.hclOneTestIngressDomain=onetest.{openshift-cluster-dns-name} \
--set global.hclFlexnetURL=https://hclsoftware.compliance.flexnetoperations.com \
--set global.hclFlexnetID={cloud-license-server-id} \
--set global.hclImagePullSecret=hclcr.io \
--set global.hclOneTestPasswordAutoGenSeed={password-seed} \
-f hcl-onetest-server/values-openshift-demo.yaml

Run the following command to install the server software, to enable OpenShift Service Mesh service virtualization, a Tech Preview feature, and to enable Jaeger for performance and Web UI tests logs:

helm install {my-ots} ./hcl-onetest-server -n test-system \
-f hcl-onetest-server/values-openshift.yaml \
--set global.persistence.rwxStorageClass=rook-ceph-file
--set global.hclOneTestIngressDomain=onetest.{openshift-cluster-dns-name} \
--set global.hclFlexnetURL=https://hclsoftware.compliance.flexnetoperations.com \
--set global.hclFlexnetID={cloud-license-server-id} \
--set global.hclImagePullSecret=hclcr.io \
--set global.hclOneTestPasswordAutoGenSeed={password-seed} \
-f hcl-onetest-server/values-openshift-demo.yaml \
--set-string execution.annotations.sidecar\\.jaegertracing\\.io/inject=true \
--set global.jaegerAgent.internalHostName=localhost \
--set global.jaegerDashboard.externalURL={my-jaeger-dashboard-url}

Run the following command to enable service virtualization through Istio, a Tech Preview feature in the specific namespace:
```
oc create rolebinding istio-virtualization-enabled -n bookinfo --clusterrole={my-ots}-execution-istio-test-system --serviceaccount=test-system:{my-ots}-execution
```
Where, {my-ots} is the name of the release that you provided during the installation of the server software.
Note: When you uninstall the chart, the manually created role bindings are not deleted from the namespace. You can run the following command to delete the role bindings:
```
oc delete rolebinding istio-virtualization-enabled -n bookinfo
```

Run the following command to install the server software and to enable Jaeger for performance and Web UI tests logs:

helm install {my-ots} ./hcl-onetest-server -n test-system \
-f hcl-onetest-server/values-openshift.yaml \
--set global.persistence.rwxStorageClass=rook-ceph-file
--set global.hclOneTestIngressDomain=onetest.{openshift-cluster-dns-name} \
--set global.hclFlexnetURL=https://hclsoftware.compliance.flexnetoperations.com \
--set global.hclFlexnetID={cloud-license-server-id} \
--set global.hclImagePullSecret=hclcr.io \
--set global.hclOneTestPasswordAutoGenSeed={password-seed} \
--set-string execution.annotations.sidecar\\.jaegertracing\\.io/inject=true \
--set global.jaegerAgent.internalHostName=localhost \
--set global.jaegerDashboard.externalURL={my-jaeger-dashboard-url}

Note: You must use the --set global.hclCertSecretOptional=false parameter in the

helm
                    install

command only if you performed step 7.a.iv to create an ingress Secret to store the CA.

You must substitute the value of the variables in the helm install command with the actual value:

{my-ots} with the release name of your choice.
Note: The release name must consist of alphanumeric characters that are in lowercase or - (hyphen). The release name must also start with an alphabetic character and end with an alphanumeric character. For example, my-org or abc-123.
{openshift-cluster-dns-name} with the ingress DNS name that you selected for the server.
Remember: You must provide the value that consists of alphanumeric characters that are in lowercase, -(hyphen) or .(period). The value must also start and end with an alphanumeric character.
Note: You can run the following command to obtain the default value of openshift-cluster-dns-name:
```
oc get --namespace=openshift-ingress-operator ingresscontroller/default -ojsonpath='{.status.domain}'
```
{password-seed} with a value of your choice.

Important: This password seed is used to create several default passwords for the server. You must store the password seed securely. When you install the server software by using the backup of the user data, you can reuse the password seed. You can use this seed to restore the backed-up files either on the current or later versions of the server software.
Optional: {cloud-license-server-id} with the ID of the License Server for the initial team space, if you want to set the license for the first time.

Important: If you want to upgrade the product from the previous version, you must configure the value of License Server ID from the Team Space License Configuration page when the installation of the server is complete.
{my-jaeger-dashboard-url} with the URL of the Jaeger server.

Optional: Run the following command to remove a job that is used to initialize the PostgresQL database during the installation of the server software:
```
oc delete job {my-ots}-postgresql-init -n test-system
```
Optional: Perform the following steps to migrate data into HCL OneTest™ Server, if you upgraded the product from the previous version (V10.1.0, V10.1.1, or V10.1.2):
1. Run the following script from the hcl-onetest-server/files directory to create a directory that contains metadata related to the Persistent Volume Claims and their Persistent Volumes:
  migrate.sh create-pvcs -n test-system {my-ots}
2. Run the following script from the hcl-onetest-server/files directory to merge the data into the server:
  migrate.sh merge-dbs -n test-system {my-ots}
3. Run the following command to remove the resources that were created during the migration process:
  migrate.sh delete-temp-resources -n test-system {my-ots}
where {my-ots} is the name of the release that you provided during the installation of the server software.
Run the following command to verify and test the installed server software:
```
$ helm test {my-ots} -n test-system
```
where {my-ots} is the name of the release that was provided during the installation of the server software.

Results

You have installed the server software. The command line displays the following information:

Keycloak URL to manage and authenticate users.
A URL to access the HCL OneTest™ Server UI.

What to do next

You can perform certain tasks as a Server Administrator. See Configuration of the server software.