Installing IBM Cloud Cost and Asset Management

IBM® Cloud Cost and Asset Management (ICCAM) enables users to identify and analyze assets and costs, spending and allocation, and underused resources.

To install ICCAM, complete the following steps:

  1. Ensure that you have completed all the steps in Preparing to install IBM Cloud Cost and Asset Management.

  2. Go to the folder pre-post-install/ibm-cloud-cost-asset-mgmt-prod/pre-install that was extracted in prerequisites.

  3. Enter the namespace and secret values as needed in the resources/preCCAM.properties file. For more details on the properties file, refer to Properties File.

  4. Create a folder named cert inside the resources folder. Place the certificate and key required for ICCAM into the resources/cert folder. Refer to Steps to generate self signed certificates for more information on required certificates and the steps to generate them if they do not exist.

  5. Log in using the cloudctl command on IBM Cloud Private (ICP):

     ```
       cloudctl login -a https://<cluster_host_name>:<cluster port> --skip-ssl-validation  
     ```
     When prompted, log in with your ICP cluster admin user name.
    
     After the login succeeds, select the default account.
    
     Where `cluster_host_name` is the external host name or IP address for your master or leading master node, and cluster port is the port for master host.
     For information on cloudctl login, refer to [Cloudctl login](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.2.0/manage_cluster/cli_commands.html).
    

    For ICP on OpenShift:

    ```
     oc login https://<OpenShift_cluster_host_name>:<OpenShift_Cluster_Port>
    ```  
    When prompted, log in with your OpenShift cluster admin user name.
    
    After the login succeeds, select the default project.  
    
  6. Go to the scripts folder. Run the following commands to create the namespace and secrets for ICCAM.

           sh preCCAM.sh -c -f preCCAM.properties
    

    Note: The namespace must be created before loading PPA. The secrets must be created before installing ICCAM.
    
  7. Ensure that the secrets for ICCAM are created before configuring the Helm chart.

  8. Ensure IBM Cloud Management Platform is installed before installing ICCAM in ICP or ICP with OpenShift.

  9. Run the docker login command:

    ICP:

       docker login << registry name>>
    

    Example : docker login mycluster.icp:8500

    When prompted, enter the credentials to log in to the registry. Refer to Configure Docker CLI for more information on logging in to the registry server.

    ICP with OpenShift:

       docker login -u <username> -p $(oc whoami -t) docker-registry.default.svc:5000
    
  10. Log in using the cloudctl command on ICP or ICP with OpenShift:

      cloudctl login -a https://<cluster_host_name>:<cluster port> --skip-ssl-validation
    

    When prompted, log in with your ICP cluster admin user name.

    After the login succeeds, select the account.

    Where cluster_host_name is the external host name or IP address for your master or leading master node, and cluster port is the port for master host. For information on cloudctl login, refer to Cloudctl login.

    During cloudctl login, select the namespace that was entered in the preCCAM.properties file for "cam_namespace".

  11. Go to the folder where the PPA archive was extracted in prerequisites. Run the following command to load the ICCAM archive into ICP:

          cloudctl catalog load-ppa-archive --archive ibm-cloud-cost-asset-mgmt-prod-3.2.0.tar.gz
    

    Run the following command to load the ICCAM PPA archive into ICP with OpenShift.

         cloudctl catalog load-ppa-archive  --archive ibm-cloud-cost-asset-mgmt-prod-3.2.0.tar.gz --registry docker-registry.default.svc:5000/<cam_namespace>
    

    Enter the value for cam_namespace as the value entered in the preCCAM.properties file.

    For more information, refer to Catalog CLI. Wait until the PPA archive loads successfully.

  12. To install on ICP, create a pod security policy, a role, and a role binding by using the following example YAML files, and bind them to a namespace. The following steps must be performed by a cluster administrator.

    • Custom PodSecurityPolicy definition:

    ```
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: cam-security
      labels:
    spec:
      allowPrivilegeEscalation: false
      fsGroup:
        rule: RunAsAny
      requiredDropCapabilities:
      - MKNOD
      allowedCapabilities:
      - SETGID
      - SETFCAP
      - CHOWN
      - DAC_OVERRIDE
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      volumes:
      - configMap
      - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      forbiddenSysctls:
      - '*'
    ```

    To create the PSP, copy the content above into a file, and then run the following command:

      kubectl create -f <filename.yaml>
    
    • Custom Role for the custom PodSecurityPolicy:

    ```
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cam-security-role
      labels:
    rules:
     -
       apiGroups:
         - extensions
       resourceNames:
         - cam-security
       resources:
         - podsecuritypolicies
       verbs:
         - use
    ```
    

    To create the role, copy the content above into a file, and then run the following command:

      kubectl create -f <filename.yaml>
    
    • Custom RoleBinding for the custom PodSecurityPolicy:

    ```
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: cam-security-psp-users
      labels:
    subjects:
     - kind: Group
       apiGroup: rbac.authorization.k8s.io
       name: "system:serviceaccounts:<<Namespace for ibm-cloud-cost-asset-mgmt-prod chart>>"
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cam-security-role
    ```
    

    To create the role binding, copy the content above into a file, change the namespace to the one that was created, and then run the following command:

      kubectl create -f <filename.yaml>
    

    To install on ICP with OpenShift, create an SCC on OpenShift by using the following example YAML and bind it to the namespace. The OpenShift Administrator role is required to create an SCC and add it to a project.

    ```
    ---
    apiVersion: security.openshift.io/v1
    metadata:
      annotations:
      name: cost-mgmt
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegedContainer: false
    allowedCapabilities:
    - CHOWN
    - SETFCAP
    - SETGID
    - DAC_OVERRIDE
    defaultAddCapabilities: []
    fsGroup:
      type: RunAsAny
    groups:
    - system:cluster-admins
    kind: SecurityContextConstraints
    priority: 12
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - MKNOD
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users: null
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
    ```
    

    Run the following command to create the SCC using the content above in the cost-mgmt.yaml:

    oc create -f cost-mgmt.yaml
    

    Run the following command to add the SCC created above to the project (namespace) where you are going to deploy the chart:

    oc adm policy add-scc-to-group cost-mgmt system:serviceaccounts:<<project name of ibm-cloud-cost-asset-mgmt-prod chart>>
    
  13. If you plan to use NFS storage, refer to this link to create Persistent Volumes. If you are using glusterFS storage, refer to this link for details.

  14. Install ICCAM in ICP:

    1. Log in to ICP.
    2. Go to Catalog > Helm Charts.
    3. Search for IBM Cloud Cost charts.
    4. Double-click ibm-cloud-cost-asset-mgmt-prod.
    5. Review the instructions and click Configure.
  15. Enter the following installation parameters and accept the license agreement:

    Release name - Enter cam.

    Target namespace - From the drop-down list, select the namespace for cam.

    Target Cluster - From the drop-down list, select the target cluster.

    UI Host - IP address of the Host.

    API Gateway URL - URL to access the API Gateway.

    Storage Type - NFS or GlusterFS Storage. If you are using GlusterFS for persistent volumes, then specify additional chart installation parameters. Refer to Creating Cost and Asset Management persistent volumes using GlusterFS for more details.

    Service Type - Service type is either NodePort or Ingress.

    Cloud Management Platform namespace - Namespace in which Cloud Management Platform chart is deployed.

    Cost and Asset Management namespace - Namespace in which Cost and Asset Management chart is deployed.

    Note: For information on additional installation parameters, see Installation parameters.

  16. Verify any other configuration parameters required for ICCAM and click Install.

  17. You must complete the Post install configuration of Cost and Asset Management to access ICCAM in a browser.
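
The Role and RoleBinding in step 12 take effect only in the namespace they are created in, and a mismatch shows up later as pods that fail admission. The script below is an added example (not part of the ICCAM scripts) that checks the step 12 objects before you install the chart; object names come from the manifests above, while the namespace argument and the use of the `default` service account for impersonation are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ICCAM pre-install scripts.
# Object names are the ones in the step 12 manifests; the namespace argument is
# the cam_namespace value, and "default" as the service account is an assumption.
PSP_NAME=cam-security
SCC_NAME=cost-mgmt

# ICP: the Role and RoleBinding manifests set no metadata.namespace, so
# "kubectl create -f" puts them in the current context's namespace.
# Confirm that both actually exist in namespace $1.
rbac_present_in() {
  ns=$1
  kubectl get role cam-security-role --namespace "$ns" >/dev/null 2>&1 &&
    kubectl get rolebinding cam-security-psp-users --namespace "$ns" >/dev/null 2>&1
}

# ICP: may a service account in namespace $1 "use" the PSP? The query targets
# the "extensions" API group because that is the group the Role grants.
# Impersonation (--as) requires cluster administrator rights.
psp_usable_in() {
  ns=$1
  kubectl auth can-i use "podsecuritypolicies.extensions/$PSP_NAME" \
    --namespace "$ns" \
    --as "system:serviceaccount:$ns:default" \
    --as-group "system:serviceaccounts:$ns" >/dev/null 2>&1
}

# OpenShift: is the project's service account group listed on the SCC?
scc_bound_to() {
  ns=$1
  oc get scc "$SCC_NAME" -o 'jsonpath={.groups[*]}' 2>/dev/null |
    tr ' ' '\n' | grep -qx "system:serviceaccounts:$ns"
}

# Runs both ICP checks for $1, prints one line each, returns 0 only if all pass.
verify_icp() {
  ns=$1
  rc=0
  rbac_present_in "$ns" && echo "ok   role and rolebinding in $ns" ||
    { echo "FAIL role or rolebinding missing in $ns"; rc=1; }
  psp_usable_in "$ns" && echo "ok   $PSP_NAME usable in $ns" ||
    { echo "FAIL $PSP_NAME not usable in $ns"; rc=1; }
  return "$rc"
}

# Usage: sh check-step12.sh <cam_namespace>
if [ -n "${1:-}" ]; then verify_icp "$1"; fi
```

On ICP with OpenShift, source the file and call `scc_bound_to <project>` instead of `verify_icp`.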