Prerequisites for installing Cloud Automation Manager

The following prerequisites apply to installing Cloud Automation Manager Community Edition and Cloud Automation Manager. They apply to both online and offline installations.

Note: As Cloud Automation Manager 3.2.1.0 is a full release by itself, you do not have to import or deploy any prior version of Cloud Automation Manager.

  1. Ensure that you have a Cluster Administrator role to install Cloud Automation Manager.
  2. Ensure you meet all the requirements listed in System requirements.
  3. Optionally, if you want FIPS compliance in Cloud Automation Manager, go through the FIPS compliance topic in IBM Cloud Private before you install IBM Cloud Private.
  4. Installing IBM Multicloud Manager with IBM Cloud Private 3.2.1, 3.2.0 or IBM Cloud Private 3.1.2 is required for IBM Cloud Automation Manager. For the installation procedure, see IBM Multicloud Manager with IBM Cloud Private installation.
  5. Post installation steps for IBM Cloud Private behind proxy.
  6. Though service-catalog is enabled by default, confirm whether it is enabled during IBM Cloud Private Installation. Unless it is enabled, you cannot install Cloud Automation Manager. For more information, see Using service catalog resources in IBM Cloud Private. For more information about where and how to verify, see the management_services row in the General settings table of Customizing the cluster with the config.yaml file.
  7. If IBM Cloud Private is installed by using HTTPS certificates that are signed by IBM CAPKI, then do the following steps to avoid certificate errors:

    1. Run the following command to open the configmap in edit mode:

      kubectl -n services edit configmap oauth-client-map
      
    2. Replace the IP address with the host name.
  8. Ensure you go through the points covered in Planning the installation.
  9. Install Helm CLI. For instructions about using the Helm CLI with IBM Cloud Private, see the following IBM Cloud Private topics:
  10. Ensure you install the required socat package. For the actual procedure, see the "Before you set up the Helm CLI" section in Setting up the Helm CLI.

    Note: socat is used to connect Helm to the Tiller API. For more information about socat, see Helm Documentation.

  11. The Helm repository must be configured to the ibm-charts repository and local-charts repository. To verify, from the IBM Cloud Private user interface, do the following steps:

    1. In the navigation menu, click Manage > Helm Repositories.
    2. Verify whether you have configured the following repositories:
    3. If you do not have these repositories configured, click Add repository and enter the Name and URL of the Helm repositories.
  12. If you plan to use NFS for persistent volume claims in Cloud Automation Manager, then ensure that the nfs-common package is installed on all IBM Cloud Private nodes. Configure your NFS server and note down the IP address. Use this IP address while you configure the PersistentVolumes. Cloud Automation Manager also supports GlusterFS and other storage systems. For multi-node IBM Cloud Private, ensure it is installed on all worker nodes.
  13. The Pod security policy control is enabled by default on IBM Cloud Private 3.2.0. IBM Cloud Automation Manager includes a PodSecurityPolicy in the Helm chart that supports the following securityContext settings:

    privileged: false
    allowPrivilegeEscalation: false
    hostPID: false
    hostIPC: false
    hostNetwork: false
    allowedCapabilities:
    - SETPCAP
    - AUDIT_WRITE
    - CHOWN
    - NET_RAW
    - DAC_OVERRIDE
    - FOWNER
    - FSETID
    - KILL
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
    - SYS_CHROOT
    - SETFCAP
    requiredDropCapabilities:
    - MKNOD
    readOnlyRootFilesystem: false
    {{- if .Values.global.audit }}
    allowedHostPaths:
    - pathPrefix: {{ .Values.auditService.config.journalPath }}
      readOnly: false
    runAsUser:
      rule: RunAsAny
    {{- else }}
    runAsUser:
      ranges:
      - max: 1111
        min: 999
      rule: MustRunAs
    {{- end }}
    fsGroup:
      ranges:
      - max: 1111
        min: 999
      rule: MustRunAs
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      ranges:
      - max: 1111
        min: 999
      rule: MustRunAs
    volumes:
    - configMap
    - emptyDir
    - secret
    - persistentVolumeClaim
    - nfs
    - downwardAPI
    - projected
    

    Note: The Pod Security Policy can be found using the IBM Cloud Private UI at https:// :ICP PORT/console/manage/resourcesecurity/podsecurity. You can review and edit it as per your requirement.
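
As an added example (not part of IBM's documentation or the Helm chart), the following Python code lints a parsed pod spec against the non-audit branch of the PodSecurityPolicy settings listed above, which is useful when reviewing a workload before it is deployed beside Cloud Automation Manager. It assumes the spec is already loaded as a dictionary, checks only explicitly set values (the defaulting done at admission time is not modelled), and uses a constructed sample spec and hypothetical function names.

```python
# Added example, not IBM's code: lint a pod spec against the non-audit branch of
# the PodSecurityPolicy above. Explicit values only; admission defaulting is not modelled.
ALLOWED_CAPS = set(
    "SETPCAP AUDIT_WRITE CHOWN NET_RAW DAC_OVERRIDE FOWNER FSETID KILL "
    "SETGID SETUID NET_BIND_SERVICE SYS_CHROOT SETFCAP".split())
ALLOWED_VOLUMES = set(
    "configMap emptyDir secret persistentVolumeClaim nfs downwardAPI projected".split())
ID_RANGE = range(999, 1112)  # 999..1111 inclusive: runAsUser, fsGroup, supplementalGroups


def psp_violations(pod_spec):
    """Return human-readable reasons the policy would reject this pod spec."""
    out = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if pod_spec.get(flag):
            out.append(f"{flag} must be false")
    pod_sc = pod_spec.get("securityContext", {})
    groups = [pod_sc["fsGroup"]] if "fsGroup" in pod_sc else []
    for gid in groups + pod_sc.get("supplementalGroups", []):
        if gid not in ID_RANGE:
            out.append(f"group id {gid} outside 999-1111")
    for vol in pod_spec.get("volumes", []):
        for kind in sorted(set(vol) - {"name"} - ALLOWED_VOLUMES):
            out.append(f"volume {vol.get('name')}: type {kind} not allowed")
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        for flag in ("privileged", "allowPrivilegeEscalation"):
            if sc.get(flag):
                out.append(f"{c['name']}: {flag} must be false")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))  # container overrides pod
        if uid is not None and uid not in ID_RANGE:
            out.append(f"{c['name']}: runAsUser {uid} outside 999-1111")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added - ALLOWED_CAPS):  # MKNOD is a required drop, never addable
            out.append(f"{c['name']}: capability {cap} may not be added")
    return out


# Constructed sample pod spec (hypothetical names), as parsed from a manifest.
SAMPLE = {
    "hostNetwork": True,
    "securityContext": {"fsGroup": 1000, "supplementalGroups": [0]},
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "app", "securityContext": {
        "runAsUser": 0, "capabilities": {"add": ["CHOWN", "MKNOD"]}}}],
}

if __name__ == "__main__":
    print("\n".join(psp_violations(SAMPLE)))
```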