Online installation of Infrastructure Automation

Follow these steps to install Infrastructure Automation.

Infrastructure Automation is included with IBM Cloud Pak® for Watson AIOps. If you have a license for IBM Cloud Pak® for Watson AIOps, you are entitled to install and use Infrastructure Automation.

Before you begin

Confirm that your environment meets the requirements for Infrastructure Automation and your chosen installation method:

  • Review the Planning section.

  • Make sure that your system meets the minimum requirements for installing Infrastructure Automation. For instance, your architecture must be AMD64 or Linux® on Power® (ppc64le) or Linux® on IBM Z® and LinuxONE.

Note: The display names of some OpenShift console components, such as window titles and push buttons, vary between OpenShift versions. The following instructions are based on OpenShift version 4.8 console components.

Procedure

From a high level, an installation of Infrastructure Automation consists of the following steps:

  1. Install and configure Red Hat OpenShift
  2. Configure storage
  3. Create a custom project (namespace)
  4. Create the catalog source
  5. Create the entitlement key secret
  6. Create an EgressNetworkPolicy
  7. Install the Infrastructure Automation operator
  8. Install Infrastructure Automation
  9. Verify the install
  10. Check the deployed pods in the deployed namespace
  11. Log in to the Infrastructure Automation console
  12. Assign user roles and permissions

1. Install and configure Red Hat OpenShift Container Platform

For more information about the supported OpenShift versions, see Supported Red Hat OpenShift Container Platform versions.

  1. Install OpenShift by using the instructions in Installing Red Hat OpenShift Container Platform.

  2. Install the OpenShift (oc) command-line interface (CLI) on your cluster's boot node by using the instructions in Getting started with the OpenShift CLI, and then run oc login.

  3. Optionally configure a custom certificate for Infrastructure Automation to use. You can use either of the following methods:

2. Configure storage

You must configure your own storage for use with Infrastructure Automation. For more information, see Storage considerations.

3. Create a custom project (namespace)

Create a project (namespace) called cp4waiops for your Infrastructure Automation deployment, by running the following command:

oc create namespace cp4waiops

Infrastructure Automation does not support deployment into different namespaces within a cluster; it must all be deployed into the same namespace.

4. Create the catalog source

You must add the Infrastructure Automation catalog source to your OpenShift cluster.

  1. Log in to your OpenShift cluster's console.

  2. Add the IBM Operators CatalogSource.

    The ibm-operator-catalog CatalogSource object can be configured to automatically poll for a newer version, and to retrieve it if one is available. This triggers an automatic update of your Infrastructure Automation deployment. Polling for updates is enabled by configuring the polling attribute, spec.updateStrategy.registryPoll.

    Note: ibm-operator-catalog also contains the catalogs for other CloudPaks. If you have multiple CloudPaks installed on your cluster then an automatic update will be configured for all of them.

    Click the plus icon in the upper right corner to open the Import YAML dialog box, paste in one of the following code blocks, and then click Create.

    If you do not want to enable automatic updates, use this YAML:

    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog:latest
    

    If you want to enable automatic updates, use this YAML:

    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog:latest
      updateStrategy:
        registryPoll:
          interval: 45m
    
  3. Go to Administration > Cluster Settings. Under Global Configuration > OperatorHub > Sources, verify that the ibm-operator-catalog CatalogSource object is present.

5. Create the entitlement key pull secret

  1. Log in to MyIBM Container Software Library with the IBMid and password details that are associated with the entitled software.

  2. In the Entitlement keys section, select Copy key to copy your entitlement key to the clipboard.

  3. From the OpenShift CLI, run the following command:

    oc create secret docker-registry ibm-entitlement-key \
        --docker-username=cp \
        --docker-password=<entitlement-key> \
        --docker-server=cp.icr.io \
        --namespace=cp4waiops
    

    Where <entitlement-key> is the entitlement key that you copied in the previous step.
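As an added example (not part of the IBM procedure), the following Python sketch builds the same pull secret as a manifest, so that the entitlement key is typed at a prompt instead of appearing in the command line or shell history, and shows what the stored secret contains. The function names are hypothetical; the secret name, namespace, registry, and username are the ones used in the command above.

```python
import base64
import getpass
import json
import sys


def pull_secret_manifest(entitlement_key, name="ibm-entitlement-key",
                         namespace="cp4waiops", server="cp.icr.io", username="cp"):
    """Build the kubernetes.io/dockerconfigjson Secret that the oc command creates."""
    auth = base64.b64encode(f"{username}:{entitlement_key}".encode()).decode()
    docker_config = {"auths": {server: {
        "username": username, "password": entitlement_key, "auth": auth}}}
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": encoded},
    }


def registry_credentials(manifest):
    """Decode a pull secret back to {server: (username, password)}.

    base64 is an encoding, not encryption: any identity that can read Secrets
    in the namespace recovers the entitlement key this way.
    """
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    auths = json.loads(raw)["auths"]
    return {srv: (a["username"], a["password"]) for srv, a in auths.items()}


if __name__ == "__main__":
    # Prompt on the terminal so the key never appears in argv or shell history,
    # then emit JSON that can be piped to `oc apply -f -`.
    key = getpass.getpass("Entitlement key: ").strip()
    json.dump(pull_secret_manifest(key), sys.stdout, indent=2)
```

Because the key is only encoded, restrict who can read Secrets in the cp4waiops namespace.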

6. Create an EgressNetworkPolicy

There is no egress firewall policy defined when you install Infrastructure Automation, so outgoing traffic from workload pods to the internal and external network is unrestricted.

If you require a more secure environment, then use the following steps.

  1. Create an EgressNetworkPolicy on your Red Hat OpenShift cluster to limit egress from the Infrastructure Automation project (namespace).

    For information on creating an EgressNetworkPolicy, see Configuring an egress firewall for a project.

    Note: There must be only one EgressNetworkPolicy per project (namespace).

  2. Configure exceptions to the EgressNetworkPolicy.

    You must edit your EgressNetworkPolicy to allow traffic for external services, outbound cloud connections, and Infrastructure Management providers that you manage that have egress dependencies, otherwise these components fail when attempting egress.

    For more information about Infrastructure Automation connections and providers, see Managing connections and Managing Providers.

    Edit your EgressNetworkPolicy to allow or deny egress, as in the following example:

    apiVersion: network.openshift.io/v1
    kind: EgressNetworkPolicy
    metadata:
      name: default
    spec:
      egress:
      - type: Allow
        to:
          cidrSelector: <1.2.3.0/24>
      - type: Allow
        to:
          dnsName: <www.example.com>
      - type: Allow
        to:
          dnsName: <www.developer.kubernetes.com>
      - type: Deny
        to:
          cidrSelector: <0.0.0.0/0>
    

    Where the values you enter for dnsName and cidrSelector are the DNS names and addresses of the destinations that you require access to.
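The rules of an EgressNetworkPolicy are matched from top to bottom and the first match decides, so the position of the Deny 0.0.0.0/0 rule matters. The following Python sketch is an added example, not part of the IBM procedure: it checks the rule order of a policy exported as JSON and evaluates sample destinations. The function names are hypothetical and every address and DNS name in the sample is constructed.

```python
import ipaddress
import json

# Constructed sample, shaped like `oc get egressnetworkpolicy default -n cp4waiops -o json`.
# All addresses and names are made-up values; rule 3 is deliberately misplaced.
SAMPLE_POLICY = json.loads("""
{"apiVersion": "network.openshift.io/v1", "kind": "EgressNetworkPolicy",
 "metadata": {"name": "default", "namespace": "cp4waiops"},
 "spec": {"egress": [
   {"type": "Allow", "to": {"cidrSelector": "1.2.3.0/24"}},
   {"type": "Allow", "to": {"dnsName": "www.example.com"}},
   {"type": "Deny",  "to": {"cidrSelector": "0.0.0.0/0"}},
   {"type": "Allow", "to": {"cidrSelector": "10.20.0.0/16"}}
 ]}}
""")

CATCH_ALL = ipaddress.ip_network("0.0.0.0/0")


def lint(policy):
    """Report rule-order problems. Rules are matched top to bottom, first match wins."""
    findings = []
    catch_all = None  # (index, type) of the first rule that matches every address
    for i, rule in enumerate(policy["spec"]["egress"]):
        if catch_all is not None:
            findings.append(f"rule {i} ({rule['type']}) is unreachable: "
                            f"rule {catch_all[0]} already matches 0.0.0.0/0")
            continue
        cidr = rule["to"].get("cidrSelector")
        if cidr and ipaddress.ip_network(cidr) == CATCH_ALL:
            catch_all = (i, rule["type"])
    if catch_all is None or catch_all[1] != "Deny":
        findings.append("no effective Deny 0.0.0.0/0: unmatched egress stays allowed")
    return findings


def verdict(policy, dest_ip, dest_name=None):
    """Return Allow or Deny for one destination; traffic matching no rule is allowed.

    Simplification: dnsName rules are compared with the name the caller passes in,
    whereas the cluster matches on the addresses that the name resolves to.
    """
    ip = ipaddress.ip_address(dest_ip)
    for rule in policy["spec"]["egress"]:
        to = rule["to"]
        if "cidrSelector" in to and ip in ipaddress.ip_network(to["cidrSelector"]):
            return rule["type"]
        if "dnsName" in to and dest_name == to["dnsName"]:
            return rule["type"]
    return "Allow"


if __name__ == "__main__":
    for finding in lint(SAMPLE_POLICY):
        print("FINDING:", finding)
    print("10.20.1.5 ->", verdict(SAMPLE_POLICY, "10.20.1.5"))
```

In the sample, the Allow rule for 10.20.0.0/16 sits after the catch-all Deny and never takes effect, which is the failure that step 2 describes for providers with egress dependencies.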

7. Install the Infrastructure Automation operator

Note: Both the operators iaf-core-operators and iaf-operators need to be pre-installed to prevent Cloud Pak for Watson AIOps from crashing. Install the Infrastructure Automation operator for a Power cluster.

For more information about operators, see Adding Operators to a cluster in the Red Hat OpenShift documentation.

  1. Log in to your OpenShift cluster's console.

  2. Click Operators > OperatorHub. The OperatorHub page is displayed.

  3. In the All Items field, enter IBM Infrastructure Automation. The Infrastructure Automation operator is displayed.

  4. Click the IBM Infrastructure Automation tile. The IBM Infrastructure Automation window is displayed.

  5. Click Install. The Install Operator page is displayed.

  6. Enter the following values:

    • Set the Namespace to be the project (namespace) in which to install the Operator, such as cp4waiops.
    • Set Update Channel to v4.1.
    • Set Approval Strategy to Automatic.
  7. Click Install and wait for the IBM Infrastructure Automation operator to install.

  8. Verify that the IBM Infrastructure Automation operator is successfully installed.

Navigate to Operators > Installed Operators, and select your project from the Projects dropdown. IBM Infrastructure Automation and its dependent operators in the project are listed with a status of Succeeded.

After a few minutes, verify that the Infrastructure Automation operator is installed in the cp4waiops project (namespace) with the following command:

oc get pods -n cp4waiops | grep ibm-infrastructure-automation-operator-controller-manager

8. Install Infrastructure Automation

You can create the Infrastructure Automation custom resource with the default values that are provided, or customize these values before you create the custom resource.

You would typically change the default value of Infrastructure Automation custom resource, if you plan to change one or more of the following for Managed services during installation of Managed services:

Create Infrastructure Automation custom resource with customization

The following command creates an instance of the Infrastructure Automation custom resource, called IAConfig, with customization for Managed services. Put your customization parameters under the spec.manageservice section. The install parameters that can be customized, along with their default values, are listed on the Managed services installation parameters page.

cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4waiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
  - enabled: <Set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
    name: ibm-management-im-install
    spec: {}
  - enabled: <Set to true to install Managed services component of Infrastructure Automation, false otherwise>
    name: ibm-management-cam-install
    spec:
      manageservice:
        <Set your custom installation parameter values>
  license:
    accept: <Set true to accept the license>
  storageClass: <Storage Class name that supports RWX>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF

Create Infrastructure Automation custom resource with default values

Run the following command to create an instance of the Infrastructure Automation custom resource called IAConfig. The install parameters and their default values are listed on the Managed services installation parameters page.

cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4waiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
    - enabled: <set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
      name: ibm-management-im-install
      spec: {}
    - enabled: <set to true to install Managed services component of Infrastructure Automation, false otherwise>
      name: ibm-management-cam-install
      spec: {}
  license:
    accept: <set true to accept the license>
  storageClass: <Storage Class name that supports RWX>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF

Create Infrastructure Automation custom resource and deploy the Infrastructure management operand

Run the following command to create an instance of the Infrastructure Automation custom resource called IAConfig. The install parameters in this resource deploy the Infrastructure management operand.

cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4waiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
    - enabled: <set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
      name: ibm-management-im-install
      spec:
        iminstall:
          applicationDomain: <YOUR_IM_HTTPD_ROUTE>
          imagePullPolicy: Always
          imagePullSecret: ibm-entitlement-key
          initialAdminGroupName: <YOUR_LDAP_USER_GROUP>
          license:
            accept: true
    - enabled: <set to true to install Managed services component of Infrastructure Automation, false otherwise>
      name: ibm-management-cam-install
      spec: {}
  license:
    accept: <set true to accept the license>
  storageClass: <Storage Class name that supports RWX>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF

Where:

  • YOUR_IM_HTTPD_ROUTE is a user-defined route, which must include a name for your installation plus part of your Infrastructure Automation console route. Use the following oc command to obtain the console route and modify it to derive your Infrastructure Automation route.

    oc get ingress.config.openshift.io -o=jsonpath='{.items[0].spec.domain}'
    

    Example output:

    apps.mycluster.myibm.com
    
    Prefix the output with inframgmtinstall to create YOUR_IM_HTTPD_ROUTE.

    For example: inframgmtinstall.apps.mycluster.myibm.com

  • YOUR_LDAP_USER_GROUP is an existing user-group defined in your LDAP repository. As part of the initial setup, this LDAP group is created in Infrastructure Automation to match your existing LDAP group by name, and assigned an account role which facilitates SSO login.

Important:

  • You must specify an LDAP user-group and it must contain at least one user that is able to login to the Infrastructure Automation console. For example, you have an existing LDAP group that is named group100 and a user with the username user100 is a member of the group. You enter group100 for the value of <YOUR_LDAP_USER_GROUP>.

  • YOUR_IM_HTTPD_ROUTE is a user-defined route, which must include a name for your installation plus part of your Infrastructure Automation console route. Use the following oc command to obtain the console route and modify it to derive your Infrastructure Automation route.

    oc -n ibm-common-services get route cp-console --template '{{.spec.host}}'
    

    Example output:

    cp-console.apps.mycluster.myibm.com
    

    Replace the first section cp-console with inframgmtinstall to create YOUR_IM_HTTPD_ROUTE

    For example: inframgmtinstall.apps.mycluster.myibm.com


Important: After deploying the Infrastructure management operand, make sure that the LDAP group is added to the Platform UI: navigate to Administration > Access control, and create a new LDAP group from the existing LDAP group. For more information, see Configuring LDAP connections.

9. Verify the install

After a few minutes, run the following command to verify that your deployment is successful.

oc get iaconfigs.aiops.ibm.com -A

Example output:

NAME               PHASE        VERSION   STORAGECLASS   STORAGECLASSLARGEBLOCK   AGE
ibm-ia-installer   Installing   4.1.2     rook-cephfs    rook-ceph-block          8m44s

Note: The STORAGECLASSLARGEBLOCK will be blank if the environment is upgraded from a previous release.

There is no egress firewall policy defined when you install Infrastructure Automation, so outgoing traffic from workload pods to the internal and external network is unrestricted. To make your environment more secure, create an EgressNetworkPolicy by following the steps in 6. Create an EgressNetworkPolicy.

10. Check the deployed pods in the deployed namespace

oc -n cp4waiops get deploy | grep -E "cam|ibm-infra"

Example output:

cp4waiops     cam-iaas                                                    1/1     1            1           12h
cp4waiops     cam-install-operator-controller-manager                     1/1     1            1           12h
cp4waiops     cam-mongo                                                   1/1     1            1           12h
cp4waiops     cam-orchestration                                           1/1     1            1           12h
cp4waiops     cam-portal-ui                                               1/1     1            1           12h
cp4waiops     cam-provider-ansible                                        0/0     0            0           12h
cp4waiops     cam-provider-bpm                                            0/0     0            0           12h
cp4waiops     cam-provider-terraform-api                                  1/1     1            1           12h
cp4waiops     cam-provider-terraform-runtime                              0/0     0            0           12h
cp4waiops     cam-proxy                                                   1/1     1            1           12h
cp4waiops     cam-service-composer-api                                    1/1     1            1           12h
cp4waiops     cam-service-composer-ui                                     1/1     1            1           12h
cp4waiops     cam-service-library-ui                                      1/1     1            1           12h
cp4waiops     cam-service-library-ui-api                                  1/1     1            1           12h
cp4waiops     cam-tenant-api                                              1/1     1            1           12h
cp4waiops     cam-ui-basic                                                1/1     1            1           12h
cp4waiops     ibm-infra-management-install-operator                       1/1     1            1           12h

11. Log in to the Infrastructure Automation console

  1. Find the password for the admin username by running the following command:

    oc -n ibm-common-services get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d
    
  2. Find the URL to access the Infrastructure Automation console with the following command:

    oc get route -n cp4waiops cpd -o jsonpath='{.spec.host}'
    

    Sample output:

    cpd-cp4waiops.apps.mycluster.mydomain
    

    Based on the sample output, your console URL would be https://cpd-cp4waiops.apps.mycluster.mydomain.

12. Assign user roles and permissions

When you install Infrastructure Automation and deploy Infrastructure management, you, or an administrator, must add the required Kubernetes permissions to user roles before your users can begin to access and use Infrastructure Automation tools, such as Managed services or the Service catalog. For instance, users that do not have an Administrator role are not able to use the Infrastructure management Managed services and Service Catalog or create user groups. For more information about how to add permissions to a role, see Managing roles for Infrastructure Automation.