Online installation of stand-alone Infrastructure Automation (console)

Follow these steps to complete an online installation of stand-alone Infrastructure Automation.

If you have a license for IBM Cloud Pak for AIOps, you are entitled to install and use Infrastructure Automation.

Before you begin

Procedure

Follow these steps to install Infrastructure Automation.

  1. Install and configure Red Hat OpenShift
  2. Configure storage
  3. Create a custom project (namespace)
  4. Create the entitlement key secret
  5. Create the catalog source
  6. Install Cert Manager
  7. Install the License Service
  8. Create an EgressFirewall
  9. Install the Infrastructure Automation operator
  10. Install Infrastructure Automation
  11. Verify the deployment
  12. Check the deployed pods in the deployed namespace
  13. Log in to the Infrastructure Automation console
  14. Assign user roles and permissions

Prerequisites

Allow access to the following sites and ports:

Table 1. Sites and ports that must be accessible

Site                                                                            Description
icr.io, cp.icr.io, dd0.icr.io, dd2.icr.io, dd4.icr.io, dd6.icr.io               Allow access to these hosts on port 443 to enable access to the IBM Cloud Container Registry and IBM Cloud Pak® foundational services catalog source.
dd1-icr.ibm-zh.com, dd3-icr.ibm-zh.com, dd5-icr.ibm-zh.com, dd7-icr.ibm-zh.com  If you are located in China, also allow access to these hosts on port 443.
github.com                                                                      GitHub houses IBM Cloud Pak tools and scripts.
redhat.com                                                                      Red Hat OpenShift registries that are required for Red Hat OpenShift, and for Red Hat OpenShift upgrades.

For more information, see Configuring your firewall for OpenShift Container Platform.

1. Install and configure Red Hat OpenShift Container Platform

For more information about the supported Red Hat OpenShift versions, see Supported Red Hat OpenShift Container Platform versions.

  1. Install Red Hat OpenShift by using the instructions in the Red Hat OpenShift documentation.

  2. Install the Red Hat OpenShift command line interface (oc) on your cluster's boot node and run oc login. For more information, see the instructions in Getting started with the Red Hat OpenShift CLI.

  3. Optionally configure a custom certificate for Infrastructure Automation to use. You can use either of the following methods:

2. Configure storage

You must configure your own storage for use with Infrastructure Automation. For more information, see Storage considerations.

3. Create a custom project (namespace)

Create a project (namespace) called cp4aiops for your Infrastructure Automation deployment:

  1. From the Red Hat OpenShift Container Platform console, navigate to Home > Projects.

  2. Click Create Project.

  3. Enter a project (namespace) name. For example, cp4aiops.

  4. Add a display name and description as needed.

  5. Click Create.

Note: Infrastructure Automation does not support deploying into different namespaces within a cluster.

4. Create the entitlement key pull secret

Complete the following steps to create a registry secret to enable your deployment to pull the IBM Cloud Pak for AIOps images from the IBM® Entitled Registry.

  1. Obtain the entitlement key that is assigned to your IBMid. Log in to MyIBM Container Software Library with the IBMid and password details that are associated with the entitled software.

  2. In the Active entitlement keys section, select Copy to copy the entitlement key to the clipboard.

  3. From your Red Hat OpenShift console, click Workloads > Secrets.

  4. From the Project menu, select the project that you created earlier in Create a custom project (namespace).

  5. Click the Create button, and select Image pull secret from the menu. The Create image pull secret form is displayed. Enter the following values and then click Create.

    • Secret name: ibm-entitlement-key
    • Authentication type: Image registry credentials
    • Registry server address: cp.icr.io
    • Username: cp
    • Password: use the entitlement key that you copied in step 2.

5. Create the catalog source

Add the Infrastructure Automation catalog source to your Red Hat OpenShift cluster.

After installation, the ibm-operator-catalog CatalogSource object determines whether the upgrade of your Infrastructure Automation deployment is initiated automatically when a new patch becomes available. The ibm-operator-catalog CatalogSource object can be configured to automatically poll for and retrieve a newer catalog by enabling the polling attribute spec.updateStrategy.registryPoll. If a newer catalog for a patch is found and retrieved, then an automatic upgrade of your Infrastructure Automation deployment is initiated. For more information, see Upgrading Infrastructure Automation.

You can disable or re-enable automatic patch upgrade after installation if you change your mind. For more information, see Configuring automatic patch upgrades.

Note: ibm-operator-catalog also contains the catalogs for other IBM Cloud Paks®. If multiple IBM Cloud Paks are installed on your cluster, then the polling attribute is configured for all of them.

Run the steps in Create the catalog source with automatic upgrade disabled or Create the catalog source with automatic upgrade enabled.

Create the catalog source with automatic upgrade disabled

  1. Create the ibm-operator-catalog CatalogSource object without polling enabled.

    Log in to your Red Hat OpenShift cluster's console. Click the plus icon in the upper right to open the Import YAML dialog box, paste in the following YAML, and then click Create.

    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog:latest
    
  2. Update the ibm-operator-catalog CatalogSource to fix it to always use the current image digest, instead of icr.io/cpopen/ibm-operator-catalog:latest. This ensures that the ibm-operator-catalog CatalogSource pods do not pull the latest image if a node reload or other issue causes them to restart.

    1. Go to Home > Projects, and select openshift-marketplace.

    2. Go to Workloads > Pods (on the left menu), and then search for ibm-operator-catalog.

    3. Click the returned ibm-operator-catalog-<...> pod.

    4. Click YAML to switch to the YAML view.

    5. Search for imageID in the YAML, and copy down the value of spec.containerStatuses.imageID. The value is in a format similar to the following example:

      icr.io/cpopen/ibm-operator-catalog@sha256:<...>
      
    6. Go to Administration > Cluster Settings. Under Configuration > OperatorHub > Sources, scroll down and click ibm-operator-catalog.

    7. Click YAML to switch to the YAML view.

    8. Set the value of spec.image to the value of the current image digest that you found in step 2, instead of to icr.io/cpopen/ibm-operator-catalog:latest.

  3. Go to Administration > Cluster Settings. Under Configuration > OperatorHub > Sources, verify that the ibm-operator-catalog CatalogSource object is present.
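
The digest pinning in step 2, done from the command line instead of the console, as an added example that is not part of the original IBM procedure. It assumes a logged-in oc session and that the catalog pod is selected by OLM's olm.catalogSource label; imageID is read from the pod's status.containerStatuses, and the script refuses to pin anything that is not a sha256 digest of icr.io/cpopen/ibm-operator-catalog.

```shell
#!/bin/sh
# Added example: pin ibm-operator-catalog to the digest its pod is running,
# instead of the mutable :latest tag.
set -eu

CATALOG_NS="openshift-marketplace"
CATALOG_NAME="ibm-operator-catalog"
CATALOG_REPO="icr.io/cpopen/ibm-operator-catalog"

# Return 0 only for "<CATALOG_REPO>@sha256:<64 lowercase hex digits>".
# Tags such as :latest, other repositories and truncated digests are rejected.
is_pinned_catalog_ref() {
  case "$1" in
    "${CATALOG_REPO}@sha256:"*) ;;
    *) return 1 ;;
  esac
  digest=${1#"${CATALOG_REPO}@sha256:"}
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0123456789abcdef]*) return 1 ;;
  esac
  return 0
}

# Print the merge patch that sets spec.image, or fail if the reference is
# not a pinned digest of the expected repository.
build_pin_patch() {
  if ! is_pinned_catalog_ref "$1"; then
    echo "refusing to pin non-digest reference: $1" >&2
    return 1
  fi
  printf '{"spec":{"image":"%s"}}' "$1"
}

# Read the running image digest from the catalog pod and patch the
# CatalogSource with it.
# Assumption: the pod carries OLM's olm.catalogSource=<name> label.
pin_catalog() {
  image_id=$(oc get pods -n "$CATALOG_NS" -l "olm.catalogSource=$CATALOG_NAME" \
    -o jsonpath='{.items[0].status.containerStatuses[0].imageID}')
  patch=$(build_pin_patch "$image_id")
  oc patch catalogsource "$CATALOG_NAME" -n "$CATALOG_NS" --type merge -p "$patch"
  # Show what the CatalogSource references after the patch.
  oc get catalogsource "$CATALOG_NAME" -n "$CATALOG_NS" -o jsonpath='{.spec.image}{"\n"}'
}

# Touch the cluster only when asked to: sh pin-catalog.sh --apply
if [ "${1:-}" = "--apply" ]; then
  pin_catalog
fi
```

The script file name pin-catalog.sh is hypothetical. Run the script again after any deliberate catalog update so that spec.image tracks the digest you reviewed.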

Create the catalog source with automatic upgrade enabled

  1. Create the ibm-operator-catalog CatalogSource object with polling enabled.

    Log in to your Red Hat OpenShift cluster's console. Click the plus icon in the upper right corner to open the Import YAML dialog box, paste in the following YAML, and then click Create.

    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog:latest
      updateStrategy:
        registryPoll:
          interval: 45m
    
  2. Go to Administration > Cluster Settings. Under Configuration > OperatorHub > Sources, verify that the ibm-operator-catalog CatalogSource object is present.

6. Install Cert Manager

Skip this step if you already have a certificate manager installed on the Red Hat OpenShift cluster that you are installing Infrastructure Automation on. If you do not have a certificate manager then you must install one. The IBM Cloud Pak® foundational services Cert Manager is recommended, and can be installed with the following steps.

For more information about IBM Cloud Pak® foundational services Cert Manager hardware requirements, see IBM Certificate Manager (cert-manager) hardware requirements in the IBM Cloud Pak foundational services documentation.

  1. Log in to your Red Hat OpenShift cluster's console.

  2. Click Operators > OperatorHub. The OperatorHub page is displayed.

  3. In the All Items field, enter IBM Cert Manager. The IBM Cert Manager operator is displayed.

  4. Click the IBM Cert Manager tile. The IBM Cert Manager window is displayed.

  5. Click Install. You see the Install Operator page.

  6. Set the Update Channel to the v4.2 version. If the v4.2 channel is not available, click the other IBM Cert Manager tile in OperatorHub to install the correct version.

  7. Set Installation Mode to All namespaces on the cluster (default).

  8. Set Installed Namespace to ibm-cert-manager (Operator recommended).

  9. Set Update approval to Automatic.

  10. Click Install.

7. Install the License Service

Skip this step if the IBM Cloud Pak® foundational services License Service is already installed on the Red Hat OpenShift cluster that you are installing Infrastructure Automation on.

Infrastructure Automation requires the installation of the IBM Cloud Pak foundational services License Service. You must install the IBM Cloud Pak foundational services License Service on the Red Hat OpenShift cluster that you are installing Infrastructure Automation on.

Follow the instructions in Installing the License Service with OpenShift console in the IBM Cloud Pak foundational services documentation, from step 2 Create the ibm-licensing namespace onwards.

8. Create an EgressFirewall

There is no egress firewall policy defined when you install Infrastructure Automation, so outgoing traffic from workload pods to the internal and external network is unrestricted.

If you require a more secure environment, then use the following steps.

  1. Create an EgressFirewall on your Red Hat OpenShift cluster to limit egress from the Infrastructure Automation project (namespace).

    For information on creating an EgressFirewall, see Configuring an egress firewall for a project.

    Note: There must be only one EgressFirewall per project (namespace).

  2. Configure exceptions to the EgressFirewall.

    You must edit your EgressFirewall to allow traffic for external services, outbound cloud connections, and Infrastructure Management providers that you manage that have egress dependencies, otherwise these components fail when attempting egress.

    For more information about Infrastructure Automation connections and providers, see Managing connections and Managing Providers.

    Edit your EgressFirewall to allow or deny egress, as in the following example:

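    # API group of the OVN-Kubernetes EgressFirewall resource
    apiVersion: k8s.ovn.org/v1
    kind: EgressFirewall
    metadata:
      name: default
    spec:
      egress:
      - type: Allow
        to:
          cidrSelector: <1.2.3.0/24>
      - type: Allow
        to:
          dnsName: <www.example.com>
      - type: Allow
        to:
          dnsName: <www.developer.kubernetes.com>
      # Final rule: deny everything that no earlier rule allowed
      - type: Deny
        to:
          cidrSelector: <0.0.0.0/0>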
    

    Where the values you enter for dnsName and cidrSelector are the DNS names and addresses of sources that you require access for.
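
An added example (not from the original page) that audits the rule order of an existing EgressFirewall. It relies on rules being evaluated from first to last with the first match applied, and on egress that matches no rule staying allowed; it only detects rules shadowed by a 0.0.0.0/0 rule, and the cp4aiops default is the project name used on this page.

```shell
#!/bin/sh
# Added example: audit the rule order of a project's EgressFirewall.
set -eu

# Print the rules of the EgressFirewall named "default" in project $1, one per
# line in policy order, as "<type> <cidrSelector or dnsName>".
dump_egress_rules() {
  oc get egressfirewall default -n "$1" \
    -o jsonpath='{range .spec.egress[*]}{.type}{" "}{.to.cidrSelector}{.to.dnsName}{"\n"}{end}'
}

# Read rules in that form on stdin. Print one finding per problem and return 1
# if a rule can never match because an earlier rule already covers 0.0.0.0/0,
# or if the policy does not end with Deny 0.0.0.0/0.
check_egress_rules() {
  awk '
    NF == 0 { next }
    {
      n++
      if ($1 != "Allow" && $1 != "Deny") {
        printf "rule %d: unknown type %s\n", n, $1; bad = 1
      }
      if (catch_all) {
        printf "rule %d: unreachable, rule %d already matches 0.0.0.0/0\n", n, catch_all; bad = 1
      } else if ($2 == "0.0.0.0/0") {
        catch_all = n
      }
      last = $1 " " $2
    }
    END {
      if (last != "Deny 0.0.0.0/0") {
        print "policy does not end with Deny 0.0.0.0/0: unmatched egress stays allowed"; bad = 1
      }
      exit bad + 0
    }'
}

# Touch the cluster only when asked to: sh audit-egress.sh --audit [project]
if [ "${1:-}" = "--audit" ]; then
  dump_egress_rules "${2:-cp4aiops}" | check_egress_rules
fi
```

The script file name audit-egress.sh is hypothetical. An exception added below the final Deny rule, for example for a provider endpoint, is reported as unreachable, which is the usual reason such an exception appears to have no effect.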

9. Install the Infrastructure Automation operator

For more information about operators, see Adding Operators to a cluster in the Red Hat OpenShift documentation.

  1. Click Operators > OperatorHub. The OperatorHub page is displayed.

  2. In the All Items field, enter IBM Infrastructure Automation. The IBM Infrastructure Automation operator is displayed.

  3. Click the IBM Infrastructure Automation tile. The IBM Infrastructure Automation window is displayed.

  4. Click Install. The Install Operator page is displayed.

  5. Enter the following values:

    • Set Update channel to v4.6.
    • Installation mode - For more information about installation modes, see Operator installation mode.
    • Installed Namespace - If you are using the OwnNamespace installation mode (a specific namespace), then set this field to be the project (namespace) in which to install the operator. If you are using the AllNamespaces installation mode, then set this field to openshift-operators.
    • Set Update approval to Automatic.

    Warning: Update approval must not be changed to Manual. Manual approval, which requires the manual review and approval of the generated InstallPlans, is not supported. Incorrect timing or ordering of manual approvals of InstallPlans can result in a failed installation.

  6. Click Install and wait for the IBM Infrastructure Automation operator to install.

    Warning: installPlanApproval must not be changed to Manual. Manual approval, which requires the manual review and approval of the generated InstallPlans, is not supported. Incorrect timing or ordering of manual approvals of InstallPlans can result in a failed installation.

  7. Verify that the IBM Infrastructure Automation operator is successfully installed.

  8. Navigate to Operators > Installed Operators, and select your project from the Projects dropdown. The IBM Infrastructure Automation operator and its dependent operators in the project are listed with a Status of Succeeded.

10. Install Infrastructure Automation

You can create the Infrastructure Automation custom resource with the default set of values, or customize these values before you create the Infrastructure Automation custom resource.

Customize the default values for the Infrastructure Automation custom resource to modify the default replica count of the pods in Managed services, or to adjust any of the following defaults for Managed services:

Create Infrastructure Automation custom resource with default values

The following YAML file creates an instance of the Infrastructure Automation custom resource called IAConfig. The installation parameters and their default values are listed on the Managed services installation parameters page.

  1. Navigate to Operators > Installed Operators.

  2. Select the project (namespace) that you created earlier for your Infrastructure Automation deployment.

  3. Under the Provided APIs section, click IBM Infrastructure Automation.

  4. Click Create IAConfig tab.

  5. Switch to the YAML view and paste the following file:

    kind: IAConfig
    apiVersion: aiops.ibm.com/v1alpha1
    metadata:
      name: ibm-ia-installer
      namespace: cp4aiops
    spec:
      imagePullSecret: ibm-entitlement-key
      infraAutoComposableComponents:
        - enabled: <set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
          name: ibm-management-im-install
          spec: {}
        - enabled: <set to true to install Managed services component of Infrastructure Automation, false otherwise>
          name: ibm-management-cam-install
          spec: {}
      license:
        accept: <set true to accept the license>
      storageClass: <Storage Class name that supports RWX>
      storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
    

    To customize Managed services, you must put your customization parameters under the spec.manageservice section.

    - enabled: <Set to true to install Managed services component of Infrastructure Automation, false otherwise>
      name: ibm-management-cam-install
      spec:
        manageservice:
          <Set your custom installation parameter values>
    
  6. Click Apply.

Note: This option does not install Infrastructure Management. If you need to install Infrastructure Management, complete the installation of Infrastructure Automation and follow the steps that are listed in Create Infrastructure Automation custom resource and deploying Infrastructure Management operand.

Create Infrastructure Automation custom resource and deploying Infrastructure Management operand.

The following YAML file creates an instance of the Infrastructure Automation custom resource called IAConfig. The install parameters in this file deploy the Infrastructure Management operand.

  1. Navigate to Operators > Installed Operators.

  2. Select the project (namespace) that you created earlier for your Infrastructure Automation deployment.

  3. Under the Provided APIs section, click IBM Infrastructure Automation.

  4. Click Create IAConfig tab.

  5. Switch to the YAML view and paste the following file:

    kind: IAConfig
    apiVersion: aiops.ibm.com/v1alpha1
    metadata:
      name: ibm-ia-installer
      namespace: cp4aiops
    spec:
      imagePullSecret: ibm-entitlement-key
      infraAutoComposableComponents:
        - enabled: <set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
          name: ibm-management-im-install
          spec:
            iminstall:
              applicationDomain: <YOUR_IM_HTTPD_ROUTE>
              imagePullPolicy: Always
              imagePullSecret: ibm-entitlement-key
              initialAdminGroupName: <YOUR_LDAP_USER_GROUP>
              license:
                accept: true
        - enabled: <set to true to install Managed services component of Infrastructure Automation, false otherwise>
          name: ibm-management-cam-install
          spec: {}
      license:
        accept: <set true to accept the license>
      storageClass: <Storage Class name that supports RWX>
      storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
    

Where:

  • YOUR_IM_HTTPD_ROUTE is a user-defined route, which must include a name for your installation plus part of your Infrastructure Automation console route. Obtain the console route and modify it to derive your Infrastructure Automation route.

    1. In the Red Hat OpenShift console, navigate to API Explorer.

    2. Search Ingress in the Filter by kind search bar.

    3. Click the Ingress name, where the Group name is config.openshift.io.

    4. Click Instances.

    5. Click cluster > YAML.

      You see the value of domain located under spec.domain.

      Example output:

      apps.mycluster.myibm.com
      
  • Add inframgmtinstall to the output to create YOUR_IM_HTTPD_ROUTE

    For example: inframgmtinstall.apps.mycluster.myibm.com

  • YOUR_LDAP_USER_GROUP is an existing user-group that is defined in your LDAP repository. As part of the initial setup, this LDAP group is created in Infrastructure Automation to match your existing LDAP group by name, and assigned an account role that facilitates SSO login.

Important:

  • You must specify an LDAP user-group and it must contain at least one user that is able to log in to the Infrastructure Automation console. For example, you have an existing LDAP group that is named group100 and a user with the username user100 is a member of the group. You enter group100 for the value of <YOUR_LDAP_USER_GROUP>.

  • YOUR_IM_HTTPD_ROUTE is a user-defined route, which must include a name for your installation plus part of your Infrastructure Automation console route. Obtain the console route and modify it to derive your Infrastructure Automation route.

  1. Navigate to Networking > Routes.

  2. Click the route that is named cp-console.

  3. Click YAML.

  4. Find the value for spec.host.

    Example output:

    cp-console.apps.mycluster.myibm.com
    

    Replace the first section cp-console with inframgmtinstall to create YOUR_IM_HTTPD_ROUTE

    For example: inframgmtinstall.apps.mycluster.myibm.com

Note: This option installs Infrastructure Management.

Important: After deploying the Infrastructure Management operand, make sure that the LDAP group is added to the Platform UI by navigating to Administration > Access control, and then creating a new LDAP group from the existing LDAP group. For more information, see Configuring LDAP connections.

11. Verify the deployment

After a few minutes, use the following steps to check the status of your Infrastructure Automation installation.

  1. Click Operators > Installed Operators.

  2. From the Project list, select the project (namespace) where Infrastructure Automation is deployed.

  3. Click IBM Infrastructure Automation, then click the IBM Infrastructure Automation tab.

  4. Under IAConfigs, look at the entry with the name that you specified in the IAConfigs custom resource (Infrastructure Automation instance), and verify that the Status indicates Phase: Running.

Note: The STORAGECLASSLARGEBLOCK is blank if the environment is upgraded from a previous release.

There is no egress firewall policy defined when you install Infrastructure Automation, so outgoing traffic from workload pods to the internal and external network is unrestricted. To make your environment more secure, follow the steps here to create an EgressNetwork policy.

12. Check the deployed pods in the deployed namespace

From the OpenShift Container Platform console, navigate to Workloads > Pods, and verify that the following pods are running:

Name                                                          Status                                          Ready

1-automation                                                  Running                                          1/1
1-ems-metrics-processor                                       Running                                          2/2
1-event-handler                                               Running                                          1/1
1-generic                                                     Running                                          2/2
1-priority                                                    Running                                          2/2
1-remote-console                                              Running                                          1/1
1-reporting                                                   Running                                          2/2
1-schedule                                                    Running                                          1/1
1-ui                                                          Running                                          2/2
1-web-service                                                 Running                                          2/2
cam-iaas                                                      Running                                          1/1
cam-install-operator-controller-manager                       Running                                          1/1
cam-mongo                                                     Running                                          1/1
cam-orchestration                                             Running                                          1/1
cam-portal-ui                                                 Running                                          1/1
cam-provider-ansible                                          Running                                          0/0
cam-provider-bpm                                              Running                                          0/0
cam-provider-terraform-api                                    Running                                          1/1
cam-provider-terraform-runtime                                Running                                          0/0
cam-proxy                                                     Running                                          1/1
cam-service-composer-api                                      Running                                          1/1
cam-service-composer-ui                                       Running                                          1/1
cam-service-library-ui                                        Running                                          1/1
cam-service-library-ui-api                                    Running                                          1/1
cam-tenant-api                                                Running                                          1/1
cam-ui-basic                                                  Running                                          1/1
ibm-infra-management-application                              Running                                          1/1
ibm-infra-management-install-operator                         Running                                          1/1
ibm-infrastructure-automation-operator-controller-manager     Running                                          1/1

13. Access the Infrastructure Automation console

After you successfully install Infrastructure Automation, get the URL for accessing the Infrastructure Automation console.

You can use the Launch Cloud Pak in IBM Automation link to access the Infrastructure Automation console:

  1. Log in to the Red Hat OpenShift Container Platform web console as an administrator.

  2. Click Operators > Installed Operators.

  3. Click IBM Cloud Pak for AIOps.

  4. On the Operator Details page, click the IBM Cloud Pak for AIOps tab, and then click the IBM Cloud Pak for AIOps installation name.

  5. In the Details tab, right-click on the URL underneath Launch Cloud Pak in IBM Automation, and select Open Link in New Tab.

    The following output is a sample output:

    cpd-cp4aiops.apps.mycluster.mydomain
    

    Based on the sample output, your console URL would be https://cpd-cp4aiops.apps.mycluster.mydomain

  6. In the browser, log in with your username and password.

Find the Infrastructure Automation console username and password

The default username to access the Infrastructure Automation console is admin. You can check the default username and its password with the following steps.

Note: This information is for the IBM provided credentials (admin only) authentication type.

  1. To find the default username, select the project (namespace) where IBM Cloud Pak for AIOps is deployed, then navigate to Workloads > Secrets. Search for the platform-auth-idp-credentials secret name in the search bar. Click platform-auth-idp-credentials to view the secret. You can see the value of username from the admin_username field.

  2. To get the password, you can get the value from the admin_password field of the secret.

    The following extract shows a sample output:

    EwK9dj9fwPZHyHTyu9TyIgh9klZSzVsA
    

    Based on the sample output, your password would be EwK9dj9fwPZHyHTyu9TyIgh9klZSzVsA.

Important: You can change this default password at any time. For more information, see Changing the cluster administrator password.

14. Assign user roles and permissions

When you install Infrastructure Automation and deploy Infrastructure Management, you, or an administrator, must add the required Kubernetes permissions to user roles before your users can access and use Infrastructure Automation tools, such as Managed services or the Service catalog. For instance, users that do not have an Administrator role are not able to use the Infrastructure Management Managed services and Service Catalog or create user groups. For more information about how to add permissions to a role, see Managing roles for Infrastructure Automation.

15. Configure usage data collection (optional)

To help the development of Infrastructure Automation - Infrastructure Management, aggregated usage data is collected to analyze how Infrastructure Management is used. The collection of usage data is enabled by default, but can be disabled.

For the data collection, Infrastructure Management uses the existing daily job that is used for audit logging of managed resources and for licensing tracking. This job is extended to collect and send the usage data metrics to IBM. The sent data is then stored in IBM controlled GDPR-compliant systems. The usage data that is collected does not include personal information, passwords, or specific details. Only the following data is collected:

  • The number of virtual machines (VMs), hosts, providers (and provider types), services, and service catalog items that are being used in the Infrastructure Management inventory.
  • Whether Infrastructure Management is deployed as a containerized deployment (podified) or virtual machine appliance.
  • (Stand-alone deployments) The architecture where Infrastructure Management is deployed (Linux x86_64, Linux on Power (ppc64le), Linux® on IBM Z® and LinuxONE (s390x)).

Enabling the collection of usage data

To configure the collection of usage data, a secret is used, which includes your opt-in details, or your opt-out (disabling) of the data collection. Infrastructure Management uses the same aiops-metrics-processor secret as IBM Cloud Pak for AIOps to configure the opt-in or opt-out details for usage data collection. If you deployed Infrastructure Automation - Infrastructure Management and IBM Cloud Pak for AIOps in the same namespace, you can share this secret for configuring the data collection.

Follow the steps to create the aiops-metrics-processor secret to configure your opt-in details:

  1. From OpenShift Container Platform console, click Workloads > Secrets.

  2. From the Project menu, select the project that you created earlier in the Create a custom project (namespace) step.

  3. Click Create > Key/value secret from the menu. The create key/value secret form is displayed.

  4. Enter the following Key/Value pairs:

    • Secret name: name of the secret, for example aiops-metrics-processor.
    • customerName: your company name.
    • customerICN: your IBM Customer Number (ICN).
    • environment: you can choose trial for testing, poc for proof of concept, or production for production environments.
  5. If you have a firewall enabled, ensure that outbound traffic to https://api.segment.io is allowed.

Important: Usage data without your customer details is still collected even if you do not create this secret. If you do not want any usage data collected, then you must disable the collection of usage data. For more information, see Disabling the collection of usage data.

Disabling the collection of usage data

To disable the collection of usage data, add the key/value pair enableCollection=false in the created secret.

  1. From OpenShift Container Platform console, click Workloads > Secrets.
  2. Click the name of the secret that you created for collection of usage data, for example aiops-metrics-processor.
  3. Add enableCollection as key and false as its value.
  4. Click Save.

Note: You can update your usage data collection preferences after installation.