Installing IBM Cloud Pak for AIOps on Azure Red Hat OpenShift (ARO)

If you are installing IBM Cloud Pak® for AIOps on Azure Red Hat OpenShift (ARO), then you must complete some additional steps before you rejoin the main installation procedure for installing IBM Cloud Pak for AIOps on Red Hat® OpenShift® Container Platform.

Before you begin

Ensure that you meet the following prerequisites:

  • Access to the Azure portal (requires email invitation).

  • Red Hat subscription, with username and password.

  • Azure account permissions to deploy an ARO cluster. You must have the following permissions directly on the virtual network, on the resource group, or on the subscription containing it:

    • Contributor and User Access Administrator permissions, or
    • Owner permissions

    For example, an Azure user with assigned roles of Application administrator and Conditional Access administrator has adequate permission.

Installation procedure

Follow these steps to install IBM Cloud Pak for AIOps on ARO.

  1. Configure Azure and Red Hat access
  2. Create an ARO cluster
  3. Configure storage
  4. Install IBM Cloud Pak for AIOps

1. Configure Azure and Red Hat access

  1. Install the Azure command-line interface (CLI), az.

    Follow the instructions Install the Azure CLI on LinuxOpens in a new tab in the Azure documentation.

  2. Get an OpenShift pull secret to enable access to the OpenShift container registries.

    1. Log in to the OpenShift cluster manager portalOpens in a new tab.

    2. Click Download pull secret to download the pull secret, and save it to a file called pull-secrets.json. This file is used in step 2.2

  3. Log in to the Azure CLI.

    Run the following command to log in to the Azure CLI, and to find your subscription-id.

    az login
    az account show | jq .id
    
  4. Register providers to your Azure account.

    az account set --subscription <subscription-id>
    az provider register -n Microsoft.RedHatOpenShift --wait
    az provider register -n Microsoft.Compute --wait
    az provider register -n Microsoft.Storage --wait
    az provider register -n Microsoft.Authorization --wait
    az feature register --namespace Microsoft.RedHatOpenShift --name preview
    

    Where <subscription-id> is the subscription-id that you found in the previous step.

2. Create an ARO cluster

  1. Create dependant assets.

    Run the following commands to create a virtual network that contains two empty subnets.

    # Set environment variables for use by the `az` commands
    export SUFFIX=waiops4test
    export LOCATION=eastus
    export RESOURCEGROUP=aro-$SUFFIX
    export CLUSTER=cluster-$SUFFIX
    
    # Create a resource group
    az group create -g $RESOURCEGROUP -l $LOCATION
    
    # Create a new virtual network in the resource group that you created above:
    az network vnet create -g $RESOURCEGROUP \
      -n aro-vnet-$SUFFIX \
      --address-prefixes 10.0.0.0/22
    
    # Add an empty subnet for the master nodes:
    az network vnet subnet create -g $RESOURCEGROUP \
      -n master-subnet-$SUFFIX \
      --vnet-name aro-vnet-$SUFFIX \
      --address-prefixes 10.0.0.0/23 \
      --service-endpoints Microsoft.ContainerRegistry \
      --disable-private-link-service-network-policies true
    
    # Add an empty subnet for the worker nodes:
    az network vnet subnet create -g $RESOURCEGROUP \
      -n worker-subnet-$SUFFIX \
      --vnet-name aro-vnet-$SUFFIX \
      --address-prefixes 10.0.2.0/23 \
      --service-endpoints Microsoft.ContainerRegistry
    
  2. Run the following command to create an ARO cluster.

    Note: Use worker-vm-size Standard_D16s_v3 for a small, starter deployment of IBM Cloud Pak for AIOps and a worker-vm-size of Standard_D48s_v3 for a large, production deployment of IBM Cloud Pak for AIOps.

    az aro create -g $RESOURCEGROUP \
      -n $CLUSTER \
      --vnet aro-vnet-$SUFFIX \
      --master-subnet master-subnet-$SUFFIX \
      --worker-subnet worker-subnet-$SUFFIX \
      --worker-count 6 \
      --worker-vm-size Standard_D16s_v3 \
      --master-vm-size Standard_D8s_v3 \
      --pull-secret @pull-secrets.json
    

    Note: pull-secrets.json must be the file that the Red Hat OpenShift secret was stored in, in step 1.2.

    It takes approximately 35 minutes for the ARO cluster to be created. Progress can be viewed from the Azure console or CLI.

  3. When the ARO cluster is created, run the following command to log in to it.

    oc login \
     -u kubeadmin -p $(az aro list-credentials  -n $CLUSTER -g $RESOURCEGROUP | jq -r .kubeadminPassword) \
     -s $(az aro show  -n $CLUSTER -g $RESOURCEGROUP | jq -r .apiserverProfile.url)
    

3. Configure storage

Azure's native storage is not compatible with some IBM Cloud Pak for AIOps components. Configure one of the following supported storage providers for IBM Cloud Pak for AIOps:

  • Red Hat® OpenShift® Data Foundation (ODF)
  • Portworx Enterprise

Note: Storage classes and storage providers cannot be changed after you install IBM Cloud Pak for AIOps. OADP backup and restore requires that a ReadWriteMany (RWX) storage class must be provided. If OADP backup and restore is not needed, a ReadWriteOnce (RWO) storage class can be provided as the RWX-storage-class-name in the installation instance CR YAML file. This configuration cannot be changed after IBM Cloud Pak for AIOps is installed.

3.1 Configuring Red Hat OpenShift Data Foundation

To configure Red Hat OpenShift Data Foundation storage for your IBM Cloud Pak for AIOps on ARO deployment, use the instructions in Deploying OpenShift Data Foundation on Azure Red Hat OpenShiftOpens in a new tab in the Red Hat documentation.

3.2 Configuring Portworx Enterprise

To configure Portworx storage for your IBM Cloud Pak for AIOps on ARO deployment, use the following instructions.

3.2.1 Create secret for Portworx

  1. Use a browser to access the Azure portal, portal.azure.com, click Azure Active Directory and find the value of Tenant ID in the returned page.

  2. From the command line, run the following command to set an environment that contains the tenant ID.

    export AZURE_TENANT_ID=<value of the tenant ID>
    
  3. Use a browser to access the Azure portal, portal.azure.com, and then click Virtual machines.

  4. In the search bar on the Virtual machines page, enter the value of your $SUFFIX environment variable as a filter and click the Name of any of the returned VMs.

  5. Click Access control (IAM) on the menu.

  6. On the cluster name | Access control (IAM) page, click View in the View deny assignments section.

  7. On the cluster name | Access control (IAM) page's Deny assignments tab, click the link beneath Name.

  8. On the Deny assignment | Users page, click the link in the Name column in the Deny assignment excludes section.

  9. In the enterprise application | Overview page, locate the Application ID field and copy it.

  10. From the command line, run the following command to set an environment variable that contains the application ID.

    export AZURE_CLIENT_ID=<value of the application ID>
    
  11. Use a browser to navigate to the Azure portal, portal.azure.com, and then click Azure Active Directory.

  12. On the Azure Active Directory | Overview page, click App registrations on the menu.

  13. On the Azure Active Directory | App registrations page, enter the cluster's client-id (that you just exported) in the filter field, and then click the link in the Display name column.

  14. On the returned Application registration details page, click Certificates and secrets on the menu.

  15. In the Certficates and secrets page, select + New client secret to create a new client secret.

  16. In the Add a client secret page, enter a Description and an Expiry, and select Add.

  17. On the Certificates and secrets page, locate the secret that you just added in the Client secrets section. Then select the copy icon next to the Value column to get the secret.

  18. From the command line, run the following command to set an environment variable that contains the client secret.

    export AZURE_CLIENT_SECRET=<value of the client secret>
    
  19. Create a secret

    Run the following command to create the secret

    oc delete secret px-azure -n kube-system
    oc create secret generic px-azure \
    -n kube-system \
    --from-literal=AZURE_TENANT_ID=${AZURE_TENANT_ID} \
    --from-literal=AZURE_CLIENT_ID=${AZURE_CLIENT_ID} \
    --from-literal=AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
    

3.2.2 Create a Portworx spec

A Portworx Enterprise spec is required to set up a Portworx storage cluster.

  1. From a browser, go to https://portworx.com, select LOGIN, and log in to your Portworx account. Select to use the Portworx Enterprise edition. Then, click Continue, and Continue again on the Portworx product comparison page.

  2. On the Spec Generator - Enterprise page, enter or select the following settings and then click Next.

    1. Select the checkbox for Use the Portworx Operator.
    2. Select 2.10 for the Portworx Version.
    3. Select the Built-in radio button for ETCD.
  3. On the next page, set the following values and then click Next.

    1. For Select your environment, select the Cloud radio button.
    2. Under Select Cloud Platform, select AZURE.
    3. Under Configure storage devices, select Create Using a Spec
    4. Under Size(GB), select 2000 GB
  4. Click Next to skip the Network configuration page.

  5. On the Customize page, select Azure Kubernetes Service (AKS), then click Finish, and click Agree to accept the license agreement.

  6. In the spec page, highlight and select the live download URL.

    For example, https://install.portworx.com/2.10?operator=true&mc=false&kbver=&b=true&kd=type%3DPremium_LRS%2Csize%3D150&s=%22type%3DPremium_LRS%2Csize%3D2000%22&c=px-cluster-e0fb19ba-4e45-4175-b92e-18003948b965&aks=true&stork=true&csi=true&mon=true&tel=false&st=k8s&promop=true

3.2.3 Installing the Portworx operator from Red Hat OpenShift Container Platform

  1. Open the Red Hat OpenShift Container Platform console for your Red Hat OpenShift Service on AWS cluster.

    If you need to find your ARO cluster credentials and console URL, you can use the following commands.

    az aro list-credentials  -n $CLUSTER -g $RESOURCEGROUP
    az aro show  -n $CLUSTER -g $RESOURCEGROUP | jq -r .consoleProfile.url
    
  2. Go to Operators > OperatorHub.

  3. Search for Portworx Enterprise. Then, click Install > Install.

    Warning: Do not click Create StorageCluster. You will create the storage cluster in the next step, with the spec that you saved.

  4. Portworx Enterprise is now listed under Operators > Installed Operators.

3.2.4 Create the Portworx storage cluster

  1. From the command line, run the following command to load the Portworx spec that you created into the ARO cluster.

    export PORTWORX_SPEC_URL=<spec_URL>
    curl -ks "${PORTWORX_SPEC_URL}&osft=true" | oc apply -f -
    

    Where <spec_URL> is the spec URL that you copied earlier.

  2. From the console, go to Operators > Installed Operators > Portworx Enterprise and select the StorageClusters tab. The storage cluster is ready when the Status changes from Phase: Initializing to Phase: Online.

  3. Create the Portworx storage classes. Follow the Define a custom Portworx storage class instructions in Installing recommended storage providers and configuring storage classes: Portworx.

4. Install IBM Cloud Pak for AIOps

You are now ready to install IBM Cloud Pak for AIOps.

Follow the procedure for installing IBM Cloud Pak for AIOps from step 3 in one of the following topics, according to your requirements:

Deleting the ARO cluster

If you no longer require your ARO cluster, you can remove it with the following command.

az aro delete -y -g $RESOURCEGROUP -n $CLUSTER