Online installation of Infrastructure Automation (CLI)

Follow these steps to complete an online installation of Infrastructure Automation.

If you have a license for IBM Cloud Pak for AIOps, you are entitled to install and use Infrastructure Automation.

Before you begin

Procedure

Follow these steps to install Infrastructure Automation.

  1. Install and configure Red Hat OpenShift
  2. Configure storage
  3. Create a custom project (namespace)
  4. Create the entitlement key secret
  5. Create the catalog source
  6. Install Cert Manager
  7. Install the License Service
  8. Create an EgressFirewall
  9. Install the Infrastructure Automation operator
  10. Install Infrastructure Automation
  11. Verify the deployment
  12. Check the deployed pods in the deployed namespace
  13. Log in to the Infrastructure Automation console
  14. Assign user roles and permissions

Prerequisites

Allow access to the following sites and ports:

Table 1. Sites and ports that must be accessible (site: description)

  • icr.io, cp.icr.io, dd0.icr.io, dd2.icr.io, dd4.icr.io, dd6.icr.io: Allow access to these hosts on port 443 to enable access to the IBM Cloud Container Registry and IBM Cloud Pak® foundational services catalog source.

  • dd1-icr.ibm-zh.com, dd3-icr.ibm-zh.com, dd5-icr.ibm-zh.com, dd7-icr.ibm-zh.com: If you are located in China, also allow access to these hosts on port 443.

  • github.com: GitHub houses IBM Cloud Pak tools and scripts.

  • redhat.com: Red Hat OpenShift registries that are required for Red Hat OpenShift, and for Red Hat OpenShift upgrades.

For more information, see Configuring your firewall for OpenShift Container Platform.

1. Install and configure Red Hat OpenShift Container Platform

For more information about the supported Red Hat OpenShift versions, see Supported Red Hat OpenShift Container Platform versions.

  1. Install Red Hat OpenShift by using the instructions in the Red Hat OpenShift documentation.

  2. Install the Red Hat OpenShift command line interface (oc) on your cluster's boot node and run oc login. For more information, see the instructions in Getting started with the Red Hat OpenShift CLI.

  3. Optionally configure a custom certificate for Infrastructure Automation to use. You can use either of the following methods:

2. Configure storage

You must configure your own storage for use with Infrastructure Automation. For more information, see Storage considerations.

3. Create a custom project (namespace)

Create a project (namespace) called cp4aiops for your Infrastructure Automation deployment, by running the following command:

oc create namespace cp4aiops

Note: Infrastructure Automation does not support deploying into different namespaces within a cluster.

4. Create the entitlement key pull secret

  1. Log in to MyIBM Container Software Library with the IBMid and password details that are associated with the entitled software.

  2. In the Entitlement keys section, select Copy key to copy your entitlement key to the clipboard.

  3. From the Red Hat OpenShift CLI, run the following command:

    oc create secret docker-registry ibm-entitlement-key \
        --docker-username=cp \
        --docker-password=<entitlement-key> \
        --docker-server=cp.icr.io \
        --namespace=cp4aiops
    

    Where <entitlement-key> is the entitlement key that you copied in the previous step.

5. Create the catalog source

Add the Infrastructure Automation catalog source to your Red Hat OpenShift cluster.

After installation, the ibm-operator-catalog CatalogSource object determines whether the upgrade of your Infrastructure Automation deployment is initiated automatically when a new patch becomes available. The ibm-operator-catalog CatalogSource object can be configured to automatically poll for and retrieve a newer catalog by enabling the polling attribute spec.updateStrategy.registryPoll. If a newer catalog for a patch is found and retrieved, then an automatic upgrade of your Infrastructure Automation deployment is initiated. For more information, see Upgrading Infrastructure Automation.

You can disable or re-enable automatic patch upgrade after installation if you change your mind. For more information, see Configuring automatic patch upgrades.

Note: ibm-operator-catalog also contains the catalogs for other IBM Cloud Paks®. If multiple IBM Cloud Paks are installed on your cluster, then the polling attribute is configured for all of them.

Run the steps in Create the catalog source with automatic upgrade disabled or Create the catalog source with automatic upgrade enabled.

Create the catalog source with automatic upgrade disabled

  1. Run the following command to create the ibm-operator-catalog CatalogSource object without polling enabled.

    cat << EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog:latest
    EOF
    
  2. Update the ibm-operator-catalog CatalogSource to pin it to the current image digest, instead of the floating tag icr.io/cpopen/ibm-operator-catalog:latest. This ensures that the ibm-operator-catalog CatalogSource pods do not pull the latest image if a node reload or other issue causes them to restart. Run the following commands:

    # Image ID (repository plus sha256 digest) that the running catalog pod actually pulled
    IMGDIGEST=$(oc get pods -n openshift-marketplace -l=olm.catalogSource=ibm-operator-catalog --no-headers -o=jsonpath='{.items[0].status.containerStatuses[0].imageID}')
    CATALOGIMG=$(oc get catalogsource ibm-operator-catalog -n openshift-marketplace -o jsonpath='{.spec.image}')
    # Patch only if the CatalogSource still uses the floating tag and a digest was found
    if [ "${CATALOGIMG}" = "icr.io/cpopen/ibm-operator-catalog:latest" ] && [ -n "${IMGDIGEST}" ]; then
      oc patch catalogsource ibm-operator-catalog -n openshift-marketplace --type=json -p "[{\"op\": \"replace\", \"path\": \"/spec/image\", \"value\": \"${IMGDIGEST}\"}]"
    fi
    
  3. Verify that the ibm-operator-catalog CatalogSource object is present, and is returned by the following command.

    oc get CatalogSources ibm-operator-catalog -n openshift-marketplace
    

    Example output:

    oc get CatalogSources ibm-operator-catalog -n openshift-marketplace
    NAME                   DISPLAY                 TYPE   PUBLISHER   AGE
    ibm-operator-catalog   IBM Operator Catalog    grpc   IBM         4h13m
    

Create the catalog source with automatic upgrade enabled

  1. Run the following command to create the ibm-operator-catalog CatalogSource object with polling enabled.

    cat << EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-operator-catalog
      publisher: IBM Content
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog:latest
      updateStrategy:
        registryPoll:
          interval: 45m
    EOF
    
  2. Verify that the ibm-operator-catalog CatalogSource object is present, and is returned by the following command.

    oc get CatalogSources ibm-operator-catalog -n openshift-marketplace
    

    Example output:

    oc get CatalogSources ibm-operator-catalog -n openshift-marketplace
    NAME                   DISPLAY                 TYPE   PUBLISHER   AGE
    ibm-operator-catalog   IBM Operator Catalog    grpc   IBM         4h13m
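
The two catalog source variants above differ in how the image is resolved and whether it is polled. The following Python script is an added example, not part of the IBM procedure: it classifies CatalogSource objects from JSON shaped like the output of `oc get catalogsource -n openshift-marketplace -o json`. The sample JSON, the three object names, the digest and the finding labels are constructed for illustration.

```python
import json

# Constructed digest for the sample; a real value comes from the catalog pod's imageID.
FAKE_DIGEST = "sha256:" + "a" * 64

# Constructed sample shaped like `oc get catalogsource -n openshift-marketplace -o json`.
# The three object names are invented so the variants can be told apart.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "tag-no-poll"},
   "spec": {"sourceType": "grpc",
            "image": "icr.io/cpopen/ibm-operator-catalog:latest"}},
  {"metadata": {"name": "tag-with-poll"},
   "spec": {"sourceType": "grpc",
            "image": "icr.io/cpopen/ibm-operator-catalog:latest",
            "updateStrategy": {"registryPoll": {"interval": "45m"}}}},
  {"metadata": {"name": "digest-pinned"},
   "spec": {"sourceType": "grpc",
            "image": "icr.io/cpopen/ibm-operator-catalog@DIGEST"}}
]}
""".replace("DIGEST", FAKE_DIGEST))


def parse_image_ref(image):
    """Split an image reference into (repository, tag, digest)."""
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    tag = None
    # Only a colon after the last "/" separates a tag; an earlier one is a registry port.
    if ":" in image.rsplit("/", 1)[-1]:
        image, tag = image.rsplit(":", 1)
    return image, tag, digest


def audit_catalog_source(cs):
    """Report how a grpc CatalogSource resolves its image and whether it polls."""
    spec = cs.get("spec") or {}
    result = {"name": cs["metadata"]["name"], "pinned": False, "poll": None, "findings": []}
    if spec.get("sourceType") != "grpc" or not spec.get("image"):
        return result  # nothing to pull, nothing to pin
    _, _tag, digest = parse_image_ref(spec["image"])
    strategy = spec.get("updateStrategy") or {}
    poll = (strategy.get("registryPoll") or {}).get("interval")
    result["pinned"], result["poll"] = digest is not None, poll
    if digest is None and poll:
        # Polling a tag: a newer catalog is retrieved and an upgrade can start unattended.
        result["findings"].append("auto-upgrade")
    elif digest is None:
        # No polling, but a restarted catalog pod can still pull whatever the tag points to.
        result["findings"].append("floating-tag")
    elif poll:
        # A digest is immutable, so polling it cannot retrieve a newer catalog.
        result["findings"].append("poll-noop")
    return result


if __name__ == "__main__":
    for item in SAMPLE["items"]:
        r = audit_catalog_source(item)
        print(f'{r["name"]:<14} pinned={r["pinned"]!s:<5} poll={r["poll"]} {r["findings"]}')
```

To run it against a cluster, replace SAMPLE with the parsed output of the oc command named in the comment.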
    

6. Install Cert Manager

Skip this step if you already have a certificate manager installed on the Red Hat OpenShift cluster that you are installing Infrastructure Automation on. If you do not have a certificate manager then you must install one. The IBM Cloud Pak® foundational services Cert Manager is recommended, and can be installed with the following steps.

For more information about IBM Cloud Pak® foundational services Cert Manager hardware requirements, see IBM Certificate Manager (cert-manager) hardware requirements in the IBM Cloud Pak foundational services documentation.

  1. Run the following command to create the resource definitions that you need:

    cat << EOF | oc apply -f -
    apiVersion: v1
    kind: Namespace
    metadata:
      name: ibm-cert-manager
    ---
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: ibm-cert-manager-operator-group
      namespace: ibm-cert-manager
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: ibm-cert-manager-operator
      namespace: ibm-cert-manager
    spec:
      channel: v4.2
      installPlanApproval: Automatic
      name: ibm-cert-manager-operator
      source: ibm-operator-catalog
      sourceNamespace: openshift-marketplace
    EOF
    
  2. Run the following command to ensure that the IBM Cloud Pak® foundational services Cert Manager pods have a STATUS of Running before proceeding to the next step.

    oc -n ibm-cert-manager get pods
    

    Example output for a successful IBM Cloud Pak® foundational services Cert Manager installation:

    NAME                                        READY   STATUS    RESTARTS   AGE
    cert-manager-cainjector-674854c49d-vstq4    1/1     Running   0          8d
    cert-manager-controller-646d4bd6fd-zwmqm    1/1     Running   0          8d
    cert-manager-webhook-8598787c8-s4lkt        1/1     Running   0          8d
    ibm-cert-manager-operator-c96957695-dkxnm   1/1     Running   0          8d
    

7. Install the License Service

Skip this step if the IBM Cloud Pak® foundational services License Service is already installed on the Red Hat OpenShift cluster that you are installing Infrastructure Automation on.

Infrastructure Automation requires the installation of the IBM Cloud Pak foundational services License Service. You must install the IBM Cloud Pak foundational services License Service on the Red Hat OpenShift cluster that you are installing Infrastructure Automation on.

  1. Run the following command to create the resource definitions that you need:

    cat << EOF | oc apply -f -
    apiVersion: v1
    kind: Namespace
    metadata:
      name: ibm-licensing
    ---
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: ibm-licensing-operator-group
      namespace: ibm-licensing
    spec:
      targetNamespaces:
      - ibm-licensing
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: ibm-licensing-operator-app
      namespace: ibm-licensing
    spec:
      channel: v4.2
      installPlanApproval: Automatic
      name: ibm-licensing-operator-app
      source: ibm-operator-catalog
      sourceNamespace: openshift-marketplace
    EOF
    
  2. Run the following command to ensure that the IBM Cloud Pak® foundational services License Server pods have a STATUS of Running before proceeding to the next step.

    oc -n ibm-licensing get pods
    

    Example output for a successful IBM Cloud Pak® foundational services License Service installation:

    NAME                                              READY   STATUS    RESTARTS   AGE
    ibm-licensing-operator-db4cd746c-xzmlf            1/1     Running   0          8d
    ibm-licensing-service-instance-596b99588f-76cc5   1/1     Running   0          8d
    

For more information about the IBM Cloud Pak® foundational services License Service, see License Service in the IBM Cloud Pak foundational services documentation.

8. Create an EgressFirewall

There is no egress firewall policy defined when you install Infrastructure Automation, so outgoing traffic from workload pods to the internal and external network is unrestricted.

If you require a more secure environment, then use the following steps.

  1. Create an EgressFirewall on your Red Hat OpenShift cluster to limit egress from the Infrastructure Automation project (namespace).

    For information on creating an EgressFirewall, see Configuring an egress firewall for a project.

    Note: There must be only one EgressFirewall per project (namespace).

  2. Configure exceptions to the EgressFirewall.

    You must edit your EgressFirewall to allow traffic for external services, outbound cloud connections, and Infrastructure Management providers that you manage that have egress dependencies, otherwise these components fail when attempting egress.

    For more information about Infrastructure Automation connections and providers, see Managing connections and Managing Providers.

    Edit your EgressFirewall to allow or deny egress, as in the following example:

    apiVersion: k8s.ovn.org/v1
    kind: EgressFirewall
    metadata:
      name: default
    spec:
      egress:
      - type: Allow
        to:
          cidrSelector: <1.2.3.0/24>
      - type: Allow
        to:
          dnsName: <www.example.com>
      - type: Allow
        to:
          dnsName: <www.developer.kubernetes.com>
      - type: Deny
        to:
          cidrSelector: <0.0.0.0/0>
    

    Where the values you enter for dnsName and cidrSelector are the DNS names and addresses of sources that you require access for.
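
Rule order decides what an EgressFirewall permits: OpenShift evaluates the rules from first to last, applies the first match, and allows traffic that matches no rule (this ordering comes from the OpenShift documentation, not from this page). The following Python script is an added example, not part of the IBM procedure. It lints a policy and reports required endpoints that would be blocked; the policy, host names, addresses and finding labels are constructed, and dnsName is matched by exact name only.

```python
import ipaddress

CATCH_ALL = ipaddress.ip_network("0.0.0.0/0")

# Constructed policy modelled on the example above. The CIDR, host names and the
# extra fourth rule are sample values, not taken from a real deployment.
POLICY = {
    "apiVersion": "k8s.ovn.org/v1",
    "kind": "EgressFirewall",
    "metadata": {"name": "default", "namespace": "cp4aiops"},
    "spec": {"egress": [
        {"type": "Allow", "to": {"cidrSelector": "192.0.2.0/24"}},
        {"type": "Allow", "to": {"dnsName": "www.example.com"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
        {"type": "Allow", "to": {"dnsName": "vcenter.example.com"}},  # added too late
    ]},
}

# Constructed list of endpoints the deployment is assumed to need: (host, resolved IP).
REQUIRED = [("www.example.com", "203.0.113.5"), ("vcenter.example.com", "198.51.100.10")]


def _target(rule):
    to = rule.get("to", {})
    return to.get("cidrSelector"), to.get("dnsName")


def lint(policy):
    """Return (rule_index, code) findings for an EgressFirewall object."""
    findings, deny_all_at = [], None
    for i, rule in enumerate(policy["spec"]["egress"]):
        cidr, dns = _target(rule)
        value = cidr or dns or ""
        if value.startswith("<") and value.endswith(">"):
            findings.append((i, "placeholder"))  # documentation placeholder left in place
            continue
        if deny_all_at is not None:
            findings.append((i, "unreachable"))  # the catch-all Deny always matches first
        if cidr:
            try:
                net = ipaddress.ip_network(cidr)
            except ValueError:
                findings.append((i, "bad-cidr"))
                continue
            if rule["type"] == "Deny" and net == CATCH_ALL and deny_all_at is None:
                deny_all_at = i
    if deny_all_at is None:
        findings.append((None, "no-default-deny"))  # unmatched egress stays allowed
    return findings


def decide(policy, ip, host=None):
    """Return (verdict, rule_index) using first-match semantics."""
    addr = ipaddress.ip_address(ip)
    for i, rule in enumerate(policy["spec"]["egress"]):
        cidr, dns = _target(rule)
        if cidr and addr in ipaddress.ip_network(cidr):
            return rule["type"], i
        if dns and host and dns.rstrip(".").lower() == host.rstrip(".").lower():
            return rule["type"], i
    return "Allow", None  # no rule matched


def blocked_dependencies(policy, required):
    """List required hosts whose egress the policy would deny."""
    return [host for host, ip in required if decide(policy, ip, host)[0] == "Deny"]


if __name__ == "__main__":
    print("lint:", lint(POLICY))
    print("blocked:", blocked_dependencies(POLICY, REQUIRED))
```

Moving the vcenter.example.com rule above the Deny rule clears both the lint finding and the blocked dependency.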

9. Install the Infrastructure Automation operator

For more information about operators, see Adding Operators to a cluster in the Red Hat OpenShift documentation.

  1. Create an OperatorGroup.

    Important: Skip this step if you are installing using the All Namespaces installation mode, and proceed to step 2, Set an environment variable for the Infrastructure Automation catalog.

    If you are installing using the OwnNamespace installation mode, then you must create an operator group in your custom project (namespace), or the Infrastructure Automation operator will not install. There might be an operator group for managing a namespace for given APIs. If there is an operator group for the namespace, do not create a second one. For more information, see Operator installation modes.

    Create the operator group by running the following command:

    cat << EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: cp4aiops-operator-group
      namespace: cp4aiops
    spec:
      targetNamespaces:
        - cp4aiops
    EOF
    
  2. Set an environment variable for the Infrastructure Automation catalog.

    export CATALOG_SRC_IA=<ia_catalog>
    

    Where <ia_catalog> is ibm-operator-catalog for an online deployment, or ibm-infrastructure-automation-operator-catalog for an offline deployment.

  3. Install the Infrastructure Automation operator.

    Run the following command.

    cat << EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: ibm-infrastructure-automation-operator
      namespace: cp4aiops
    spec:
      channel: v4.9
      installPlanApproval: Automatic
      name: ibm-infrastructure-automation-operator
      source: ${CATALOG_SRC_IA}
      sourceNamespace: openshift-marketplace
    EOF
    

Warning: installPlanApproval must not be changed to Manual. Manual approval, which requires the manual review and approval of the generated InstallPlans, is not supported. Incorrect timing or ordering of manual approvals of InstallPlans can result in a failed installation.

After a few minutes, verify that the Infrastructure Automation operator is installed in the cp4aiops project (namespace) with the following command:

oc get pods -n cp4aiops | grep ibm-infrastructure-automation-operator-controller-manager

10. Install Infrastructure Automation

You can create the Infrastructure Automation custom resource with the default set of values, or customize these values before you create the Infrastructure Automation custom resource.

Customize the default values for the Infrastructure Automation custom resource to modify the default replica count of the pods in Managed services, or to adjust any of the following defaults for Managed services:

Create Infrastructure Automation custom resource with default values

With the default values, you can install Managed services.

Run the following command to create an instance of the Infrastructure Automation custom resource called IAConfig. The installation parameters and their default values are listed on the Managed services installation parameters page.

cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4aiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
    - enabled: <set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
      name: ibm-management-im-install
      spec: {}
    - enabled: <set to true to install Managed services component of Infrastructure Automation, false otherwise>
      name: ibm-management-cam-install
      spec: {}
  license:
    accept: <set true to accept the license>
  storageClass: <Storage Class name that supports RWO>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF

To customize Managed services, you must place your customization parameters under the spec.manageservice section.

name: ibm-management-cam-install
spec:
  manageservice:
    <Set your custom installation parameter values>

The installation parameters that can be customized are listed on the Managed services installation parameters page.

Note: This option does not install Infrastructure Management. If you need to install Infrastructure Management, complete the installation of Infrastructure Automation and follow the steps that are listed in Create Infrastructure Management custom resource.

The following example shows customization when installing Managed services in offline mode:

name: ibm-management-cam-install
spec:
  manageservice:
    global:
      offline: true
    license:
      accept: true

Create Infrastructure Management custom resource

Important: If you previously created IAConfig with spec.manageservice section (customized parameters for Managed services), then you can edit the existing IAConfig file that you created, copy the content of spec.iminstall section as listed in the following example YAML file, and paste this content in the existing IAConfig file. In this case, you do not need to create the following YAML file.

Run the following command to create an instance of the Infrastructure Automation custom resource called IAConfig. These installation parameters deploy the Infrastructure Management operand.

cat << EOF | oc apply -f -
kind: IAConfig
apiVersion: aiops.ibm.com/v1alpha1
metadata:
  name: ibm-ia-installer
  namespace: cp4aiops
spec:
  imagePullSecret: ibm-entitlement-key
  infraAutoComposableComponents:
    - enabled: <set to true to install Infrastructure Management component of Infrastructure Automation, false otherwise>
      name: ibm-management-im-install
      spec:
        iminstall:
          applicationDomain: <YOUR_IM_HTTPD_ROUTE>
          imagePullPolicy: Always
          imagePullSecret: ibm-entitlement-key
          initialAdminGroupName: <YOUR_LDAP_USER_GROUP>
          license:
            accept: true
    - enabled: <set to true to install Managed services component of Infrastructure Automation, false otherwise>
      name: ibm-management-cam-install
      spec: {}
  license:
    accept: <set true to accept the license>
  storageClass: <Storage Class name that supports RWO>
  storageClassLargeBlock: <Select a storage class with a large block size (for example, 64k)>
EOF

Where:

  • YOUR_IM_HTTPD_ROUTE is a user-defined route, which must include a name for your installation plus part of your Infrastructure Automation console route. Use the following oc command to obtain the console route and modify it to derive your Infrastructure Automation route.

    oc get ingress.config.openshift.io -o=jsonpath='{.items[0].spec.domain}'
    

    Example output:

    apps.mycluster.myibm.com
    
  • Add inframgmtinstall to the output to create YOUR_IM_HTTPD_ROUTE

    For example: inframgmtinstall.apps.mycluster.myibm.com

  • YOUR_LDAP_USER_GROUP is an existing user-group that is defined in your LDAP repository. As part of the initial setup, this LDAP group is created in Infrastructure Automation to match your existing LDAP group by name, and assigned an account role that facilitates SSO login.

Important:

  • You must specify an LDAP user-group and it must contain at least one user that is able to log in to the Infrastructure Automation console. For example, you have an existing LDAP group that is named group100 and a user with the username user100 is a member of the group. You enter group100 for the value of <YOUR_LDAP_USER_GROUP>.

  • YOUR_IM_HTTPD_ROUTE is a user-defined route, which must include a name for your installation plus part of your Infrastructure Automation console route. Use the following oc command to obtain the console route and modify it to derive your Infrastructure Automation route.

    oc -n cp4aiops get route cp-console --template '{{.spec.host}}'
    

    Example output:

    cp-console.apps.mycluster.myibm.com
    

    Replace the first section cp-console with inframgmtinstall to create YOUR_IM_HTTPD_ROUTE

    For example: inframgmtinstall.apps.mycluster.myibm.com

Note: This option installs Infrastructure Management.

Important: After deploying the Infrastructure Management operand, make sure that the LDAP group is added to the Platform UI: navigate to Administration > Access control, and then create a new LDAP group from the existing LDAP group. For more information, see Configuring LDAP connections.

11. Verify the deployment

After a few minutes, run the following command to verify that your deployment is successful.

oc get iaconfigs.aiops.ibm.com -A

Example output:

NAME               PHASE        VERSION   STORAGECLASS   STORAGECLASSLARGEBLOCK   AGE
ibm-ia-installer   Installing   4.9.0     rook-cephfs    rook-ceph-block          8m44s

Note: The STORAGECLASSLARGEBLOCK is blank if the environment is upgraded from a previous release.

There is no egress firewall policy defined when you install Infrastructure Automation, so outgoing traffic from workload pods to the internal and external network is unrestricted. To make your environment more secure, create an egress network policy by following the steps in Create an EgressFirewall.

12. Check the deployed pods in the deployed namespace

oc -n cp4aiops get deploy | grep -E "cam|ibm-infra|1-"

Example output:

1-automation                                                1/1     1            1           15m
1-ems-metrics-processor                                     2/2     2            2           15m
1-event-handler                                             1/1     1            1           15m
1-generic                                                   2/2     2            2           15m
1-priority                                                  2/2     2            2           15m
1-remote-console                                            1/1     1            1           15m
1-reporting                                                 2/2     2            2           15m
1-schedule                                                  1/1     1            1           15m
1-ui                                                        2/2     2            2           15m
1-web-service                                               2/2     2            2           15m
cam-iaas                                                    1/1     1            1           17m
cam-install-operator-controller-manager                     1/1     1            1           20m
cam-mongo                                                   1/1     1            1           17m
cam-orchestration                                           1/1     1            1           17m
cam-portal-ui                                               1/1     1            1           17m
cam-provider-ansible                                        0/0     0            0           17m
cam-provider-bpm                                            0/0     0            0           17m
cam-provider-terraform-api                                  1/1     1            1           17m
cam-provider-terraform-runtime                              0/0     0            0           17m
cam-proxy                                                   1/1     1            1           17m
cam-service-composer-api                                    1/1     1            1           17m
cam-service-composer-ui                                     1/1     1            1           17m
cam-service-library-ui                                      1/1     1            1           17m
cam-service-library-ui-api                                  1/1     1            1           17m
cam-tenant-api                                              1/1     1            1           17m
cam-ui-basic                                                1/1     1            1           17m
ibm-infra-management-application                            1/1     1            1           20m
ibm-infra-management-install-operator                       1/1     1            1           20m
ibm-infrastructure-automation-operator-controller-manager   1/1     1            1           41m

13. Access the Infrastructure Automation console

After you successfully install Infrastructure Automation, get the URL for accessing the Infrastructure Automation console.

  1. Use the following command to get the URL to access the Infrastructure Automation console:

    oc get route -n cp4aiops cpd -o jsonpath='{.spec.host}'
    

    The following output is a sample output:

    cpd-cp4aiops.apps.mycluster.mydomain
    

    Based on the sample output, your console URL would be https://cpd-cp4aiops.apps.mycluster.mydomain

  2. Enter the URL in your browser to open the Infrastructure Automation console. Log in with your username and password.

Find the Infrastructure Automation console username and password

The default username to access the Infrastructure Automation console is admin. You can check the default username and its password with the following commands.

Note: This information is for the IBM provided credentials (admin only) authentication type.

  1. Find the default username.

    oc -n cp4aiops get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' | base64 -d && echo
    
  2. Get the password for the admin username.

    oc -n cp4aiops get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d
    

    The following extract shows a sample output:

    EwK9dj9fwPZHyHTyu9TyIgh9klZSzVsA
    

    Based on the sample output, your password would be EwK9dj9fwPZHyHTyu9TyIgh9klZSzVsA.

Important: You can change this default password at any time. For more information, see Changing the cluster administrator password.

14. Assign user roles and permissions

When you install Infrastructure Automation and deploy Infrastructure Management, you, or an administrator, must add the required Kubernetes permissions to user roles before your users can access and use Infrastructure Automation tools, such as Managed services or the Service catalog. For instance, users that do not have an Administrator role are not able to use the Infrastructure Management Managed services and Service Catalog or create user groups. For more information about how to add permissions to a role, see Managing roles for Infrastructure Automation.