Installing Concert, Concert Workflows, and Concert Data Apps with Secure Coder (Kubernetes)
The following instructions guide you through installing Concert, Concert Workflows, and Concert Data Apps with Secure Coder on a Kubernetes cluster. Secure Coder helps development and security teams identify, assess, and remediate security vulnerabilities throughout the software development lifecycle. Secure Coder integrates with IBM Concert to provide vulnerability scanning, exposure visibility, remediation recommendations, and guided remediation workflows across development and delivery environments.
Before you begin
Before you begin the installation process, ensure that you have the following prerequisites in place:
- Kubernetes cluster: A functional Kubernetes cluster (OCP, EKS, or RKE2) with appropriate resources allocated.
- Cluster CLI: You must have a cluster CLI (kubectl/oc) installed and logged in to the target cluster.
- Cluster access: Administrative access to the Kubernetes cluster with kubectl/oc configured.
- Helm installation:
Note: This step applies only if you are installing Concert Workflows. Install Helm version 3.x in a connected environment:
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
- Storage: Persistent storage provisioner configured for dynamic volume provisioning.
- Network access: Network connectivity to download software packages from the IBM GitHub repository and container registry.
- Entitlement key: Valid IBM entitlement key for accessing container images from the cp.icr.io/cp registry. See Obtaining an IBM entitlement API key.
- Sizing specifications: Verify that your cluster meets the minimum sizing specifications. See Sizing specifications for Kubernetes deployments.
- System requirements: Verify that your cluster meets the minimum system requirements for the products you are installing. See Hardware requirements, Software requirements, and Storage requirements.
- Consider this optional configuration option:
- Configure external databases: You can use external databases and storage services instead of the default internal ones. To configure external databases and storage services for the components you are installing, see:
Step 1: Download, extract, and export the latest software packages
- Download the latest software package, or download it directly from the GitHub repository: https://github.com/IBM/Concert/releases
wget https://github.com/IBM/Concert/releases/download/v3.0.0/ibm-concert-x86.tar.gz
- Extract the package.
tar xfz ibm-concert-x86.tar.gz
- Export the install directory.
export INSTALL_DIR=<install_directory>/ibm-concert
- Navigate to the target installation directory.
cd $INSTALL_DIR
Step 2: Create an external load balancer hostname
- Export the Concert Workflows deployment namespace.
export CW_NS="concert-workflows"
- Create an external load balancer hostname for Concert Workflows.
- Create a Concert Workflows namespace.
kubectl create namespace ${CW_NS}
- Navigate to the package directory.
cd ibm-concert/ibm-concert-k8s-workflows/bin/aws-eks
- Run the following command.
kubectl apply -f service-cw-ext.yaml -n ${CW_NS}
Sample result:
The external load balancer host name should be printed in the CLUSTER-IP column.
$ kubectl get svc -n ${CW_NS}
NAME           TYPE           CLUSTER-IP       EXTERNAL-IP                                             PORT(S)         AGE
solis-gw-ext   LoadBalancer   10.100.155.195   xyzxyzxyzxyzxyz-123456.eu-central-1.elb.amazonaws.com   443:31129/TCP   11h
Note: The EXTERNAL-IP value returned in this step is required when modifying the WORKFLOWS_INSTANCE_ADDRESS parameter in the params.ini file.
Step 3: Configure the params.ini file
The installation script requires a configuration file (params.ini) that defines environment-specific settings for Concert, Concert Workflows, and Concert Data Apps, located at $INSTALL_DIR/etc/params.ini.
For more information on the params.ini file, the list of sample params files for each installation type, and the list of required and optional parameters for installing on a Kubernetes cluster, see Configuring the params.ini file.
- Copy the required parameters from the sample-params file for your installation type:
cp $INSTALL_DIR/etc/sample-params/<sample-params-file-name> $INSTALL_DIR/etc/params.ini
Replace <sample-params-file-name> with the sample params file name for your installation type.
For example: If you want to install all three products (Concert, Concert Workflows, and Concert Data Apps), copy the concert-dataapps-workflows-k8s-params.ini file:
cp $INSTALL_DIR/etc/sample-params/concert-dataapps-workflows-k8s-params.ini $INSTALL_DIR/etc/params.ini
For more information on the list of sample params.ini files for each installation type, see Sample params.ini files.
- Open and edit the $INSTALL_DIR/etc/params.ini file with the required parameters:
vi $INSTALL_DIR/etc/params.ini
For more information on the list of required and optional parameters for installing on VM, see Parameters for installing on Kubernetes.
For example:
INSTALL_EKS=
# ----- Hub Configuration -----
# OPTIONAL:
# For connecting installed product(s) to an existing remote Hub,
# set HUB_URL and HUB_ACCESS_KEY parameters (details and examples in all-params.ini file).
# If these parameters are not provided, local Hub will be automatically installed
# HUB_URL=
# HUB_ACCESS_KEY=
# Registry users
REG_USER=
IMAGE_REGISTRY_PREFIX=cp.stg.icr.io/cp
# OPTIONAL: Set to 'true' to install additional local Hub components needed for integration with products like Turbonomic or Instana.
ENABLE_CROSS_PRODUCT_INTEGRATION=
HUB_IMAGE_REGISTRY_SUFFIX=/platform-hub
# ----- Concert Configuration -----
INSTALL_CONCERT=true
CONCERT_IMAGE_REGISTRY_SUFFIX=/concert
# ----- Secure Coder Configuration -----
INSTALL_SECURECODER=true
SECURECODER_NS=concert-securecoder
SECURECODER_IMAGE_REGISTRY_SUFFIX=/concert
SECURECODER_MEND_ENABLED=false
- Save the $INSTALL_DIR/etc/params.ini file.
Step 4: Configure the Secure Coder Mend integration (Optional)
If you set the SECURECODER_MEND_ENABLED parameter to true in the params.ini file, you must provide the sensitive credentials that are used to configure the Secure Coder Mend integration.
- If you want to use the Secure Coder Mend integration, you must provide the key that is used to authenticate the Mend user by running this command:
export SECURECODER_MEND_USER_KEY=<my-user-key>
Replace <my-user-key> with the user key.
- If you want to use the Secure Coder Mend integration, you must provide the API key that is used to authenticate to the Mend service by running this command:
export SECURECODER_MEND_API_KEY=<my-mend-api-key>
Replace <my-mend-api-key> with the Mend API key.
- If you want to use the Secure Coder Mend integration with watsonx.ai, provide the API key that is used to authenticate to the watsonx.ai instance by running this command:
export WATSONX_API_KEY=<my-watsonx-api-key>
Replace <my-watsonx-api-key> with the API key.
Step 5: Authenticate to an LLM instance (Optional)
If you set the ENABLE_AI parameter to true in the params.ini file, you must provide the sensitive credentials that are used to authenticate to the large language model (LLM) instance.
- If you want to use the on-premises instance of watsonx.ai that your Concert license entitles you to, and you set the WATSONX_API_USER parameter in params.ini, provide the corresponding password by running this command:
export WATSONX_API_PASSWORD=<my-secret-password>
Replace <my-secret-password> with the password.
- If you want to use a SaaS instance of watsonx.ai, provide the API key that is used to authenticate to the SaaS watsonx.ai instance by running this command:
export WATSONX_API_KEY=<my-watsonx-api-key>
Replace <my-watsonx-api-key> with the API key. If required, you can generate a key here.
- If you want to use a vLLM-provided model instance that requires authentication, you must provide the API key that is used to authenticate to the vLLM instance by running this command:
export LLM_API_KEY=<my-vllm-api-key>
Replace <my-vllm-api-key> with the API key.
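Before running the setup script, it is easy to miss one of the exports from Steps 4 and 5 and only find out mid-install. The following pre-flight check is an added example, not part of the IBM Concert package: it reads SECURECODER_MEND_ENABLED, ENABLE_AI and WATSONX_API_USER from a params.ini and reports which secret variables are still unset, printing variable names only. It assumes that, when ENABLE_AI is true and WATSONX_API_USER is not set, either WATSONX_API_KEY (SaaS watsonx.ai) or LLM_API_KEY (vLLM) must be present.

```shell
# Added pre-flight check (not part of the IBM Concert package): before running
# bin/setup, confirm that the secrets Steps 4 and 5 call for are exported, based
# on what params.ini enables. Only variable NAMES are ever printed, never values.

# Print the value of a key from params.ini ('# KEY=' comment lines do not match).
param_value() {   # $1 = params.ini path, $2 = key
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Print the names of required-but-unset variables, one per line.
missing_secrets() {   # $1 = params.ini path
    missing=""
    if [ "$(param_value "$1" SECURECODER_MEND_ENABLED)" = "true" ]; then
        for v in SECURECODER_MEND_USER_KEY SECURECODER_MEND_API_KEY WATSONX_API_KEY; do
            eval "val=\${$v:-}"
            [ -n "$val" ] || missing="$missing $v"
        done
    fi
    if [ "$(param_value "$1" ENABLE_AI)" = "true" ]; then
        if [ -n "$(param_value "$1" WATSONX_API_USER)" ]; then
            # On-premises watsonx.ai: the user name in params.ini needs its password.
            [ -n "${WATSONX_API_PASSWORD:-}" ] || missing="$missing WATSONX_API_PASSWORD"
        elif [ -z "${WATSONX_API_KEY:-}" ] && [ -z "${LLM_API_KEY:-}" ]; then
            # Assumption: without WATSONX_API_USER, the SaaS watsonx.ai key or the vLLM key is needed.
            missing="$missing WATSONX_API_KEY-or-LLM_API_KEY"
        fi
    fi
    printf '%s\n' "$missing" | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 when every required secret is exported; otherwise list the names on stderr.
preflight() {   # $1 = params.ini path
    m=$(missing_secrets "$1")
    [ -z "$m" ] && return 0
    printf 'missing before setup:\n%s\n' "$m" >&2
    return 1
}

# Constructed sample params.ini for a stand-alone run (not the shipped sample file).
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
SECURECODER_MEND_ENABLED=true
ENABLE_AI=true
# WATSONX_API_USER=
EOF

preflight "$SAMPLE_INI" || echo "export the variables listed above, then rerun bin/setup"
```

Point it at $INSTALL_DIR/etc/params.ini in the same shell session in which you ran the export commands above.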
Step 6: Run the installation setup script
- Run the installation setup script to deploy Concert, Concert Workflows, and Concert Data Apps on your Kubernetes cluster:
$INSTALL_DIR/bin/setup --license_acceptance=y --username=<user> --password=<password> --registry_password=<registry_entitlement_key>
Remember: The username and password that you specify when running the setup script will be used as the default values for the login, providing the initial credentials for access.
Parameter descriptions:
--username: Use the --username option to specify the default user for the installation. This option enables you to set a custom username value, which is used as the username for your product login.
--password: Use the --password option to specify the password for the default user for the installation. If you do not specify a value for this option, the tool prompts you to enter it.
--registry_password: Use the --registry_password option to specify the password required to access the source registry. If you are using cp.icr.io/cp as the source registry, then the password is the entitlement key.
--license_acceptance: The license acceptance flag must be set to y to proceed with the installation.
Note: Concert is sold under multiple licenses. All licenses are available in IBM Terms. Prior to installing or upgrading Concert, ensure that you know the license associated with your product, read the license that applies to your purchase, and ensure that you agree to the terms and conditions of the license.
Note: The installation process may take 15 to 30 minutes depending on your system resources and network speed.
- Verify the installation:
- Upon successful installation completion, you will see:
INFO DEPLOYMENT SUCCESSFUL
- If you encounter any errors during installation, check the installation logs:
$INSTALL_DIR/localstorage/logs/prod_install_logs_<timestamp>.log
Step 7: Create an ingress route
configMap file. This is to ensure proper configuration before setting up the ingress for the login URL.
nginx-controller or ALB controller to create ingress after Concert installation.
- Add the following modifications to the configMap file associated with your nginx-controller within your Concert namespace.
data:
  large-client-header-buffers: 8 64k
  proxy-buffer-size: 64k
  proxy-buffers-number: "8"
  proxy-busy-buffers-size: 128k
- Create the ingress to generate login details for Concert.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: concert
  namespace: concert
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: <nginx|alb>
  rules:
  - host: <host-name>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ibm-concert-solis-gw-svc
            port:
              number: 11443
- Replace <nginx|alb> with the ingress controller name (NGINX ingress controller or ALB controller).
- Replace <host-name> with the ingress controller load balancer hostname.
Sample output:
kubectl get service -n concert-ingress-nginx
NAME                                         TYPE           CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)                      AGE
concert-ingress-nginx-controller             LoadBalancer   172.20.4.86     af3665f70f31448fab7c7ef4ce9e4bfd-135489691.us-east-2.elb.amazonaws.com   80:30180/TCP,443:30979/TCP   71d
concert-ingress-nginx-controller-admission   ClusterIP      172.20.95.226   <none>                                                                    443/TCP                      71d
- Create the ingress to generate login details for Concert Data Apps.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dataapps
  namespace: dataapps
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: <nginx|alb>
  rules:
  - host: <host-name>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ibm-dataapps-solis-gw-svc
            port:
              number: 11443
- Replace <nginx|alb> with the ingress controller name (NGINX ingress controller or ALB controller).
- Replace <host-name> with the ingress controller load balancer hostname.
Sample output:
kubectl get service -n dataapps-ingress-nginx
NAME                                          TYPE           CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)                      AGE
dataapps-ingress-nginx-controller             LoadBalancer   172.20.4.86     af3665f70f31448fab7c7ef4ce9e4bfd-135489691.us-east-2.elb.amazonaws.com   80:30180/TCP,443:30979/TCP   71d
dataapps-ingress-nginx-controller-admission   ClusterIP      172.20.95.226   <none>                                                                    443/TCP                      71d
Copy the EXTERNAL-IP details from the route output. Then, use these details to create the login URL by replacing <EXTERNAL-IP> in https://<EXTERNAL-IP> with the copied information, resulting in a complete login URL that you can use to access the unified UI.
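Both Step 2 (the solis-gw-ext service whose EXTERNAL-IP goes into WORKFLOWS_INSTANCE_ADDRESS) and this step (the ingress controller's load balancer hostname) read the EXTERNAL-IP column out of kubectl get svc output. The helper below is an added example, not part of the IBM Concert package: it extracts that column for a named service, refuses the <pending> and <none> placeholders so you do not write a half-provisioned value into params.ini or a URL, and updates a KEY=value line in place. The sample service table and hostnames are constructed, and it assumes WORKFLOWS_INSTANCE_ADDRESS takes the bare hostname rather than a URL.

```shell
# Added example (not part of the IBM Concert package): read the EXTERNAL-IP column
# for one service out of `kubectl get svc` output, refuse placeholders such as
# <pending> (load balancer not yet assigned) or <none> (not a LoadBalancer), and
# turn the result into the login URL or the WORKFLOWS_INSTANCE_ADDRESS line in
# params.ini. Serves Step 2 (solis-gw-ext) and Step 7 (the ingress controller).

# stdin = `kubectl get svc -n <ns>` output, $1 = service name. Prints the
# EXTERNAL-IP hostname; fails when the service is missing or has no hostname yet.
external_ip() {
    awk -v svc="$1" 'NR > 1 && $1 == svc { print $4 }' | grep -Ev '^<(pending|none)>$'
}

# Same input; prints https://<EXTERNAL-IP> for the browser login.
login_url() {
    host=$(external_ip "$1") || return 1
    printf 'https://%s\n' "$host"
}

# $1 = params.ini path, $2 = key, $3 = value. Rewrites KEY=... in place, or
# appends it when the key is absent (a '# KEY=' comment is left untouched).
set_param() {
    if grep -q "^$2=" "$1"; then
        sed -i.bak "s|^$2=.*|$2=$3|" "$1" && rm -f "$1.bak"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Constructed sample output modelled on the Step 2 result; the hostnames are
# invented. Column order follows kubectl's table printer (EXTERNAL-IP is $4).
SAMPLE_SVC='NAME               TYPE           CLUSTER-IP       EXTERNAL-IP                                     PORT(S)         AGE
solis-gw-ext       LoadBalancer   10.100.155.195   example-123456.eu-central-1.elb.amazonaws.com   443:31129/TCP   11h
solis-gw-new       LoadBalancer   10.100.200.17    <pending>                                       443:31130/TCP   5s
solis-gw-internal  ClusterIP      10.100.10.7      <none>                                          11443/TCP       11h'

# Stand-alone demo: resolve the hostname and record it in a scratch params.ini.
# Assumption: WORKFLOWS_INSTANCE_ADDRESS takes the bare hostname, not a URL.
demo_params=$(mktemp)
printf 'INSTALL_EKS=true\nWORKFLOWS_INSTANCE_ADDRESS=\n' > "$demo_params"
if host=$(printf '%s\n' "$SAMPLE_SVC" | external_ip solis-gw-ext); then
    set_param "$demo_params" WORKFLOWS_INSTANCE_ADDRESS "$host"
    printf 'Concert Workflows login: %s\n' "$(printf '%s\n' "$SAMPLE_SVC" | login_url solis-gw-ext)"
else
    echo "load balancer hostname not assigned yet; rerun kubectl get svc later" >&2
fi
rm -f "$demo_params"
```

Against a live cluster, feed it real output, for example kubectl get svc -n ${CW_NS} | external_ip solis-gw-ext, and pass $INSTALL_DIR/etc/params.ini to set_param.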
Step 8: Expose the route
Complete the following steps to expose the route on an OCP cluster.
- Expose the Concert route:
- If the Concert installation is complete, generate a route to access Concert on your OCP cluster. The command uses a TLS certificate that is generated for internal communication. Alternatively, to use a custom certificate, refer to Replacing the default ingress certificate in the Red Hat® documentation for instructions:
- Generate a route to access Concert on your OCP cluster:
$INSTALL_DIR/ibm-concert-k8s/ocp-route.sh <concert_namespace>
- Retrieve the route created in the previous step:
oc get route concert -n <concert_namespace>
Tip: Record the details returned in the response, including the host, port, password, username, and keys. You need these values to access and manage your Concert instance.
- Extract the route secret:
oc extract -n <concert_namespace> secret/app-cfg-secret --to=-
- If you use your own custom certificate, edit the route to include the custom certificate. Refer to Creating a re-encrypt route with a custom certificate in the Red Hat documentation for details:
Sample output:
NAME      HOST/PORT                                     PATH   SERVICES                   PORT    TERMINATION          WILDCARD
concert   concert-concert.apps.bhocpb.cp.fyre.ibm.com          ibm-concert-solis-gw-svc   <all>   reencrypt/Redirect   None
- Expose the Concert Data Apps route:
$INSTALL_DIR/ibm-dataapps-k8s/ocp-route.sh <dataapps_namespace>
- Expose the Concert Workflows route:
export CW_NS=<workflows-namespace>
oc get route -n ${CW_NS}
Sample output:
oc get route -n concertworkflows
NAME       HOST/PORT                                                 PATH   SERVICES   PORT    TERMINATION   WILDCARD
solis-gw   xxxx-gw-concertworkflows.apps.cdwinstall.cp.fyre.ibm.com          solis-gw   11443   passthrough   None
Copy the HOST/PORT details from the route output. Then, use these details to create the login URL by replacing <HOST/PORT> in https://<HOST/PORT> with the copied information, resulting in a complete login URL that you can use to access the unified UI.
Enable or disable Secure Coder Mend integration
The manage-sc-scanner-config.sh script, located at ibm-concert-std-securecoder/bin/manage-sc-scanner-config.sh, allows the Mend SAST or SCA scanner integration to be enabled or disabled without performing a full reinstallation.
- To enable Secure Coder Mend integration:
- Export the required variables:
# Credentials
export SECURECODER_MEND_USER_KEY="<mend-user-key>"
export SECURECODER_MEND_API_KEY="<mend-api-key>"
export WATSONX_API_KEY="<watsonx-api-key>"
# Non-sensitive configuration
export SECURECODER_MEND_ORG_NAME="<org-name>"
export SECURECODER_MEND_SERVICE_URL="https://saas.mend.io"
export SECURECODER_MEND_EMAIL_ADDRESS="<mend-account-email>"
export SECURECODER_MEND_PROJECT_NAME="<project-name>"
export WATSONX_API_PROJECT_ID="<watsonx-project-id>"
export WATSONX_API_URL="<watsonx-base-url>"
# Optional
# export SECURECODER_MEND_PRODUCT_NAME="<product-name>"
# export WATSONX_API_MODEL_ID="<model-id>"
Variable descriptions:
<mend-user-key>: Replace with your Mend user key.
<mend-api-key>: Replace with the Mend API key.
<watsonx-api-key>: Replace with the API key.
<org-name>: Replace with the Mend organization name. This is the organization identifier in your Mend account, for example: my-company-org.
<service-url>: Replace with the Mend service endpoint URL, for example: https://app.mend.io.
<mend-account-email>: Replace with the email address associated with your Mend account, for example: security-team@company.com.
<project-name>: Replace with the name of the Mend project associated with the deployment.
<watsonx-project-id>: Replace with the ID of the watsonx.ai project that you want to use.
<watsonx-base-url>: Replace with the URL of the watsonx.ai instance, for example: https://us-south.ml.cloud.ibm.com.
<product-name>: Replace with the Mend product name.
<model-id>: Replace with the watsonx.ai model that is used.
- Enable Secure Coder Mend integration by running the following command:
./ibm-concert-k8s-securecoder/bin/manage-sc-scanner-config.sh \
  enable-mend --namespace=concert-securecoder
- Disable Secure Coder Mend integration by running the following command:
./ibm-concert-k8s-securecoder/bin/manage-sc-scanner-config.sh \
  disable-mend --namespace=concert-securecoder
- Check the current scanner status by running the following command:
./ibm-concert-k8s-securecoder/bin/manage-sc-scanner-config.sh \
  status --namespace=concert-securecoder
Next steps
For viewing audit logs and disabling audit logs, see Audit logging (Kubernetes).
After accessing the product, manage user permissions through the Managing users and roles guide.
If you encounter issues during installation or operation, see Troubleshooting.