Installing Concert, Concert Workflows, and Concert Data Apps (EKS)

Before you begin

Before you begin the installation process, ensure that you have the following prerequisites in place:

EKS cluster: A functional EKS cluster with appropriate resources allocated.
Cluster CLI: You must have the AWS CLI and kubectl client installed and logged in to the target cluster.
Cluster access: Administrative access to the EKS cluster with kubectl configured.
Helm installation:
Note: This step applies only if you are installing Concert Workflows.
Install Helm version 3.x in a connected environment:
```
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
```
Ingress controller: NGINX ingress controller or ALB controller installed and configured on your cluster.
Storage: Persistent storage provisioner configured for dynamic volume provisioning.
Network access: Network connectivity to download software packages from IBM GitHub repository and container registry.
Entitlement key: Valid IBM entitlement key for accessing container images from cp.icr.io/cp registry. See Obtaining an IBM entitlement API key.
Sizing specifications: Verify that your cluster meets the minimum sizing specifications. See Sizing specifications for Kubernetes deployments.
System requirements: Verify that your cluster meets the minimum system requirements for the products you are installing. See Hardware requirements, Software requirements, and Storage requirements.
Consider this optional configuration option:
- Configure external databases: You can use external databases and storage services instead of the default internal ones. To configure external databases and storage services for the components you are installing, see:

Step 1: Download, extract, and export the latest software packages

Download the latest software package, or download directly from the GitHub repository: https://github.com/IBM/Concert/releases
```
wget https://github.com/IBM/Concert/releases/download/v3.0.0/ibm-concert-x86.tar.gz
```
Extract the package.
```
tar xfz ibm-concert-x86.tar.gz
```

Export install directory.

export INSTALL_DIR=<install_directory>/ibm-concert

Navigate to the target installation directory.
```
cd $INSTALL_DIR
```

Step 2: Create an external load balancer hostname

Note: This step is required only if you are installing Concert Workflows.

Export the Concert Workflows deployment namespace.
```
export CW_NS="concert-workflows"
```

Create an external load balancer hostname for Concert Workflows.

Create a Concert Workflows namespace.
```
kubectl create namespace ${CW_NS}
```

Navigate to the package directory.

cd ibm-concert/ibm-concert-k8s-workflows/bin/aws-eks

Run the following command.

kubectl apply -f service-cw-ext.yaml -n ${CW_NS}

Sample result:

The external load balancer host name should be printed in the CLUSTER-IP column.

jkoza$ kubectl get svc -n ${CW_NS}
NAME           TYPE           CLUSTER-IP       EXTERNAL-IP                                                                 PORT(S)         AGE
solis-gw-ext   LoadBalancer   10.100.155.195   xyzxyzxyzxyzxyz-123456.eu-central-1.elb.amazonaws.com   443:31129/TCP   11h

Note: The EXTERNAL-IP value returned in this step is required when modifying the WORKFLOWS_INSTANCE_ADDRESS parameter in the params.ini file.

Step 3: Configure the params.ini file

The installation script requires a configuration file (params.ini) that defines environment-specific settings for Concert, Concert Workflows, and Concert Data Apps, located at $INSTALL_DIR/etc/params.ini.

For more information on params.ini file, list of sample params files as per the installation type, and list of required and optional parameters for installing on EKS, see Configuring the params.ini file.

Copy the required parameters from the sample-params file as per your installation type:
```
cp $INSTALL_DIR/etc/sample-params/<sample-params-file-name> $INSTALL_DIR/etc/params.ini
```
Replace <sample-params-file-name> with the sample params file name as per your installation type.
For example: If you want to install all three products (Concert, Concert Workflows, and Concert Data Apps), copy the concert-dataapps-workflows-k8s-params.ini file:
```
cp $INSTALL_DIR/etc/sample-params/concert-dataapps-workflows-k8s-params.ini $INSTALL_DIR/etc/params.ini
```
For more information on list of sample params.ini files as per the installation type, see Sample params.ini files.
Open and edit the $INSTALL_DIR/etc/params.ini file with required parameters:
```
vi $INSTALL_DIR/etc/params.ini
```
For more information on list of required and optional parameters for installing on Kubernetes, see Parameters for installing on Kubernetes.
Save the $INSTALL_DIR/etc/params.ini file.

Step 4: Configure the Secure Coder Mend integration (Optional)

Note: This step applies only if you intend to enable the Secure Coder.

If you set the SECURECODER_MEND_ENABLED parameter to true in the params.ini file, you must provide the sensitive credentials that will be used to configure the Secure Coder Mend integration.

If you want to use Secure Coder Mend integration, you must provide the key that is used to authenticate to the Mend user by running this command:
```
export SECURECODER_MEND_USER_KEY=<my-user-key>
```
Replace <my-user-key> with the user key.
If you want to use Secure Coder Mend integration, you must provide the API key that is used to authenticate to the Mend service by running this command:
```
export SECURECODER_MEND_API_KEY=<my-mend-api-key>
```
Replace <my-mend-api-key> with the Mend API key.
If you want to use a Secure Coder Mend integration with watsonx.ai, provide the API key that is used to authenticate to the watsonx.ai instance by running this command:
```
export WATSONX_API_KEY=<my-watsonx-api-key>
```
Replace <my-watsonx-api-key> with the API key.

Step 5: Authenticate to an LLM instance (Optional)

Note: This step applies only if you intend to enable the Concert Workflows AI assistant.

If you set the ENABLE_AI parameter to true in the params.ini file, you must provide the sensitive credentials that will be used to authenticate to the large language model (LLM) instance.

If you want to use the on-premises instance of watsonx.ai that your Concert license entitles you to, and you set the WATSONX_API_USER parameter in params.ini, provide the corresponding password by running this command:
```
export WATSONX_API_PASSWORD=<my-secret-password>
```
Replace <my-secret-password> with the password.
If you want to use a SaaS instance of watsonx.ai, provide the API key that is used to authenticate to the SaaS watsonx.ai instance by running this command:
```
export WATSONX_API_KEY=<my-watsonx-api-key>
```
Replace <my-watsonx-api-key> with the API key. If required, you can generate a key here.
If you want to use a vLLM-provided model instance which requires authentication, you must provide the API key that is used to authenticate to the vLLM instance by running this command:
```
export LLM_API_KEY=<my-vllm-api-key>
```
Replace <my-vllm-api-key> with the API key.

Step 6: Run the installation setup script

Run the installation setup script to deploy Concert, Concert Workflows, and Concert Data Apps on your EKS cluster:

$INSTALL_DIR/bin/setup --license_acceptance=y --username=<user> --password=<password> --registry_password=<registry_entitlement_key>

Remember: The username and password that you specify when running the setup script will be used as the default values for the login, providing the initial credentials for access.

Parameter	Description
`--username`	Use the `--username` option to specify the default user for the installation. This option enables you to set a custom username value, which is used as the username for your product login.
`--password`	Use the `--password` option to specify the password for the default user for the installation. If you do not specify a value for this option, the tool prompts you to enter it.
`--registry_password`	Use the `--registry_password` option to specify the password required to access the source registry. If you are using `cp.icr.io/cp` as the source registry, then the password is the entitlement key.
`--license_acceptance`	License acceptance flag must be set to `y` to proceed with installation. Note: Concert is sold under multiple licenses. All licenses are available in IBM Terms. Prior to installing or upgrading Concert, ensure that you know the license associated with your product, read the license that applies to your purchase, and ensure that you agree to the terms and conditions of the license.

Note: The installation process may take 15 to 30 minutes depending on your system resources and network speed.

Verify installation:
- Upon successful installation completion, you will see:
```
INFO DEPLOYMENT SUCCESSFUL
```
- If you encounter any errors during installation, check the installation logs:
```
$INSTALL_DIR/localstorage/logs/prod_install_logs_<timestamp>.log
```

Step 7: Create an ingress route

After completing the Concert installation, the next step is to create an ingress for the login URL. However, prior to creating the ingress, it is necessary to modify your configMap file. This is to ensure proper configuration before setting up the ingress for the login URL.

Note: Make sure that you are installing nginx-controller or ALB controller to create ingress after Concert installation.

Add the following modifications to the configMap file associated with your nginx-controller within your Concert namespace.

data:
  large-client-header-buffers: 8 64k
  proxy-buffer-size: 64k
  proxy-buffers-number: "8"
  proxy-busy-buffers-size: 128k

Create the ingress to generate login details for Concert.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: concert
  namespace: concert
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: <nginx|alb>
  rules:
  - host: <host-name>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ibm-concert-solis-gw-svc
            port:
              number: 11443

Replace <nginx|alb> with ingress controller name (NGINX ingress controller or ALB controller).
Replace <host-name> with the ingress controller load balancer hostname.

Sample output

kubectl get service -n concert-ingress-nginx
NAME                                         TYPE           CLUSTER-IP      EXTERNAL-IP                                                              PORT(S)                      AGE
concert-ingress-nginx-controller             LoadBalancer   172.20.4.86     af3665f70f31448fab7c7ef4ce9e4bfd-135489691.us-east-2.elb.amazonaws.com   80:30180/TCP,443:30979/TCP   71d
concert-ingress-nginx-controller-admission   ClusterIP      172.20.95.226   <none>                                                                   443/TCP                      71d

Create the ingress to generate login details for Concert Data Apps.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dataapps
  namespace: dataapps
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: <nginx|alb>
  rules:
  - host: <host-name>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ibm-dataapps-solis-gw-svc
            port:
              number: 11443

Replace <nginx|alb> with ingress controller name (NGINX ingress controller or ALB controller).
Replace <host-name> with the ingress controller load balancer hostname.

Sample output

kubectl get service -n dataapps-ingress-nginx
NAME                                         TYPE           CLUSTER-IP      EXTERNAL-IP                                                              PORT(S)                      AGE
dataapps-ingress-nginx-controller             LoadBalancer   172.20.4.86     af3665f70f31448fab7c7ef4ce9e4bfd-135489691.us-east-2.elb.amazonaws.com   80:30180/TCP,443:30979/TCP   71d
dataapps-ingress-nginx-controller-admission   ClusterIP      172.20.95.226   <none>                                                                   443/TCP                      71d

Step 8: Access the UI

After successful installation, open your web browser and access the Concert product. To login to your required component, you can either login to the unified instance UI or use the component-specific URL for log in:

Open the unified UI by entering https://<EXTERNAL-IP> in your browser.

Access to the Concert products using the following URLs:

Table 1. Component-specific access url
Components	URL	Example URL
Concert	`https://<EXTERNAL-IP>`	`https://af3665f70f31448fab7c7ef4ce9e4bfd-135489691.us-east-2.elb.amazonaws.com`
Concert Workflows	`https://<WORKFLOWS_INSTANCE_ADDRESS/EXTERNAL-IP>`	`https://xyzxyzxyzxyzxyz-123456.eu-central-1.elb.amazonaws.com`
Concert Data Apps	`https://<EXTERNAL-IP>`	`https://af3665f70f31448fab7c7ef4ce9e4bfd-135489691.us-east-2.elb.amazonaws.com`

Replace <EXTERNAL-IP> in the URL with the EXTERNAL-IP details from the ingress output.

Log in with your credentials. Use the username and password that you specified when running the installation setup script to log in to Concert.
Click Login to access the product.

Next steps

For viewing audit logs and disabling audit logs, see Audit logging (Kubernetes).

After accessing the product, manage user permissions through the Managing users and roles guide.

If you encounter issues during installation or operation, see Troubleshooting.