Set up FlashSystem.ai container

The FlashSystem.ai container enables the FlashSystem.ai assistant to interpret natural‑language queries and perform supported administrative tasks on IBM FlashSystem storage. The container runs entirely on customer‑managed, on‑premises Kubernetes infrastructure, and integrates securely with both IBM FlashSystem systems and IBM Storage Insights.

FlashSystem.ai requires an active IBM Storage Insights connection, using a Storage Insights API key and tenant ID. The container uses a secure proxy service through Storage Insights for language processing.

Environment requirements

Secure communication
To ensure secure interaction between FlashSystem systems and the container:
  • Use TLS‑protected communication end‑to‑end.
  • Install certificates trusted by both the FlashSystem and the container.
  • Enable only the network paths necessary for FlashSystem.ai.
  • The Kubernetes ingress controller must expose a valid TLS endpoint and support WebSocket connections.
Deployment characteristics
  • Deploy the container in a customer-managed, on‑premises Kubernetes or OpenShift environment.
  • GPUs not required.
  • A single container instance can support multiple FlashSystem systems.
  • One container per grid is recommended.
Connectivity
FlashSystem.ai uses REST API and WebSocket protocols. Your environment must allow the following connections:
Table 1. Connectivity requirements
Direction Protocol Requirement
FlashSystem ↔ Container
  • HTTPS 443
  • WSS 443
  • Outbound to ingress endpoint
  • FlashSystem REST API
  • Bi-directional communication
Container → IBM Storage Insights HTTPS Required for AI processing

FlashSystem.ai does not connect to IBM Cloud services directly.

Required credentials
Configure the container with the following credentials:
From IBM Storage Insights
  • Storage Insights API key
  • Storage Insights tenant ID
From IBM FlashSystems
  • One administrator service account per FlashSystem
  • Lower‑privilege accounts supported for monitoring‑only scenarios
From IBM Cloud
  • IBM Cloud login credentials
  • IBM Cloud IAM API Key

Preparing the Kubernetes environment

To complete the set up, obtain an IAM API Key from an IBM Cloud account.
Generate an IAM API key
  1. Log in to IBM Cloud.
  2. Select Manage > Access (IAM).
  3. Select API Keys, create a new key, and save it.
  4. This will be referred to as <YOUR_IAM_API_KEY>.
<INGRESS_HOST> is the DNS name for the application that resolves to your external ingress endpoint. The following examples assume you are using.
  • ingress controller of type ingress-nginx
  • imagePullSecret name: icr-io
  • deployed app name: flashsystem-app
Update commands if you use different names.
  1. Create a namespace
    kubectl create namespace flashsystem-app
  2. Create an image pull secret
    This step authenticates Kubernetes to IBM’s container registry.
    kubectl create secret docker-registry icr-io \
  --docker-server=icr.io \
  --docker-username=iamapikey \
  --docker-password=<YOUR_IAM_API_KEY> \
  --docker-email=<YOUR_EMAIL> \
  -n flashsystem-app
  3. Prepare TLS certificates
    FlashSystem.ai requires TLS re‑encryption:
    • FlashSystem to ingress: frontend TLS
    • Ingress to container: backend TLS
    Frontend TLS
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout ingress.key -out ingress.crt \
  -subj "/CN=<INGRESS_HOST>"

    kubectl create secret tls ingress-tls \
  --key ./ingress.key --cert ./ingress.crt \
  -n flashsystem-app
    Backend TLS
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout application.key -out application.crt \
  -subj "/CN=flashsystem-app-service.flashsystem-app.svc.cluster.local"

    kubectl create secret tls flashsystem-app-tls \
  --key ./application.key --cert ./application.crt \
  -n flashsystem-app
    Note:
    • If you deploy the app under a different name, update the certificate common name (CN) accordingly.
    • If your cluster uses an ingress controller other than ingress‑nginx, refer to the ingress provider’s documentation to enable backend TLS re‑encryption between the ingress controller and the application container.
    • Recommendation is using a certificate management solution, such as cert‑manager, to automate certificate issuance and rotation.

Preparing the helm chart

  1. Log in to IBM Container Registry
    helm registry login icr.io -u iamapikey
    The -u iamapikey value must be used exactly as shown. Do not replace it with your actual IAM API key.
  2. Pull the Helm chart
    Use the Helm chart URL provided by IBM:
    helm pull oci://icr.io/flashsystem-ai-release/flashsystem-ai:1.1.0
    Extract the chart:
    tar -xvf flashsystem-ai-1.1.0.tgz
cd flashsystem-ai-1.1.0/flashsystem-app

Configuring values.yaml

Edit the values.yaml file.
Namespace configuration
namespace:
create: false
name: "flashsystem-app"
Image pull secret
imagePullSecrets:
  - name: icr-io
Ingress host
hosts:
  - host: "<INGRESS_HOST>"
TLS secrets
tls:
  frontend:
    secretname: ingress-tls
  backend:
    secretname: flashsystem-app-tls
Modify settings as required, if your ingress controller differs from nginx.
Note: If you use an ingress controller other than ingress-nginx, you must update the configuration values and, if needed, modify the Helm chart to meet the requirements of your chosen ingress controller.

Deploy the container

Deploy into the target namespace:
helm install flashsystem-ai . --namespace flashsystem-app

Accessing the setup page

  1. Open your browser and go to: 
    https://<INGRESS_HOST>/setup
  2. On the Setup page, locate the GUI Key section.
  3. After generating the GUI Key, you must also add and configure each FlashSystem that you want the FlashSystem.ai application to manage. This includes entering the system address and providing the required Administrator service account for each system.
  4. If the key is regenerated later, you must re-run chaicontainerinfo command on each FlashSystem connected to the container.
You do not need to manually store or manage this key.

Register each FlashSystem

Run the following command on each FlashSystem to connect it to the container:
svctask chaicontainerinfo -key <GUI_KEY> -url <INGRESS_HOST>:443
svcinfo lsaicontainerinfo
where:
  • <GUI_KEY> comes from the setup page.
  • <INGRESS_HOST> is your ingress hostname.

Using FlashSystem.ai in the management GUI

After registration is complete and successful connectivity to the container:
  • The FlashSystem.ai icon appears in the management GUI.
  • Selecting the icon opens the AI assistant panel.
  • Each interaction creates a session that is associated with the logged‑in user.
  • Sessions end when the page is refreshed or when the user logs out.