Preparing to install nginx, IBM Cert Manager, and Cloud Pak foundational services
Procedure
- Clone the repository and files. Make sure that you have all files for nginx, Cloud Pak foundational services, and IBM® Certificate Manager.
  - Download and unpack the repository to your local system.
      curl -L -o ibm-guardium-data-security-center-2.6.0.tgz https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-guardium-data-security-center/2.6.0/ibm-guardium-data-security-center-2.6.0.tgz
      tar xvzf ibm-guardium-data-security-center-2.6.0.tgz
  - Go to the Guardium® Data Security Center operator directory.
      cd ibm-guardium-data-security-center-/inventory/install/files/support/eks
- The nginx controller is necessary for managing the Amazon load balancer and serving web pages through your EKS cluster.
  - It is important to revise the aws-load-balancer-subnet field in the services before you apply the manifest. To do this, open nginx-controller-deploy.yaml, go to the annotations section, and replace the values with the output that you obtain with the following commands.
    - Run the following command to obtain the subnet.
        export cluster_name="gi-eks" # replace with your EKS cluster name
        export region="us-east-2" # replace with region where you have created your cluster
        aws eks describe-cluster --name ${cluster_name} --region ${region} --query "cluster.resourcesVpcConfig.subnetIds"
      Example output:
        [ "subnet-6594180c", "subnet-a35cb3ee", "subnet-8d9c4af6" ]
    - Deploy the nginx controller.
        export subnets=$(aws eks describe-cluster --name ${cluster_name} --region ${region} --query "cluster.resourcesVpcConfig.subnetIds" --output json | jq -r 'join(",")')
        sed "s/{{subnets}}/$subnets/" nginx-controller-deploy.yaml | oc apply -f -
    - Confirm that the controller is installed successfully and that an ELB/NLB is assigned to it.
        oc get svc -n ingress-nginx
        NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP                                       PORT(S)                      AGE
        ingress-nginx-controller             LoadBalancer   10.100.245.72   XX-33ff0d06be12646a.elb.us-east-2.amazonaws.com   80:32719/TCP,443:31834/TCP   28d
        ingress-nginx-controller-admission   ClusterIP      10.100.31.56    <none>
      In this example, EXTERNAL-IP is your ELB/NLB address.
    - Retrieve the external IP from the previous step and create an A record in your Amazon Route 53, or any other service that you use for creating subdomains. For example, *.apps.yoursubdomainname.domainname.
- Install the IBM Certificate Manager.
  - Disable prerequisite checks.
      export IBMPAK_LAUNCH_SKIP_PREREQ_CHECK=true
    Important: Prerequisite checks are disabled because they often mistakenly flag the kubectl version as outdated, even when you use the latest version.
  - Install the IBM Certificate Manager catalog.
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --action install-catalog \
        --inventory $CERT_MANAGER_INVENTORY_SETUP \
        --namespace openshift-marketplace \
        --args "--inputDir ${LOCAL_CASE_DIR}"
  - Verify the pods.
      oc get pods -n openshift-marketplace
      NAME                             READY   STATUS    RESTARTS   AGE
      community-operators-pzsjl        1/1     Running   0          117m
      ibm-cert-manager-catalog-vsq58   1/1     Running   0          30s
  - Install the IBM Cert Manager operators.
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --inventory $CERT_MANAGER_INVENTORY_SETUP \
        --action install-operator \
        --namespace ibm-cert-manager \
        --args "--inputDir ${LOCAL_CASE_DIR}"
  - Make sure that the csv for IBM Cert Manager has a Succeeded phase.
      oc get csv -n ibm-cert-manager
      NAME                                               DISPLAY                       VERSION               REPLACES   PHASE
      aws-efs-csi-driver-operator.v4.14.0-202403060538   AWS EFS CSI Driver Operator   4.14.0-202403060538              Succeeded
      ibm-cert-manager-operator.v4.2.1                   IBM Cert Manager              4.2.1                            Succeeded

      oc get pods -n ibm-cert-manager
      NAME                              READY   STATUS    RESTARTS   AGE
      cert-manager-cainjector-c9dd8     1/1     Running   0          97s
      cert-manager-controller-54fb      1/1     Running   0          97s
      cert-manager-webhook-5dc          1/1     Running   0          96s
      ibm-cert-manager-operator-75c8    1/1     Running   0          106s
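
The "Deploy the nginx controller" step pipes the $subnets value straight into sed and oc apply, so a failed or empty AWS query still produces a manifest that gets applied. The following is an added example, not IBM's code, that validates the value before substitution; the function names, the subnet ID pattern, and the template contents are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code). Function names are hypothetical.

# Assumption: subnet IDs are "subnet-" plus 8 or 17 lowercase hex characters.
SUBNET_RE='subnet-([0-9a-f]{8}|[0-9a-f]{17})'

# validate_subnets LIST: succeed only if LIST is a single-line, comma-joined list
# of subnet IDs, which is the form the jq 'join(",")' step produces.
validate_subnets() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr -d '\n')" ] || {
        echo "subnet list is empty or multi-line" >&2; return 1; }
    printf '%s\n' "$1" | grep -Eqx "${SUBNET_RE}(,${SUBNET_RE})*" || {
        echo "unexpected subnet list: $1" >&2; return 1; }
}

# render_manifest TEMPLATE LIST: print TEMPLATE with {{subnets}} replaced by LIST.
# Validation first means LIST cannot carry sed metacharacters such as / or &.
render_manifest() {
    validate_subnets "$2" || return 1
    grep -qF '{{subnets}}' "$1" || {
        echo "no {{subnets}} placeholder in $1" >&2; return 1; }
    rendered=$(sed "s/{{subnets}}/$2/" "$1") || return 1
    case $rendered in
        *'{{subnets}}'*) echo "placeholder left after substitution" >&2; return 1 ;;
    esac
    printf '%s\n' "$rendered"
}

# Constructed stand-in for the annotations section of nginx-controller-deploy.yaml;
# the real file's contents are not shown on this page.
demo_template=$(mktemp)
cat > "$demo_template" <<'EOF'
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-subnets: "{{subnets}}"
EOF

# Subnet IDs taken from the example output on this page.
render_manifest "$demo_template" "subnet-6594180c,subnet-a35cb3ee,subnet-8d9c4af6"
# A failed AWS query leaves an empty value: nothing is printed for oc to apply.
render_manifest "$demo_template" "" || echo "refused empty subnet list" >&2
rm -f "$demo_template"
```

In the real procedure, call `render_manifest nginx-controller-deploy.yaml "$subnets"` and pipe its output to `oc apply -f -` only if it exits with status 0 (for example, with `set -o pipefail` in bash).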