Preparing to install nginx, IBM Cert Manager, and Cloud Pak foundational services

Procedure

  1. Clone the repository and files. Make sure that you have all files for nginx, Cloud Pak foundational services, and IBM® Certificate Manager.
    1. Download and unpack the repository to your local system.
      curl -L -o ibm-guardium-data-security-center-2.6.0.tgz https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-guardium-data-security-center/2.6.0/ibm-guardium-data-security-center-2.6.0.tgz
      tar xvzf ibm-guardium-data-security-center-2.6.0.tgz
    2. Go to the Guardium® Data Security Center operator directory.
      cd ibm-guardium-data-security-center-/inventory/install/files/support/eks
  2. The nginx controller is necessary for managing the Amazon load balancer and serving web pages through your EKS cluster.
    1. It is important to revise the aws-load-balancer-subnet field in the services before you apply the manifest. To do this, open nginx-controller-deploy.yaml, go to the annotations section, and replace the values with the output that you obtain with the following commands.
    2. Run the following command to obtain the subnet.
      export cluster_name="gi-eks"  # replace with your EKS cluster name
      export region="us-east-2" # replace with region where you have created your cluster
      aws eks describe-cluster --name ${cluster_name} --region ${region} --query "cluster.resourcesVpcConfig.subnetIds"
      Example output:
      [
          "subnet-6594180c",
          "subnet-a35cb3ee",
          "subnet-8d9c4af6"
      ]
    3. Deploy the nginx controller.
      export subnets=$(aws eks describe-cluster --name ${cluster_name} --region ${region} --query "cluster.resourcesVpcConfig.subnetIds" --output json | jq -r 'join(",")')
      
      sed "s/{{subnets}}/$subnets/" nginx-controller-deploy.yaml | oc apply -f -
    4. To confirm that the controller is installed successfully and an ELB/NLB is assigned to it.
      oc get svc -n ingress-nginx
      
      NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP                                                                     PORT(S)                      AGE
      ingress-nginx-controller             LoadBalancer   10.100.245.72   XX-33ff0d06be12646a.elb.us-east-2.amazonaws.com   80:32719/TCP,443:31834/TCP   28d
      ingress-nginx-controller-admission   ClusterIP      10.100.31.56    <none> 

      In this example, EXTERNAL-IP is your ELB/NLB address.

    5. Retrieve the external IP from the previous step and create an A record in your Amazon Route 53, or any other service that you use for creating subdomains.
      For example, *.apps.yoursubdomainname.domainname.
  3. Install the IBM Certificate Manager.
    1. Disable prerequisite checks.
      export IBMPAK_LAUNCH_SKIP_PREREQ_CHECK=true
      Important: Prerequisite checks are disabled because they often mistakenly flag the kubectl version as outdated, even when you use the latest version.
    2. Install the IBM Certificate Manager catalog.
      oc ibm-pak launch $CASE_NAME \
         --version $CASE_VERSION \
         --action install-catalog \
         --inventory $CERT_MANAGER_INVENTORY_SETUP \
         --namespace openshift-marketplace \
         --args "--inputDir ${LOCAL_CASE_DIR}"
    3. Verify the pods.
      oc get pods -n openshift-marketplace  
      
      NAME                            READY  STATUS    RESTARTS   AGE 
      community-operators-pzsjl       1/1    Running   0          117m 
      ibm-cert-manager-catalog-vsq58  1/1    Running   0          30s 
    4. Install the IBM Cert Manager operators.
      oc ibm-pak launch $CASE_NAME \
         --version $CASE_VERSION \
         --inventory $CERT_MANAGER_INVENTORY_SETUP \
         --action install-operator \
         --namespace ibm-cert-manager \
         --args "--inputDir ${LOCAL_CASE_DIR}"
    5. Make sure that the csv for IBM Cert Manager has a Succeeded phase.
      oc get csv -n ibm-cert-manager  
      
      NAME                                               DISPLAY                       VERSION               REPLACES   PHASE 
      aws-efs-csi-driver-operator.v4.14.0-202403060538   AWS EFS CSI Driver Operator   4.14.0-202403060538              Succeeded 
      ibm-cert-manager-operator.v4.2.1                   IBM Cert Manager              4.2.1                            Succeeded
      oc get pods -n ibm-cert-manager  
      
      NAME                           READY   STATUS    RESTARTS   AGE 
      cert-manager-cainjector-c9dd8  1/1     Running   0          97s 
      cert-manager-controller-54fb   1/1     Running   0          97s 
      cert-manager-webhook-5dc       1/1     Running   0          96s 
      ibm-cert-manager-operator-75c8 1/1     Running   0          106s