Apply a patch to Guardium Data Security Center
to go to the next minor version.
Procedure
- Download the catalog and operator from the CASE files to your local
directory.
export ICS_USER=<ICS Admin User>
export ICS_PASS=<ICS PASS>
export NAMESPACE=<Namespace where GI is installed>
export CP_REPO_USER=cp
export CP_REPO_PASS=<cp key for ER>
export CASE_NAME=ibm-guardium-data-security-center
export CASE_VERSION=<CASE_VERSION>
export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
oc ibm-pak get $CASE_NAME \
--version $CASE_VERSION \
--skip-verify
Specify the
CASE_VERSION
for the version of Guardium Data Security Center you are deploying.
- Verify that you are logged in to the IBM Cloud®
Private command-line interface (CLI). Logging in to this
CLI also authenticates your account to use the OpenShift CLI. To log in, run the following command:
oc login -u <openshift_username> -p <openshift_password> --server=https://ICP_Hostname>:6443
<ICP_hostname>
is your Cloud Private server, for example https://cp-console.apps.myserver.com
<openshift_username>
is your OpenShift username.
<openshift_password>
is your OpenShift password.
- Verify that Guardium Data Security Center is reconciled to
the previous version by running the following command:
oc get guardiumdatasecuritycenter
The expected results are similar to the following example:
NAME TYPE STATUS REASON MESSAGE DESIRED_VERSION INSTALLED_VERSION
staging Ready True Completed Completed Reconciliation 3.6.0 3.6.0
- Run this command to determine the version of IBM Cloud Pak®
foundational services that is installed on your system:
oc get csv -n ibm-common-services | grep foundational
Note the version number (version_number
) in the output:
ibm-common-service-operator.<version_number> IBM Cloud Pak foundational services <version_number> ibm-common-service-operator.<version_number> Succeeded
Guardium Data Security Center requires IBM Cloud
Pak foundational services
4.6.x.
- If you are using an OpenShift Data
Foundation (ODF) storage
class, run the Guardium Data Security Center preinstall
script:
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--namespace ${NAMESPACE} \
--inventory install \
--action preInstall \
--tolerance 1 \
--args "-n ${NAMESPACE} -h <DB_worker_host> -l true"
<DB_worker_host>
is the worker node name on which you want to host
Db2®.
Important: When you run the preinstall script during a Guardium Data Security Center patch, the Db2 worker node (<DB_worker_host>
) must match
the same set of nodes that were set during installation. If there is more than one, provide them in
a comma-separated list.
- Install the IBM® Certificate
Manager and IBM Common
Services.
- Create a namespace ibm-cert-manager for
the IBM Certificate
Manager.
oc create namespace ibm-cert-manager
- Set the environment variable for the
--inventory parameter.
export CERT_MANAGER_INVENTORY_SETUP=ibmCertManagerOperatorSetup
- Install the IBM Certificate
Manager catalog.
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--action install-catalog \
--inventory $CERT_MANAGER_INVENTORY_SETUP \
--namespace openshift-marketplace \
--args "--inputDir ${LOCAL_CASE_DIR}"
- Install IBM Common Services in the same namespace as your Guardium Data Security Center installation.
export NAMESPACE=<GDSC-NAMESPACE>
- Set the environment variable for --inventory parameter.
export ICS_INVENTORY_SETUP=ibmCommonServiceOperatorSetup
- Install the IBM Common Services
catalog.
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--action install-catalog \
--inventory $ICS_INVENTORY_SETUP \
--namespace ${NAMESPACE} \
--args "--registry icr.io --recursive \
--inputDir ${LOCAL_CASE_DIR}"
- Uninstall IBM Common
Services
version 3.x.x by using the
following script.
./uninstall_tenant.sh --operator-namespace ibm-common-services
- Install the catalog.
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--namespace openshift-marketplace \
--inventory install \
--action install-catalog \
--args "--inputDir ${LOCAL_CASE_DIR}" --tolerance 1
- Install the operator.
oc ibm-pak launch $CASE_NAME \
--version $CASE_VERSION \
--namespace ${NAMESPACE} \
--inventory install \
--action install-operator \
--tolerance 1 \
--args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
- Upgrade the custom resource (CR) file to the new version:
- Put guardiumdatasecuritycenter into edit mode:
oc edit guardiumdatasecuritycenter
- Locate the
Version
value:
Version: <current_version>
- Change the version to the new version:
- Save and exit the file. The expected message is similar to the following
example:
guardiumdatasecuritycenter.gi.ds.isc.ibm.com/staging edited
- To verify that your environment was upgraded:
- Log in to check the version of Guardium Data Security Center.
- Run
oc get guardiumdatasecuritycenter
to verify the system
reconciliation status.
When the upgrade is complete, the output is similar to the following example:
NAME TYPE STATUS REASON MESSAGE DESIRED_VERSION INSTALLED_VERSION
staging Ready True Completed Completed Reconciliation 3.6.0 3.6.0
- Run
oc get pods
to verify that pods are running or
completed.
- Use one of these methods for removing an unused mount point from the Guardium Data Security Center user interface services that might cause stability
problems (use step 15.a or 15.b, but not both):
- Run this command:
oc edit deployment <gi_installation_name>-insights
When you edit the file, locate and delete these fields:
- mountPath: /node_app/src/static/insights_exports
name: db2-scratch-mount
subPath: scratch/insights-exports
Save the file after you remove the fields.
- To remap the extra mount to an unused location, run the following
command:
oc get deployment -oyaml <gi install name>-insights | sed 's#/node_app/src/static/insights_exports#/tmp/ignore#g' | oc replace -f -