Online manual installation of Guardium Insights

Before you begin

Procedure

  1. Log in to your OpenShift® cluster instance:
    oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]

    For example,

    oc login api.example.ibm.com:6443 -u kubeadmin -p xxxxx-xxxxx-xxxxx-xxxxx
  2. Set these environment variables:
    export CP_REPO_USER=<entitlement_user>
    export CP_REPO_PASS=<entitlement_key>
    export NAMESPACE=<guardium_insights_namespace>

    where:

    • <entitlement_user> and <entitlement_key> are the entitlement user and key, as described in Obtain your entitlement key.
    • <guardium_insights_namespace> is the namespace you will create in step 3. This namespace must be 10 or fewer characters in length.
  3. Create the namespace for the Guardium Insights instance.
    oc create namespace ${NAMESPACE}
  4. Install the Guardium Insights operator and related components:
    1. Run the pre-install script. This script sets up secrets and parameters for the Guardium Insights instance.
      export GI_INVENTORY_SETUP=install
      For Guardium Insights 3.2.10 and later:
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --namespace ${NAMESPACE} \
        --inventory install \
        --action preInstall \
        --tolerance 1 \
        --args "-n ${NAMESPACE} -h <DB_worker_host> -l <true/false>"
      Note: For Red Hat OpenShift service on Amazon Web Services (ROSA), avoid labeling by setting -l to false.
      For Guardium Insights 3.2.8 and earlier:
      cloudctl case launch \
        --case ${LOCAL_CASE_DIR}/${CASE_ARCHIVE} \
        --namespace ${NAMESPACE} \
        --inventory install \
        --action pre-install \
        --tolerance 1 \
        --args "-n ${NAMESPACE} -h <DB_worker_host> -l <true/false>"
      The pre-install script supports these parameters:
      Table 1. Parameters for preInstall.sh

      Name: -n or --i-namespace
      Description: Guardium Insights OpenShift namespace (this value must be 10 or fewer characters)
      Type: Mandatory

      Name: -h or --host-datanodes
      Description: Specify the comma-delimited host names of the data nodes that you have designated for data computation (you can determine the host names by running oc get nodes).
        Note: When managing Hardware cluster requirements, the larger set of Guardium Insights nodes should be used as your data nodes. To determine which node has the most free requests, issue the oc describe nodes command and then look in the Allocation section.
      Type: Mandatory

      Name: -l or --label-datanodes
      Description: If you specify true, data nodes will be labeled as dedicated for data service usage. If you specify false, labeling will be skipped. Default is true.
      Type: Mandatory

      Name: -t or --taint-datanodes
      Description: If you specify true, data nodes will be tainted and dedicated for data service usage. If you specify false, tainting will be skipped (do not use false to skip tainting for production deployments).
      Type: Optional

      Name: -k or --ingress-keystore
      Description: The path of the TLS certificate associated with the Guardium Insights application domain.
        If you will supply a custom Ingress (this is recommended), provide the path to its key file. This file can only contain newline (\n) delimiters. If you do not supply a custom Ingress, a default of none will be assumed (this is not recommended).
        See Domain name and TLS certificates for more information.
      Type: Optional

      Name: -f or --ingress-cert
      Description: The path of the TLS key associated with the Guardium Insights application domain.
        If you will supply a custom Ingress (this is recommended), provide the path to its cert file. This file can only contain newline (\n) delimiters. If you do not include this, a default of none will be assumed (this is not recommended).
        See Domain name and TLS certificates for more information.
      Type: Optional

      Name: -c or --ingress-ca
      Description: The path of the custom TLS certificate associated with the Guardium Insights application domain.
        If you will supply a custom Ingress (this is recommended), provide the path to its certificate authority (CA) file. This file can only contain newline (\n) delimiters. If you do not include this, a default of none will be assumed (this is not recommended).
        See Domain name and TLS certificates for more information.
      Type: Optional

      Name: -help or --help
      Description: Displays the preInstall.sh parameters.
      Type: Optional
    2. Install the catalogs.
      For Guardium Insights 3.2.10 and later:
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --namespace openshift-marketplace \
        --inventory install \
        --action installCatalog \
        --args "--inputDir ${LOCAL_CASE_DIR}" \
        --tolerance 1
      For Guardium Insights 3.2.8 and earlier:
      cloudctl case launch \
        --case ${LOCAL_CASE_DIR}/${CASE_ARCHIVE} \
        --namespace openshift-marketplace \
        --inventory install \
        --action install-catalog \
        --args "--inputDir ${LOCAL_CASE_DIR}" \
        --tolerance 1
      To verify that the catalogs are installed, issue this command:
      oc get pod -n openshift-marketplace

      The output should be similar to:

      ibm-cloud-databases-redis-operator-catalog-ms97x                  1/1     Running     0          12m
      ibm-db2uoperator-catalog-k8pwc                                    1/1     Running     0          13m
    3. Install the operators.
      For Guardium Insights 3.2.10 and later:
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --namespace ${NAMESPACE} \
        --inventory install \
        --action installOperator \
        --tolerance 1 \
        --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
      For Guardium Insights 3.2.5 to 3.2.8:
      cloudctl case launch \
        --case ${LOCAL_CASE_DIR}/${CASE_ARCHIVE} \
        --namespace ${NAMESPACE} \
        --inventory install \
        --action install-operator \
        --tolerance 1 \
        --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
      For Guardium Insights 3.2.4 and earlier:
      cloudctl case launch \
        --case ${LOCAL_CASE_DIR}/${CASE_ARCHIVE} \
        --namespace ${NAMESPACE} \
        --inventory install \
        --action install-operator \
        --tolerance 1 \
        --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key"
    4. Verify that the operators are installed by issuing this command:
      oc get pods

      The output should be similar to:

      NAME                                                              READY   STATUS             RESTARTS   AGE
      guardiuminsights-controller-manager-6c5f8c685c-85d7s              1/1     Running            0          6m22s
      ibm-cloud-databases-redis-operator-54f95f8d48-csrxj               1/1     Running            0          6m20s
      mongodb-kubernetes-operator-745746b45c-jz7hw                      1/1     Running            0          6m37s
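
The constraints stated in this procedure (namespace length, newline-only TLS files, set entitlement variables, pods in Running state) can be checked before and after the install steps. The script below is an added example, not part of the IBM procedure or of preInstall.sh; all function names are hypothetical, and treating Completed pods as acceptable is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for this procedure's inputs.
# Function names are hypothetical; none of this is part of preInstall.sh.

# NAMESPACE: 10 or fewer characters (this page), and a lowercase DNS-1123
# label as Kubernetes requires (alphanumerics and '-', not at either end).
check_namespace() {
  ns=$1
  [ -n "$ns" ] && [ "${#ns}" -le 10 ] || return 1
  case $ns in
    -*|*-|*[!abcdefghijklmnopqrstuvwxyz0123456789-]*) return 1 ;;
  esac
  return 0
}

# Files passed to -k, -f and -c may contain only newline (\n) delimiters:
# reject a missing or empty file and any file holding a carriage return.
check_newline_only() {
  f=$1
  [ -s "$f" ] || return 1
  cr=$(printf '\r')
  if LC_ALL=C grep -q "$cr" "$f"; then return 1; fi
  return 0
}

# Read `oc get pods` output on stdin and print each pod that is not Running
# with every container ready. Completed job pods are skipped (assumption).
pods_not_ready() {
  awk '$1 != "NAME" && NF >= 3 && $3 != "Completed" {
         split($2, r, "/")
         if ($3 != "Running" || r[1] != r[2]) print $1
       }'
}

# Stop before anything reaches the cluster if an input is unusable.
# Usage: preflight [key_file cert_file ca_file]
preflight() {
  check_namespace "${NAMESPACE:-}" || { echo "bad NAMESPACE" >&2; return 1; }
  [ -n "${CP_REPO_USER:-}" ] && [ -n "${CP_REPO_PASS:-}" ] ||
    { echo "entitlement credentials not set" >&2; return 1; }
  for f in "$@"; do
    check_newline_only "$f" || { echo "bad TLS file: $f" >&2; return 1; }
  done
}
```

Run `preflight` with the TLS file paths before the pre-install script, and pipe `oc get pods -n ${NAMESPACE}` into `pods_not_ready` at the verification steps; empty output means every listed pod is ready.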

What to do next

Continue with Guardium Insights instance creation using custom resource (CR).