Installing IBM Cloud Pak foundational services on Guardium Insights

IBM Guardium Insights is deployed on IBM Cloud Pak foundational services with OpenShift® Container Platform.

Before you begin

If the SKIP_INSTALL_ICS parameter in the configuration file is set to the default value of false, you can proceed directly to "Online and offline/air gap installation of Guardium Insights by using automated (all-in-one) installation script".

If you are installing Guardium Insights manually or if SKIP_INSTALL_ICS is set to true, install IBM Cloud Pak foundational services beforehand by following this procedure.

About this task

Version 3.3.x: If you are installing Guardium Insights version 3.3.x, install Cloud Pak foundational services version 3.x.x.

Version 3.4.x: If you are installing Guardium Insights version 3.4.x, install Cloud Pak foundational services version 4.5.x.

If you currently have IBM® Common Services version 3.19.x, update to IBM Common Services version 4.5.x to successfully install Guardium Insights version 3.4.x. For more information about upgrading IBM Common Services, see step 7 in Upgrading IBM Common Services.

Version 3.5.x and later: If you are installing Guardium Insights version 3.5.x, install Cloud Pak foundational services version 4.6.x.

If you currently have IBM Common Services version 4.5.x, you can upgrade to IBM Common Services version 4.6.x by using the case bundle.

Important: If you already downloaded Cloud Pak foundational services for use with another product, you might not need to download it again. If you have the correct version for the Guardium Insights version that you want to install, you can skip this task.

Procedure

  1. Log in to your Red Hat® OpenShift cluster instance.
    oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
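    The bracketed --insecure-skip-tls-verify=true flag is optional and turns off verification of the API server's TLS certificate.
    For example: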
    oc login api.example.ibm.com:6443 -u kubeadmin -p xxxxx-xxxxx-xxxxx-xxxxx
  2. Create a namespace for Cloud Pak foundational services. Use the same namespace where you install Guardium Insights.
    export NAMESPACE=<GI NAMESPACE>
    oc create namespace ${NAMESPACE}
  3. Choose the CASE version that you want to use.
    export CASE_ARCHIVE=ibm-guardium-insights-<GI Case version>.tgz
    For example, to use version 2.5.0, specify the 2.5.0 bundle file as shown in the following command.
    export CASE_ARCHIVE=ibm-guardium-insights-2.5.0.tgz
  4. Version 3.4.x and later: Install the IBM Certificate Manager and IBM Common Services.
    1. Version 3.4.x: Create a namespace ibm-cert-manager for the IBM Certificate Manager.
      oc create namespace ibm-cert-manager
    2. Version 3.4.x, Version 3.5.x: Set the environment variable for the --inventory parameter.
      export CERT_MANAGER_INVENTORY_SETUP=ibmCertManagerOperatorSetup
    3. Version 3.4.x, Version 3.5.x: Install the IBM Certificate Manager catalog.
      oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --action install-catalog \
      --inventory $CERT_MANAGER_INVENTORY_SETUP \
      --namespace openshift-marketplace \
      --args "--inputDir ${LOCAL_CASE_DIR}"
  5. Version 3.4.x and later: Check the pod and catalog source status.
    oc get pods -n openshift-marketplace
    oc get catalogsource -n openshift-marketplace

    The following output is an example of the output that results from running the command.

    NAME                                      READY    STATUS     RESTARTS   AGE
    ibm-cert-manager-catalog-bxjjb            1/1      Running    0          49s
    
    NAME                            DISPLAY               TYPE   PUBLISHER   AGE
    ibm-cert-manager-catalog    ibm-cert-manager-4.2.1    grpc   IBM         52s
  6. Version 3.4.x and later: Install the IBM Certificate Manager operators.
    oc ibm-pak launch $CASE_NAME \
       --version $CASE_VERSION \
       --inventory $CERT_MANAGER_INVENTORY_SETUP \
       --action install-operator \
       --namespace ibm-cert-manager \
       --args "--inputDir ${LOCAL_CASE_DIR}"
    Verify that the IBM Certificate Manager CSV is in the Succeeded phase.
    oc get csv,pod -n ibm-cert-manager
    The following example shows the output of the commands.
    NAME                                               DISPLAY                       VERSION               REPLACES   PHASE 
    aws-efs-csi-driver-operator.v4.14.0-202403060538   AWS EFS CSI Driver Operator   4.14.0-202403060538              Succeeded 
    ibm-cert-manager-operator.v4.2.1                   IBM Cert Manager              4.2.1                            Succeeded 
    oc get pods -n ibm-cert-manager  
      
    NAME                              READY   STATUS    RESTARTS   AGE 
    cert-manager-cainjector-c9dd8     1/1     Running   0          97s 
    cert-manager-controller-54fb      1/1     Running   0          97s 
    cert-manager-webhook-5dc          1/1     Running   0          96s 
    ibm-cert-manager-operator-75c8    1/1     Running   0          106s
  7. Install the IBM Cloud Pak foundational services catalog.
    export ICS_INVENTORY_SETUP=ibmCommonServiceOperatorSetup

    oc ibm-pak launch $CASE_NAME \
       --version $CASE_VERSION \
       --action install-catalog \
       --inventory $ICS_INVENTORY_SETUP \
       --namespace $NAMESPACE \
       --args "--registry icr.io --recursive \
       --inputDir ${LOCAL_CASE_DIR}"
  8. Check the pod and catalog source status of the opencloud-operators by using the following commands.
    oc get pods -n openshift-marketplace;
    oc get catalogsource -n openshift-marketplace
    The following example shows the output of the commands.
    opencloud-operators-zmtmv                                         1/1     Running     0          25s 
    opencloud-operators        IBMCS Operators          grpc   IBM         46s 
  9. Install the Cloud Pak foundational services operators.
    export ICS_SIZE=small;
    
    oc ibm-pak launch $CASE_NAME \
       --version $CASE_VERSION \
       --action install-operator \
       --inventory $ICS_INVENTORY_SETUP \
       --namespace $NAMESPACE \
       --args "--size ${ICS_SIZE} --registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --recursive --inputDir ${LOCAL_CASE_DIR}"
  10. Verify that the CSV is in the Succeeded state:
    oc get csv -n $NAMESPACE
    The following example shows the output of the oc get pods command for the same namespace.
    oc get pods -n ${NAMESPACE}
    
    NAME                                                            READY    STATUS    RESTARTS   AGE
    common-service-db-1                                               1/1    Running       0      4h2m
    common-web-ui-75fb7fcbff-rpx9w                                    1/1    Running       0      4h3m
    create-postgres-license-config-vvzj8                              0/1   Completed      0      4h3m
    ibm-common-service-operator-7b9f6c49bc-ffl9f                      1/1    Running       0      4h7m
    ibm-commonui-operator-86c45f5df9-grm27                            1/1    Running       0      4h3m
    ibm-iam-operator-76969bf99b-lbd85                                 1/1    Running       0      4h4m
    ibm-zen-operator-69c4bf46f8-9vt5x                                 1/1    Running       0      4h4m
    oidc-client-registration-hcmxf                                    0/1   Completed      0      4h3m
    operand-deployment-lifecycle-manager-5d4fff9f89-75vkf             1/1    Running       0      4h5m
    platform-auth-service-6d7c654fc6-sj5gg                            1/1    Running       0      4h1m
    platform-identity-management-8dccc6b84-rt47d                      1/1    Running       0      4h1m
    platform-identity-provider-5d74f7d65d-h7l7l                       1/1    Running       0      4h1m
    postgresql-operator-controller-manager-1-18-12-6b9b4fb545-d6stw   1/1    Running       0      4h3m
  11. Verify that the operandrequest is available:
    oc get opreq -n $NAMESPACE
    The following example shows the output of the command.
    NAME                         AGE    PHASE     CREATED AT
    common-service               4h3m   Running   2024-08-27T09:27:50Z
    ibm-iam-request              4h2m   Running   2024-08-27T09:28:36Z
    postgresql-operator-request  4h2m   Running   2024-08-27T09:29:00Z
  12. Verify that all the Cloud Pak foundational services pods are in the Running or Completed state by using the following command.
    oc get pods -n ${NAMESPACE}
    The following example shows the output of the command.
    oc get pods -n ${NAMESPACE}
    
    NAME                                                              READY   STATUS    RESTARTS   AGE
    common-service-db-1                                               1/1     Running      0       4h2m
    common-web-ui-75fb7fcbff-rpx9w                                    1/1     Running      0       4h3m
    create-postgres-license-config-vvzj8                              0/1     Completed    0       4h3m
    ibm-common-service-operator-7b9f6c49bc-ffl9f                      1/1     Running      0       4h7m
    ibm-commonui-operator-86c45f5df9-grm27                            1/1     Running      0       4h3m
    ibm-iam-operator-76969bf99b-lbd85                                 1/1     Running      0       4h4m
    ibm-zen-operator-69c4bf46f8-9vt5x                                 1/1     Running      0       4h4m
    oidc-client-registration-hcmxf                                    0/1     Completed    0       4h3m
    operand-deployment-lifecycle-manager-5d4fff9f89-75vkf             1/1     Running      0       4h5m
    platform-auth-service-6d7c654fc6-sj5gg                            1/1     Running      0       4h1m
    platform-identity-management-8dccc6b84-rt47d                      1/1     Running      0       4h1m
    platform-identity-provider-5d74f7d65d-h7l7l                       1/1     Running      0       4h1m
    postgresql-operator-controller-manager-1-18-12-6b9b4fb545-d6stw   1/1     Running      0       4h3m
    After you complete the verification, install the Guardium Insights operators. This process takes approximately 20 minutes.
  13. The default username to access the console is cpadmin. To retrieve the username and password from the platform-auth-idp-credentials secret, use these commands:
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $NAMESPACE | base64 -d | awk '{print $1}'
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $NAMESPACE | base64 -d | awk '{print $1}'

    The output of the second command, for example EwK9dj_example_password_lZSzVsA, is the password that is used for accessing the console. To change the default username (cpadmin) or password, see Changing the cluster administrator access credentials.

  14. To retrieve the cp-console route, use the following command.
    oc get route cp-console -n $NAMESPACE
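
The checks in steps 10 to 12 can be scripted as a gate that runs before the Guardium Insights operators are installed. The following script is an added example, not part of the IBM procedure: the function names are hypothetical, the sample tables are constructed from the example output above with failing rows added, and it goes beyond the page by also requiring the READY column to show every container ready.

```shell
#!/bin/sh
# Added example (not IBM's script). All function names are hypothetical.

# stdin: `oc get csv` table. Prints each CSV whose PHASE (last column) is not Succeeded.
csv_not_succeeded() {
  awk '$1 != "NAME" && NF > 0 && $NF != "Succeeded" { print $1 }'
}

# stdin: `oc get pods` table. Prints pods that are neither Completed nor
# Running with every container ready (READY column "n/n").
pods_not_ready() {
  awk '$1 != "NAME" && NF >= 3 {
         split($2, r, "/")
         ok = ($3 == "Completed") || ($3 == "Running" && r[1] == r[2])
         if (!ok) print $1, $2, $3
       }'
}

# Gate for a live cluster: returns 0 only when both checks come back empty.
# oc output is captured first so that a failed or unauthenticated oc call
# (empty stdout) is reported as an error instead of passing as "healthy".
verify_namespace() {
  vn_csv="$(oc get csv -n "$1")"   || return 2
  vn_pods="$(oc get pods -n "$1")" || return 2
  [ -n "$vn_csv" ] && [ -n "$vn_pods" ] || return 2   # nothing installed yet
  vn_bad="$(printf '%s\n' "$vn_csv" | csv_not_succeeded
            printf '%s\n' "$vn_pods" | pods_not_ready)"
  if [ -n "$vn_bad" ]; then printf 'not ready:\n%s\n' "$vn_bad" >&2; return 1; fi
  return 0
}

# Constructed sample tables: the Installing, 0/1 Running and CrashLoopBackOff
# rows are made up to show what the filters report.
sample_csv() { cat <<'EOF'
NAME                               DISPLAY            VERSION   REPLACES   PHASE
ibm-cert-manager-operator.v4.2.1   IBM Cert Manager   4.2.1                Succeeded
example-operator.v0.0.0            Example Operator   0.0.0                Installing
EOF
}
sample_pods() { cat <<'EOF'
NAME                                     READY   STATUS             RESTARTS   AGE
common-service-db-1                      1/1     Running            0          4h2m
create-postgres-license-config-vvzj8     0/1     Completed          0          4h3m
platform-auth-service-6d7c654fc6-sj5gg   0/1     Running            0          40s
ibm-iam-operator-76969bf99b-lbd85        0/1     CrashLoopBackOff   5          4h4m
EOF
}

sample_csv  | csv_not_succeeded
sample_pods | pods_not_ready
```

On a logged-in cluster, call verify_namespace "$NAMESPACE" and continue only when it returns 0.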

What to do next

After you install the Cloud Pak foundational services, you can continue with the installation of Guardium Insights.