Installing Guardium Insights

Procedure

  1. Obtain the CASE bundle. If you already obtained the CASE bundle when you installed ICS, skip this step.
    export CASE_NAME=ibm-guardium-insights
    export CASE_VERSION=2.2.9
    export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
    
  2. Save the CASE bundle. If you already saved the CASE bundle when you installed ICS, skip this step.
    oc ibm-pak get $CASE_NAME \
    --version $CASE_VERSION \
    --skip-verify
    
    The expected output is similar to:
    Downloading and extracting the CASE ...
    - Success
    Retrieving CASE version ...
    - Success
    Validating the CASE ...
    [warn] - certifications/ibmdefault.yaml: validation error: Certification file name [ibmdefault] not currently in supported list: [ibmmc, ibmccs, ibmccscp, ibmccp, ecomc, ecoccs]
    [warn] - certifications/ibmdefault.yaml: validation error: The certification file ibmdefault.yaml is not listed under the certifications parameter in case.yaml
    [warn] - certifications/ibmdefault.yaml: the specified certifications file does not exist in the certifications/files directory: ExternalSecurityReport.pdf
    [WARNING]: open /root/offline/ibm-guardium-insights/signature.yaml: no such file or directory
    - Success
    Creating inventory ...
    - Success
    Finding inventory items
    - Success
    Resolving inventory items ...
    Parsing inventory items
    [WARNING]: Ignoring the following digest error: Cannot validate digest for a case in the inventory item ibmCommonServiceOperatorSetup. Inventory Item ibmCommonServiceOperatorSetup is not found in the digest map
    Validating the signature for the ibm-cp-common-services CASE...
    Validating the signature for the ibm-auditlogging CASE...
    Validating the signature for the ibm-cert-manager CASE...
    Validating the signature for the ibm-cs-commonui CASE...
    Validating the signature for the ibm-events-operator CASE...
    Validating the signature for the ibm-cs-healthcheck CASE...
    Validating the signature for the ibm-cs-iam CASE...
    Validating the signature for the ibm-zen CASE...
    Validating the signature for the ibm-licensing CASE...
    Validating the signature for the ibm-management-ingress CASE...
    Validating the signature for the ibm-cs-mongodb CASE...
    Validating the signature for the ibm-cs-monitoring CASE...
    Validating the signature for the ibm-platform-api-operator CASE...
    [WARNING]: Ignoring the following digest error: Cannot validate digest for a case in the inventory item redisOperator. Inventory Item redisOperator is not found in the digest map
    Validating the signature for the ibm-cloud-databases-redis CASE...
    - Success
  3. Set the variables.
    export NAMESPACE=staging
    export ICS_USER=admin
    export ICS_PASS=<new password>
    export CP_REPO_USER=cp
    export CP_REPO_PASS=<ibm_entitlement_key>

    You can obtain the <ibm_entitlement_key> at https://myibm.ibm.com/products-services/containerlibrary.

  4. Create the namespace.
    oc create namespace $NAMESPACE
    oc project $NAMESPACE
  5. Run the preinstall script.
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace ${NAMESPACE} \
      --inventory install     \
      --action pre-install    \
      --tolerance 1 \
      --args "-n ${NAMESPACE} -a ${ICS_USER} -p ${ICS_PASS} -h sysgcp-xsbvp-worker-c-g48np.c.aesthetic-frame-155821.internal,sysgcp-xsbvp-worker-c-jv9f4.c.aesthetic-frame-155821.internal -t false -l true"
    For the -h parameter, list the names of the worker nodes on which you want to host Db2.
    The expected output is similar to:
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
                                                             
    Prerequisite                                                                           Result
    Cluster Kubernetes version must be >=1.16.0                                            true
    openshift Kubernetes version must be >=1.14.6                                          true
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml       true
    Client openssl CLI must meet the following regex: OpenSSL 1.1.1*                       true
    Client cloudctl CLI must meet the following regex: [a-zA-Z]* v3.(1[0-9]|[4-9]).[1-9]*  true
    
    Required prereqs result: OK
    Checking user permissions...
                      
    Kubernetes RBAC Prerequisite  Verbs  Result  Reason
    *.*/                          *      true
    
    User permissions result: OK
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE install launch script with the following action context: preInstall
    Executing inventory item install, action preInstall : launch.sh
    -------------Installing dependent GI preinstall: /Users/myUsername/gcp-ocp4.6/ibm-guardium-insights-case-bundle/stable/ibm-guardium-insights-bundle/case/ibm-guardium-insights-------------
    PRE-INSTALL VALUES:
     -n staging -h testgcp-lnt5j-worker-d-2tcfb.c.aesthetic-frame-155821.internal -l true
    Warning : One or more optional parameters not passed, default values will be used
    OpenSSL is working with parameters -pbkdf2
    #####IBM Guardium Insights Pre-installation: Starting Preparation#####
    Already on project "staging" on server "https://api.testgcp.ibmguardiuminsights.com:6443".
    node/testgcp-lnt5j-worker-d-2tcfb.c.aesthetic-frame-155821.internal labeled
    Skipping data node(s) tainting.
    Node testgcp-lnt5j-worker-d-2tcfb.c.aesthetic-frame-155821.internal already labelled.
    #####IBM Guardium Insights Pre-installation: Ingress Certificate Recreation#####
    Overwrite existing secrets mode: no
    --------------------------------------------------------------
    Starting: IBM Guardium Insights: Ingress creation script.
    Generating certificates since some of the 3 arguments are not set
    Creating TLS secret
    Ingress Secret insights-ingressca not found. Creating secret.
    secret/insights-ingressca created
    Completed: IBM Guardium Insights : Ingress creation script.
    --------------------------------------------------------------
    [✓] CASE launch script completed successfully
    OK
  6. Install the catalogs.
    oc ibm-pak launch $CASE_NAME \
    --version $CASE_VERSION \
    --inventory install \
    --action install-catalog \
    --namespace openshift-marketplace \
    --args "--inputDir ${LOCAL_CASE_DIR}"
    The expected output is similar to:
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
                                                             
    Prerequisite                                                                           Result
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml       true
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*                 true
    Client cloudctl CLI must meet the following regex: [a-zA-Z]* v3.(1[0-9]|[4-9]).[1-9]*  true
    
    Required prereqs result: OK
    Checking user permissions...
                      
    Kubernetes RBAC Prerequisite  Verbs  Result  Reason
    *.*/                          *      true
    
    User permissions result: OK
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE install launch script with the following action context: installCatalog
    Executing inventory item install, action installCatalog : launch.sh
    -------------Installing catalog source-------------
    -------------Installing dependent catalog source: ibm-db2uoperator-------------
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
                                         
    Prerequisite                                                            Result
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*  true
    
    Required prereqs result: OK
    Checking user permissions...
    No user rules specified.
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE db2uOperatorSetup launch script with the following action context: installCatalog
    Executing inventory item db2uOperatorSetup, action installCatalog : launch.sh
    Checking arguments for install catalog action
    catalogsource.operators.coreos.com/ibm-db2uoperator-catalog created
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-db2uoperator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: IBM Db2U Catalog
      image: docker.io/ibmcom/ibm-db2uoperator-catalog@sha256:5347c6f194868eb7531bd15cf584dabb0dc82b8674409e8ffbbea2c5bc4bcafe
      imagePullPolicy: Always
      publisher: IBM
      sourceType: grpc
      updateStrategy:
        registryPoll:
          interval: 45m
    ibm-db2uoperator-catalog
    {"connectionState":{"address":"ibm-db2uoperator-catalog.openshift-marketplace.svc:50051","lastConnect":"2021-12-01T10:17:01Z","lastObservedState":"CONNECTING"},"registryService":{"createdAt":"2021-12-01T10:16:59Z","port":"50051","protocol":"grpc","serviceName":"ibm-db2uoperator-catalog","serviceNamespace":"openshift-marketplace"}}
    {"connectionState":{"address":"ibm-db2uoperator-catalog.openshift-marketplace.svc:50051","lastConnect":"2021-12-01T10:17:18Z","lastObservedState":"READY"},"registryService":{"createdAt":"2021-12-01T10:16:59Z","port":"50051","protocol":"grpc","serviceName":"ibm-db2uoperator-catalog","serviceNamespace":"openshift-marketplace"}}
    [✓] CASE launch script completed successfully
    OK
    -------------Installing dependent catalog source: ibm-cloud-databases-redis-------------
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
                                                             
    Prerequisite                                                                      Result
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml  true
    openshift Kubernetes version must be >=1.14.6                                     true
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*            true
    
    Required prereqs result: OK
    Checking user permissions...
    No user rules specified.
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE redisOperator launch script with the following action context: installCatalog
    Executing inventory item redisOperator, action installCatalog : launch.sh
    Checking arguments for install catalog action
    -------------Installing catalog source-------------
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-cloud-databases-redis-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-cloud-databases-redis-operator-catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-cloud-databases-redis-catalog@sha256:bb65ca87c987b040b0a8cea4cf44af9bf1a0110442f249529032dd580cc29b36
      updateStrategy:
        registryPoll:
          interval: 45m
    catalogsource.operators.coreos.com/ibm-cloud-databases-redis-operator-catalog created
    done
    [✓] CASE launch script completed successfully
    OK
    -------------Installing dependent catalog source: mongodbOperator-------------
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
                                                             
    Prerequisite                                                                      Result
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml  true
    openshift Kubernetes version must be >=1.14.6                                     true
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*            true
    
    Required prereqs result: OK
    Checking user permissions...
    No user rules specified.
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE mongodbOperator launch script with the following action context: installCatalog
    Executing inventory item mongodbOperator, action installCatalog : launch.sh
    No Actions required for this CASE
    [✓] CASE launch script completed successfully
    OK
    -------------Installing dependent catalog source: guardiumInsightsOperator-------------
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
                                                             
    Prerequisite                                                                      Result
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml  true
    openshift Kubernetes version must be >=1.14.6                                     true
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*            true
    
    Required prereqs result: OK
    Checking user permissions...
    No user rules specified.
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE guardiumInsightsOperator launch script with the following action context: installCatalog
    Executing inventory item guardiumInsightsOperator, action installCatalog : launch.sh
    No Actions required for this CASE
    [✓] CASE launch script completed successfully
    OK
    done
    [✓] CASE launch script completed successfully
    
    OK
  7. Run the following command to list the pods in the openshift-marketplace namespace.
    oc get pod -n openshift-marketplace
    The expected output is similar to:
    NAME                                                              READY   STATUS      RESTARTS   AGE
    3d79bc1fdd5b502dd48a21a7bde619cf1ab0fb24c2ba37b78c9db5e41dg7p74   0/1     Completed   0          58m
    432bf90a0a2ae4daeff1a8d8ad57ae936b47a6cd0b71a8dc1127c454casfd8j   0/1     Completed   0          57m
    5079f0b764665fdecef84a6f50c13c55710e81531ddacdbac8faa0b248779sf   0/1     Completed   0          57m
    602e82c9094e8c088d892ad6cf734efa67fa7a2fbb7404a9c1e996bfe247b47   0/1     Completed   0          55m
    67f545ebc1376cc60c655f177193079eb4920e08de78e9bb203fbd909e2v9p9   0/1     Completed   0          57m
    9692f8fbb670c2be83f95c021ca853588c2e4782515fa272d22969327amv2pl   0/1     Completed   0          59m
    acd7307aefe424b9030adbbd46641b0dbee3809e0cbc93604382e8db87m495s   0/1     Completed   0          57m
    acde7109b852622a0ba3377ccaa17fb33f852e65eb9f41dfbbd58a243af59ks   0/1     Completed   0          3h1m
    ad4622529533b14b1f7f21c19f3289861c17cad62c7a116f82596321fa4sp7w   0/1     Completed   0          57m
    b10d3e3c379419f2b9dabf78bc64372a00af14efabc9e87218b7f0e3d9x7vt6   0/1     Completed   0          57m
    bc7521b428f293bfff65fe56d17fba5d849836d1915f8666271cf153ecrrl45   0/1     Completed   0          57m
    certified-operators-glvts                                         1/1     Running     0          6h16m
    community-operators-2g87n                                         1/1     Running     0          13h
    dea584dca6d9d0ae177887936345eb3a316f48a0f3bc04489bfb1a87155z4js   0/1     Completed   0          57m
    e04d42e5f1898a59ea3103b040095971020047bff23e3aa45ede0c420btpbcc   0/1     Completed   0          57m
    e5f0e904e92c2e7522f80c968aea047e84ae922b5f443410fc1c550e9fd66hr   0/1     Completed   0          59m
    e6853075795a3dcc7b72f48fea5eb37cf7e7edeca72df4002aa34fcf60gqwrc   0/1     Completed   0          57m
    e6ccece3fa4ce0d95ed677dcfafc8973c0c0f1a00b6214e850fe9e7befgf9fp   0/1     Completed   0          57m
    ec4e1bf3195e6d7402e02aacd7dd07531cb69183d7dad5bd0d9bf3ff53j5lgz   0/1     Completed   0          57m
    ibm-cloud-databases-redis-operator-catalog-qbv5d                  1/1     Running     0          74s
    ibm-db2uoperator-catalog-4gf4k                                    1/1     Running     0          2m8s
    marketplace-operator-74d56ff548-nm7fl                             1/1     Running     0          28h
    opencloud-operators-wn542                                         1/1     Running     0          64m
    redhat-marketplace-779fk                                          1/1     Running     0          28h
    redhat-operators-q65mz                                            1/1     Running     0          19h
  8. Install the operators.
    oc ibm-pak launch $CASE_NAME \
    --version $CASE_VERSION \
    --inventory install \
    --action install-operator \
    --namespace ${NAMESPACE} \
    --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
    The expected output is similar to:
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    …………...
    deployment.apps/guardiuminsights-controller-manager created
    [✓] CASE launch script completed successfully
    OK
    [✓] CASE launch script completed successfully
    OK
  9. Run the following command to list the pods in the current project.
    oc get pods
    The expected output is similar to:
    NAME                                                   READY   STATUS    RESTARTS   AGE
    guardiuminsights-controller-manager-55774fbfdb-bhd8n   1/1     Running   0          65s
    ibm-cloud-databases-redis-operator-776b974f5f-hctf6    1/1     Running   0          2m50s
    mongodb-kubernetes-operator-758c495c44-mtqzf           1/1     Running   0          2m11s
  10. Create a <filename>.yaml file by using the following example. Replace the host name, domain name, and class for your current environment. For the storageClassName, use the RWX/FileSystem storageClassName.
    apiVersion: gi.ds.isc.ibm.com/v1
    kind: GuardiumInsights
    metadata:
      #name: Must be 10 characters or fewer
      name: staging
      #Provide the name of the namespace in which you want to install the CR.
      namespace: staging
    spec:
      version: 3.4.0
      license:
        accept: true
        licenseType: "L-YRPR-ZV3BA6"
      connections:
         insightsEnv:
           FEATURE_STAP_STREAMING: "false"
      guardiumInsightsGlobal:
        backupsupport:
           enabled: true
           name: <GI_Backup_PVC>
           storageClassName: ocs-storagecluster-cephfs
           size: 500Gi
        size: values-small
        image:
          insightsPullSecret: ibm-entitlement-key
          repository: cp.icr.io/cp/ibm-guardium-insights
        insights:
          ingress:
            hostName: staging.apps.sysgcp.ibmguardiuminsights.com
            domainName: apps.sysgcp.ibmguardiuminsights.com
          ics:
            namespace: ibm-common-services
            registry: common-service
        #storageClassName: Must be a ReadWriteMany StorageClass
        storageClassName: ocs-storagecluster-cephfs
        #storageClassNameRWO: Must be a ReadWriteOnce StorageClass
        storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
      dependency-db2:
        image:
          insightsPullSecret: ibm-entitlement-key
        db2:
         size: 2
         resources:
           requests:
             cpu: "6"
             memory: "28Gi"
           limits:
             cpu: "6"
             memory: "28Gi"
         storage:
         - name: meta
           spec:
             storageClassName: "ocs-storagecluster-cephfs"
             accessModes:
             - ReadWriteMany
             resources:
               requests:
                 storage: "1000Gi"
           type: create
         - name: data
           spec:
             storageClassName: "ocs-storagecluster-cephfs"
             accessModes:
             - ReadWriteOnce
             resources:
               requests:
                 storage: "4000Gi"
           type: template
         mln:
           distribution: 0:0
           total: 2
      dependency-kafka:
        kafka:
          storage:
            type: persistent-claim
            size: 250Gi
            class: "ocs-storagecluster-ceph-rbd"
        zookeeper:
          storage:
            type: persistent-claim
            size: 20Gi
            class: "ocs-storagecluster-ceph-rbd"
      mini-snif:
        persistentVolumesClaims:
          mini-snif-shared:
            storageClassName: "ocs-storagecluster-cephfs"
      universal-connector-manager:
        persistentVolumesClaims:
          universal-connector-manager-shared:
            storageClassName: "ocs-storagecluster-cephfs"
      settings-datasources:
        persistentVolumesClaims:
          settings-datasources:
            storageClassName: "ocs-storagecluster-cephfs"
      ticketing:
        persistentVolumesClaims:
          ticketing-keystore:
            storageClassName: "ocs-storagecluster-cephfs"
  11. Apply the YAML file.
    oc apply -f <filename>.yaml
  12. To monitor the Guardium® Insights CR, run the following command.
    oc get guardiuminsights -w
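
The checks below are an added example, not part of IBM's procedure or tooling: they pull the integrity warnings out of saved step 2 output, which ends in Success despite ignored digest errors and a missing signature.yaml, and confirm that each CatalogSource from step 6 is pinned by sha256 digest and READY. The function names, the third sample row, and the registry.example.com reference are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not IBM's code): audit what this install trusted.
# Function names and the sample rows are assumptions made for the example.

# Filter: keep only the lines of `oc ibm-pak get` output that report a skipped
# or failed integrity check; they are easy to miss between "- Success" lines.
integrity_warnings() {
  grep -E 'Ignoring the following digest error|signature\.yaml: no such file|validation error' || true
}

# True when an image reference ends in @sha256:<64 lowercase hex digits>,
# as both CatalogSource images in the step 6 output do.
image_is_digest_pinned() {
  case "$1" in
    *@sha256:*) digest=${1##*@sha256:} ;;
    *) return 1 ;;
  esac
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;   # any non-hex character rejects the reference
  esac
}

# Reads "name image state" rows on stdin, prints one finding per problem and
# returns non-zero if any catalog is unpinned or not READY.
audit_catalogs() {
  findings=0
  while read -r name image state; do
    [ -n "$name" ] || continue
    if ! image_is_digest_pinned "$image"; then
      echo "UNPINNED $name $image"
      findings=$((findings + 1))
    fi
    if [ "$state" != "READY" ]; then
      echo "NOT_READY $name ${state:-unknown}"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample: lines copied from the step 2 output shown above.
sample_get_log() {
  cat <<'EOF'
Validating the CASE ...
[warn] - certifications/ibmdefault.yaml: validation error: The certification file ibmdefault.yaml is not listed under the certifications parameter in case.yaml
[WARNING]: open /root/offline/ibm-guardium-insights/signature.yaml: no such file or directory
- Success
[WARNING]: Ignoring the following digest error: Cannot validate digest for a case in the inventory item redisOperator. Inventory Item redisOperator is not found in the digest map
Validating the signature for the ibm-cloud-databases-redis CASE...
EOF
}

# Constructed sample rows: the first two use the images from the step 6 output;
# the third is a made-up tag-based reference that is still connecting.
sample_catalog_rows() {
  cat <<'EOF'
ibm-db2uoperator-catalog docker.io/ibmcom/ibm-db2uoperator-catalog@sha256:5347c6f194868eb7531bd15cf584dabb0dc82b8674409e8ffbbea2c5bc4bcafe READY
ibm-cloud-databases-redis-operator-catalog icr.io/cpopen/ibm-cloud-databases-redis-catalog@sha256:bb65ca87c987b040b0a8cea4cf44af9bf1a0110442f249529032dd580cc29b36 READY
example-catalog registry.example.com/example/catalog:latest CONNECTING
EOF
}

# On a live cluster the rows would come from:
#   oc get catalogsource -n openshift-marketplace -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.image}{" "}{.status.connectionState.lastObservedState}{"\n"}{end}'
sample_get_log | integrity_warnings
sample_catalog_rows | audit_catalogs || echo "catalog findings listed above"
```

To audit a real run, save the step 2 output with `tee` and pipe the saved file through `integrity_warnings`.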