Installing Guardium Insights
Procedure
- Obtain the CASE bundle. If you already obtained the CASE bundle when you installed ICS, skip this step.
    export CASE_NAME=ibm-guardium-insights
    export CASE_VERSION=2.2.9
    export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
- Save the CASE bundle. If you already saved the CASE bundle when you installed ICS, skip this step.
    oc ibm-pak get $CASE_NAME \
      --version $CASE_VERSION \
      --skip-verify
The expected output is similar to:
    Downloading and extracting the CASE ...
    - Success
    Retrieving CASE version ...
    - Success
    Validating the CASE ...
    [warn] - certifications/ibmdefault.yaml: validation error: Certification file name [ibmdefault] not currently in supported list: [ibmmc, ibmccs, ibmccscp, ibmccp, ecomc, ecoccs]
    [warn] - certifications/ibmdefault.yaml: validation error: The certification file ibmdefault.yaml is not listed under the certifications parameter in case.yaml
    [warn] - certifications/ibmdefault.yaml: the specified certifications file does not exist in the certifications/files directory: ExternalSecurityReport.pdf
    [WARNING]: open /root/offline/ibm-guardium-insights/signature.yaml: no such file or directory
    - Success
    Creating inventory ...
    - Success
    Finding inventory items
    - Success
    Resolving inventory items ...
    Parsing inventory items
    [WARNING]: Ignoring the following digest error: Cannot validate digest for a case in the inventory item ibmCommonServiceOperatorSetup. Inventory Item ibmCommonServiceOperatorSetup is not found in the digest map
    Validating the signature for the ibm-cp-common-services CASE...
    Validating the signature for the ibm-auditlogging CASE...
    Validating the signature for the ibm-cert-manager CASE...
    Validating the signature for the ibm-cs-commonui CASE...
    Validating the signature for the ibm-events-operator CASE...
    Validating the signature for the ibm-cs-healthcheck CASE...
    Validating the signature for the ibm-cs-iam CASE...
    Validating the signature for the ibm-zen CASE...
    Validating the signature for the ibm-licensing CASE...
    Validating the signature for the ibm-management-ingress CASE...
    Validating the signature for the ibm-cs-mongodb CASE...
    Validating the signature for the ibm-cs-monitoring CASE...
    Validating the signature for the ibm-platform-api-operator CASE...
    [WARNING]: Ignoring the following digest error: Cannot validate digest for a case in the inventory item redisOperator. Inventory Item redisOperator is not found in the digest map
    Validating the signature for the ibm-cloud-databases-redis CASE...
    - Success
- Set the variables.
    export NAMESPACE=staging
    export ICS_USER=admin
    export ICS_PASS=<new password>
    export CP_REPO_USER=cp
    export CP_REPO_PASS=<ibm_entitlement_key>
You can obtain the <ibm_entitlement_key> at https://myibm.ibm.com/products-services/containerlibrary.
- Create the namespace.
    oc create namespace $NAMESPACE
    oc project $NAMESPACE
- Run the preinstall script.
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace ${NAMESPACE} \
      --inventory install \
      --action pre-install \
      --tolerance 1 \
      --args "-n ${NAMESPACE} -a ${ICS_USER} -p ${ICS_PASS} -h sysgcp-xsbvp-worker-c-g48np.c.aesthetic-frame-155821.internal,sysgcp-xsbvp-worker-c-jv9f4.c.aesthetic-frame-155821.internal -t false -l true"
Where, for the -h parameter, list the worker node names on which you want to host Db2.
The expected output is similar to:
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
    Prerequisite                                                                           Result
    Cluster Kubernetes version must be >=1.16.0                                            true
    openshift Kubernetes version must be >=1.14.6                                          true
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml       true
    Client openssl CLI must meet the following regex: OpenSSL 1.1.1*                       true
    Client cloudctl CLI must meet the following regex: [a-zA-Z]* v3.(1[0-9]|[4-9]).[1-9]*  true
    Required prereqs result: OK
    Checking user permissions...
    Kubernetes RBAC Prerequisite  Verbs  Result  Reason
    *.*/                          *      true
    User permissions result: OK
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE install launch script with the following action context: preInstall
    Executing inventory item install, action preInstall : launch.sh
    -------------Installing dependent GI preinstall: /Users/myUsername/gcp-ocp4.6/ibm-guardium-insights-case-bundle/stable/ibm-guardium-insights-bundle/case/ibm-guardium-insights-------------
    PRE-INSTALL VALUES:
    -n staging -h testgcp-lnt5j-worker-d-2tcfb.c.aesthetic-frame-155821.internal -l true
    Warning : One or more optional parameters not passed, default values will be used
    OpenSSL is working with parameters -pbkdf2
    #####IBM Guardium Insights Pre-installation: Starting Preparation#####
    Already on project "staging" on server "https://api.testgcp.ibmguardiuminsights.com:6443".
    node/testgcp-lnt5j-worker-d-2tcfb.c.aesthetic-frame-155821.internal labeled
    Skipping data node(s) tainting.
    Node testgcp-lnt5j-worker-d-2tcfb.c.aesthetic-frame-155821.internal already labelled.
    #####IBM Guardium Insights Pre-installation: Ingress Certificate Recreation#####
    Overwrite existing secrets mode: no
    --------------------------------------------------------------
    Starting: IBM Guardium Insights: Ingress creation script.
    Generating certificates since some of the 3 arguments are not set
    Creating TLS secret
    Ingress Secret insights-ingressca not found. Creating secret.
    secret/insights-ingressca created
    Completed: IBM Guardium Insights : Ingress creation script.
    --------------------------------------------------------------
    [✓] CASE launch script completed successfully
    OK
- Install the catalogs.
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory install \
      --action install-catalog \
      --namespace openshift-marketplace \
      --args "--inputDir ${LOCAL_CASE_DIR}"
The expected output is similar to:
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
    Prerequisite                                                                           Result
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml       true
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*                 true
    Client cloudctl CLI must meet the following regex: [a-zA-Z]* v3.(1[0-9]|[4-9]).[1-9]*  true
    Required prereqs result: OK
    Checking user permissions...
    Kubernetes RBAC Prerequisite  Verbs  Result  Reason
    *.*/                          *      true
    User permissions result: OK
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE install launch script with the following action context: installCatalog
    Executing inventory item install, action installCatalog : launch.sh
    -------------Installing catalog source-------------
    -------------Installing dependent catalog source: ibm-db2uoperator-------------
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
    Prerequisite                                                            Result
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*  true
    Required prereqs result: OK
    Checking user permissions...
    No user rules specified.
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE db2uOperatorSetup launch script with the following action context: installCatalog
    Executing inventory item db2uOperatorSetup, action installCatalog : launch.sh
    Checking arguments for install catalog action
    catalogsource.operators.coreos.com/ibm-db2uoperator-catalog created
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-db2uoperator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: IBM Db2U Catalog
      image: docker.io/ibmcom/ibm-db2uoperator-catalog@sha256:5347c6f194868eb7531bd15cf584dabb0dc82b8674409e8ffbbea2c5bc4bcafe
      imagePullPolicy: Always
      publisher: IBM
      sourceType: grpc
      updateStrategy:
        registryPoll:
          interval: 45m
    ibm-db2uoperator-catalog
    {"connectionState":{"address":"ibm-db2uoperator-catalog.openshift-marketplace.svc:50051","lastConnect":"2021-12-01T10:17:01Z","lastObservedState":"CONNECTING"},"registryService":{"createdAt":"2021-12-01T10:16:59Z","port":"50051","protocol":"grpc","serviceName":"ibm-db2uoperator-catalog","serviceNamespace":"openshift-marketplace"}}
    {"connectionState":{"address":"ibm-db2uoperator-catalog.openshift-marketplace.svc:50051","lastConnect":"2021-12-01T10:17:18Z","lastObservedState":"READY"},"registryService":{"createdAt":"2021-12-01T10:16:59Z","port":"50051","protocol":"grpc","serviceName":"ibm-db2uoperator-catalog","serviceNamespace":"openshift-marketplace"}}
    [✓] CASE launch script completed successfully
    OK
    -------------Installing dependent catalog source: ibm-cloud-databases-redis-------------
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
    Prerequisite                                                                      Result
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml  true
    openshift Kubernetes version must be >=1.14.6                                     true
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*            true
    Required prereqs result: OK
    Checking user permissions...
    No user rules specified.
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE redisOperator launch script with the following action context: installCatalog
    Executing inventory item redisOperator, action installCatalog : launch.sh
    Checking arguments for install catalog action
    -------------Installing catalog source-------------
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-cloud-databases-redis-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-cloud-databases-redis-operator-catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-cloud-databases-redis-catalog@sha256:bb65ca87c987b040b0a8cea4cf44af9bf1a0110442f249529032dd580cc29b36
      updateStrategy:
        registryPoll:
          interval: 45m
    catalogsource.operators.coreos.com/ibm-cloud-databases-redis-operator-catalog created
    done
    [✓] CASE launch script completed successfully
    OK
    -------------Installing dependent catalog source: mongodbOperator-------------
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
    Prerequisite                                                                      Result
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml  true
    openshift Kubernetes version must be >=1.14.6                                     true
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*            true
    Required prereqs result: OK
    Checking user permissions...
    No user rules specified.
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE mongodbOperator launch script with the following action context: installCatalog
    Executing inventory item mongodbOperator, action installCatalog : launch.sh
    No Actions required for this CASE
    [✓] CASE launch script completed successfully
    OK
    -------------Installing dependent catalog source: guardiumInsightsOperator-------------
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    [✓] Found the specified launch inventory item, action, and script for the CASE
    Attempting to check the cluster and machine for required prerequisites for launching the item
    Checking for required prereqs...
    Prerequisite                                                                      Result
    Kubernetes node resource must match a set of expressions defined in prereqs.yaml  true
    openshift Kubernetes version must be >=1.14.6                                     true
    Client oc CLI must meet the following regex: [a-zA-Z]* 4.[3-9]*.[0-9]*            true
    Required prereqs result: OK
    Checking user permissions...
    No user rules specified.
    [✓] Cluster and Client Prerequisites have been met for the CASE
    Running the CASE guardiumInsightsOperator launch script with the following action context: installCatalog
    Executing inventory item guardiumInsightsOperator, action installCatalog : launch.sh
    No Actions required for this CASE
    [✓] CASE launch script completed successfully
    OK
    done
    [✓] CASE launch script completed successfully
    OK
- Run the following command.
    oc get pod -n openshift-marketplace
The expected output is similar to:
    NAME                                                             READY   STATUS      RESTARTS   AGE
    3d79bc1fdd5b502dd48a21a7bde619cf1ab0fb24c2ba37b78c9db5e41dg7p74  0/1     Completed   0          58m
    432bf90a0a2ae4daeff1a8d8ad57ae936b47a6cd0b71a8dc1127c454casfd8j  0/1     Completed   0          57m
    5079f0b764665fdecef84a6f50c13c55710e81531ddacdbac8faa0b248779sf  0/1     Completed   0          57m
    602e82c9094e8c088d892ad6cf734efa67fa7a2fbb7404a9c1e996bfe247b47  0/1     Completed   0          55m
    67f545ebc1376cc60c655f177193079eb4920e08de78e9bb203fbd909e2v9p9  0/1     Completed   0          57m
    9692f8fbb670c2be83f95c021ca853588c2e4782515fa272d22969327amv2pl  0/1     Completed   0          59m
    acd7307aefe424b9030adbbd46641b0dbee3809e0cbc93604382e8db87m495s  0/1     Completed   0          57m
    acde7109b852622a0ba3377ccaa17fb33f852e65eb9f41dfbbd58a243af59ks  0/1     Completed   0          3h1m
    ad4622529533b14b1f7f21c19f3289861c17cad62c7a116f82596321fa4sp7w  0/1     Completed   0          57m
    b10d3e3c379419f2b9dabf78bc64372a00af14efabc9e87218b7f0e3d9x7vt6  0/1     Completed   0          57m
    bc7521b428f293bfff65fe56d17fba5d849836d1915f8666271cf153ecrrl45  0/1     Completed   0          57m
    certified-operators-glvts                                        1/1     Running     0          6h16m
    community-operators-2g87n                                        1/1     Running     0          13h
    dea584dca6d9d0ae177887936345eb3a316f48a0f3bc04489bfb1a87155z4js  0/1     Completed   0          57m
    e04d42e5f1898a59ea3103b040095971020047bff23e3aa45ede0c420btpbcc  0/1     Completed   0          57m
    e5f0e904e92c2e7522f80c968aea047e84ae922b5f443410fc1c550e9fd66hr  0/1     Completed   0          59m
    e6853075795a3dcc7b72f48fea5eb37cf7e7edeca72df4002aa34fcf60gqwrc  0/1     Completed   0          57m
    e6ccece3fa4ce0d95ed677dcfafc8973c0c0f1a00b6214e850fe9e7befgf9fp  0/1     Completed   0          57m
    ec4e1bf3195e6d7402e02aacd7dd07531cb69183d7dad5bd0d9bf3ff53j5lgz  0/1     Completed   0          57m
    ibm-cloud-databases-redis-operator-catalog-qbv5d                 1/1     Running     0          74s
    ibm-db2uoperator-catalog-4gf4k                                   1/1     Running     0          2m8s
    marketplace-operator-74d56ff548-nm7fl                            1/1     Running     0          28h
    opencloud-operators-wn542                                        1/1     Running     0          64m
    redhat-marketplace-779fk                                         1/1     Running     0          28h
    redhat-operators-q65mz                                           1/1     Running     0          19h
- Install the operators.
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory install \
      --action install-operator \
      --namespace ${NAMESPACE} \
      --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
The expected output is similar to:
    Welcome to the CASE launcher
    Attempting to retrieve and extract the CASE from the specified location
    [✓] CASE has been retrieved and extracted
    Attempting to validate the CASE
    Skipping CASE validation...
    Attempting to locate the launch inventory item, script, and action in the specified CASE
    …………...
    deployment.apps/guardiuminsights-controller-manager created
    [✓] CASE launch script completed successfully
    OK
    [✓] CASE launch script completed successfully
    OK
- Issue the following command.
    oc get pods
The expected output is similar to:
    NAME                                                  READY   STATUS    RESTARTS   AGE
    guardiuminsights-controller-manager-55774fbfdb-bhd8n  1/1     Running   0          65s
    ibm-cloud-databases-redis-operator-776b974f5f-hctf6   1/1     Running   0          2m50s
    mongodb-kubernetes-operator-758c495c44-mtqzf          1/1     Running   0          2m11s
- Create a <filename>.yaml file by using the following example. Replace the host name, domain name, and class for your current environment. For the storageClassName, use the RWX/FileSystem storageClassName.
    apiVersion: gi.ds.isc.ibm.com/v1
    kind: GuardiumInsights
    metadata:
      #name: This must be 10 or less characters
      name: staging
      #Provide the name of the namespace in which you want to install the CR.
      namespace: staging
    spec:
      version: 3.4.0
      license:
        accept: true
        licenseType: "L-YRPR-ZV3BA6"
      connections:
        insightsEnv:
          FEATURE_STAP_STREAMING: "false"
      guardiumInsightsGlobal:
        backupsupport:
          enabled: true
          name: <GI_Backup_PVC>
          storageClassName: ocs-storagecluster-cephfs
          size: 500Gi
        size: values-small
        image:
          insightsPullSecret: ibm-entitlement-key
          repository: cp.icr.io/cp/ibm-guardium-insights
        insights:
          ingress:
            hostName: staging.apps.sysgcp.ibmguardiuminsights.com
            domainName: apps.sysgcp.ibmguardiuminsights.com
          ics:
            namespace: ibm-common-services
            registry: common-service
        #storageClassName: Must be a ReadWriteMany StorageClass
        storageClassName: ocs-storagecluster-cephfs
        #storageClassNameRWO: Must be a ReadWriteOnce StorageClass
        storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
      dependency-db2:
        image:
          insightsPullSecret: ibm-entitlement-key
        db2:
          size: 2
          resources:
            requests:
              cpu: "6"
              memory: "28Gi"
            limits:
              cpu: "6"
              memory: "28Gi"
          storage:
          - name: meta
            spec:
              storageClassName: "ocs-storagecluster-cephfs"
              accessModes:
              - ReadWriteMany
              resources:
                requests:
                  storage: "1000Gi"
            type: create
          - name: data
            spec:
              storageClassName: "ocs-storagecluster-cephfs"
              accessModes:
              - ReadWriteOnce
              resources:
                requests:
                  storage: "4000Gi"
            type: template
          mln:
            distribution: 0:0
            total: 2
      dependency-kafka:
        kafka:
          storage:
            type: persistent-claim
            size: 250Gi
            class: "ocs-storagecluster-ceph-rbd"
        zookeeper:
          storage:
            type: persistent-claim
            size: 20Gi
            class: "ocs-storagecluster-ceph-rbd"
      mini-snif:
        persistentVolumesClaims:
          mini-snif-shared:
            storageClassName: "ocs-storagecluster-cephfs"
      universal-connector-manager:
        persistentVolumesClaims:
          universal-connector-manager-shared:
            storageClassName: "ocs-storagecluster-cephfs"
      settings-datasources:
        persistentVolumesClaims:
          settings-datasources:
            storageClassName: "ocs-storagecluster-cephfs"
      ticketing:
        persistentVolumesClaims:
          ticketing-keystore:
            storageClassName: "ocs-storagecluster-cephfs"
- Apply the YAML file.
    oc apply -f <filename>.yaml
- To monitor the Guardium® Insights CR, run the following command.
    oc get guardiuminsights -w
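
A preflight for the variables this procedure exports, as an added example (not IBM's or the ibm-pak project's code): it reads ICS_PASS and CP_REPO_PASS without echoing them, so they stay out of shell history, and rejects placeholder or malformed values before any `oc ibm-pak launch` step runs. CR_NAME and all function names are hypothetical; CR_NAME stands for the metadata.name in the CR file.

```shell
#!/bin/sh
# Added example, not IBM code. CR_NAME and every function name below are
# hypothetical; the other variables are the ones this procedure exports.

# Lowercase alphanumerics and '-', no leading/trailing '-', at most $2 chars.
# Kubernetes requires this form for namespaces; applying it to the CR name is
# a conservative assumption on top of the 10-character limit in the CR example.
valid_label() {
  [ -n "$1" ] && [ "${#1}" -le "$2" ] || return 1
  case $1 in
    -*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
}

# True when a value is empty or still an <angle-bracket> placeholder.
is_placeholder() {
  case $1 in
    ""|"<"*">") return 0 ;;
  esac
  return 1
}

# Prompt for a secret without echo and export it under the given name,
# so the value is never typed on a command line: read_secret CP_REPO_PASS
read_secret() {
  printf '%s: ' "$1" >&2
  if [ -t 0 ]; then stty -echo; fi
  IFS= read -r _secret
  if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
  export "$1=$_secret"
  unset _secret
}

# Record one problem on stderr and count it.
_fail() {
  echo "preflight: $*" >&2
  PREFLIGHT_PROBLEMS=$((PREFLIGHT_PROBLEMS + 1))
}

# Report every problem on stderr; succeed only when there are none.
preflight() {
  PREFLIGHT_PROBLEMS=0
  valid_label "${NAMESPACE:-}" 63 || _fail "NAMESPACE is not a valid namespace name"
  valid_label "${CR_NAME:-}" 10 || _fail "CR name must be 1-10 chars of [a-z0-9-]"
  case ${CASE_VERSION:-} in
    ""|*[!0-9.]*|.*|*.|*..*) _fail "CASE_VERSION should look like 2.2.9" ;;
  esac
  for _v in ICS_USER ICS_PASS CP_REPO_USER CP_REPO_PASS; do
    eval "_val=\${$_v:-}"
    if is_placeholder "$_val"; then _fail "$_v is empty or a placeholder"; fi
  done
  unset _v _val
  [ "$PREFLIGHT_PROBLEMS" -eq 0 ]
}
```

Source the file, run `read_secret ICS_PASS` and `read_secret CP_REPO_PASS` in place of the two password exports, and gate each launch step on `preflight`.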