Installing Guardium Insights operator and related components

Procedure

  1. Obtain the CASE bundle.
    1. Your cp.icr.io login credentials are CP_REPO_USER="cp" and CP_REPO_PASS=<your entitlement key>. The entitlement key is available at https://myibm.ibm.com/products-services/containerlibrary.
    2. Set the following environment variables.
      export CP_REPO_USER=<Your Username to cp.icr.io>
      export CP_REPO_PASS=<Your Password / Entitlement Key to cp.icr.io>
      export NAMESPACE=<your chosen namespace>
    3. Create the following environment variables with the installer image name and the version.
      For example, to use version 3.4.0, specify the 2.4.0 bundle file.
      export CASE_NAME=ibm-guardium-insights
      export CASE_VERSION=2.4.0
      export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
      Important: If you do not specify the CASE version, the latest CASE is downloaded.
    4. Save the CASE bundle locally.
      oc ibm-pak get $CASE_NAME \
      --version $CASE_VERSION \
      --skip-verify
      
      Important: If you encounter the following error, you may experience a temporary communication problem with the remote repository. Wait a few minutes and try again.
      No Case registries found for case ibm-cert-manager->=1.3.0 <1.3.1.tgz with the given repository URL information
      FAILED
  2. Install the Guardium® Insights operator and related components.
    1. Switch to the namespace in which you installed IBM® Common Services in the previous step, and set the current context to it with this command.
      kubectl config set-context --current --namespace=${NAMESPACE}
      For example, the namespace can be staging.
    2. Set the inventory setup.
      export GI_INVENTORY_SETUP=install
    3. To disable prerequisite checks, run the following command.
      export IBMPAK_LAUNCH_SKIP_PREREQ_CHECK=true
    4. Label the Db2 nodes by running the pre-install command.
      oc ibm-pak launch $CASE_NAME \
         --version $CASE_VERSION \
         --inventory $GI_INVENTORY_SETUP \
         --action pre-install \
         --namespace $NAMESPACE \
         --args "-n ${NAMESPACE} -h <DB worker host> -l <true/false> -e true"

      The parameters that are used in this script are described in Online manual installation of Guardium Insights.

      1. Obtain the running nodes.
        NODES=$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}')
        NODES=$(echo $NODES | tr ' ' ',')
        echo $NODES
      2. Export the node information.

        Version 3.4.x

        export CASE_NAME=ibm-guardium-insights
        export CASE_VERSION=2.4.0
        export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
        export NAMESPACE=openshift-marketplace
        export GI_INVENTORY_SETUP=install
        export IBMPAK_LAUNCH_SKIP_PREREQ_CHECK=true
        kubectl config set-context --current --namespace=${NAMESPACE}

        Version 3.5.x and later

        export CASE_NAME=ibm-guardium-insights
        export CASE_VERSION=2.5.0
        export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
        export NAMESPACE=<your namespace>
        export GI_INVENTORY_SETUP=install
        export IBMPAK_LAUNCH_SKIP_PREREQ_CHECK=true
        kubectl config set-context --current --namespace=${NAMESPACE}
      3. Use the node information in the following command.
        oc ibm-pak launch $CASE_NAME \
           --version $CASE_VERSION \
           --inventory $GI_INVENTORY_SETUP \
           --action pre-install \
           --namespace $NAMESPACE \
           --args "-n ${NAMESPACE} -h ${NODES} -t false -l true -e true"
      4. To confirm successful labeling, run the following command.
        oc get nodes --no-headers -o custom-columns=":metadata.name" | xargs -I {} sh -c 'oc describe node {} | grep db2 | grep -v $NAMESPACE'

        You receive icp4data=database-db2wh in response.

  3. Install the catalogs.
    1. Run the following command.

      Version 3.4.x

      oc ibm-pak launch $CASE_NAME \
         --version $CASE_VERSION \
         --inventory $GI_INVENTORY_SETUP \
         --action install-catalog \
         --namespace $NAMESPACE \
         --args "--inputDir ${LOCAL_CASE_DIR}"

      Version 3.5.x and later

      oc ibm-pak launch $CASE_NAME \
         --version $CASE_VERSION \
         --inventory $GI_INVENTORY_SETUP \
         --action install-catalog \
         --namespace openshift-marketplace \
         --args "--inputDir ${LOCAL_CASE_DIR}"
    2. Verify that the catalogs are installed.

      Version 3.4.x

      oc get catsrc
      NAME                                         DISPLAY                                   TYPE   PUBLISHER   AGE
      certified-operators                          Certified Operators                       grpc   Red Hat     29h
      community-operators                          Community Operators                       grpc   Red Hat     29h
      ibm-cloud-databases-redis-operator-catalog   ibm-cloud-databases-redis-1.6.5           grpc   IBM         29h
      ibm-db2uoperator-catalog                     ibm-db2uoperator-5.1.4                    grpc   IBM         29h
      ibm-guardium-insights-operator-catalog       ibm-guardium-insights-2.4.0-linux-amd64   grpc   IBM         29h
      opencloud-operators                          IBMCS Operators                           grpc   IBM         29h
      redhat-marketplace                           Red Hat Marketplace                       grpc   Red Hat     29h
      redhat-operators                             Red Hat Operators                         grpc   Red Hat     29h

      Version 3.5.x and later

      oc get catsrc -n openshift-marketplace
      NAME                                         DISPLAY                                   TYPE   PUBLISHER   AGE
      certified-operators                          Certified Operators                       grpc   Red Hat     29h
      community-operators                          Community Operators                       grpc   Red Hat     29h
      ibm-cloud-databases-redis-operator-catalog   ibm-cloud-databases-redis-1.6.5           grpc   IBM         29h
      ibm-db2uoperator-catalog                     ibm-db2uoperator-5.1.4                    grpc   IBM         29h
      ibm-guardium-insights-operator-catalog       ibm-guardium-insights-2.4.0-linux-amd64   grpc   IBM         29h
      opencloud-operators                          IBMCS Operators                           grpc   IBM         29h
      redhat-marketplace                           Red Hat Marketplace                       grpc   Red Hat     29h
      redhat-operators                             Red Hat Operators                         grpc   Red Hat     29h
    3. Version 3.4.x: If the CatalogSource (catsrc) is installed in the openshift-marketplace namespace, skip this step. If it is installed in the openshift-marketplace namespace, you may need to change the catsrc namespace.
      The following example uses a staging namespace. You can change this value as needed.
      Use the following commands to change the namespace.
      oc get catsrc ibm-db2uoperator-catalog -n openshift-marketplace -o json | jq 'del(.metadata.resourceVersion, .metadata.annotations, .metadata.creationTimestamp, .metadata.generation, .metadata.uid, .status) | .metadata.namespace = "staging"' | oc apply -f -

      oc get catsrc ibm-redis-cp-operator-catalog -n openshift-marketplace -o json | jq 'del(.metadata.resourceVersion, .metadata.annotations, .metadata.creationTimestamp, .metadata.generation, .metadata.uid, .status) | .metadata.namespace = "staging"' | oc apply -f -

      Then delete all CatalogSource and Subscription objects that are not in openshift-marketplace.

      oc get catsrc --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' | grep -v -e "$NAMESPACE" -e cert-manager -e operatorhubio | awk '{print "oc delete catsrc "$2" -n "$1}' | sh
      The command does the following:
      1. List all CatalogSource objects across all namespaces.
      2. Filter out the objects that are in the openshift-marketplace namespace.
      3. Format the remaining objects into oc delete commands.
      4. Execute the delete commands.
  4. Install the operators.
    1. Run the following command.
      oc ibm-pak launch $CASE_NAME \
         --version $CASE_VERSION \
         --inventory $GI_INVENTORY_SETUP \
         --action install-operator \
         --namespace ${NAMESPACE} \
         --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
    2. Verify that the operators are installed.
      oc get sub
      The expected output is similar to:
      NAME                                              PACKAGE                              SOURCE                                       CHANNEL
      ibm-redis-cp-operator-catalog-subscription        ibm-cloud-databases-redis-operator   ibm-redis-cp-operator-catalog                v1.1
      ibm-db2uoperator-catalog-subscription             db2u-operator                        ibm-db2uoperator-catalog                     v110509.0
      ibm-guardium-insights-operator-subscription       ibm-guardium-insights-operator       ibm-guardium-insights-operator-catalog       v3.3
    3. Version 3.4.x: If the sourceNamespace of the Subscription is set to openshift-marketplace even though the Subscription itself is installed in the namespace that you want, change the sourceNamespace to match that namespace.
      The following example uses a staging namespace. You can change this value as needed.

      Run the following commands.

      oc get subscription ibm-db2uoperator-catalog-subscription -n openshift-marketplace -o json | jq 'del(.metadata.resourceVersion, .metadata.annotations, .metadata.creationTimestamp, .metadata.generation, .metadata.uid, .status) | .metadata.namespace = "staging" | .spec.sourceNamespace = "staging"' | oc apply -f -
      
      oc get subscription ibm-redis-cp-operator-catalog-subscription -n openshift-marketplace -o json | jq 'del(.metadata.resourceVersion, .metadata.annotations, .metadata.creationTimestamp, .metadata.generation, .metadata.uid, .status) | .metadata.namespace = "staging" | .spec.sourceNamespace = "staging"' | oc apply -f -

      Then delete the Subscription objects.

      oc get sub --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' | grep -v -e "$NAMESPACE" -e cert-manager -e operatorhubio | awk '{print "oc delete sub "$2" -n "$1}' | sh
    4. If the Guardium Insights image is not published yet, you encounter the following messages.
      Waiting for Successful State
      Waiting for Successful State
      Waiting for Successful State

      In this case, run oc get catsrc, and then delete the Guardium Insights operator by using the oc delete catsrc ibm-guardium-insights-operator-catalog command to continue the installation.

      oc get csv          
      NAME                                    DISPLAY                                                         VERSION      REPLACES                           PHASE
      db2u-operator.v110509.0.1               IBM Db2                                                         110509.0.1                                      Succeeded
      ibm-redis-cp.v1.1.9                     IBM Operator for Redis                                          1.1.9        ibm-cloud-databases-redis.v1.6.4   Succeeded
      ibm-guardium-insights-operator.v3.4.0   IBM Security Guardium Insights for IBM Cloud Pak for Security   3.4.0                                           Succeeded
      oc get pods
      Example output:
      NAME                                                  READY   STATUS    RESTARTS   AGE
      db2u-day2-ops-controller-manager-5488d5c844-vvhgt     1/1     Running   0          24h
      db2u-operator-manager-5fc886d4bc-wwcrv                1/1     Running   0          24h
      ibm-cloud-databases-redis-operator-6d668d7b88-z7fzh   1/1     Running   0          24h
      ibm-guardium-insights-operator-75d6c489fd-qfkss       1/1     Running   0          24h
      mongodb-kubernetes-operator-856bc86746-lfk69          1/1     Running   0          24h
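
The CatalogSource and Subscription cleanup commands in steps 3 and 4 pipe generated oc delete commands straight into sh. The following added example (not part of the IBM procedure) builds the same delete list for review first and compares the namespace column exactly; the function names plan_deletes and sample_list and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's script: plan the catsrc/sub cleanup for review.
# plan_deletes KIND KEEP_NS... reads "namespace name" lines on stdin and
# prints one "oc delete" per object whose namespace is not in the keep list.
plan_deletes() {
  kind=$1; shift
  case "$kind" in
    catsrc|sub) ;;
    *) echo "plan_deletes: KIND must be catsrc or sub" >&2; return 2 ;;
  esac
  [ "$#" -gt 0 ] || { echo "plan_deletes: keep list is empty" >&2; return 2; }
  for ns in "$@"; do
    # An unset $NAMESPACE must stop the run instead of changing the filter.
    [ -n "$ns" ] || { echo "plan_deletes: empty namespace given" >&2; return 2; }
  done
  awk -v kind="$kind" -v keep="$*" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) kept[k[i]] = 1 }
    # Accept only two-field lines made of DNS-style names; compare the
    # namespace field exactly, so a look-alike object name is not spared.
    NF == 2 && $1 ~ /^[a-z0-9.-]+$/ && $2 ~ /^[a-z0-9.-]+$/ && !($1 in kept) {
      print "oc delete " kind " " $2 " -n " $1
    }'
}

# Constructed sample of the jsonpath output ("namespace name" per line).
sample_list() {
  cat <<'EOF'
openshift-marketplace ibm-db2uoperator-catalog
staging ibm-db2uoperator-catalog
dev openshift-marketplace-mirror
cert-manager example-catalog
EOF
}

# Preview against the sample; for a live cluster, pipe the page's
# "oc get catsrc --all-namespaces -o jsonpath=..." output in instead and
# append "| sh" only after reading the plan.
sample_list | plan_deletes catsrc openshift-marketplace cert-manager operatorhubio
```

With the sample rows, the plan lists the staging and dev objects. A substring filter such as grep -v would have kept the dev row, because the object name contains the kept namespace string.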