Installing Guardium Insights
Procedure
- The default username to access the console is cpadmin. To retrieve the password, use these commands:
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $NAMESPACE | base64 -d | awk '{print $1}'
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $NAMESPACE | base64 -d | awk '{print $1}'
  The output that you receive, for example EwK9dj_example_password_lZSzVsA, is the password that is used for accessing the console. To change the default username (cpadmin) or password, see Changing the cluster administrator access credentials.
- Set these environment variables:
    export NAMESPACE=staging
    export ICS_USER=admin
    export ICS_PASS=<ics_password>
    export CP_REPO_USER=cp
    export CP_REPO_PASS=<entitlement_key>
  Where <ics_password> is the password that you retrieved to access the console and <entitlement_key> is the entitlement key, as described in Obtain your entitlement key.
- Create a namespace for the Guardium® Insights instance. This namespace must be 10 or fewer characters in length.
  - Version 3.3.x
    kubectl create namespace $NAMESPACE || true
    oc project $NAMESPACE
  - Version 3.4.x and later
    oc create namespace ${NAMESPACE}
    oc project ${NAMESPACE}
- Run the pre-install script. This script sets up secrets and parameters for the Guardium Insights instance.
  - Version 3.3.x
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace ${NAMESPACE} \
      --inventory install \
      --action pre-install \
      --tolerance 1 \
      --args "-n ${NAMESPACE} -h <DB_worker_host> -l true -t false"
  - Version 3.4
    export GI_INVENTORY_SETUP=install
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory $GI_INVENTORY_SETUP \
      --action pre-install \
      --namespace $NAMESPACE \
      --args "-n ${NAMESPACE} -h <DB_worker_host> -l true -q true -t false"
  - Version 3.4.1 and later
    export GI_INVENTORY_SETUP=install
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory $GI_INVENTORY_SETUP \
      --action pre-install \
      --namespace $NAMESPACE \
      --args "-n ${NAMESPACE} -h <DB_worker_host> -l true -t false"
  <DB_worker_host> is the worker node name on which you want to host Db2®.
- Install the catalog.
  - Version 3.3.x
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace openshift-marketplace \
      --inventory install \
      --action install-catalog \
      --args "--inputDir ${LOCAL_CASE_DIR}" \
      --tolerance 1
  - Version 3.4.x and later
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory $GI_INVENTORY_SETUP \
      --action install-catalog \
      --namespace openshift-marketplace \
      --args "--inputDir ${LOCAL_CASE_DIR}" \
      --tolerance 1
  To verify that the catalogs are installed, issue this command:
    oc get pod -n openshift-marketplace
  The output is similar to:
    NAME                                               READY   STATUS    RESTARTS   AGE
    ibm-cloud-databases-redis-operator-catalog-x2rr4   1/1     Running   0          41s
    ibm-db2uoperator-catalog-mzvd7                     1/1     Running   0          73s
    ibm-guardium-insights-operator-catalog-n8qkr       1/1     Running   0          16s
- Install the operator.
  - Version 3.3.x
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace ${NAMESPACE} \
      --inventory install \
      --action install-operator \
      --tolerance 1 \
      --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
  - Version 3.4.x and later
    oc ibm-pak launch $CASE_NAME --version $CASE_VERSION --inventory $GI_INVENTORY_SETUP --action install-operator --namespace $NAMESPACE --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR} --tolerance 1"
  To verify that the operators are installed, issue this command:
  - Version 3.3.x
    oc get pods
  - Version 3.4.x and later
    oc get pods -n staging
  The output is similar to:
    NAME                                                  READY   STATUS    RESTARTS   AGE
    db2u-day2-ops-controller-manager-5488d5c844-8z568     1/1     Running   0          2m59s
    db2u-operator-manager-5fc886d4bc-mvg98                1/1     Running   0          2m59s
    ibm-cloud-databases-redis-operator-6d668d7b88-p69hm   1/1     Running   0          74s
    mongodb-kubernetes-operator-856bc86746-8vsrg          1/1     Running   0          49s
- Issue this command:
    oc get storageclass
  The output is similar to:
    NAME                          PROVISIONER                             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
    managed-premium (default)     kubernetes.io/azure-disk                Delete          WaitForFirstConsumer   true                   2d13h
    ocs-storagecluster-ceph-rbd   openshift-storage.rbd.csi.ceph.com      Delete          Immediate              true                   2d11h
    ocs-storagecluster-cephfs     openshift-storage.cephfs.csi.ceph.com   Delete          Immediate              true                   2d11h
    openshift-storage.noobaa.io   openshift-storage.noobaa.io/obc         Delete          Immediate              false                  2d11h
- Create a file.yaml file similar to this:
    apiVersion: gi.ds.isc.ibm.com/v1
    kind: GuardiumInsights
    metadata:
      #name: This must be 10 or less characters
      name: staging
      #Provide the name of the namespace in which you want to install the CR.
      namespace: staging
    spec:
      version: 3.4.0
      license:
        accept: true
        licenseType: "L-YRPR-ZV3BA6"
      connections:
        insightsEnv:
          FEATURE_STAP_STREAMING: "false"
      guardiumInsightsGlobal:
        backupsupport:
          enabled: true
          name: <GI_Backup_PVC>
          storageClassName: managed-nfs-storage
          size: 500Gi
        dev: "false"
        licenseAccept: true
        # Guardium Insights template size can be defined as below using the size parameter
        size: values-small
        image:
          insightsPullSecret: ibm-entitlement-key
          repository: cp.icr.io/cp/ibm-guardium-insights
        insights:
          ingress:
            #hostName: Change this, ex: staging.apps.gi-devops-ocp46-41.cp.fyre.ibm.com
            hostName: <host_name>
            #domainName: Change this
            domainName: <domain_name>
          ics:
            namespace: ibm-common-services
            registry: common-service
        #storageClassName: Change this to a ReadWriteMany StorageClass
        storageClassName: "ocs-storagecluster-cephfs"
        #storageClassNameRWO: Must be a ReadWriteOnce StorageClass
        storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
      dependency-db2:
        image:
          insightsPullSecret: "ibm-entitlement-key"
        db2:
          size: 2
          resources:
            requests:
              cpu: "6"
              memory: "48Gi"
            limits:
              cpu: "6"
              memory: "48Gi"
          storage:
          - name: meta
            spec:
              storageClassName: "ocs-storagecluster-cephfs"
              accessModes:
              - ReadWriteMany
              resources:
                requests:
                  storage: "1000Gi"
            type: create
          - name: data
            spec:
              storageClassName: "ocs-storagecluster-ceph-rbd"
              accessModes:
              - ReadWriteOnce
              resources:
                requests:
                  storage: "4000Gi"
            type: template
          mln:
            distribution: 0:0
            total: 2
      dependency-kafka:
        kafka:
          storage:
            type: persistent-claim
            size: 250Gi
            class: "ocs-storagecluster-ceph-rbd"
        zookeeper:
          storage:
            type: persistent-claim
            size: 20Gi
            class: "ocs-storagecluster-ceph-rbd"
      mini-snif:
        persistentVolumesClaims:
          mini-snif-shared:
            storageClassName: "ocs-storagecluster-cephfs"
      universal-connector-manager:
        persistentVolumesClaims:
          universal-connector-manager-shared:
            storageClassName: "ocs-storagecluster-cephfs"
      settings-datasources:
        persistentVolumesClaims:
          settings-datasources:
            storageClassName: "ocs-storagecluster-cephfs"
      ticketing:
        persistentVolumesClaims:
          ticketing-keystore:
            storageClassName: "ocs-storagecluster-cephfs"
      dependency-s3:
        storageClassName: ocs-storagecluster-ceph-rbd
      dependency-security:
        networkPolicy:
          egresses:
            egress-required-allow:
              egress:
              - to:
                - ipBlock:
                    cidr: 0.0.0.0/0
              - ports:
                - port: 5353
                  protocol: UDP
                - port: 5353
                  protocol: TCP
                - port: 53
                  protocol: UDP
                - port: 53
                  protocol: TCP
                - port: 443
                  protocol: UDP
                - port: 443
                  protocol: TCP
  In this file, replace <host_name> and <domain_name> with your environment's host and domain name.
- Apply the .yaml file:
    oc apply -f file.yaml
  The output is similar to:
    NAME      TYPE      STATUS   REASON        MESSAGE                 DESIRED_VERSION   INSTALLED_VERSION
    staging   Running   True     Reconciling   Starting to Reconcile   3.5.0
  Tip: The displayed versions in the output vary based on the Guardium Insights version that you want to install and the current version on your system.
- Wait for approximately one hour and then validate the Guardium Insights installation:
    oc get guardiuminsights
  The output is similar to:
    NAME        TYPE    STATUS   REASON     MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
    gi-sample   Ready   True     Complete   Completed Reconciliation   3.4.0             3.5.0
  Tip: The displayed versions in the output vary based on the Guardium Insights version that you want to install and the current version on your system.
  And issue this command to verify that the StorageClass has a Bound status:
    oc get pvc
  The output is similar to:
    NAME                                                     STATUS  VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                  AGE
    c-gi-sample-db2-meta                                     Bound   pvc-2f13e641-5aae-40a7-9b0d-95f4fc6a8143   1000Gi     RWX            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-db2-db2u-0                              Bound   pvc-443c804f-7f70-4693-b7ed-ba1013930b4a   4000Gi     RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-db2-db2u-1                              Bound   pvc-27e3d353-489a-43b6-8ae9-d500d9d91cf4   4000Gi     RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-redis-m-0                               Bound   pvc-2a803a06-5eae-412f-81b1-2767d8e36e85   20Gi       RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-redis-m-1                               Bound   pvc-ff0ca61c-1209-4d20-96fc-78887abad27d   20Gi       RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-redis-s-0                               Bound   pvc-b1ddb497-d13d-48e2-bba2-f5141def9484   20Gi       RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-redis-s-1                               Bound   pvc-688772f5-ebb9-4619-bf70-b5ee561ab158   20Gi       RWO            ocs-storagecluster-cephfs     31d
    data-gi-sample-kafka-0                                   Bound   pvc-32339849-adb6-4677-b1bf-998643b5c4d3   250Gi      RWO            ocs-storagecluster-ceph-rbd   31d
    data-gi-sample-kafka-1                                   Bound   pvc-0c479b89-4c62-4754-a5af-12c885afe553   250Gi      RWO            ocs-storagecluster-ceph-rbd   31d
    data-gi-sample-zookeeper-0                               Bound   pvc-e436f03b-fe40-4b79-81a3-fb6c76a7a953   20Gi       RWO            ocs-storagecluster-ceph-rbd   31d
    data-gi-sample-zookeeper-1                               Bound   pvc-8bb4ac61-332d-4500-948a-b1858f6cd555   20Gi       RWO            ocs-storagecluster-ceph-rbd   31d
    data-staging-kafka-0                                     Bound   pvc-56664beb-48c7-49fd-81b9-5557c4c1fbb7   250Gi      RWO            ocs-storagecluster-ceph-rbd   31d
    data-staging-kafka-1                                     Bound   pvc-dd36280e-364b-4c74-b225-0b72fc1e3af7   250Gi      RWO            ocs-storagecluster-ceph-rbd   31d
    data-staging-zookeeper-0                                 Bound   pvc-3b4edb7e-fad9-4ff9-849d-02ed38219329   20Gi       RWO            ocs-storagecluster-ceph-rbd   31d
    data-staging-zookeeper-1                                 Bound   pvc-9ccc3feb-1ae9-4a9d-a970-5d374c8ee2da   20Gi       RWO            ocs-storagecluster-ceph-rbd   31d
    data-volume-gi-sample-mongodb-0                          Bound   pvc-275b737f-a380-41e1-a232-3389599c2448   100Gi      RWO            ocs-storagecluster-cephfs     31d
    data-volume-gi-sample-mongodb-1                          Bound   pvc-dd8b7f46-8b9b-4099-b0bd-b1f55652b2c9   100Gi      RWO            ocs-storagecluster-cephfs     31d
    gi-sampledjm6enctbcion3yyrvfum9-mini-snif-shared         Bound   pvc-f9becd16-7158-41f9-b1f1-93308337d2b5   50Gi       RWX            ocs-storagecluster-cephfs     31d
    logs-volume-gi-sample-mongodb-0                          Bound   pvc-43d29f78-4559-44e2-8927-ab4895807aee   100Gi      RWO            ocs-storagecluster-cephfs     31d
    logs-volume-gi-sample-mongodb-1                          Bound   pvc-256617cc-ec37-4581-8145-f6bbe0b162c6   100Gi      RWO            ocs-storagecluster-cephfs     31d
    mini-snif-i-gi-sampledjm6enctbcion3yyrvfum9-mini-snif-0  Bound   pvc-37e9748f-2306-4abe-b273-2de4c988a326   50Gi       RWO            ocs-storagecluster-cephfs     31d
    settings-datasources                                     Bound   pvc-ec2b30a6-0e10-4931-84d2-59dba5799d10   50Mi       RWX            ocs-storagecluster-cephfs     31d
    ticketing-keystore                                       Bound   pvc-4ca2e152-3767-4956-90af-c1a15adde109   2Mi        RWX            ocs-storagecluster-cephfs     31d
    universal-connector-manager-shared                       Bound   pvc-a2016cf2-df8a-4a6a-9de9-bcce9cdb1704   50Gi       RWX            ocs-storagecluster-cephfs     31d
Finally, verify that you can log in to the Guardium Insights user interface.
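The following shell functions are an added example, not part of the IBM procedure or tooling: they check the inputs this procedure depends on (the 10-character namespace limit, credentials that are set and no longer documentation placeholders) and scan the `oc get pvc` and `oc get pods` output for anything that is not Bound or not Running. All function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight and post-install checks.
LC_ALL=C  # keep [a-z] ranges strictly ASCII

# The namespace must be 10 or fewer characters (this page) and a lowercase
# DNS label (Kubernetes naming rule).
check_namespace() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 10 ] || return 1
  case "$1" in
    -*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# A credential must be set and must not still be a <placeholder> from the docs.
check_credential() {
  case "$1" in
    ''|'<'*'>') return 1 ;;
  esac
  return 0
}

# Fails if NAMESPACE, ICS_PASS or CP_REPO_PASS would break the install steps.
preflight() {
  rc=0
  check_namespace "${NAMESPACE:-}" || { echo "NAMESPACE: need 1-10 chars of [a-z0-9-]" >&2; rc=1; }
  check_credential "${ICS_PASS:-}" || { echo "ICS_PASS: unset or placeholder" >&2; rc=1; }
  check_credential "${CP_REPO_PASS:-}" || { echo "CP_REPO_PASS: unset or placeholder" >&2; rc=1; }
  return "$rc"
}

# stdin: `oc get pvc` output. Prints every claim whose STATUS is not Bound.
unbound_pvcs() {
  awk 'NR > 1 && $2 != "Bound" { print $1 }'
}

# stdin: `oc get pods` output. Prints pods that are not Running with all
# containers ready (READY column n/n); Completed job pods are skipped.
unready_pods() {
  awk 'NR > 1 && $3 != "Completed" {
         split($2, r, "/")
         if ($3 != "Running" || r[1] != r[2]) print $1
       }'
}

# Constructed sample of `oc get pvc` output with one claim still Pending.
sample_pvc_output() {
  printf '%s\n' \
    'NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE' \
    'settings-datasources Bound pvc-example-1 50Mi RWX ocs-storagecluster-cephfs 31d' \
    'ticketing-keystore Pending ocs-storagecluster-cephfs 2m'
}
```

Run `preflight` after setting the environment variables, and pipe `oc get pvc -n "$NAMESPACE"` into `unbound_pvcs` once the installation reports Ready; empty output means every claim is Bound.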