Installing Guardium Insights

Procedure

  1. The default username to access the console is cpadmin. To retrieve the password, use these commands:
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $NAMESPACE | base64 -d | awk '{print $1}'
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $NAMESPACE | base64 -d | awk '{print $1}'

    The output that you receive, for example EwK9dj_example_password_lZSzVsA, is the password that is used for accessing the console. To change the default username (cpadmin) or password, see Changing the cluster administrator access credentials.

  2. Set these environment variables:
    
      export NAMESPACE=staging
      export ICS_USER=admin
      export ICS_PASS=<ics_password>
      export CP_REPO_USER=cp
      export CP_REPO_PASS=<entitlement_key>

    Where <ics_password> is the password that you retrieved to access the console and <entitlement_key> is the entitlement key, as described in Obtain your entitlement key.

  3. Create a namespace for the Guardium® Insights instance. This namespace must be 10 or fewer characters in length.
    • Version 3.3.x
      
        kubectl create namespace $NAMESPACE || true
        oc project $NAMESPACE
    • Version 3.4.x and later
      oc create namespace ${NAMESPACE}
      oc project ${NAMESPACE}
  4. Run the pre-install script. This script sets up secrets and parameters for the Guardium Insights instance.
    • Version 3.3.x
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --namespace ${NAMESPACE} \
        --inventory install     \
        --action pre-install    \
        --tolerance 1 \
        --args "-n ${NAMESPACE} -h <DB_worker_host> -l true -t false"
    • Version 3.4
      export GI_INVENTORY_SETUP=install
      oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory $GI_INVENTORY_SETUP \
      --action pre-install \
      --namespace $NAMESPACE \
      --args "-n ${NAMESPACE} -h <DB_worker_host> -l true -q true -t false"
    • Version 3.4.1 and later
      export GI_INVENTORY_SETUP=install
      oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory $GI_INVENTORY_SETUP \
      --action pre-install \
      --namespace $NAMESPACE \
      --args "-n ${NAMESPACE} -h <DB_worker_host> -l true -t false"
    <DB_worker_host> is the worker node name on which you want to host Db2®.
  5. Install the catalog.
    • Version 3.3.x
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --namespace openshift-marketplace \
        --inventory install \
        --action install-catalog \
        --args "--inputDir ${LOCAL_CASE_DIR}" \
        --tolerance 1
    • Version 3.4.x and later
      oc ibm-pak launch $CASE_NAME \
         --version $CASE_VERSION \
         --inventory $GI_INVENTORY_SETUP \
         --action install-catalog \
         --namespace openshift-marketplace \
         --args "--inputDir ${LOCAL_CASE_DIR}" \
         --tolerance 1
    To verify that the catalogs are installed, issue this command:
    oc get pod -n openshift-marketplace
    The output is similar to:
    NAME                                               READY   STATUS    RESTARTS   AGE
    ibm-cloud-databases-redis-operator-catalog-x2rr4   1/1     Running   0          41s
    ibm-db2uoperator-catalog-mzvd7                     1/1     Running   0          73s
    ibm-guardium-insights-operator-catalog-n8qkr       1/1     Running   0          16s
  6. Install the operator.
    • Version 3.3.x
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --namespace ${NAMESPACE} \
        --inventory install \
        --action install-operator \
        --tolerance 1 \
        --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
    • Version 3.4.x and later
      oc ibm-pak launch $CASE_NAME \
       --version $CASE_VERSION \
       --inventory $GI_INVENTORY_SETUP \
       --action install-operator \
       --namespace $NAMESPACE \
       --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR} --tolerance 1"
    To verify that the operators are installed, issue this command:
    • Version 3.3.x
      oc get pods
    • Version 3.4.x and later
      oc get pods -n staging
    The output is similar to:
    NAME                                                  READY   STATUS    RESTARTS   AGE
    db2u-day2-ops-controller-manager-5488d5c844-8z568     1/1     Running   0          2m59s
    db2u-operator-manager-5fc886d4bc-mvg98                1/1     Running   0          2m59s
    ibm-cloud-databases-redis-operator-6d668d7b88-p69hm   1/1     Running   0          74s
    mongodb-kubernetes-operator-856bc86746-8vsrg          1/1     Running   0          49s
  7. Issue this command to list the storage classes that are available in the cluster:
    oc get storageclass

    The output is similar to:

    NAME                          PROVISIONER                             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
    managed-premium (default)     kubernetes.io/azure-disk                Delete          WaitForFirstConsumer   true                   2d13h
    ocs-storagecluster-ceph-rbd   openshift-storage.rbd.csi.ceph.com      Delete          Immediate              true                   2d11h
    ocs-storagecluster-cephfs     openshift-storage.cephfs.csi.ceph.com   Delete          Immediate              true                   2d11h
    openshift-storage.noobaa.io   openshift-storage.noobaa.io/obc         Delete          Immediate              false                  2d11h
  8. Create a file.yaml file similar to this:
    apiVersion: gi.ds.isc.ibm.com/v1
    kind: GuardiumInsights
    metadata:
      #name: This must be 10 or less characters
      name: staging
      #Provide the name of the namespace in which you want to install the CR.
      namespace: staging
    spec:
      version: 3.4.0
      license:
        accept: true
        licenseType: "L-YRPR-ZV3BA6"
      connections:
        insightsEnv:
          FEATURE_STAP_STREAMING: "false"
      guardiumInsightsGlobal:
        backupsupport:
          enabled: true
          name: <GI_Backup_PVC>
          storageClassName: managed-nfs-storage
          size: 500Gi
        dev: "false"
        licenseAccept: true
        # Guardium Insights template size can be defined as below using the size parameter
        size: values-small
        image:
          insightsPullSecret: ibm-entitlement-key
          repository: cp.icr.io/cp/ibm-guardium-insights
        insights:
          ingress:
            #hostName: Change this, ex: staging.apps.gi-devops-ocp46-41.cp.fyre.ibm.com
            hostName: <host_name>
            #domainName:  Change this
            domainName: <domain_name>
          ics:
            namespace: ibm-common-services
            registry: common-service
        #storageClassName: Change this to a ReadWriteMany StorageClass
        storageClassName: "ocs-storagecluster-cephfs"
        #storageClassNameRWO: Must be a ReadWriteOnce StorageClass
        storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
      dependency-db2:
        image:
          insightsPullSecret: "ibm-entitlement-key"
        db2:
         size: 2
         resources:
           requests:
             cpu: "6"
             memory: "48Gi"
           limits:
             cpu: "6"
             memory: "48Gi"
         storage:
         - name: meta
           spec:
             storageClassName: "ocs-storagecluster-cephfs"
             accessModes:
             - ReadWriteMany
             resources:
               requests:
                 storage: "1000Gi"
           type: create
         - name: data
           spec:
             storageClassName: "ocs-storagecluster-ceph-rbd"
             accessModes:
             - ReadWriteOnce
             resources:
               requests:
                 storage: "4000Gi"
           type: template
         mln:
           distribution: 0:0
           total: 2
      dependency-kafka:
        kafka:
          storage:
            type: persistent-claim
            size: 250Gi
            class: "ocs-storagecluster-ceph-rbd"
        zookeeper:
          storage:
            type: persistent-claim
            size: 20Gi
            class: "ocs-storagecluster-ceph-rbd"
      mini-snif:
        persistentVolumesClaims:
          mini-snif-shared:
            storageClassName: "ocs-storagecluster-cephfs"
      universal-connector-manager:
        persistentVolumesClaims:
          universal-connector-manager-shared:
            storageClassName: "ocs-storagecluster-cephfs"
      settings-datasources:
        persistentVolumesClaims:
          settings-datasources:
            storageClassName: "ocs-storagecluster-cephfs"
      ticketing:
        persistentVolumesClaims:
          ticketing-keystore:
            storageClassName: "ocs-storagecluster-cephfs"
      dependency-s3:
        storageClassName: ocs-storagecluster-ceph-rbd
      dependency-security:
        networkPolicy:
          egresses:
            egress-required-allow:
              egress:
              - to:
                - ipBlock:
                    cidr: 0.0.0.0/0
              - ports:
                - port: 5353
                  protocol: UDP
                - port: 5353
                  protocol: TCP
                - port: 53
                  protocol: UDP
                - port: 53
                  protocol: TCP
                - port: 443
                  protocol: UDP
                - port: 443
                  protocol: TCP

    In this file, replace <host_name> and <domain_name> with your environment's host and domain name.

  9. Apply the .yaml file:
    oc apply -f file.yaml

    The output is similar to:

    NAME      TYPE      STATUS   REASON        MESSAGE                 DESIRED_VERSION   INSTALLED_VERSION
    staging   Running   True     Reconciling   Starting to Reconcile   3.5.0
    Tip: The displayed versions in the output vary based on the Guardium Insights version that you want to install and the current version on your system.
  10. Wait for approximately one hour and then validate the Guardium Insights installation:
    oc get guardiuminsights

    The output is similar to:

    NAME        TYPE    STATUS   REASON     MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
    gi-sample   Ready   True     Complete   Completed Reconciliation   3.4.0             3.5.0
    Tip: The displayed versions in the output vary based on the Guardium Insights version that you want to install and the current version on your system.

    Then issue this command to verify that the persistent volume claims (PVCs) on each StorageClass have a Bound status:

    oc get pvc

    The output is similar to:

    NAME                                                      STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                  AGE
    c-gi-sample-db2-meta                                      Bound    pvc-2f13e641-5aae-40a7-9b0d-95f4fc6a8143   1000Gi     RWX            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-db2-db2u-0                               Bound    pvc-443c804f-7f70-4693-b7ed-ba1013930b4a   4000Gi     RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-db2-db2u-1                               Bound    pvc-27e3d353-489a-43b6-8ae9-d500d9d91cf4   4000Gi     RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-redis-m-0                                Bound    pvc-2a803a06-5eae-412f-81b1-2767d8e36e85   20Gi       RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-redis-m-1                                Bound    pvc-ff0ca61c-1209-4d20-96fc-78887abad27d   20Gi       RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-redis-s-0                                Bound    pvc-b1ddb497-d13d-48e2-bba2-f5141def9484   20Gi       RWO            ocs-storagecluster-cephfs     31d
    data-c-gi-sample-redis-s-1                                Bound    pvc-688772f5-ebb9-4619-bf70-b5ee561ab158   20Gi       RWO            ocs-storagecluster-cephfs     31d
    data-gi-sample-kafka-0                                    Bound    pvc-32339849-adb6-4677-b1bf-998643b5c4d3   250Gi      RWO            ocs-storagecluster-ceph-rbd   31d
    data-gi-sample-kafka-1                                    Bound    pvc-0c479b89-4c62-4754-a5af-12c885afe553   250Gi      RWO            ocs-storagecluster-ceph-rbd   31d
    data-gi-sample-zookeeper-0                                Bound    pvc-e436f03b-fe40-4b79-81a3-fb6c76a7a953   20Gi       RWO            ocs-storagecluster-ceph-rbd   31d
    data-gi-sample-zookeeper-1                                Bound    pvc-8bb4ac61-332d-4500-948a-b1858f6cd555   20Gi       RWO            ocs-storagecluster-ceph-rbd   31d
    data-staging-kafka-0                                      Bound    pvc-56664beb-48c7-49fd-81b9-5557c4c1fbb7   250Gi      RWO            ocs-storagecluster-ceph-rbd   31d
    data-staging-kafka-1                                      Bound    pvc-dd36280e-364b-4c74-b225-0b72fc1e3af7   250Gi      RWO            ocs-storagecluster-ceph-rbd   31d
    data-staging-zookeeper-0                                  Bound    pvc-3b4edb7e-fad9-4ff9-849d-02ed38219329   20Gi       RWO            ocs-storagecluster-ceph-rbd   31d
    data-staging-zookeeper-1                                  Bound    pvc-9ccc3feb-1ae9-4a9d-a970-5d374c8ee2da   20Gi       RWO            ocs-storagecluster-ceph-rbd   31d
    data-volume-gi-sample-mongodb-0                           Bound    pvc-275b737f-a380-41e1-a232-3389599c2448   100Gi      RWO            ocs-storagecluster-cephfs     31d
    data-volume-gi-sample-mongodb-1                           Bound    pvc-dd8b7f46-8b9b-4099-b0bd-b1f55652b2c9   100Gi      RWO            ocs-storagecluster-cephfs     31d
    gi-sampledjm6enctbcion3yyrvfum9-mini-snif-shared          Bound    pvc-f9becd16-7158-41f9-b1f1-93308337d2b5   50Gi       RWX            ocs-storagecluster-cephfs     31d
    logs-volume-gi-sample-mongodb-0                           Bound    pvc-43d29f78-4559-44e2-8927-ab4895807aee   100Gi      RWO            ocs-storagecluster-cephfs     31d
    logs-volume-gi-sample-mongodb-1                           Bound    pvc-256617cc-ec37-4581-8145-f6bbe0b162c6   100Gi      RWO            ocs-storagecluster-cephfs     31d
    mini-snif-i-gi-sampledjm6enctbcion3yyrvfum9-mini-snif-0   Bound    pvc-37e9748f-2306-4abe-b273-2de4c988a326   50Gi       RWO            ocs-storagecluster-cephfs     31d
    settings-datasources                                      Bound    pvc-ec2b30a6-0e10-4931-84d2-59dba5799d10   50Mi       RWX            ocs-storagecluster-cephfs     31d
    ticketing-keystore                                        Bound    pvc-4ca2e152-3767-4956-90af-c1a15adde109   2Mi        RWX            ocs-storagecluster-cephfs     31d
    universal-connector-manager-shared                        Bound    pvc-a2016cf2-df8a-4a6a-9de9-bcce9cdb1704   50Gi       RWX            ocs-storagecluster-cephfs     31d

    Finally, verify that you can log in to the Guardium Insights user interface.
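
A pre-flight check for the file from step 8, meant to run before `oc apply` in step 9. This is an added example, not IBM's code: the function names (`name_ok`, `metadata_field`, `preflight_cr`, `sample_cr`) and the sample file are constructed for illustration.

```shell
# Added example (not IBM's code); function names are illustrative.
# name_ok NAME: true when NAME is 1-10 characters (limit from steps 3 and 8).
name_ok() { [ -n "$1" ] && [ "${#1}" -le 10 ]; }

# metadata_field FILE KEY: print KEY's value from the top-level metadata block.
metadata_field() {
  awk -v key="$2" '
    /^metadata:/ { in_meta = 1; next }
    /^[^ #]/     { in_meta = 0 }
    in_meta && $1 == (key ":") { gsub(/"/, "", $2); print $2; exit }
  ' "$1"
}

# preflight_cr FILE: print one line per finding; succeed only if there are none.
preflight_cr() (
  findings=0
  fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
  for key in name namespace; do
    value=$(metadata_field "$1" "$key")
    name_ok "$value" || fail "metadata.$key='$value' is not 1-10 characters"
  done
  # Curly quotes pasted from a rendered page become part of the YAML value.
  grep -q -e '“' -e '”' "$1" && fail "typographic quotes present; use plain double quotes"
  # Placeholders such as <host_name> that were never filled in.
  grep -qE ':[[:space:]]*<[A-Za-z_ ]+>[[:space:]]*$' "$1" && fail "unreplaced <placeholder> value present"
  [ "$findings" -eq 0 ]
)

# Constructed sample with three defects: long name, placeholder, curly quotes.
sample_cr() {
  cat <<'EOF'
metadata:
  #name: This must be 10 or less characters
  name: staging-guardium
  namespace: staging
spec:
  guardiumInsightsGlobal:
    insights:
      ingress:
        hostName: <host_name>
    storageClassName: “ocs-storagecluster-cephfs”
EOF
}
```

Run `preflight_cr file.yaml` and continue to step 9 only when it exits 0.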