Patching Guardium Insights to version 3.4.x
Apply a patch to upgrade to the next minor version in Guardium® Insights version 3.4.x.
About this task
In the following instructions, <current_version> refers to the version of Guardium Insights that is installed on your system, and <new_version> refers to the version of Guardium Insights that you are upgrading to.
Procedure
-
Download the catalog and operator from the CASE files to your local directory.
Specify the CASE_VERSION for the version of Guardium Insights you are deploying.
export ICS_USER=<ICS Admin User>
export ICS_PASS=<ICS PASS>
export NAMESPACE=<Namespace where GI is installed>
export CP_REPO_USER=cp
export CP_REPO_PASS=<cp key for ER>
export CASE_NAME=ibm-guardium-insights
export CASE_VERSION=<CASE_VERSION>
export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
oc ibm-pak get $CASE_NAME \
  --version $CASE_VERSION \
  --skip-verify
-
Log in to your Red Hat® OpenShift® cluster instance.
oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
For example,
oc login api.example.ibm.com:6443 -u kubeadmin -p xxxxx-xxxxx-xxxxx-xxxxx
-
Verify that Guardium Insights is reconciled to the previous version by running the following command.
oc get guardiuminsights
The following output example displays that the reconciliation is complete.
NAME      TYPE    STATUS   REASON     MESSAGE                    DESIRED_VERSION     INSTALLED_VERSION
staging   Ready   True     Complete   Completed Reconciliation   <current_version>   <current_version>
-
Determine the version of IBM Cloud Pak® foundational services that is installed on your system by running the following command.
oc get csv -n ibm-common-services | grep foundational
Note the <version_number> variable in the output.
ibm-common-service-operator.<version_number>   IBM Cloud Pak foundational services   <version_number>   ibm-common-service-operator.<version_number>   Succeeded
Guardium Insights requires IBM Cloud Pak foundational services Version 4.5.x (where x is the latest released version). If the version_number in the output is 4.5.x (where x is the latest released version), you can skip step 5.
-
Upgrade IBM® Common Services in the same namespace as your Guardium Insights installation.
-
Export the namespace where Guardium Insights is installed.
export NAMESPACE=<GI-NAMESPACE>
-
Set the environment variable for the --inventory parameter.
export ICS_INVENTORY_SETUP=ibmCommonServiceOperatorSetup
-
Install the IBM Common Services catalog.
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --action install-catalog \
  --inventory $ICS_INVENTORY_SETUP \
  --namespace ${NAMESPACE} \
  --args "--registry icr.io --recursive \
  --inputDir ${LOCAL_CASE_DIR}"
-
If you are using an OpenShift Data Foundation (ODF) storage class, run the preinstall script for the Guardium Insights version that you are on.
- Version 3.4
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --namespace ${NAMESPACE} \
  --inventory install \
  --action preInstall \
  --tolerance 1 \
  --args "-n ${NAMESPACE} -h <DB_worker_host> -l true -q true"
- Version 3.4.1 and later
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --namespace ${NAMESPACE} \
  --inventory install \
  --action preInstall \
  --tolerance 1 \
  --args "-n ${NAMESPACE} -h <DB_worker_host> -l true"
Important: When you run the preinstall script during a Guardium Insights patch, the Db2® worker node (<DB_worker_host>) must match the same set of nodes that were set during installation. If there is more than one, provide them in a comma-separated list.
-
Install the catalog.
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --namespace openshift-marketplace \
  --inventory install \
  --action install-catalog \
  --args "--inputDir ${LOCAL_CASE_DIR}" --tolerance 1
-
Install the operator.
oc ibm-pak launch $CASE_NAME \
  --version $CASE_VERSION \
  --namespace ${NAMESPACE} \
  --inventory install \
  --action install-operator \
  --tolerance 1 \
  --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
-
If you are using OpenShift Data Foundation (ODF) Version 4.14 as one of your storage classes, complete the following steps.
-
Add the following information to the Guardium Insights custom resource (CR) file.
spec:
  ssh-service:
    serviceAccount: insights-odf-ssh-service-sa
Important: When you run the preinstall script during a Guardium Insights patch, the Db2 worker node (<DB_worker_host>) must match the same set of nodes that were set during installation. If there is more than one, provide them in a comma-separated list.
-
Update the Guardium Insights version in the custom resource (CR) file by completing the following steps.
-
To edit the guardiuminsights CR file, run the following command.
oc edit guardiuminsights
-
Locate the Version value.
Version: <current_version>
-
Change the Version value to the new version.
Version: <new_version>
-
Save and exit the file.
When you exit the file, the following message is displayed.
guardiuminsights.gi.ds.isc.ibm.com/staging edited
-
To verify that your environment was upgraded, complete the following steps.
- Log in to check the version of Guardium Insights.
-
Verify the system reconciliation status by running the following command.
oc get guardiuminsights
When the upgrade is complete, the output is similar to the following example.
NAME      TYPE    STATUS   REASON     MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
staging   Ready   True     Complete   Completed Reconciliation   <new_version>     <new_version>
-
Verify that the pods are in a Running or Completed state by running the following command.
oc get pods
-
To remove an unused mount point from the Guardium Insights user interface services that might cause stability problems, use only one of the following methods.
-
To edit the deployment file, run the following command.
oc edit deployment <gi_installation_name>-insights
Locate and delete the following fields in the file, and then save the changes.
- mountPath: /node_app/src/static/insights_exports
  name: db2-scratch-mount
  subPath: scratch/insights-exports
-
To remap the extra mount to an unused location, run the following command.
oc get deployment -oyaml <gi install name>-insights | sed 's#/node_app/src/static/insights_exports#/tmp/ignore#g' | oc replace -f -
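The verification gates in this procedure (reconciliation status, the foundational services 4.5.x check, and pod state) can be scripted so that a patch run stops on an unexpected state instead of continuing. The following is an added example, not IBM's code: it parses the text output shown on this page, the function names are hypothetical, and the sample output, version strings and pod names are constructed.

```shell
#!/usr/bin/env bash
# Added example (not IBM code): gate checks that parse the oc output shown in
# this procedure. Function names are hypothetical; sample data is constructed.

# Step 3 / final verification: succeed only if every guardiuminsights row is
# Ready/True and DESIRED_VERSION and INSTALLED_VERSION (last two columns) = $1.
gi_reconciled() {
  awk -v want="$1" '
    BEGIN { want = want "" }   # force string compare, so 3.4 never equals 3.40
    NR > 1 && NF {
      rows++
      if ($2 != "Ready" || $3 != "True" || $(NF-1) != want || $NF != want) bad++
    }
    END { exit (rows > 0 && bad == 0) ? 0 : 1 }'   # no rows at all also fails
}

# Step 4: print the version from the CSV name column
# (ibm-common-service-operator.<version_number>), dropping a leading "v".
cpfs_version() {
  awk '$1 ~ /^ibm-common-service-operator\./ {
         v = $1; sub(/^ibm-common-service-operator\.v?/, "", v); print v; exit }'
}

# Step 5 may be skipped only when that version is 4.5.x.
cpfs_is_45x() {
  case "$(cpfs_version)" in 4.5.*) return 0 ;; *) return 1 ;; esac
}

# Pod check: print every pod whose STATUS is neither Running nor Completed.
pods_not_ready() {
  awk 'NR > 1 && $3 != "Running" && $3 != "Completed" { print $1 }'
}

# Constructed sample output: an upgrade that is still in progress.
SAMPLE_GI='NAME      TYPE    STATUS   REASON     MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
staging   Ready   True     Complete   Completed Reconciliation   3.4.1             3.4.0'
SAMPLE_CSV='ibm-common-service-operator.v4.5.0   IBM Cloud Pak foundational services   4.5.0   ibm-common-service-operator.v4.4.0   Succeeded'
SAMPLE_PODS='NAME                 READY   STATUS             RESTARTS   AGE
staging-insights-0   1/1     Running            0          5m
staging-job-1        0/1     Completed          0          9m
staging-worker-0     0/1     CrashLoopBackOff   4          3m'

# Live use: oc get guardiuminsights | gi_reconciled "<new_version>"
printf '%s\n' "$SAMPLE_GI" | gi_reconciled 3.4.1 || echo "not reconciled to 3.4.1"
printf '%s\n' "$SAMPLE_CSV" | cpfs_is_45x && echo "foundational services is 4.5.x"
printf '%s\n' "$SAMPLE_PODS" | pods_not_ready   # prints staging-worker-0
```

Each function reads command output on standard input, so the same checks can be run against saved output from a change record as well as against a live cluster.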
Should the pods be in a "Running" state or "Completed" state? Can we also get an output example for this?