Creating a Guardium Insights instance by using a custom resource (CR)

Guardium Insights simplifies your organization's data security architecture and enables access to long-term data security and compliance data. It provides security teams with risk-based views and alerts, along with advanced analytics based on proprietary machine learning technology to uncover hidden threats. Guardium Insights gives security professionals the ability to quickly create data security and audit reports, monitor activity in on-premises and DBaaS sources, and act from a central location.

Before you begin

Before you proceed with the installation, complete the following steps:

  1. Verify that your environment meets the System requirements and prerequisites and Hardware cluster requirements.
  2. Prepare for installation.
  3. Log in to the OpenShift® command-line interface.

Procedure

  1. Create a YAML file that uses the indentation from one of the following examples.
    Version 3.3.x
    apiVersion: gi.ds.isc.ibm.com/v1
    kind: GuardiumInsights
    metadata:
      #name: This must be 10 or less characters
      name: staging
      namespace: staging
    spec:
      ssh-service:
        serviceAnnotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: "false"
      version: 3.4.0
      license:
        accept: true
        licenseType: L-YRPR-ZV3BA6
      guardiumInsightsGlobal:
        image:
          insightsPullSecret: ibm-entitlement-key
          repository: cp.icr.io/cp/ibm-guardium-insights
        backupsupport:
          enabled: "false"
        licenseAccept: true
        # Guardium Insights template size can be defined as below using the size parameter
        size: values-small
        insights:
          ingress:
            hostName: staging.apps.<cluster_name>.guardium-insights.com
            #domainName:  Change this
            domainName: apps.<cluster_name>.guardium-insights.com
          ics:
            #Namespace of where IBM Common Services is running
            namespace: ibm-common-services
        #storageClassName: This must be a ReadWriteMany StorageClass
        storageClassName: rook-cephfs
        #storageClassNameRWO: Must be a ReadWriteOnce StorageClass
        storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
    
    Version 3.4.x and later
    Note: Use the same namespace as your Guardium Insights project. This example uses staging as the namespace.
    
    apiVersion: gi.ds.isc.ibm.com/v1
    kind: GuardiumInsights
    metadata:
      #name: This must be 10 or less characters
      name: staging
      namespace: staging
    spec:
      ssh-service:
        serviceAnnotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: "false"
      version: 3.4.0
      license:
        accept: true
        licenseType: L-YRPR-ZV3BA6
      guardiumInsightsGlobal:
        image:
          insightsPullSecret: ibm-entitlement-key
          repository: cp.icr.io/cp/ibm-guardium-insights
        backupsupport:
          enabled: "false"
        licenseAccept: true
        # Guardium Insights template size can be defined as below using the size parameter
        size: values-small
        insights:
          ingress:
            hostName: staging.apps.<cluster_name>.guardium-insights.com
            #domainName:  Change this
            domainName: apps.<cluster_name>.guardium-insights.com
          ics:
            namespace: staging
            registry: common-service
        #storageClassName: Change this to a ReadWriteMany StorageClass!!!
        storageClassName: efs-test-sc
        storageClassNameRWO: gp3-csi
      dependency-db2:
        image:
          insightsPullSecret: ibm-entitlement-key
        db2instance:
          installAsDefault: true
          dbConfig:
            LOGARCHMETH1: "DISK:/mnt/logs/archive"
          db2Settings:
            encrypt: "YES"
          nodes: 2
          resources:
            requests:
              cpu: "6"
              memory: "48Gi"
            limits:
              cpu: "6"
              memory: "48Gi"
          storage:
          - name: meta
            spec:
              storageClassName: "efs-test-sc"
              accessModes:
              - ReadWriteMany
              resources:
                requests:
                  storage: "1000Gi"
            type: create
          - name: data
            spec:
              storageClassName: "gp3-csi-fast"
              accessModes:
              - ReadWriteOnce
              resources:
                requests:
                  storage: "4000Gi"
            type: template
          - name: archivelogs
            spec:
              storageClassName: "efs-test-sc"
              accessModes:
              - ReadWriteMany
              resources:
                requests:
                  storage: 2000Gi
            type: create
          - name: tempts
            spec:
              storageClassName: "gp3-csi-fast"
              accessModes:
              - ReadWriteOnce
              resources:
                requests:
                  storage: 1000Gi
            type: template
          partitionConfig:
            total: 2
          instance:
            registry:
              DB2_4K_DEVICE_SUPPORT: "ON"
      dependency-kafka:
        kafka:
          storage:
            type: persistent-claim
            size: 250Gi
            class: "gp3-csi"
        zookeeper:
          storage:
            type: persistent-claim
            size: 20Gi
            class: "gp3-csi"
      mini-snif:
        persistentVolumesClaims:
          mini-snif-shared:
            storageClassName: "efs-test-sc"
      universal-connector-manager:
        persistentVolumesClaims:
          universal-connector-manager-shared:
            storageClassName: "efs-test-sc"
      settings-datasources:
        persistentVolumesClaims:
          settings-datasources:
            storageClassName: "efs-test-sc"
      ticketing:
        persistentVolumesClaims:
          ticketing-keystore:
            storageClassName: "efs-test-sc"
      dependency-mongodb:
        storage:
        - metadata:
            name: data-volume
          spec:
            accessModes:
            - ReadWriteOnce
            resources:
              requests:
                storage: 100Gi
            storageClassName: "gp3-csi"
        - metadata:
            name: logs-volume
          spec:
            accessModes:
            - ReadWriteOnce
            resources:
              requests:
                storage: 100Gi
            storageClassName: "gp3-csi"
      dependency-redis:
        persistence:
          enabled: true
          storageClass: "gp3-csi"
      dependency-postgres:
        postgres:
          storage:
            size: 12Gi
            storageClassName: "gp3-csi"
      dependency-s3:
        storageClassName: "gp3-csi"
    
  2. Create the instance from the YAML file by using one of the following commands:
    • Version 3.3.x
      oc create -f <guardium-insights-custom-resource-example.yaml>
    • Version 3.4.x and later
      oc apply -f <guardium-insights-custom-resource-example.yaml>
  3. Check the status of the instance creation:
    oc get guardiuminsights
    Before completion, the output is similar to:
    NAME      TYPE      STATUS   REASON                           MESSAGE                                     DESIRED_VERSION   INSTALLED_VERSION
    staging   Running   True     GuardiumInsightsInstallRunning   Running installation of Guardium Insights   3.3.0
    After completion, the output is similar to:
    NAME      TYPE    STATUS   REASON      MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
    staging   Ready   True     Completed   Completed Reconciliation   3.4.0            3.4.0
    Tip: The displayed versions in the output vary based on the Guardium Insights version that you want to install and the current version on your system.
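The following script wraps steps 1 to 3 with a preflight check of the CR and a check of the `oc get guardiuminsights` status row. It is an added example, not IBM's code or part of this page: it assumes POSIX sh with awk and grep, a single-document CR with one key per line, and (an assumption taken from the example values, not a documented requirement) that hostName is a subdomain of domainName. The sample CR it writes is constructed, with a made-up cluster name in place of <cluster_name>.

```shell
# Preflight checks for a GuardiumInsights CR before `oc apply`, plus a check of the
# `oc get guardiuminsights` status row. POSIX sh/awk/grep only; one key per line.

# n-th (default first) value of `key:`, quotes stripped; `#name:` never matches.
yaml_val() {  # $1=file $2=key [$3=occurrence]
  awk -v k="$2" -v n="${3:-1}" '$1 == (k ":") && ++c == n { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# Checks from the CR comments (name length, namespace consistency for 3.4.x, license,
# leftover <cluster_name>); hostName-under-domainName is an assumption from the example.
gi_preflight() {  # $1=CR file $2=Guardium Insights project namespace
  f=$1; ns=$2; rc=0
  name=$(yaml_val "$f" name)
  [ "${#name}" -le 10 ] || { echo "FAIL: metadata.name '$name' exceeds 10 characters"; rc=1; }
  [ "$(yaml_val "$f" namespace)" = "$ns" ] || { echo "FAIL: metadata.namespace is not $ns"; rc=1; }
  [ "$(yaml_val "$f" namespace 2)" = "$ns" ] || { echo "FAIL: ics.namespace is not $ns"; rc=1; }
  [ "$(yaml_val "$f" accept)" = true ] || { echo "FAIL: spec.license.accept must be true"; rc=1; }
  ! grep -q '<cluster_name>' "$f" || { echo "FAIL: <cluster_name> placeholder still present"; rc=1; }
  host=$(yaml_val "$f" hostName); dom=$(yaml_val "$f" domainName)
  case $host in *".$dom") ;; *) echo "FAIL: hostName '$host' is not under domainName '$dom'"; rc=1 ;; esac
  [ "$rc" -eq 0 ] && echo "OK: $f passed preflight"
  return "$rc"
}

# Read `oc get guardiuminsights` output on stdin; succeed only when the instance is
# Ready/Completed and INSTALLED_VERSION equals DESIRED_VERSION (MESSAGE contains
# spaces, so the two version columns are taken from the end of the row).
gi_ready() {  # $1=instance name
  awk -v n="$1" 'NR > 1 && $1 == n && $2 == "Ready" && $4 == "Completed" && NF >= 7 &&
                 $NF == $(NF-1) { ok = 1 }  END { exit (ok ? 0 : 1) }'
}
gi_wait() { until oc get guardiuminsights | gi_ready "$1"; do sleep 30; done; }  # needs oc
# Constructed sample: the 3.4.x CR above with <cluster_name> filled in, reduced to
# the keys the checks read; the preflight runs on it when this file is executed.
cat > "${TMPDIR:-/tmp}/gi-cr-sample.yaml" <<'EOF'
metadata:
  name: staging
  namespace: staging
spec:
  license:
    accept: true
  guardiumInsightsGlobal:
    insights:
      ingress:
        hostName: staging.apps.mycluster.guardium-insights.com
        domainName: apps.mycluster.guardium-insights.com
      ics:
        namespace: staging
EOF
gi_preflight "${TMPDIR:-/tmp}/gi-cr-sample.yaml" staging
```

Run `gi_preflight <cr.yaml> <namespace>` before `oc apply`, and `gi_wait <name>` afterwards instead of re-running `oc get guardiuminsights` by hand.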

Results

Limitations:
  • Only one instance of Guardium Insights can be installed on a cluster.
  • This product runs only on the amd64 architecture, on hardware with AVX enabled.
  • This product's operator supports only the OwnNamespace installation mode.