Installing Guardium Insights manually offline
Manually install your Guardium Insights instance in an air-gap or offline environment.
Before you begin
Procedure
- Log in to your Red Hat®
OpenShift® cluster instance.
oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
For example,oc login api.example.ibm.com:6443 -u kubeadmin -p xxxxx-xxxxx-xxxxx-xxxxx
- Prepare a private Docker registry that is accessible from both your local machine and the air-gapped cluster.
- Set these environment variables:
export LOCAL_REGISTRY_HOST=<host IP or FQDN:Listening port> export LOCAL_REGISTRY_USER=<Username for your private registry> export LOCAL_REGISTRY_PASS=<Password for your private registry> export CP_REPO_USER=<Your Username to cp.icr.io> export CP_REPO_PASS=<Your Password / Entitlement Key to cp.icr.io> export NAMESPACE=<your chosen namespace>
- Create the Guardium Insights namespace and then switch to it:
oc create namespace ${NAMESPACE} oc project ${NAMESPACE}
Note: If IBM® Common Services is already created and installed, you do not need to create the namespace in this step (Guardium Insights uses the same namespace). - Obtain the case bundle. For the most current version of Guardium Insights and CASE, see https://github.com/IBM/cloud-pak/blob/master/repo/case/ibm-guardium-insights/index.yaml.
- Version 3.3.x Choose the CASE version and specify the
pre-defined local directory that you want to use: For example, to use CASE version
3.2.10
, specify the3.2.10
bundle file.export CASE_NAME=ibm-guardium-insights export CASE_VERSION=3.2.10 #<YOUR_CASE_VERSION> export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
- Version 3.3.x Save the CASE bundle locally:
oc ibm-pak get $CASE_NAME \ --version $CASE_VERSION \ --skip-verify
Tips:- If you do not specify the CASE version, the most current version of CASE is downloaded.
- If you encounter an error similar to this example, you might be experiencing a temporary
communication problem with the remote repository. Wait a few minutes and try
again.
No Case registries found for case ibm-cert-manager->=1.3.0 <1.3.1.tgz with the given repository URL information FAILED
- Version 3.3.x Create a namespace for the Guardium Insights installation:
oc create namespace ${NAMESPACE}
- Generate the mirror manifests:
oc ibm-pak generate mirror-manifests \ $CASE_NAME \ $LOCAL_REGISTRY_HOST \ --version $CASE_VERSION
You can use this command to list all images that are mirrored and the publicly accessible registries where those images are pulled from:
oc ibm-pak describe $CASE_NAME --version $CASE_VERSION --list-mirror-images
- Configure your credentials to the
cp.icr.io
external registry. Alternatively, you can usepodman login
.docker login cp.icr.io -u $CP_REPO_USER -p $CP_REPO_PASS
Important: When you log in tocp.icr.io
, you must specify the user ascp
and for the password, specify your entitlement key from the IBM Cloud Container Registry. - Configure internal registry air-gap credentials.
Alternatively, you can use
podman login
.Run this command separately for each registry:
docker login $LOCAL_REGISTRY_HOST -u $LOCAL_REGISTRY_USER -p $LOCAL_REGISTRY_PASS
- Version 3.3.x Choose the CASE version and specify the
pre-defined local directory that you want to use:
- Mirror the installation images to your private registry. Important: The mirroring process depends on network bandwidth and might take up to a few hours to complete.
- Store authentication credentials for all source Docker registries. If you use
docker login
, the authentication file is typically located in $HOME/.docker/config.json on Linux or %USERPROFILE%/.docker/config.json on Windows. After you rundocker login
, export theREGISTRY_AUTH_FILE
to point to that location. For example, on Linux, issue this command:export REGISTRY_AUTH_FILE=$HOME/.docker/config.json
- Mirror the images to the final location:
oc image mirror \ -f $HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping.txt \ -a $REGISTRY_AUTH_FILE \ --filter-by-os '.*' \ --insecure \ --skip-multiple-scopes \ --max-per-registry=1 \ --continue-on-error=false > my-mirror-progress.txt
- Store authentication credentials for all source Docker registries.
- Configure the cluster and the content image source policy for air gap
installation. Version 3.3.x Run the following command:
oc apply -f $HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-content-source-policy.yaml
Note:- This action causes all nodes to restart. During the restart, nodes show as
Ready,SchedulingDisabled
orNotReady,SchedulingDisabled
. - If your OpenShift Container Platform has issues, the nodes might not restart properly. Verify that the nodes restarted properly before you proceed. For more information, see Understanding node rebooting.
- If you're using an insecure registry (no TLS or a self-signed certificate), configure the
cluster to allow the insecure
registry:
oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["'${LOCAL_REGISTRY_HOST}'"]}}}'
- Update your global pull secret with your
LOCAL_REGISTRY_HOST
,LOCAL_REGISTRY_USERNAME
, andLOCAL_REGISTRY_PASSWORD
. For more information, see Updating the global cluster pull secret (https://docs.openshift.com/container-platform/4.12/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets). - Apply the
ImageContentSourcePolicy
:oc apply -f $HOME/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-content-source-policy.yaml
Note: This step might cause your cluster nodes to drain and restart sequentially as they apply the configuration changes. - Verify that the
ImageContentSourcePolicy
resource is created:oc get imageContentSourcePolicy
- Verify your cluster node status and wait for all the nodes to restart before you
proceed:
oc get MachineConfigPool $ oc get MachineConfigPool -w NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-53bda7041038b8007b038c08014626dc True False False 3 3 3 0 10d worker rendered-worker-b54afa4063414a9038958c766e8109f7 True False False 3 3 3 0 10d
After theImageContentsourcePolicy
and global image pull secret are applied, the configuration of your nodes will be updated sequentially. Wait until allMachineConfigPools
are in theUPDATED=True
status before proceeding.
- This action causes all nodes to restart. During the restart, nodes show as
- Optional: Version 3.3.x If you are using an
unsecure registry (no TLS or a self-signed certificate), configure the cluster to allow the unsecure
registry:
oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["'${LOCAL_REGISTRY_HOST}'"]}}}'
- Verify that all nodes returned to the
Ready
state:oc get nodes
This process can take a minimum of 5 minutes.
- Version 3.4.x and later Install the IBM Certificate Manager and IBM Common Services by completing steps 4-14 in Installing IBM Cloud Pak® foundational services.
- Install the Guardium Insights operator and
related components:
- Run the pre-install script. This script
sets up secrets and parameters for the Guardium Insights
instance.
oc ibm-pak launch $CASE_NAME \ --version $CASE_VERSION \ --namespace ${NAMESPACE} \ --inventory install \ --action preInstall \ --tolerance 1 \ --args "-n ${NAMESPACE} -h <DB_worker_host> -l <true/false> -q <true/false>"
The pre-install script supports these parameters:Table 1. Parameters for preInstall.sh Name Description Type -n
or--i-namespace
Guardium Insights OpenShift namespace (this value must be 10 or fewer characters) Mandatory -h
or--host-datanodes
Specify the comma-delimited host names of the data nodes that you designate for data computation (you can determine the host names by running oc get nodes
).Important: When you manage Hardware cluster requirements, use the larger set of Guardium Insights nodes as your data nodes. To determine which node has the most free requests, issue theoc describe nodes
command and then look in theAllocation
section.Mandatory -l
or--label-datanodes
If you specify true
, the data nodes are labeled as dedicated for data service usage. If you specifyfalse
, labeling is skipped. The default value istrue
.Mandatory -t
or--taint-datanodes
If you specify true
, the data nodes are tainted and dedicated for data service usage. If you specifyfalse
, tainting is skipped. Do not usefalse
to skip tainting for production deployments.Optional -k
or--ingress-keystore
The path of the TLS certificate that is associated with the Guardium Insights application domain.
If you supply a custom ingress, provide the path to its key file. This file can contain only newline (
\n
) delimiters. If you do not supply a custom ingress, a default ofnone
is assumed.For more information, see Domain name and TLS certificates.
Optional -f
or--ingress-cert
The path of the TLS key that is associated with the Guardium Insights application domain.
If you supply a custom ingress, provide the path to its cert file. This file can contain only newline (
\n
) delimiters. If you do not include this, a default ofnone
is assumed.For more information, see Domain name and TLS certificates.
Optional -c
or--ingress-ca
The path of the custom TLS certificate that is associated with the Guardium Insights application domain.
If you supply a custom ingress, provide the path to its certificate authority (CA) file. This file can contain only newline (
\n
) delimiters. If you do not include this, a default ofnone
is assumed.For more information, see Domain name and TLS certificates.
Optional Version 3.4 -q
or--custom-scc
If you specify true
, Guardium Insights pods use a customscc
with a default name ofgi-odf-scc
. If you pass in another value, it applies that value as thescc
name. For a list of available SCCs, runoc get scc
. Guardium Insights normally runs in restricted-v2 SCC. Defaults tofalse
with no customscc
applied.Important: This parameter is only required for Guardium Insights installations that use the storage classes that are provided by OpenShift Data Foundation (ODF) Version 4.14 on non-ROSA and non-ARO deployments.Optional -help
or--help
Displays the preInstall.sh parameters. Optional - Install the catalogs.
oc ibm-pak launch $CASE_NAME \ --version $CASE_VERSION \ --namespace openshift-marketplace \ --inventory install \ --action install-catalog \ --tolerance 1 \ --args "--registry ${LOCAL_REGISTRY_HOST} --inputDir ${LOCAL_CASE_DIR}"
To verify that the catalogs are installed, issue this command:
The following example shows a successful output:oc get pod -n openshift-marketplace
ibm-cloud-databases-redis-operator-catalog-ms97x 1/1 Running 0 12m ibm-db2uoperator-catalog-k8pwc 1/1 Running 0 13m
- Install the operators.
oc ibm-pak launch $CASE_NAME \ --version $CASE_VERSION \ --namespace ${NAMESPACE} \ --inventory install \ --tolerance 1 \ --action install-operator \ --args "--registry ${LOCAL_REGISTRY_HOST} --user ${LOCAL_REGISTRY_USER} --pass ${LOCAL_REGISTRY_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
To verify that the operators are installed, issue this command:
The following example shows a successful output:oc get pods
NAME READY STATUS RESTARTS AGE guardiuminsights-controller-manager-6c5f8c685c-85d7s 1/1 Running 0 6m22s ibm-cloud-databases-redis-operator-54f95f8d48-csrxj 1/1 Running 0 6m20s mongodb-kubernetes-operator-745746b45c-jz7hw 1/1 Running 0 6m37s
- Run the pre-install script. This script
sets up secrets and parameters for the Guardium Insights
instance.