Online manual installation of Guardium Insights

Before you begin

This content applies only to Guardium Insights Version 3.4.x and later.

Before you proceed with the installation, complete these steps:
  1. Verify that your environment meets the System requirements and prerequisites and Hardware cluster requirements.
  2. Prepare for installation.
  3. Log in to the OpenShift® command-line interface.
  4. Download the Guardium Insights CASE file and set up your environment for dependencies.

Procedure

  1. Log in to your Red Hat® OpenShift cluster instance.
    oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
    For example,
    oc login api.example.ibm.com:6443 -u kubeadmin -p xxxxx-xxxxx-xxxxx-xxxxx
  2. Set these environment variables:
    export CP_REPO_USER=<entitlement_user>
    export CP_REPO_PASS=<entitlement_key>
    export NAMESPACE=<guardium_insights_namespace>
    export CASE_NAME=ibm-guardium-insights
    export CASE_VERSION=2.2.10   #<YOUR_CASE_VERSION>
    export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
    • <entitlement_user> and <entitlement_key> are the entitlement user and key, as described in Obtain your entitlement key.
    • <guardium_insights_namespace> is the namespace that you create in step 4. This namespace must be 10 or fewer characters in length.
  3. Install the IBM® Certificate Manager and IBM Common Services by completing steps 4-13 that are outlined in Installing IBM Cloud Pak® foundational services.
  4. Create the Guardium Insights namespace and then switch to it:
    oc create namespace ${NAMESPACE}
    oc project ${NAMESPACE} 
    Note: If IBM Common Services is already created and installed, you do not need to create the namespace in this step (Guardium Insights uses the same namespace).
  5. Install the Guardium Insights operator and related components:
    1. Run the pre-install script. This script sets up secrets and parameters for the Guardium Insights instance.
      oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace ${NAMESPACE} \
      --inventory install \
      --action preInstall \
      --tolerance 1 \
      --args "-n ${NAMESPACE} -h <DB_worker_host> -l <true/false> -q <true/false>"
      The pre-install script supports these parameters:
      Table 1. Parameters for preInstall.sh

      Name: -n or --i-namespace
      Type: Mandatory
      Description: Guardium Insights OpenShift namespace (this value must be 10 or fewer characters).

      Name: -h or --host-datanodes
      Type: Mandatory
      Description: Specify the comma-delimited host names of the data nodes that you designate for data computation (you can determine the host names by running oc get nodes).
      Important: When you manage Hardware cluster requirements, use the larger set of Guardium Insights nodes as your data nodes. To determine which node has the most free requests, issue the oc describe nodes command and then look in the Allocation section.

      Name: -l or --label-datanodes
      Type: Mandatory
      Description: If you specify true, the data nodes are labeled as dedicated for data service usage. If you specify false, labeling is skipped. The default value is true.

      Name: -t or --taint-datanodes
      Type: Optional
      Description: If you specify true, the data nodes are tainted and dedicated for data service usage. If you specify false, tainting is skipped. Do not use false to skip tainting for production deployments.

      Name: -k or --ingress-keystore
      Type: Optional
      Description: The path of the TLS certificate that is associated with the Guardium Insights application domain.
      If you supply a custom ingress, provide the path to its key file. This file can contain only newline (\n) delimiters. If you do not supply a custom ingress, a default of none is assumed.
      For more information, see Domain name and TLS certificates.

      Name: -f or --ingress-cert
      Type: Optional
      Description: The path of the TLS key that is associated with the Guardium Insights application domain.
      If you supply a custom ingress, provide the path to its cert file. This file can contain only newline (\n) delimiters. If you do not include this, a default of none is assumed.
      For more information, see Domain name and TLS certificates.

      Name: -c or --ingress-ca
      Type: Optional
      Description: The path of the custom TLS certificate that is associated with the Guardium Insights application domain.
      If you supply a custom ingress, provide the path to its certificate authority (CA) file. This file can contain only newline (\n) delimiters. If you do not include this, a default of none is assumed.
      For more information, see Domain name and TLS certificates.

      Name: -q or --custom-scc (Version 3.4)
      Type: Optional
      Description: If you specify true, Guardium Insights pods use a custom scc with a default name of gi-odf-scc. If you pass in another value, it applies that value as the scc name. For a list of available SCCs, run oc get scc. Guardium Insights normally runs in restricted-v2 SCC. Defaults to false with no custom scc applied.
      Important: This parameter is only required for Guardium Insights installations that use the storage classes that are provided by OpenShift Data Foundation (ODF) Version 4.14 on non-ROSA and non-ARO deployments.

      Name: -help or --help
      Type: Optional
      Description: Displays the preInstall.sh parameters.
    2. Install the catalogs.
      oc ibm-pak launch $CASE_NAME \
        --version $CASE_VERSION \
        --inventory install \
        --action install-catalog \
        --namespace openshift-marketplace \
        --args "--inputDir ${LOCAL_CASE_DIR}"
      To verify that the catalogs are installed, run the following command.
      oc get pod -n openshift-marketplace
      The output is similar to:
      ibm-cloud-databases-redis-operator-catalog-ms97x                  1/1     Running     0          12m
      ibm-db2uoperator-catalog-k8pwc                                    1/1     Running     0          13m
    3. Install the operators.
      oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --inventory install \
      --action install-operator \
      --namespace ${NAMESPACE} \
      --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
    4. Verify that the operators are installed by running the following command.
      oc get pods -n $NAMESPACE
      The output is similar to:
      NAME                                                READY STATUS  RESTARTS AGE
      db2u-day2-ops-controller-manager-5488d5c844-vvhgt   1/1   Running 0        24h
      db2u-operator-manager-5fc886d4bc-wwcrv              1/1   Running 0        24h
      ibm-cloud-databases-redis-operator-6d668d7b88-z7fzh 1/1   Running 0        24h
      ibm-guardium-insights-operator-75d6c489fd-qfkss     1/1   Running 0        24h
      mongodb-kubernetes-operator-856bc86746-lfk69        1/1   Running 0        24h
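
The pre-install step depends on two constraints stated above: the namespace must be 10 or fewer characters, and the ingress key, cert, and CA files can contain only newline (\n) delimiters. The following pre-flight helper is an added example, not part of the IBM procedure or the CASE scripts; the function names are hypothetical, and the character check on the namespace assumes the standard Kubernetes DNS-label rule.

```bash
#!/usr/bin/env bash
# Added example (not IBM code): validate inputs before the preInstall action.

# Page rule: the namespace must be 10 or fewer characters. The character rule
# is the Kubernetes DNS-label format (lowercase alphanumerics and '-').
check_namespace() {
  ns=$1
  [ -n "$ns" ] || { echo "namespace is empty" >&2; return 1; }
  [ "${#ns}" -le 10 ] || { echo "namespace '$ns' is longer than 10 characters" >&2; return 1; }
  bad=$(printf '%s' "$ns" | LC_ALL=C tr -d 'a-z0-9-')
  [ -z "$bad" ] || { echo "namespace '$ns' has invalid characters: $bad" >&2; return 1; }
  case $ns in
    -*|*-) echo "namespace '$ns' must start and end with an alphanumeric" >&2; return 1 ;;
  esac
  return 0
}

# Page rule: ingress key, cert, and CA files can contain only newline (\n)
# delimiters. Stripping carriage returns must leave the file unchanged.
check_newline_only() {
  f=$1
  [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
  if ! tr -d '\r' < "$f" | cmp -s - "$f"; then
    echo "$f: contains carriage returns; convert to LF line endings" >&2
    return 1
  fi
}

# Build the --args string: namespace, data-node hosts, then optional paths
# for -k (key), -f (cert), and -c (CA). -l is set to true, the documented default.
build_preinstall_args() {
  ns=$1; hosts=$2; key=${3:-}; cert=${4:-}; ca=${5:-}
  check_namespace "$ns" || return 1
  [ -n "$hosts" ] || { echo "data node hosts (-h) are required" >&2; return 1; }
  args="-n $ns -h $hosts -l true"
  for pair in "-k:$key" "-f:$cert" "-c:$ca"; do
    flag=${pair%%:*}; file=${pair#*:}
    if [ -n "$file" ]; then
      check_newline_only "$file" || return 1
      args="$args $flag $file"
    fi
  done
  printf '%s\n' "$args"
}

# Usage: ARGS=$(build_preinstall_args "$NAMESPACE" "<DB_worker_host>") || exit 1
#        then pass --args "$ARGS" to the oc ibm-pak launch preInstall command.
```

Run the checks before step 5.1 so that a namespace that is too long or a CRLF-encoded key file is rejected before any secrets are created.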
      

What to do next

Follow the steps in Creating a Guardium Insights instance by using a custom resource (CR).