Online manual installation of Guardium Insights
Before you begin
Version 3.4.x and later This content only applies to Guardium Insights Version 3.4.x and later.
- Verify that your environment meets the System requirements and prerequisites and Hardware cluster requirements.
- Prepare for installation.
- Log in to the OpenShift® command-line interface.
- Downloading the Guardium Insights CASE file and set up your environment for dependencies.
Procedure
- Log in to your Red Hat®
OpenShift cluster instance.
oc login -u <KUBE_USER> -p <KUBE_PASS> [--insecure-skip-tls-verify=true]
For example,oc login api.example.ibm.com:6443 -u kubeadmin -p xxxxx-xxxxx-xxxxx-xxxxx
- Set these environment variables:
export CP_REPO_USER=<entitlement_user> export CP_REPO_PASS=<entitlement_key> export NAMESPACE=<guardium_insights_namespace> export CASE_NAME=ibm-guardium-insights export CASE_VERSION=2.2.10 #<YOUR_CASE_VERSION> export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
- <entitlement_user> and <entitlement_key> are the entitlement user and key, as described in Obtain your entitlement key.
- <guardium_insights_namespace> is the namespace that you create in step 4. This namespace must be 10 or fewer characters in length.
- Install the IBM® Certificate Manager and IBM Common Services by completing the steps 4-13 that are outlined in Installing IBM Cloud Pak® foundational services.
- Create the Guardium Insights namespace and then switch to it:
oc create namespace ${NAMESPACE} oc project ${NAMESPACE}
Note: If IBM Common Services is already created and installed, you do not need to create the namespace in this step (Guardium Insights uses the same namespace). - Install the Guardium Insights operator and
related components:
- Run the pre-install script. This script
sets up secrets and parameters for the Guardium Insights
instance.
oc ibm-pak launch $CASE_NAME \ --version $CASE_VERSION \ --namespace ${NAMESPACE} \ --inventory install \ --action preInstall \ --tolerance 1 \ --args "-n ${NAMESPACE} -h <DB_worker_host> -l <true/false> -q <true/false>"
The pre-install script supports these parameters:Table 1. Parameters for preInstall.sh Name Description Type -n
or--i-namespace
Guardium Insights OpenShift namespace (this value must be 10 or fewer characters) Mandatory -h
or--host-datanodes
Specify the comma-delimited host names of the data nodes that you designate for data computation (you can determine the host names by running oc get nodes
).Important: When you manage Hardware cluster requirements, use the larger set of Guardium Insights nodes as your data nodes. To determine which node has the most free requests, issue theoc describe nodes
command and then look in theAllocation
section.Mandatory -l
or--label-datanodes
If you specify true
, the data nodes are labeled as dedicated for data service usage. If you specifyfalse
, labeling is skipped. The default value istrue
.Mandatory -t
or--taint-datanodes
If you specify true
, the data nodes are tainted and dedicated for data service usage. If you specifyfalse
, tainting is skipped. Do not usefalse
to skip tainting for production deployments.Optional -k
or--ingress-keystore
The path of the TLS certificate that is associated with the Guardium Insights application domain.
If you supply a custom ingress, provide the path to its key file. This file can contain only newline (
\n
) delimiters. If you do not supply a custom ingress, a default ofnone
is assumed.For more information, see Domain name and TLS certificates.
Optional -f
or--ingress-cert
The path of the TLS key that is associated with the Guardium Insights application domain.
If you supply a custom ingress, provide the path to its cert file. This file can contain only newline (
\n
) delimiters. If you do not include this, a default ofnone
is assumed.For more information, see Domain name and TLS certificates.
Optional -c
or--ingress-ca
The path of the custom TLS certificate that is associated with the Guardium Insights application domain.
If you supply a custom ingress, provide the path to its certificate authority (CA) file. This file can contain only newline (
\n
) delimiters. If you do not include this, a default ofnone
is assumed.For more information, see Domain name and TLS certificates.
Optional Version 3.4 -q
or--custom-scc
If you specify true
, Guardium Insights pods use a customscc
with a default name ofgi-odf-scc
. If you pass in another value, it applies that value as thescc
name. For a list of available SCCs, runoc get scc
. Guardium Insights normally runs in restricted-v2 SCC. Defaults tofalse
with no customscc
applied.Important: This parameter is only required for Guardium Insights installations that use the storage classes that are provided by OpenShift Data Foundation (ODF) Version 4.14 on non-ROSA and non-ARO deployments.Optional -help
or--help
Displays the preInstall.sh parameters. Optional - Install the catalogs.
oc ibm-pak launch $CASE_NAME \ --version $CASE_VERSION \ --inventory install \ --action install-catalog \ --namespace openshift-marketplace \ --args "--inputDir ${LOCAL_CASE_DIR}"
To verify that the catalogs are installed, run the following command.oc get pod -n openshift-marketplace
The output is similar to:ibm-cloud-databases-redis-operator-catalog-ms97x 1/1 Running 0 12m ibm-db2uoperator-catalog-k8pwc 1/1 Running 0 13m
- Install the operators.
oc ibm-pak launch $CASE_NAME \ --version $CASE_VERSION \ --inventory install \ --action install-operator \ --namespace ${NAMESPACE} \ --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
- Verify that the operators are installed by running the following
command.
oc get pods -n $NAMESPACE
The output is similar to:NAME READY STATUS RESTARTS AGE db2u-day2-ops-controller-manager-5488d5c844-vvhgt 1/1 Running 0 24h db2u-operator-manager-5fc886d4bc-wwcrv 1/1 Running 0 24h ibm-cloud-databases-redis-operator-6d668d7b88-z7fzh 1/1 Running 0 24h ibm-guardium-insights-operator-75d6c489fd-qfkss 1/1 Running 0 24h mongodb-kubernetes-operator-856bc86746-lfk69 1/1 Running 0 24h
- Run the pre-install script. This script
sets up secrets and parameters for the Guardium Insights
instance.