Preparing your cluster

Prepare your cluster for the deployment of cloud native components on Red Hat® OpenShift® Container Platform.

Complete the following steps to prepare your cluster.
  1. Provision the necessary machines.
    Netcool® Operations Insight® must be installed on hardware with an x86-based architecture, such as AMD64 and Intel. Kubernetes can have a mixture of worker nodes. For operating system and other detailed system requirements, search for the latest version of the Netcool Operations Insight product in the Software Product Compatibility Reports website: https://www.ibm.com/software/reports/compatibility/clarity/softwareReqsForProduct.html.
  2. Download and install Red Hat OpenShift Container Platform.
    A user with administrative access on the cluster installs Netcool Operations Insight. Ensure that you have access to an administrator account on the target Red Hat OpenShift Container Platform cluster.

    For Red Hat OpenShift Container Platform documentation, see Red Hat OpenShift Container Platform 4.15.

    For Red Hat OpenShift Container Platform videos, see: https://www.youtube.com/user/rhopenshift/videos

    Install the Red Hat OpenShift command line interface (oc) on your cluster's boot node. Run the oc login command. For more information, see Getting started with the OpenShift CLI in the Red Hat OpenShift Container Platform documentation.

  3. During Red Hat OpenShift Container Platform installation, if a Red Hat OpenShift proxy is being defined, add the IP address of the Kubernetes service in the noProxy definition of the Proxy object.
    1. To get the list of services, run the following command:
      oc get svc -n default

      The IP address of the Kubernetes service is displayed, for example 172.30.0.1.

    2. To modify the Proxy object, run the oc edit command:
      oc edit proxy/cluster
    3. Configure the Kubernetes service IP address in the noProxy parameter for the proxy, as in the following example:
      apiVersion: config.openshift.io/v1
      kind: Proxy
      metadata:
        name: cluster
      spec:
        httpProxy: http://<username>:<pswd>@<ip>:<port>
        httpsProxy: http://<username>:<pswd>@<ip>:<port>
        noProxy: example.com, 172.30.0.1
        readinessEndpoints:
        - http://www.google.com
        - https://www.google.com
        trustedCA:
          name: user-ca-bundle
  4. Create a custom namespace to deploy into.
    oc create namespace namespace
    Where namespace is the name of the custom namespace that you want to create.
    Optional: If you want multiple independent installations of Netcool Operations Insight within the cluster, then create multiple namespaces within your cluster. Run each installation in a separate namespace. Extra disk space and worker nodes are needed to support multiple installations.
  5. Create a docker registry secret to enable your deployment to pull Netcool Operations Insight images from the IBM® Entitled Registry.
    1. Obtain the entitlement key that is assigned to your IBMid, which grants you access to the IBM Entitled Registry. Log in to Container Software and Cloud Pak Access Management with the account (username and password) that has entitlement to IBM software. The key that is displayed is the key that you use to access the Entitled Registry.
    2. Select Copy key to copy the entitlement key to the clipboard, in the Entitlement keys section.
    3. Run the following command to create the entitlement key secret:
      oc create secret docker-registry noi-registry-secret \
      --docker-username=cp \
      --docker-password=entitlement_key \
      --docker-server=cp.icr.io \
      --namespace=namespace
    Where:
    • noi-registry-secret is the name of the entitlement key secret that you are creating to pull the Netcool Operations Insight images from the IBM® Entitled Registry. Suggested value is noi-registry-secret.
    • entitlement_key is the entitlement key that you copied in the previous step.
    • namespace is the namespace that you want to deploy Netcool Operations Insight in.
    Note: This step assumes that the cluster has internet access to: cp.icr.io, which is IBM's Entitled Registry. An exemption is typically made available for this registry, along with other registries. If a connection to these registries is not allowed, due to security constraints, then a production grade Docker 2 compatible image registry must be provided. Install an air-gapped deployment to mirror the external image registries internally. For more information, see Installing IBM Netcool Operations Insight on Red Hat OpenShift in an air-gapped environment (offline) with the oc-ibm_pak plug-in and a bastion host for a full cloud installation, or Installing IBM Netcool Operations Insight on Red Hat OpenShift in an air-gapped environment (offline) with the oc-ibm_pak plug-in and a bastion host for a hybrid installation.
  6. Ensure that your Red Hat OpenShift environment is updated to allow network policies to function correctly.
    In some Red Hat OpenShift Container Platform environments, an extra configuration is needed to allow external traffic to reach the routes. This step is due to the required addition of network policies to secure pod communication traffic. For example, if you are attempting to access a route that returns a 503 Application Not Available error, then a network policy might be blocking the traffic. Check whether the ingresscontroller is configured with the endpointPublishingStrategy: HostNetwork value. Run the following command.
    oc get ingresscontroller default -n openshift-ingress-operator -o yaml
    If endpointPublishingStrategy.type is set to HostNetwork, then the network policy will not work against routes, unless the default namespace contains the selector label. To allow traffic, add a label to the default namespace by running the following command.
    oc patch namespace default --type=json -p '[{"op":"add","path":"/metadata/labels","value":{"network.openshift.io/policy-group":"ingress"}}]'
    For more information, see About network policy in the Red Hat OpenShift documentation.
  7. (Optional) You can restrict the Netcool Operations Insight pods in a namespace to run only on worker nodes with a specific tag. You can tag worker nodes by adding the tag env=test or app=noi. For example, you can run the following command.
    oc label nodes <yournode> app=noi
    Then edit the YAML on the Netcool Operations Insight namespace by adding the node-selector to the annotations section. You can run the following command to edit the YAML.
    oc edit ns <namespace-name>
    Output:
    apiVersion: v1
    kind: Namespace
    metadata:
     name: <namespace-name>
     annotations:
       scheduler.alpha.kubernetes.io/node-selector: app=noi
    spec: {}
    status: {}
  8. Ensure that the virtual machine (VM) and Red Hat OpenShift Container Platform components of IBM Netcool Operations Insight are on the same top-level domain, for example, ibm.com. If these components are not on the same top-level domain, then the hybrid setup works only with the SameSite=None attribute, which is less secure than the SameSite=Strict attribute. Hence, it is preferred to use the same top-level domain for the VM and Red Hat OpenShift Container Platform components instead of changing the SameSite attribute. For more information, see https://www.ibm.com/support/pages/node/7086000.
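
For step 3, a check that the Kubernetes service IP is really excluded from proxying, either as an exact entry or inside a CIDR entry of noProxy. This is an added example, not IBM or Red Hat code; the function names are hypothetical and the noProxy string is constructed from the sample in step 3.

```shell
#!/bin/sh
# Added example: does a noProxy list cover a given IPv4 address?

# Print a dotted-quad IPv4 address as an integer; return 1 for anything else.
ip_to_int() {
  case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IP $1 matches an exact-IP or CIDR entry in the comma-separated
# list $2, 1 if it does not, 2 if $1 is not a valid IPv4 address.
noproxy_covers_ip() {
  ip_int=$(ip_to_int "$1") || return 2
  old_ifs=$IFS; IFS=,
  set -f; set -- $2; set +f                  # split on commas without globbing
  IFS=$old_ifs
  for entry in "$@"; do
    entry=$(printf '%s' "$entry" | tr -d ' \t')
    case $entry in
      */*) net=${entry%/*}; bits=${entry#*/} ;;
      *)   net=$entry; bits=32 ;;
    esac
    net_int=$(ip_to_int "$net") || continue  # skip host names and domains
    case $bits in ''|*[!0-9]*|0?*) continue ;; esac
    [ "$bits" -le 32 ] || continue
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ] && return 0
  done
  return 1
}

# Constructed sample. On a live cluster, read the value with:
#   oc get proxy/cluster -o jsonpath='{.spec.noProxy}'
sample_noproxy='example.com, 172.30.0.1'
if noproxy_covers_ip 172.30.0.1 "$sample_noproxy"; then
  echo "Kubernetes service IP is excluded from proxying"
else
  echo "Kubernetes service IP is NOT in noProxy"
fi
```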
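
For step 5, passing the entitlement key with --docker-password puts it on the command line, where it can end up in shell history and is visible in the process list. This added example (not IBM code) builds the same kubernetes.io/dockerconfigjson secret as a manifest for oc apply -f -; make_pull_secret is a hypothetical helper, and it assumes the key contains only JWT-style characters.

```shell
#!/bin/sh
# Added example: build the Entitled Registry pull secret as a manifest, so the
# entitlement key is never an argument of an external command.

# Usage: make_pull_secret <secret-name> <namespace> <entitlement-key>
# Prints a Secret manifest on stdout; returns 1 if the key looks malformed.
make_pull_secret() {
  name=$1 ns=$2 key=$3
  # Assumption: the key is JWT-like (letters, digits, '.', '_', '-', '=').
  # Anything else would need JSON/YAML escaping, so reject it outright.
  case $key in
    ''|*[!A-Za-z0-9._=-]*)
      echo "entitlement key is empty or has unexpected characters" >&2
      return 1 ;;
  esac
  # The "auth" field is base64("<username>:<password>"); username is cp.
  auth=$(printf 'cp:%s' "$key" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: '{"auths":{"cp.icr.io":{"username":"cp","password":"$key","auth":"$auth"}}}'
EOF
}

# Intended use on a workstation that is logged in with oc:
#   stty -echo; IFS= read -r KEY; stty echo     # paste the key, not echoed
#   make_pull_secret noi-registry-secret <namespace> "$KEY" | oc apply -f -
#   unset KEY

# Constructed key, for demonstration only: print the manifest to stdout.
make_pull_secret noi-registry-secret my-namespace 'constructed.sample_key-0'
```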