Installing Data Privacy (Masking flow)

An instance administrator can install Data Privacy on IBM® Software Hub Version 5.2.

Who needs to complete this task?

Instance administrator To install Data Privacy, you must be an instance administrator. An instance administrator has permission to install software in the following projects:

The operators project for the instance

The operators for this instance of Data Privacy are installed in the operators project.

In the installation commands, the ${PROJECT_CPD_INST_OPERATORS} environment variable refers to the operators project.

The operands project for the instance

The custom resources for the control plane and Data Privacy are installed in the operands project.

In the installation commands, the ${PROJECT_CPD_INST_OPERANDS} environment variable refers to the operands project.

When do you need to complete this task?

Review the following options to determine whether you need to complete this task:

  • If you want to install multiple services at the same time, follow the process in Running a batch installation of solutions and services instead.
  • If you didn't install Data Privacy as part of a batch installation, complete this task to add Data Privacy to your environment.

    Repeat as needed If you are responsible for multiple instances of IBM Software Hub, you can repeat this task to install more instances of Data Privacy on the cluster.

Information you need to complete this task

Review the following information before you install Data Privacy:

Version requirements

All of the components that are associated with an instance of IBM Software Hub must be installed at the same release. For example, if the IBM Software Hub control plane is installed at Version 5.2.2, you must install Data Privacy at Version 5.2.2.

Environment variables

The commands in this task use environment variables so that you can run the commands exactly as written.

  • If you don't have the script that defines the environment variables, see Setting up installation environment variables.
  • To use the environment variables from the script, you must source the environment variables before you run the commands in this task. For example, run:
    source ./cpd_vars.sh
Security context constraint

Data Privacy works with the default Red Hat® OpenShift® Container Platform security context constraint, restricted-v2.

Storage requirements

Data Privacy leverages the storage that is provisioned when you install IBM Knowledge Catalog, IBM Knowledge Catalog Premium, or IBM Knowledge Catalog Standard.

Before you begin

This task assumes that the following prerequisites are met:

System requirements
This task assumes that the cluster meets the minimum requirements for Data Privacy.
Where to find more information
If this task is not complete, see System requirements.
Workstation
This task assumes that the workstation from which you will run the installation is set up as a client workstation and has the following command-line interfaces:
  • IBM Software Hub CLI: cpd-cli
  • OpenShift CLI: oc
Where to find more information
If this task is not complete, see Setting up a client workstation.
Control plane
This task assumes that the IBM Software Hub control plane is installed.
Where to find more information
If this task is not complete, see Installing an instance of IBM Software Hub.
Private container registry
If your environment uses a private container registry (for example, your cluster is air-gapped), this task assumes that the following tasks are complete:
  1. The Data Privacy software images are mirrored to the private container registry.
    Where to find more information
    If this task is not complete, see Mirroring images to a private container registry.
  2. The cpd-cli is configured to pull the olm-utils-v3 image from the private container registry.
    Where to find more information
    If this task is not complete, see Pulling the olm-utils-v3 image from the private container registry.

Prerequisite services

Before you install Data Privacy, ensure that the following services are installed and running:

Procedure

Complete the following tasks to install Data Privacy:

  1. Installing the service
  2. Validating the installation
  3. What to do next

Installing the service

To install Data Privacy:

  1. Log the cpd-cli in to the Red Hat OpenShift Container Platform cluster:
    ${CPDM_OC_LOGIN}
    Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
  2. Run the following command to create the required OLM objects for Data Privacy in the operators project for the instance:
    cpd-cli manage apply-olm \
--release=${VERSION} \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=dp
    Wait for the cpd-cli to return the following message before you proceed to the next step:
    [SUCCESS]... The apply-olm command ran successfully

    If the apply-olm fails, see Troubleshooting the apply-olm command during installation or upgrade.

  3. Create the custom resource for Data Privacy.

    The command that you run depends on the storage on your cluster.

    Red Hat OpenShift Data Foundation storage

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
    IBM Fusion Data Foundation storage

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
    IBM Fusion Global Data Platform storage
    Remember: When you use IBM Fusion Global Data Platform storage, both ${STG_CLASS_BLOCK} and ${STG_CLASS_FILE} point to the same storage class, typically ibm-spectrum-scale-sc or ibm-storage-fusion-cp-sc.

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
    IBM Storage Scale Container Native storage
    Remember: When you use IBM Storage Scale Container Native storage, both ${STG_CLASS_BLOCK} and ${STG_CLASS_FILE} point to the same storage class, typically ibm-spectrum-scale-sc.

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
    Portworx storage

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--storage_vendor=portworx \
--license_acceptance=true
    NFS storage
    Remember: When you use NFS storage, both ${STG_CLASS_BLOCK} and ${STG_CLASS_FILE} point to the same storage class, typically managed-nfs-storage.

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
    AWS with EFS storage only
    Remember: When you use EFS storage, both ${STG_CLASS_BLOCK} and ${STG_CLASS_FILE} point to the same storage class, typically efs-nfs-client.

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
    AWS with EFS and EBS storage

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
    NetApp Trident
    Remember: When you use NetApp Trident storage, both ${STG_CLASS_BLOCK} and ${STG_CLASS_FILE} point to the same storage class, typically ontap-nas.

    Run the following command to create the custom resource.

    cpd-cli manage apply-cr \
--components=dp \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true

Validating the installation

Data Privacy is installed when the apply-cr command returns:
[SUCCESS]... The apply-cr command ran successfully

If you want to confirm that the custom resource status is Completed, you can run the cpd-cli manage get-cr-status command:

cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=dp

What to do next

Your next steps depend on the version of IBM Software Hub that you installed:

Version 5.2.1 or later

Data Privacy is ready to use. To get started with Data Privacy, see Masking data with Masking flow.

Version 5.2.0
  1. Install the services that you need on this instance of IBM Software Hub
  2. Apply the IBM Software Hub Version 5.2.0 - Day 0 patch

    You must apply the patch to each instance of IBM Software Hub Version 5.2.0 that you install.

After you complete the preceding steps, Data Privacy is ready to use. To get started with Data Privacy, see Masking data with Masking flow.