Basic configuration
Install IBM TRIRIGA Application Suite to get up and running with the suite and take advantage of Application Points usage.
Before you begin
- Installing and preparing the database, either as DB2 Warehouse on IBM Cloud Pak For Data or an external database.
- Installing IBM Suite Licensing Service.
- Installing IBM User Data Services.
Procedure
- Create the new TRIRIGA
Application Suite project by running the following
command:
oc new-project ibm-tas
- Enable the IBM Operator Catalog by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: ibm-operator-catalog namespace: openshift-marketplace spec: displayName: "IBM Operator Catalog" publisher: IBM sourceType: grpc image: icr.io/cpopen/ibm-operator-catalog:latest updateStrategy: registryPoll: interval: 45m EOF
- Install the TRIRIGA
Application Suite operator.
- Create the operator group by running the following command:
cat <<EOF |oc apply -f - apiVersion: operators.coreos.com/v1alpha2 kind: OperatorGroup metadata: name: tas-operator-group namespace: ibm-tas spec: targetNamespaces: - ibm-tas EOF
- Install the TRIRIGA
Application Suite operator by running the
following command:
cat <<EOF | oc create -f - apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: tririga namespace: ibm-tas spec: channel: v11.5 installPlanApproval: Automatic name: tririga source: ibm-operator-catalog sourceNamespace: openshift-marketplace startingCSV: ibm-tririga.v11.5.0 EOF
- Create the operator group by running the following command:
- Create the IBM entitlement secret.
- Obtain your IBM entitlement registry from the Container software library. Click Copy key and substitute the value
as
<ENTITLEMENT_KEY>
in the next step of this task. - Create the secret by running the following command:
oc create secret docker-registry ibm-entitlement --docker-server=cp.icr.io --docker-username=cp --docker-password="$ENTITLEMENT_KEY" -n ibm-tas
- Obtain your IBM entitlement registry from the Container software library. Click Copy key and substitute the value
as
-
Create a database secret.
Replace
<DBA-USERNAME>
,<DBA_PASSWORD>
,<DB_USERNAME>
,<DB_PASSWORD>
with the respective values for the database.Add the certificate that is used for SSL connectivity to the database.cat <<EOF | oc create -f - apiVersion: v1 kind: Secret metadata: name: tas-db-secret namespace: ibm-tas stringData: DBA_USERNAME: <DBA_USERNAME> DBA_PASSWORD: <DBA_PASSWORD> DB_USERNAME: <DB_USERNAME> DB_PASSWORD: <DB_PASSWORD> ca.crt: | -----BEGIN CERTIFICATE----- ... SSL Certificate obtained from the Database ... -----END CERTIFICATE----- EOF
-
Create an SLS secret.
- If the IBM Suite License Service instance you are using enforces client authentication where
spec.settings.auth.enforce=true
in the SLS service custom resource (CR):- Use the following template:
cat <<EOF | oc create -f - kind: Secret apiVersion: v1 metadata: name: tas-sls-secret stringData: url: https://sls.ibm-sls.svc.cluster.local ca.crt: | -----BEGIN CERTIFICATE----- ... CA Certifificate needed to trust SLS server ... -----END CERTIFICATE----- registrationKey: your_sls_client_registration_key api.crt: | -----BEGIN CERTIFICATE----- ... SLS api server certificate ... -----END CERTIFICATE----- EOF
- Replace the
url
,ca.crt
andregistrationKey
field values in the template with the values in thesls-suite-registration
ConfigMap present in the namespace of your IBM Suite License Service instance. - Replace the
api.crt
field value with thetls.crt
field of thesls-cert-api
secret present in the namespace of your IBM Suite License Service instance. Theapi.crt
field is required only when your IBM Suite License Service instance is installed in a remote cluster and you need to access it through an Openshift route. As Suite License Service does not create an externally accessible route by default, you can trigger its creation by setting thespec.domain
property of the IBM Suite License Service CR equal to the dns subdomain of the fully qualified hostname of the route to be created.
- Use the following template:
- If the IBM Suite License Service instance you are using does not enforce client authentication
where
spec.settings.auth.enforce=false
in the SLS service CR:- Use the following template:
cat <<EOF | oc create -f - kind: Secret apiVersion: v1 metadata: name: tas-sls-secret stringData: url: https://sls.ibm-sls.svc.cluster.local ca.crt: | -----BEGIN CERTIFICATE----- ... CA Certifificate needed to trust SLS server ... -----END CERTIFICATE----- tls.crt: | -----BEGIN CERTIFICATE----- ... Client Certificate ... -----END CERTIFICATE----- tls.key: | -----BEGIN RSA KEY----- ... Client Key ... -----END RSA KEY----- api.crt: | -----BEGIN CERTIFICATE----- ... SLS api server certificate ... -----END CERTIFICATE----- EOF
- Replace the
tls.crt
,tls.key
andca.crt
field values in the above template with the values in thesls-cert-client
secret present in the namespace of your IBM Suite License Service instance. - Replace the
api.crt
field value with thetls.crt
field of thesls-cert-api
secret present in the namespace of your IBM Suite License Service instance. Theapi.crt
field is required only when your IBM Suite License Service instance is installed in a remote cluster and you need to access it through an OpenShift route. As Suite License Service does not create an externally accessible route by default, you can trigger its creation by setting thespec.domain
property of the IBM Suite License Service CR equal to the DNS subdomain of the fully qualified hostname of the route to be created. - Adjust the
url
field value to match theurl
exposed by your IBM Suite License Service instance.Warning: Starting with 11.2 version, IBM TRIRIGA Application Suite is capable of interacting with IBM Suite License Service instances enforcing client authentication. Use of IBM Suite License Service in not enforcing client authentication mode for IBM TRIRIGA Application Suite is deprecated and support for it might be removed in future releases. New instances of IBM TRIRIGA Application Suite must use an instance of IBM Suite License Service enforcing client authentication, and the existing instances of IBM TRIRIGA Application Suite must migrate as soon as possible to an instance of IBM Suite License Service enforcing client authentication.
- Use the following template:
- If the IBM Suite License Service instance you are using enforces client authentication where
- Create a UDS secret. Important: In June 2024, IBM User Data Services (UDS) was sunset and replaced with IBM Data Reporter Operator (DRO), which is built on a more robust technology and with a smaller footprint. IBM TRIRIGA Application Suite 11.5 or earlier with UDS installed continues to run but no longer automatically sends usage and metering data to IBM. New installations of 11.5 or earlier can skip installing UDS, but a secret with UDS information is still required by the TRIRIGA Application Suite CR or the TRIRIGA Application Suite operator will fail.If you have UDS installed, create the secret with the following command:
-
Replace
<uds-api-key>
with the value ofuds-api-key
secret inibm-common-services
. -
Replace the
ca-bundle.pem
with thetls.crt
value copied from theevent-api-certs
secret in theibm-common-services
project.
cat <<EOF |oc apply -f - apiVersion: v1 kind: Secret metadata: name: tas-uds-secret namespace: ibm-tas stringData: api_url: https://event-api-service.ibm-common-services.svc:8443 api_key: <uds-api-key> ca-bundle.pem: | -----BEGIN CERTIFICATE----- ... Content of tls.crt of secret `event-api-certs` in ibm-common-services project ... -----END CERTIFICATE----- EOF
If you don't have UDS installed, create a UDS secret by entering the following command. You can use placeholder information but it must be syntactically correct or the TRIRIGA Application Suite operator will fail.-
The secret must contain the
api_key
andapi_url
fields. You can omit theca-bundle.pem
field. -
The
api_url
must be in the format:https://<api_host>
. The<api_host>
value must be the same value that you set for thespec.uds.uds_host
field when you create the Tririga CR. -
<api-key>
can have a placeholder value for the<uds-api-key>
. For example,9smgEVm1yTqZ3l3e3L4JIgYgYGxNaByf9hZtk5Z9fyr1e8BDWL6LDsZSSpSDcLtb
.
cat <<EOF |oc apply -f - apiVersion: v1 kind: Secret metadata: name: tas-uds-secret namespace: ibm-tas stringData: api_url: https://<api_host> api_key: <uds-api-key> EOF
-
- Create the TRIRIGA Application Suite CR.
The parameter values in the following table are provided as an example. You can provide the parameter values based on your configuration:
Parameter Value spec.env.size Specify the size as small
,medium
,large
based on your environment.spec.env.use Specify the use based on your requirements. For example, development
orproduction
.spec.db.db_secret Provide a name of the database secret based on Step 5. For example, the database name is tas-db-secret
.spec.db.dbtype Provide a database type based on your environment. For example, the database type is db2
.spec.db.dbdnsname Provide a database hostname. spec.db.dbport Provide a database port. spec.db.dbname Provide a database name. spec.db.sid Provide a SID value: - If dbtype is Oracle: Oracle DB sid
- if dbtype is db2: DB2 schema nameNote: If the schema name is not specified, the schema name is assumed to be equal to the value of the DB_USERNAME property of the db_secret secret.
- if dbtype is mssql: Not required
spec.db.maxconnpoolsize Maximum number of physical connections for the application server database connection pool. Default is 100 and the minimum is 100. spec.jvm.javamin Minimum heap size value based on your Java environment. For example, 4096
.spec.jvm.javamax Maximum heap size value based on your Java environment. For example, 8192
.spec.rt.contextpath Specify the context path where the TAS Operator is installed based on the value that you provide in Step 3.b. For example, the context path in this instance is tririga
.spec.rt.domain Provide the domain. For example, the domain is default
.spec.rt.routes_crt Provide a route certificate based on the domain. spec.sls.sls_host Provide a SLS host as per Step 6. For example, the SLS host in this instance is sls.ibm-sls.svc.cluster.local
.spec.sls.sls_secret Provide a SLS secret as per Step 6. For example, the SLS secret in this instance is tas-sls-secret
.spec.uds.uds_host Provide the value that you set for <api_host>
in the UDS secret in Step 7.spec.uds.uds_secret Provide the UDS secret that you created in Step 7. For example, tas-uds-secret
.spec.storage.*.class ibmc-file-gold-gid
for IBM Cloud, orocs-storagecluster-cephfs
. The storage class can vary based on your environment.Note: The OCP cluster must be equipped with a StorageClass able to grant read-write permission to the Linux root group and to support Kubernates ReadWriteMany or ReadWriteOnce access mode.spec.storage.*.size Provide a size based on your requirements for logs, configurations, and user files. For example, 30
.spec.storage.*.mode Supported access mode are ReadWriteOnce
andReadWriteMany
.cat <<EOF |oc apply -f - apiVersion: tririga.ibm.com/v1 kind: Tririga metadata: name: my-tririga namespace: ibm-tas spec: env: size: <SIZE> use: <USE> license: accept: true db: db_secret: 'tas-db-secret' dbtype: db2 dbdnsname: <DB_HOST> dbport: <DB_PORT> dbname: <DB_NAME> sid: <SID> jvm: javamin: 4096 javamax: 8192 rt: contextpath: tririga domain: default routes_crt: '' sls: sls_host: sls.ibm-sls.svc.cluster.local sls_secret: 'tas-sls-secret' uds: uds_host: event-api-service.ibm-bas.svc:8443 uds_secret: 'tas-uds-secret' storage: log: class: <STORAGE_CLASS> size: 30 mode: 'ReadWriteOnce' config: class: <STORAGE_CLASS> size: 1 mode: 'ReadWriteOnce' userfiles: class: <STORAGE_CLASS> size: 50 mode: 'ReadWriteOnce' version: 1.0.0 EOF
- Get the TRIRIGA URL by running the following command:
host=$(oc get route -n ibm-tas my-tririga | grep my-tririga | awk '{print $2}') context=$(oc get route -n ibm-tas my-tririga | grep my-tririga | awk '{print $3}') echo "TRIRIGA URL" echo https://$host$context/index.html echo "TRIRIGA Admin Console URL" echo https://$host$context/html/en/default/admin