Basic configuration

Install IBM TRIRIGA Application Suite to get up and running with the suite and take advantage of Application Points usage.

Before you begin

Ensure that you have completed the following tasks:

Procedure

  1. Create the new TRIRIGA Application Suite project by running the following command:
    
    oc new-project ibm-tas
    
  2. Enable the IBM Operator Catalog by running the following command:
    
    cat <<EOF |oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: "IBM Operator Catalog" 
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-operator-catalog:latest
      updateStrategy:
        registryPoll:
          interval: 45m
    EOF
    
  3. Install the TRIRIGA Application Suite operator.
    1. Create the operator group by running the following command:
      
      cat <<EOF |oc apply -f -
      apiVersion: operators.coreos.com/v1alpha2
      kind: OperatorGroup
      metadata:
        name: tas-operator-group
        namespace: ibm-tas
      spec:
        targetNamespaces:
          - ibm-tas
      EOF
      
    2. Install the TRIRIGA Application Suite operator by running the following command:
      
      cat <<EOF | oc create -f -
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: tririga
        namespace: ibm-tas
      spec:
        channel: v11.5
        installPlanApproval: Automatic
        name: tririga
        source: ibm-operator-catalog
        sourceNamespace: openshift-marketplace
        startingCSV: ibm-tririga.v11.5.0
      EOF
      
  4. Create the IBM entitlement secret.
    1. Obtain your IBM entitlement key from the Container software library. Click Copy key and use the value as ENTITLEMENT_KEY ($ENTITLEMENT_KEY in the command) in the next step of this task.
    2. Create the secret by running the following command:
      
      oc create secret docker-registry ibm-entitlement --docker-server=cp.icr.io --docker-username=cp --docker-password="$ENTITLEMENT_KEY" -n ibm-tas
      
  5. Create a database secret.

    Replace <DBA_USERNAME>, <DBA_PASSWORD>, <DB_USERNAME>, and <DB_PASSWORD> with the respective values for the database.

    Add the certificate that is used for SSL connectivity to the database.
    
    cat <<EOF | oc create -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: tas-db-secret
      namespace: ibm-tas
    stringData:
      DBA_USERNAME: <DBA_USERNAME>
      DBA_PASSWORD: <DBA_PASSWORD>
      DB_USERNAME: <DB_USERNAME>
      DB_PASSWORD: <DB_PASSWORD>
      ca.crt: |
         -----BEGIN CERTIFICATE-----
         ...
         SSL Certificate obtained from the Database
         ...
         -----END CERTIFICATE-----
    EOF
    
  6. Create an SLS secret.
    • If the IBM Suite License Service instance you are using enforces client authentication where spec.settings.auth.enforce=true in the SLS service custom resource (CR):
      • Use the following template:
        
        cat <<EOF | oc create -f -
        kind: Secret
        apiVersion: v1
        metadata:
          name: tas-sls-secret
          namespace: ibm-tas
        stringData:
          url: https://sls.ibm-sls.svc.cluster.local
          ca.crt: |
            -----BEGIN CERTIFICATE-----
            ...
            CA Certificate needed to trust SLS server
            ...
            -----END CERTIFICATE-----
          registrationKey: your_sls_client_registration_key
          api.crt: |
            -----BEGIN CERTIFICATE-----
            ...
            SLS api server certificate
            ...
            -----END CERTIFICATE-----
        EOF
      • Replace the url, ca.crt and registrationKey field values in the template with the values in the sls-suite-registration ConfigMap present in the namespace of your IBM Suite License Service instance.
      • Replace the api.crt field value with the tls.crt field of the sls-cert-api secret present in the namespace of your IBM Suite License Service instance. The api.crt field is required only when your IBM Suite License Service instance is installed in a remote cluster and you need to access it through an OpenShift route. As Suite License Service does not create an externally accessible route by default, you can trigger its creation by setting the spec.domain property of the IBM Suite License Service CR equal to the DNS subdomain of the fully qualified hostname of the route to be created.
    • If the IBM Suite License Service instance you are using does not enforce client authentication where spec.settings.auth.enforce=false in the SLS service CR:
      • Use the following template:
        
        cat <<EOF | oc create -f -
        kind: Secret
        apiVersion: v1
        metadata:
          name: tas-sls-secret
          namespace: ibm-tas
        stringData:
          url: https://sls.ibm-sls.svc.cluster.local
          ca.crt: |
            -----BEGIN CERTIFICATE-----
            ...
            CA Certificate needed to trust SLS server
            ...
            -----END CERTIFICATE-----
          tls.crt: |
            -----BEGIN CERTIFICATE-----
            ...
            Client Certificate
            ...
            -----END CERTIFICATE-----
          tls.key: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
            Client Key
            ...
            -----END RSA PRIVATE KEY-----
          api.crt: |
            -----BEGIN CERTIFICATE-----
            ...
            SLS api server certificate
            ...
            -----END CERTIFICATE-----
        EOF
      • Replace the tls.crt, tls.key and ca.crt field values in the above template with the values in the sls-cert-client secret present in the namespace of your IBM Suite License Service instance.
      • Replace the api.crt field value with the tls.crt field of the sls-cert-api secret present in the namespace of your IBM Suite License Service instance. The api.crt field is required only when your IBM Suite License Service instance is installed in a remote cluster and you need to access it through an OpenShift route. As Suite License Service does not create an externally accessible route by default, you can trigger its creation by setting the spec.domain property of the IBM Suite License Service CR equal to the DNS subdomain of the fully qualified hostname of the route to be created.
      • Adjust the url field value to match the url exposed by your IBM Suite License Service instance.
        Warning: Starting with version 11.2, IBM TRIRIGA Application Suite can interact with IBM Suite License Service instances that enforce client authentication. Using IBM Suite License Service without enforced client authentication with IBM TRIRIGA Application Suite is deprecated, and support for it might be removed in future releases. New instances of IBM TRIRIGA Application Suite must use an instance of IBM Suite License Service that enforces client authentication, and existing instances of IBM TRIRIGA Application Suite must migrate to such an instance as soon as possible.
  7. Create a UDS secret.
    Important: In June 2024, IBM User Data Services (UDS) was sunset and replaced with IBM Data Reporter Operator (DRO), which is built on a more robust technology and with a smaller footprint. IBM TRIRIGA Application Suite 11.5 or earlier with UDS installed continues to run but no longer automatically sends usage and metering data to IBM. New installations of 11.5 or earlier can skip installing UDS, but a secret with UDS information is still required by the TRIRIGA Application Suite CR or the TRIRIGA Application Suite operator will fail.
    If you have UDS installed, create the secret with the following command:
    • Replace <uds-api-key> with the value of uds-api-key secret in ibm-common-services.

    • Replace the ca-bundle.pem with the tls.crt value copied from the event-api-certs secret in the ibm-common-services project.

    
    cat <<EOF |oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: tas-uds-secret
      namespace: ibm-tas
    stringData:
      api_url: https://event-api-service.ibm-common-services.svc:8443
      api_key: <uds-api-key>
      ca-bundle.pem: |
        -----BEGIN CERTIFICATE-----
        ...
        Content of tls.crt of secret `event-api-certs` in ibm-common-services project
        ...
        -----END CERTIFICATE-----
    EOF
    
    If you don't have UDS installed, create a UDS secret by entering the following command. You can use placeholder information but it must be syntactically correct or the TRIRIGA Application Suite operator will fail.
    • The secret must contain the api_key and api_url fields. You can omit the ca-bundle.pem field.

    • The api_url must be in the format: https://<api_host>. The <api_host> value must be the same value that you set for the spec.uds.uds_host field when you create the Tririga CR.

    • The api_key field can have a placeholder value for <uds-api-key>. For example, 9smgEVm1yTqZ3l3e3L4JIgYgYGxNaByf9hZtk5Z9fyr1e8BDWL6LDsZSSpSDcLtb.

    cat <<EOF |oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: tas-uds-secret
      namespace: ibm-tas
    stringData:
      api_url: https://<api_host>
      api_key: <uds-api-key>
    EOF
  8. Create the TRIRIGA Application Suite CR.

    The parameter values in the following table are provided as an example. You can provide the parameter values based on your configuration:

    | Parameter | Value |
    | --- | --- |
    | spec.env.size | Specify the size as small, medium, or large based on your environment. |
    | spec.env.use | Specify the use based on your requirements. For example, development or production. |
    | spec.db.db_secret | Provide the name of the database secret from Step 5. For example, tas-db-secret. |
    | spec.db.dbtype | Provide a database type based on your environment. For example, the database type is db2. |
    | spec.db.dbdnsname | Provide a database hostname. |
    | spec.db.dbport | Provide a database port. |
    | spec.db.dbname | Provide a database name. |
    | spec.db.sid | Provide a SID value. If dbtype is Oracle: Oracle DB SID. If dbtype is db2: DB2 schema name (Note: If the schema name is not specified, the schema name is assumed to be equal to the value of the DB_USERNAME property of the db_secret secret). If dbtype is mssql: not required. |
    | spec.db.maxconnpoolsize | Maximum number of physical connections for the application server database connection pool. Default is 100 and the minimum is 100. |
    | spec.jvm.javamin | Minimum heap size value based on your Java environment. For example, 4096. |
    | spec.jvm.javamax | Maximum heap size value based on your Java environment. For example, 8192. |
    | spec.rt.contextpath | Specify the context path where the TAS Operator is installed based on the value that you provide in Step 3.b. For example, the context path in this instance is tririga. |
    | spec.rt.domain | Provide the domain. For example, the domain is default. |
    | spec.rt.routes_crt | Provide a route certificate based on the domain. |
    | spec.sls.sls_host | Provide an SLS host as per Step 6. For example, the SLS host in this instance is sls.ibm-sls.svc.cluster.local. |
    | spec.sls.sls_secret | Provide an SLS secret as per Step 6. For example, the SLS secret in this instance is tas-sls-secret. |
    | spec.uds.uds_host | Provide the value that you set for <api_host> in the UDS secret in Step 7. |
    | spec.uds.uds_secret | Provide the UDS secret that you created in Step 7. For example, tas-uds-secret. |
    | spec.storage.*.class | ibmc-file-gold-gid for IBM Cloud, or ocs-storagecluster-cephfs. The storage class can vary based on your environment. Note: The OCP cluster must be equipped with a StorageClass able to grant read-write permission to the Linux root group and to support Kubernetes ReadWriteMany or ReadWriteOnce access mode. |
    | spec.storage.*.size | Provide a size based on your requirements for logs, configurations, and user files. For example, 30. |
    | spec.storage.*.mode | Supported access modes are ReadWriteOnce and ReadWriteMany. |
    
    cat <<EOF |oc apply -f -
    apiVersion: tririga.ibm.com/v1
    kind: Tririga
    metadata:
      name: my-tririga
      namespace: ibm-tas
    spec:
      env:
        size: <SIZE>
        use: <USE>
      license:
        accept: true
      db:
        db_secret: 'tas-db-secret'
        dbtype: db2
        dbdnsname: <DB_HOST>
        dbport: <DB_PORT>
        dbname: <DB_NAME>
        sid: <SID>
      jvm:
        javamin: 4096
        javamax: 8192
      rt:
        contextpath: tririga
        domain: default
        routes_crt: ''
      sls:
        sls_host: sls.ibm-sls.svc.cluster.local
        sls_secret: 'tas-sls-secret'
      uds:
        # Must equal the <api_host> part of api_url in tas-uds-secret (Step 7)
        uds_host: event-api-service.ibm-bas.svc:8443
        uds_secret: 'tas-uds-secret'
      storage:
        log:
          class: <STORAGE_CLASS>
          size: 30
          mode: 'ReadWriteOnce'
        config: 
          class: <STORAGE_CLASS>
          size: 1
          mode: 'ReadWriteOnce'
        userfiles: 
          class: <STORAGE_CLASS>
          size: 50
          mode: 'ReadWriteOnce'
      version: 1.0.0
    EOF
    
  9. Get the TRIRIGA URL by running the following commands:
    
    # Read host and path from the route spec instead of parsing table columns,
    # which shift when the PATH column is empty.
    host=$(oc get route my-tririga -n ibm-tas -o jsonpath='{.spec.host}')
    context=$(oc get route my-tririga -n ibm-tas -o jsonpath='{.spec.path}')
    echo "TRIRIGA URL"
    echo "https://${host}${context}/index.html"
    echo "TRIRIGA Admin Console URL"
    echo "https://${host}${context}/html/en/default/admin"
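
A pre-flight check for the manifests in Steps 5 to 8, added here as an example (it is not part of the IBM procedure or product code): it rejects leftover <PLACEHOLDER> tokens and template filler inside PEM blocks, and enforces the Step 7 rule that the api_url host equals spec.uds.uds_host. The function names and the sample manifests are constructed for illustration and use the host values shown on this page.

```shell
# Added example (not IBM code): offline pre-flight checks for the Step 5-8 manifests.

# Succeeds only if no unreplaced <PLACEHOLDER> token remains; prints offending lines.
no_placeholders() { ! grep -n -E '<[A-Za-z][A-Za-z0-9_-]*>' "$1"; }

# Succeeds only if each PEM block is closed with a matching label and has a base64
# body, so the templates' "..." and descriptive filler lines are rejected.
pem_ok() {
    awk '
        /-----BEGIN [A-Z ]+-----/ { if (lbl != "") bad = 1
            lbl = $0; sub(/.*-----BEGIN /, "", lbl); sub(/-----.*/, "", lbl); next }
        /-----END [A-Z ]+-----/ { e = $0; sub(/.*-----END /, "", e); sub(/-----.*/, "", e)
            if (e != lbl) bad = 1; lbl = ""; next }
        lbl != "" && $0 !~ /^[ \t]*[A-Za-z0-9+\/=]+[ \t]*$/ { bad = 1 }
        END { exit (bad || lbl != "") ? 1 : 0 }
    ' "$1"
}

# First scalar value of a YAML key, quotes stripped (enough for these flat manifests).
yaml_value() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d "'\""; }

# Step 7 rule: api_url is https://<api_host> and <api_host> equals spec.uds.uds_host.
uds_host_matches() {    # $1 = UDS secret manifest, $2 = Tririga CR manifest
    url=$(yaml_value api_url "$1"); host=$(yaml_value uds_host "$2")
    case $url in https://?*) ;; *) echo "bad api_url: $url" >&2; return 1 ;; esac
    [ "${url#https://}" = "$host" ] || { echo "host mismatch: $url vs $host" >&2; return 1; }
}

# Constructed sample manifests, reduced to the fields the checks read.
tmp=$(mktemp -d)
cat >"$tmp/db-template.yaml" <<'EOF'
stringData:
  DB_USERNAME: <DB_USERNAME>
  ca.crt: |
     -----BEGIN CERTIFICATE-----
     ...
     -----END CERTIFICATE-----
EOF
cat >"$tmp/uds.yaml" <<'EOF'
stringData:
  api_url: https://event-api-service.ibm-common-services.svc:8443
  ca-bundle.pem: |
    -----BEGIN CERTIFICATE-----
    Q09OU1RSVUNURUQ=
    -----END CERTIFICATE-----
EOF
printf 'spec:\n  uds:\n    uds_host: %s\n' event-api-service.ibm-bas.svc:8443 >"$tmp/cr-bas.yaml"
printf 'spec:\n  uds:\n    uds_host: %s\n' event-api-service.ibm-common-services.svc:8443 >"$tmp/cr-ok.yaml"
```

Save each manifest to a file and run the checks on it before piping it to oc. With the sample values above, uds_host_matches rejects the CR that uses the ibm-bas host against a secret whose api_url points at ibm-common-services, and accepts the CR whose host is identical.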