Installing and configuring the TRIRIGA Application Suite GIS Operator

The IBM® TRIRIGA® Application Suite GIS Operator manages the deployment of the IBM TRIRIGA Application Suite Location Service for Esri instance. TRIRIGA Application Suite Location Service for Esri provides a complete enterprise Geographic Information System (GIS) implementation that runs on Red Hat® OpenShift® Container Platform.

Prerequisites

  • Ensure that you have the following environment:

    Any 64-bit Intel or AMD x86 Red Hat OpenShift Container Platform 4.12 or higher cluster, included, but not limited to:

    • Any customer-managed cluster

    • Any IBM Cloud® managed cluster (ROKS and satellite)

  • The maximum number of the memory map areas (vm.max_map_count) of the nodes of the Red Hat OpenShift Container Platform cluster must be at least 262144.

  • The Red Hat OpenShift Container Platform cluster must be equipped with at least one StorageClass able to grant read/write permission to the Linux® root group and to support Kubernetes ReadWriteMany or ReadWriteOnce access mode. Review the following considerations about the StorageClasses to be adopted:

    • Set the reclaimPolicy field to Delete to simplify administration. This option cleans up the associated PV when a PVC is deleted (for example, when you undeploy the software).

    • Use a separate StorageClass for the hosted backup store configuration with its reclaimPolicy field set to Retain so that the PV persists when you undeploy and redeploy.

    • Set the allowVolumeExpansion field on the StorageClass to true if your storage provider supports the expansion of PVs.

    • For clusters that span multiple availability zones, set the volumeBindingMode to WaitForFirstConsumer for the associated storage class to avoid node-volume affinity conflicts.

  • The cert-manager Operator for Red Hat OpenShift must be deployed on the target cluster, managing the certificates.cert-manager.io/v1 and issuers.cert-manager.io/v1 custom resource definitions. For more information, see cert-manager Operator for Red Hat OpenShift. The cert-manager Operator for Red Hat OpenShift is available in the Red Hat OpenShift-provided Operators catalog (registry.redhat.io/redhat/redhat-operator-index), see https://docs.openshift.com/container-platform/4.16/operators/understanding/olm-rh-catalogs.html.

  • An IBM Entitled Registry key.

  • An IBM TRIRIGA Application Suite Location Service for Esri authorization file, which you can download from your IBM Passport Advantage®

Installing the TRIRIGA Application Suite GIS Operator

Complete the following steps to install the TRIRIGA Application Suite GIS Operator.

  1. Create a Red Hat OpenShift Container Platform project, assuming a name ibm-tas-gis.

    oc new-project ibm-tas-gis

  2. Create the tas-gis-operatorgroup by entering the following command:

    cat <<EOF | oc create -f -
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: tas-gis-operator-group
  namespace: ibm-tas-gis
spec:
  targetNamespaces:
    - ibm-tas-gis
EOF

  3. Create an image pull secret called ibm-entitlement-key, or ibm-entitlement, to access the IBM Entitled registry.

    oc create secret docker-registry ibm-entitlement-key --docker-server=cp.icr.io --docker-username=cp --docker-password=<apikey> --docker-email=<email address> -n ibm-tas-gis

  4. Install the TRIRIGA Application Suite GIS Operator. You can use the OperatorHub UI or create a subscription by using the oc CLI as shown.

    cat <<EOF | oc create -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-tas-gis-subscription
  namespace: ibm-tas-gis
spec:
  channel: v11.6
  installPlanApproval: Automatic
  name: ibm-tas-gis-operator
  source: ibm-operator-catalog
  sourceNamespace: openshift-marketplace
  startingCSV: ibm-tas-gis-operator.v11.6.0
EOF

    Where installPlanApproval can be set as follows:

    • You can decide on the approval strategy by setting the subscription installPlanApproval to either Automatic or Manual.

      By default, the installPlanApproval is set to Automatic when working with the OperatorHub UI or if you don't specify a value in the Subscription spec. If the approval strategy is set to Automatic, the operator is automatically installed or upgraded when a new version is available.

      If you set the installPlanApproval parameter to Manual, the operator is not automatically installed or upgraded. Instead, you get an installation plan that needs to be manually approved. With Manual approval, you can plan for any activity that you need to complete before the installation or upgrade of the operator.

    • If you install the TRIRIGA Application Suite GIS Operator in a namespace where another operator is installed with installPlanApproval: Manual in its subscription, then the operator inherits this setting. The approval plan is set to Manual and the GIS operator is not automatically installed or upgraded.

    • If you install the TRIRIGA Application Suite GIS Operator operator with installPlanApproval set to Manual, this setting is applied to all installed operators, or operators installed in the future, in the same namespace.

    • You can initially set installPlanApproval to Automatic and switch to Manual when the TRIRIGA Application Suite GIS Operator installation completes. Then you can control when updates are applied and plan for any activity that you need to complete before the operator upgrade.

Completing basic configuration

Complete the following basic configuration to get up and running.

  1. Create a secret to hold the TRIRIGA Application Suite Location Service for Esri authorization file, which you can download from your IBM Passport Advantage account. Enter the following commands, assuming a tas-gis-authorization-secret name.
    cat <<EOF | oc apply -f - 
kind: Secret
apiVersion: v1
metadata:
  namespace: ibm-tas-gis
  name: tas-gis-authorization-secret
stringData:
  authorization.json: |
    ...
    Authorization file in json format
    ...
EOF

  2. Create a Locservice instance.

    Note: Only one Locservice instance can be created in a namespace and it must be named arcgis.

    You can use the OperatorHub UI or create an instance by using the oc CLI as shown.

    cat <<EOF | oc create -f -
apiVersion: gis.tas.ibm.com/v1
kind: Locservice
metadata:
  name: arcgis
  namespace: ibm-tas-gis
spec:
  license:
    accept: true
  version: 11.6.0
  settings:    
    profile: standard-availability
    admin:
      security_question: 
        question: 'What city were you born in?'
        answer: my-city
      email: my-emailv@my-domain.com
      first_name: my-first-name
      last_name: my-first-name
      username: my-username
    authorization_secret: tas-gis-authorization-secret
    k8s_availability_topology_key: kubernetes.io/hostname
    storage:
      indexer:
        class: my-storage-class
        size: 16
      memory:
        class: my-storage-class
        size: 16
      object:
        class: my-storage-class
        size: 32
      prometheus:
        class: my-storage-class
        size: 30
      queue:
        class: my-storage-class
        size: 16
      relational:
        class: my-storage-class
        size: 20
      sharing:
        class: my-storage-class
        size: 16
    logging:
      level: warning
      retention_days: 60
EOF

Completing advanced configuration

Complete the following advanced configuration steps.

TRIRIGA Application Suite GIS Operator route: termination, domain name, and certificates

If you don’t want to use the default URL of the cluster, or if you want to use different certificates, you can configure the IBM® TRIRIGA Application Suite URL and certificates.

All TRIRIGA Application Suite GIS Operator HTTPS endpoints are exposed by using a secure Red Hat OpenShift route. The default termination of this route is passthrough and the TLS certificate that is used to secure is self-signed. You can retrieve the certificate of the certificate authority that is used to sign it from the data['ca.crt'] field of the arcgis-tas-gis-setup-tls-cert secret. The fully qualified domain name of the IBM® TRIRIGA Application Suite Location Service route has the form arcgis-<namespace>.<domain>, where domain is the default subdomain of Red Hat OpenShift Container Platform cluster.

You can choose a route with reencrypt termination type by setting the Locservice custom resource (CR) field spec.route.termination to reencrypt. In this case, you can provide a custom domain to be used for the route by setting the spec.route.domain CR field equal to your custom domain. The value must be matched by the following regular expression: ^((?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,})$. The fully qualified domain name of the IBM® TRIRIGA Application Suite Location Service route assumes the form arcgis-<namespace>.<custom-domain>. If the spec.route.domain field is missing or empty, the default subdomain of Red Hat OpenShift Container Platform cluster is used as with passthrough. If you use a custom domain, it is your responsibility to ensure that the DNS provider is correctly configured

When the termination type is reencrypt, you can also use your own certificate to secure the IBM® TRIRIGA Application Suite Location Service route by setting the CR spec.route.tls_certificates field to the name of a Kubernetes secret of type TLS. The ca.crt field of this secret can be empty, but must be present, while the tls.key and tls.crt fields are required. If you use your own certificate, you must ensure that it can secure the arcgis-<namespace>.<domain> endpoint, where <domain> is your custom domain, if you have provided it, or the default cluster subdomain. If the spec.route.tls_certificates CR field is missing or empty, the route is secured with the default cluster certificate.

TLS cipher suites

By default, the TRIRIGA Application Suite Location Service for Esri supports the following TLS cipher suites.

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_CCM_8_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

You can add other cipher suites by editing the Locservice CR spec.tls_ciphers field. The spec.tls_ciphers field consists of a string of cipher suite identifiers that are separated by a colon (:).

Initial TRIRIGA Application Suite Location Service for Esri admin user password

The TRIRIGA Application Suite GIS Operator generates an initial password for the TRIRIGA Application Suite Location Service for Esri admin user to be used for the first access to the service. This password is stored in the Admin Password field of the arcgis-tas-gis-setup-admin-secret secret.

Red Hat OpenShift Security Context Constraints requirements

Esri ArcGIS Enterprise workloads have a hardcoded fsGroup value to initialize volume permissions on newly provisioned block storage persistent volumes. This fsGroup must be allowed by a Security Context Constraint (SCC) since the default is to run as an arbitrary range. To allow fsGroup, update a copy of the restricted or restricted-v2 SCC with the following section:

fsGroup:
  ranges:
    - max: 117932853
      min: 117932853
  type: MustRunAs
groups:
  - 'system:serviceaccounts:<target-namespace>'

See the following example, assuming that your target namespace is ibm-tas-gis.

cat <<EOF | oc create -f -
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-v2-gis
fsGroup:
  type: MustRunAs
  ranges:
  - min: 117932853
    max: 117932853
groups:
  - 'system:serviceaccounts:ibm-tas-gis' 
allowHostPorts: false
priority: null
requiredDropCapabilities:
  - ALL
allowPrivilegedContainer: false
runAsUser:
  type: MustRunAsRange
users: []
allowHostDirVolumePlugin: false
seccompProfiles:
  - runtime/default
allowHostIPC: false
seLinuxContext:
  type: MustRunAs
readOnlyRootFilesystem: false
defaultAddCapabilities: null
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - ephemeral
  - nfs
  - persistentVolumeClaim
  - projected
  - secret
allowHostPID: false
allowHostNetwork: false
allowPrivilegeEscalation: false
allowedCapabilities:
  - NET_BIND_SERVICE

Custom resource status

The TRIRIGA Application Suite GIS Operator maintains a status subresource for each Locservice.gis.tas.ibm.com instance that it manages. This status includes both Kubernetes conditions and properties.

Conditions
Running
True while the operator is running the reconciliation for the custom resource CR instance.
Successful
True when the reconciliation cycle for the CR instance finishes without errors. The operator then waits for the next reconciliation action, either the reconcile period, dependent watches triggers, or the resource is updated.
Failed
True if there are errors during the reconciliation run for the CR instance. Error messages from the errors are reported. The error messages are the raw output from the run for reconciliation. Intermittent failures are often resolved when the operator reruns the reconciliation loop.
Initialized
True when the arcgis-tas-deploygismgr-pod pod exists and has successfully completed reconciliation.
Ready
True when the arcgis-tas-deploygismgr-pod pod exists and has successfully completed reconciliation.
Properties
tasGisOperatorVersion
Version of the TRIRIGA Application Suite GIS Operator that does the reconciliation.
tasGisVersionTag
The TRIRIGA Application Suite opearand tag.
operandImages
A list of operand images that are in use.
tasGisAdminUrl
The TRIRIGA Application Suite GIS instance administrative URL.
tasGisHomeUrl
The TRIRIGA Application Suite GIS instance home URL.
tasGisManagerUrl
TRIRIGA Application Suite GIS instance manager URL.

The arcgis-tas-gis-tririgaproxycfg-secret secret

The TRIRIGA Application Suite GIS Operator creates an arcgis-tas-gis-tririgaproxycfg-secret secret to host the relevant information to integrate the deployed TRIRIGA Application Suite Location Service for Esri instance with a IBM TRIRIGA server. The secret contains two fields:
ca.crt
A certificate authority certificate to be added to the integration truststore of the IBM TRIRIGA server, when the Location service is using a certificate that is not signed by a public certificate authority. For more information, see Additional CA certificates.
tririga_proxy_cfg.xml
A file that contains the information that is needed to create or update the Esri Token in the IBM TRIRIGA server. For more information about configuring the proxy server, see Configuring Indoor Maps.

Upgrade, rollback, and uninstallation

Upgrade

The Operator Lifecycle Manager manages upgrades to the TRIRIGA Application Suite GIS Operator. The subscription of an installed TRIRIGA Application Suite GIS Operator specifies the update channel in the IBM Operator Catalog source, which is used to track and receive updates for the Operator. You can change the update channel in the subscription to have the operator track and receive updates from a newer channel.

If the approval strategy in the subscription is set to automatic, the upgrade process initiates when a new TRIRIGA Application Suite GIS Operator version is available in the selected channel. If the approval strategy is set to manual, you must manually approve pending upgrades.

For more information about how Operator Lifecycle Manager manages upgrades, see Updating installed Operators.

Rollback

This is the first version of the TRIRIGA Application Suite GIS Operator, so no previous version is available.

Uninstallation

To uninstall the TRIRIGA Application Suite Location Service for Esri deployment from a project, delete the locservice.gis.tas.ibm.com/arcgis CR.

To uninstall the TRIRIGA Application Suite GIS Operator from a project:

  • Delete the locservice.gis.tas.ibm.com/arcgis CR.

  • Delete the TRIRIGA Application Suite GIS Operator subscription from the project.

When the TRIRIGA Application Suite GIS Operator is uninstalled from all namespaces, you can delete the Locservice CustomResourceDefinition from the cluster.

Deploying to a disconnected Red Hat OpenShift Container Platform cluster (Air-gap)

Red Hat OpenShift Container Platform clusters that are installed on restricted networks, also known as disconnected clusters, cannot access icr.io and cp.icr.io registries where the TRIRIGA Application Suite images are available. You can enable Operator Lifecycle Manager (OLM) operations by using a local registry, where you can mirror the TRIRIGA Application Suite GIS Operator images.

Before you begin

  • A client workstation with unrestricted network access and that has:

    • oc cli version 4.10.0 or greater

    • podman version 3.4.0 or greater

  • A mirror registry that supports Docker v2-2, accessible from both the client workstation and the disconnected target cluster.

About this task

For more information about air-gap deployment of the cert-manager Operator forRed Hat OpenShift, see the Red Hat OpenShift user documentation.

Procedure

  1. Log in to the cp.icr.io registry with your ibm-entitlement-key credentials. 
    podman login --authfile ./auths.json cp.icr.io
  2. Log in to the mirror registry with your credentials. 
    podman login --authfile ./auths.json <mirror_registry>
  3. Mirror TRIRIGA Application Suite GIS Operator related images to the mirror server.
    Enter the following command:
    oc adm catalog mirror \
   icr.io/cpopen/ibm-tas-gis-operator-catalog:1.6.0 \
   <mirror_registry>:<port>/<namespace> \
   -a ./auths.json

    • Add the --insecure flag if you don't want to configure trust for the target registry.

    • Add the --manifests-only flag to generate only the manifests that are required for mirroring without mirroring the image content to a registry. This option can be useful to review what is mirrored before you proceed.

    The last output line is: wrote mirroring manifests to manifests-ibm-tas-catalog-<random_number>

    The manifests directory contains the following files:

    • The catalogSource.yaml file is a basic definition for a CatalogSource object that is prepopulated with your index image tag and other relevant metadata. You can use the catalogSource.yaml file unchanged or modified to add the catalog source to your cluster.

    • The imageContentSourcePolicy.yaml file defines an ImageContentSourcePolicy object that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.

    • The mapping.txt file contains all the source images and where to map them in the target registry.

  4. Configure nodes to translate between manifests and the mirrored registry.

    Create an ImageContentSourcePolicy object that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.

    oc create -f manifests-ibm-tas-gis-operator-catalog-<random_number>/imageContentSourcePolicy.yaml
  5. Create a CatalogSource object to reference the mirrored index image. 
    oc create -f manifests-ibm-tas-gis-catalog-<random_number>/catalogSource.yaml
  6. You can now deploy the TRIRIGA Application Suite GIS Operator by using the normal procedure.