Table of contents

Installing External S-TAP

A project administrator can install the External S-TAP service on IBM® Cloud Pak for Data.

Before you begin

Required role: To complete this task, you must be an administrator of the project (namespace) where you will deploy External S-TAP.

Before you install External S-TAP, ensure that:

If you are installing multiple services on your cluster, you must run the installations one at a time and wait until the installation completes before installing another service. You cannot run the installations in parallel.

Tip: For a list of all available options, enter the following command:
./cpd-cli install --help

Procedure

  1. Complete the appropriate steps to install External S-TAP on your environment:
  2. Verifying that the installation completed successfully

Installing on clusters connected to the internet

From your installation node:

  1. Change to the directory where you placed the Cloud Pak for Data command-line interface and the repo.yaml file.
  2. Log in to your Red Hat OpenShift cluster as a project administrator:
    oc login OpenShift_URL:port
  3. Run the following command to see a preview of what will be installed when you install the service.
    Important: If you are using the internal Red Hat OpenShift registry and you are using the default self-signed certificate, specify the --insecure-skip-tls-verify flag to prevent x509 errors.
    ./cpd-cli install \
    --repo ./repo.yaml \
    --assembly ibm-estap-prod \
    --arch Cluster_architecture \
    --namespace Project \
    --storageclass Storage_class_name \
    --transfer-image-to Registry_location \
    --cluster-pull-prefix Registry_from_cluster \
    --ask-push-registry-credentials \
    --latest-dependency \
    --dry-run
    Important: By default, this command gets the latest version of the assembly. If you want to install a specific version of External S-TAP, add the following line to your command after the --assembly flag:
    --version Assembly_version \

    The --latest-dependency flag gets the latest version of the dependent assemblies. If you remove the --latest-dependency flag, the installer will get the minimum version of the dependent assemblies.

    Replace the following values:

    Variable Replace with
    Assembly_version
    The version of External S-TAP that you want to install. The assembly versions are listed in System requirements for services.
    Cluster_architecture Specify the architecture of your cluster hardware:
    • For x86-64 hardware, remove this flag or specify x86_64
    Project Use the value provided by your cluster administrator. You should have obtained this information when you completed Preparing to install and upgrade services.
    Storage_class_name Use the value provided by your cluster administrator. You should have obtained this information when you completed Preparing to install and upgrade services.
    Registry_location Use the value provided by your cluster administrator. You should have obtained this information when you completed Preparing to install and upgrade services.
    Registry_from_cluster Use the value provided by your cluster administrator. You should have obtained this information when you completed Preparing to install and upgrade services.
  4. Rerun the previous command without the --dry-run flag to install the service.

Installing on air-gapped clusters

From your installation node:

  1. Change to the directory where you placed the Cloud Pak for Data command-line interface.
  2. Log in to your Red Hat OpenShift cluster as a project administrator:
    oc login OpenShift_URL:port
  3. Run the following command to see a preview of what will be installed when you install the service.
    Important: If you are using the internal Red Hat OpenShift registry:
    • Do not specify the --ask-pull-registry-credentials parameter.
    • If you are using the default self-signed certificate, specify the --insecure-skip-tls-verify flag to prevent x509 errors.
    ./cpd-cli install \
    --assembly ibm-estap-prod \
    --arch Cluster_architecture \
    --namespace Project \
    --storageclass Storage_class_name \
    --cluster-pull-prefix Registry_from_cluster \
    --ask-pull-registry-credentials \
    --load-from Image_directory_location \
    --latest-dependency \
    --dry-run
    Note: If the assembly was downloaded using the delta-images command, remove the --latest-dependency flag from the command. If you don't remove the --latest-dependency flag you will get an error indicating that the flag cannot be used.

    Replace the following values:

    Variable Replace with
    Cluster_architecture Specify the architecture of your cluster hardware:
    • For x86-64 hardware, remove this flag or specify x86_64
    Project Use the value provided by your cluster administrator. You should have obtained this information when you completed Preparing to install and upgrade services.
    Storage_class_name Use the value provided by your cluster administrator. You should have obtained this information when you completed Preparing to install and upgrade services.
    Registry_from_cluster Use the value provided by your cluster administrator. You should have obtained this information when you completed Preparing to install and upgrade services.
    Image_directory_location The location of the cpd-cli-workspace directory.

    Use the value provided by your cluster administrator. You should have obtained this information when you completed Preparing to install and upgrade services.

  4. Rerun the previous command without the --dry-run flag to install the service.

Verifying that the installation completed successfully

From your installation node:

  1. Run the following command:
    ./cpd-cli status \
    --assembly ibm-estap-prod \
    --namespace Project

    Replace Project with the value you used in when you installed External S-TAP.

    • If the installation completed successfully, the status of the assembly and the modules in the assembly is Ready.
    • If the installation failed, contact IBM Support for assistance.

What to do next

After you install the External S-TAP service, provision one or more instances of the External S-TAP as described in Provisioning an instance of Guardium External S-TAP.