Installing IBM Cloud Pak for AIOps in an air-gapped environment (offline) using a bastion host
If your cluster is not connected to the internet, you can deploy a production installation of IBM Cloud Pak® for AIOps on your Red Hat® OpenShift® Container Platform cluster by using a bastion host.
In this scenario, your air-gapped (offline) environment has a target registry, and a Red Hat OpenShift cluster on which IBM Cloud Pak for AIOps is to be installed. The bastion host has access to the internet and to the offline environment. IBM Cloud Pak for AIOps images are mirrored from the internet through the bastion server to the target registry in the offline environment. IBM Cloud Pak for AIOps can then be installed in the offline environment by using the target registry.
Before you begin
- You must know whether you are deploying a base deployment or an extended deployment of IBM Cloud Pak for AIOps. For more information, see Incremental adoption.
- Review the Planning section. Your environment must meet the system requirements.
- Ensure that you are logged in to your Red Hat OpenShift cluster with oc login for any steps that use the Red Hat OpenShift command-line interface (CLI).
- The following commands must be run as a root user or by a user with sudo access: yum install podman and podman login. The rest of the procedure can be run as a non-root user.
- If you require details about the permissions that are needed by the IBM Cloud Pak for AIOps operators, see Permissions (IBM Cloud Pak for AIOps).
- A user with cluster-admin privileges is needed for the following operations:
Important: If IBM Sales representatives and Business Partners supplied you with a custom profile ConfigMap to customize your deployment, then you must follow their instructions to apply it during installation. The custom profile cannot be applied after installation, and attempting to do so can break your IBM Cloud Pak for AIOps deployment. For more information about custom sizing, see Custom sizing.
The following procedure is based on a Red Hat OpenShift 4.15 environment and includes links for that version. If your environment uses a different supported version of Red Hat OpenShift, ensure that you follow the Red Hat OpenShift documentation for that version.
Installation procedure
1. Set up the mirroring environment
Prerequisites
Allow access to the following sites and ports:
| Site | Description |
|---|---|
| | Allow access to these hosts on port 443 to enable access to the IBM Cloud Container Registry, CASE OCI artifact, and IBM Cloud Pak® foundational services catalog source. |
| | If you are located in China, also allow access to these hosts on port 443. |
| github.com | GitHub houses CASE files, IBM Cloud Pak tools and scripts. |
| redhat.com | Red Hat OpenShift registries that are required for Red Hat OpenShift, and for Red Hat OpenShift upgrades. For more information, see Configuring your firewall for OpenShift Container Platform. |
1.1 Download documentation and scripts for offline access
Download the following documentation and scripts that you might need to access during your IBM Cloud Pak for AIOps installation, and copy them to your air-gapped environment.
- IBM Cloud Pak for AIOps 4.6.0 documentation
  Download the Cloud Pak for AIOps 4.6.0 PDF (this documentation) so that you can access it offline.
- IBM Cloud Pak for AIOps 4.6.0 scripts
  - The prerequisite checker script verifies whether your Red Hat OpenShift cluster is correctly set up for an IBM Cloud Pak for AIOps installation. You will need to run this script in step 5.7 Verify cluster readiness. Download this script from github.com/IBM.
  - An uninstall script can be downloaded from github.com/IBM.
  - (Optional) The status checker script can be used in step 5.9 Install IBM Cloud Pak for AIOps to give information about the status of your deployment. The use of this script is optional, as status can be found directly from the ibm-aiops-orchestrator custom resource. This script can be downloaded from github.com/IBM.
- Red Hat OpenShift documentation
  The Red Hat OpenShift documentation can be downloaded for offline access from Red Hat. The Security and compliance, Installing, CLI Tools, Images, and Operators sections are referenced by this documentation.
1.2 Install and configure Red Hat OpenShift
IBM Cloud Pak for AIOps requires Red Hat OpenShift to be installed and running on your target cluster. You must have administrative access to your Red Hat OpenShift cluster.
For more information about the supported versions of Red Hat OpenShift, see Supported Red Hat OpenShift Container Platform versions.
- Install Red Hat OpenShift by using the instructions in the Red Hat OpenShift documentation. Information about installing a cluster in a restricted network is given in Mirroring images for a disconnected installation.
- Install the Red Hat OpenShift command line interface (oc) on your cluster's boot node and run oc login. For more information, see the instructions in Getting started with the Red Hat OpenShift CLI.
- Ensure that the clocks on your Red Hat OpenShift cluster are synchronized. Each Red Hat OpenShift node in the cluster must have access to an NTP server. Red Hat OpenShift nodes use NTP to synchronize their clocks. IBM Cloud Pak for AIOps runs on Red Hat OpenShift and also has this requirement. Discrepancies between the clocks on the Red Hat OpenShift nodes can cause IBM Cloud Pak for AIOps to experience operational issues. See the Red Hat OpenShift documentation for information about how to use a MachineConfig custom resource to configure chrony to connect to your NTP servers.
- Optionally configure a custom certificate for IBM Cloud Pak for AIOps to use. You can use either of the following methods:
  - Configure a custom certificate for the Red Hat OpenShift cluster. Follow the instructions in the Red Hat OpenShift documentation Replacing the default ingress certificate.
  - If you would like to use a custom certificate for the IBM Cloud Pak for AIOps console only, then after installation is complete follow the instructions in Using a custom certificate.
1.3 Set up a target registry
You must have a local Docker type production-grade registry available to store the IBM Cloud Pak for AIOps images in. The registry must meet the following requirements:
- supports Docker Manifest V2, Schema 2.
- supports multi-architecture images.
- is accessible from the Red Hat OpenShift cluster nodes.
- allows path separators in the image name.
- you have the username and password for a user who can read from and write to the registry.
- must have 113 GB of storage to hold all the software that is to be transferred to the target registry.
If you do not already have a suitable production-grade registry available, then you must install and configure one. For more information, see About the mirror registry in the Red Hat OpenShift documentation.
Important: Do not use the Red Hat OpenShift image registry as your target registry. The Red Hat OpenShift registry does not support multi-architecture images or path separators in the image name.
1.4 Prepare a host
Prepare a bastion host that can connect to the internet and to the air-gapped network with access to the Red Hat OpenShift cluster and the target registry. Your host must be on a Linux® x86_64 or Mac platform with any operating system that the IBM Cloud Pak® CLI and the Red Hat OpenShift CLI support. If you are on a Windows® platform, you must run the actions in a Linux® x86_64 VM or from a Windows Subsystem for Linux (WSL) terminal.
Complete the following steps on your host.
- Install Podman.
  To install Podman, see the Podman Installation Instructions.
  Note: Docker is not shipped or supported for Red Hat Enterprise Linux (RHEL) 8. The Podman container engine replaced docker as the preferred, maintained, and supported container runtime of choice for Red Hat Enterprise Linux 8 systems. For more information, see Running containers without Docker in the Red Hat documentation.
- Install the Red Hat OpenShift CLI tool, oc.
  oc is required for Red Hat OpenShift management. For more information, see Getting started with the OpenShift CLI in the Red Hat OpenShift documentation.
1.5 Install the IBM Catalog Management Plug-in for IBM Cloud Pak®
The IBM Catalog Management Plug-in for IBM Cloud Pak (ibm-pak-plugin) is used for the deployment of IBM Cloud Paks® in a disconnected environment. It simplifies the process for discovering required IBM product images and uses standard tools for registry and cluster access. The ibm-pak-plugin also extends the Red Hat OpenShift CLI (oc) capability to streamline the process of delivering installation images to the IBM Cloud Pak in an air-gapped environment.
- Download and install the most recent version of the ibm-pak-plugin for your host operating system from github.com/IBM.
- Run the following command to extract the files.
  tar -xf oc-ibm_pak-linux-amd64.tar.gz
- Run the following command to move the file to the /usr/local/bin directory.
  mv oc-ibm_pak-linux-amd64 /usr/local/bin/oc-ibm_pak
  Note: If you are installing as a non-root user, you must use sudo.
- Confirm that the ibm-pak-plugin is installed by running the following command.
  oc ibm-pak --help
  Expected result: The ibm-pak-plugin usage is displayed.
2. Download the CASE
Set environment variables on the bastion host, and connect to the internet so that you can download the IBM Cloud Pak for AIOps CASE files.
Note: Save a copy of your environment variable values to a file that you can use as a reference when you are completing your air-gapped installation tasks.
- Create the following environment variables.
  export CASE_NAME=ibm-cp-waiops
  export CASE_VERSION=1.12.0
  export CASE_INVENTORY_SETUP=cpwaiopsSetup
  export TARGET_REGISTRY_HOST=<IP_or_FQDN_of_target_registry>
  export TARGET_REGISTRY_PORT=<port_number_of_target_registry>
  export TARGET_REGISTRY=$TARGET_REGISTRY_HOST:$TARGET_REGISTRY_PORT
  export TARGET_REGISTRY_USER=<username>
  export TARGET_REGISTRY_PASSWORD=<password>
  The target registry is the registry where the IBM Cloud Pak for AIOps images are mirrored to, and accessed from by the Red Hat OpenShift cluster, as set up in 1.3 Set up a target registry.
  If your bastion host must connect to the internet through a proxy, then also set the following environment variables.
  export https_proxy=http://proxy-server-hostname:port
  export http_proxy=http://proxy-server-hostname:port
- Connect your host to the internet and disconnect it from the local air-gapped network.
- Download the IBM Cloud Pak for AIOps installer and image inventory to your host.
  oc ibm-pak get ${CASE_NAME} --version ${CASE_VERSION}
  The CASE is downloaded to ~/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION. The log files are available at ~/.ibm-pak/logs/oc-ibm_pak.log.
  Note: If you do not specify the CASE version, then the latest CASE is downloaded. The root directory that is used by ibm-pak-plugin is ~/.ibm-pak. If required, the root directory can be configured by setting the IBMPAK_HOME environment variable.
3. Mirror images
Complete the following steps to mirror the IBM Cloud Pak for AIOps, IBM Cloud Pak foundational services Cert Manager, and IBM Cloud Pak foundational services License Service images from the internet to the target registry in the air-gapped environment.
3.1. Generate mirror manifests
Run the following command to generate mirror manifests to be used when mirroring the images to the target registry.
oc ibm-pak generate mirror-manifests ${CASE_NAME} ${TARGET_REGISTRY} --version ${CASE_VERSION}
A new directory named ~/.ibm-pak/mirror is created when you issue the oc ibm-pak generate mirror-manifests command. The files images-mapping.txt and image-content-source-policy.yaml are generated at ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION.
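A pre-mirroring check of the generated mapping, as an added example that is not part of the IBM procedure: it confirms that every source image is pinned by sha256 digest and that every destination sits under the target registry. It assumes images-mapping.txt uses the SRC=DST line form that oc image mirror -f reads; check_mapping, write_sample_mapping and the sample image names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code: audit images-mapping.txt before mirroring.
# Assumption: every non-blank line is SRC=DST, the form `oc image mirror -f` reads.

# check_mapping FILE TARGET_REGISTRY
# Prints one line per finding plus a summary. Returns 0 only with no findings.
check_mapping() {
    map_file=$1
    target=$2
    if [ ! -r "$map_file" ]; then
        echo "cannot read $map_file" >&2
        return 2
    fi
    awk -v target="$target" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }       # skip blank lines and comments
        {
            total++
            eq = index($0, "=")
            if (eq == 0) {
                printf "line %d: not in SRC=DST form\n", NR; bad++; next
            }
            src = substr($0, 1, eq - 1)
            dst = substr($0, eq + 1)

            # A digest-pinned source is verified by content hash when pulled,
            # so a re-run of the mirror cannot pick up a moved tag.
            at = index(src, "@sha256:")
            digest = (at > 0) ? substr(src, at + 8) : ""
            if (length(digest) != 64 || digest !~ /^[0-9a-f]+$/) {
                printf "line %d: source not pinned by sha256 digest: %s\n", NR, src
                bad++
            }

            # Every destination must sit under TARGET_REGISTRY (host:port/).
            if (index(dst, target "/") != 1) {
                printf "line %d: destination outside %s: %s\n", NR, target, dst
                bad++
            }

            # Tally source registries to compare with the firewall allow list.
            split(src, parts, "/")
            hosts[parts[1]]++
        }
        END {
            for (h in hosts) printf "source registry %s: %d image(s)\n", h, hosts[h]
            printf "%d mapping(s), %d finding(s)\n", total, bad
            exit (bad > 0 ? 1 : 0)
        }
    ' "$map_file"
}

# write_sample_mapping FILE: constructed lines (not real image names or digests).
# Lines 3 and 4 are deliberately wrong: a tag-only source and a foreign destination.
write_sample_mapping() {
    d=$(printf '%064d' 0 | tr 0 a)   # 64 hex characters standing in for a digest
    {
        echo "cp.icr.io/cp/example/sample-a@sha256:${d}=registry.example.internal:5000/cp/example/sample-a:1.0"
        echo "icr.io/example/sample-b@sha256:${d}=registry.example.internal:5000/example/sample-b:1.0"
        echo "icr.io/example/sample-c:latest=registry.example.internal:5000/example/sample-c:latest"
        echo "cp.icr.io/cp/example/sample-d@sha256:${d}=other.example.internal:5000/cp/example/sample-d:1.0"
    } > "$1"
}

# Demo on the constructed sample. On the bastion host, run instead:
#   check_mapping ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/images-mapping.txt "${TARGET_REGISTRY}"
sample=$(mktemp)
write_sample_mapping "$sample"
check_mapping "$sample" registry.example.internal:5000 ||
    echo "review the findings before mirroring"
rm -f "$sample"
```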
3.2. Authenticate with the registries
Log in to the registries to generate an authentication file containing the registry credentials, and then create an environment variable that has the location of the authentication file. This file is used later to enable the oc image mirror command to pull the images from the IBM Entitled Registry, and push them to the target registry.
- Get the authentication credentials for the IBM Entitled Registry.
  - To obtain the entitlement key that is assigned to your IBMid, log in to MyIBM Container Software Library with the IBMid and password details that are associated with the entitled software.
  - In the Entitlement keys section, select Copy key to copy the entitlement key.
- Run the following command to create an environment variable that contains your entitlement key.
  export ENTITLED_REGISTRY_PASSWORD=<key>
  Where <key> is the entitlement key that you copied in the previous step.
- Store the authentication credentials for the IBM Entitled Registry and the target registry.
  Run the following commands:
  podman login cp.icr.io -u cp -p "${ENTITLED_REGISTRY_PASSWORD}"
  podman login "${TARGET_REGISTRY}" -u "${TARGET_REGISTRY_USER}" -p "${TARGET_REGISTRY_PASSWORD}"
  export REGISTRY_AUTH_FILE=${XDG_RUNTIME_DIR}/containers/auth.json
  unset ENTITLED_REGISTRY_PASSWORD
  Note: The authentication file is usually at ${XDG_RUNTIME_DIR}/containers/auth.json. For more information, see the Options section in the Podman documentation.
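One way to confirm that the authentication file is usable and private before it is passed to oc image mirror, as an added example that is not part of the IBM procedure. It assumes the file follows the containers auth.json layout with registry names as keys under auths; check_auth_file and the sample registry registry.example.internal:5000 are constructed.

```shell
#!/bin/sh
# Added example, not IBM's code: check the podman auth file before it is
# handed to `oc image mirror -a`. Uses only POSIX tools (no jq).

# check_auth_file FILE REGISTRY...
# Returns 0 only if FILE exists, is owner-only, and names every REGISTRY.
check_auth_file() {
    auth_file=$1
    shift
    problems=0

    # An unset XDG_RUNTIME_DIR (common under sudo or su) turns
    # ${XDG_RUNTIME_DIR}/containers/auth.json into /containers/auth.json,
    # so the login may have written its credentials somewhere else.
    if [ ! -f "$auth_file" ]; then
        echo "FAIL: $auth_file does not exist; was podman login run as this user?"
        return 1
    fi

    # The file stores base64-encoded user:password pairs, not encrypted
    # secrets, so group and other must have no access (mode 600 or stricter).
    perms=$(ls -ld "$auth_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $auth_file is accessible to group or other"
        problems=$((problems + 1))
    fi

    # The mirror needs an entry for the source and for the target registry.
    for registry in "$@"; do
        if ! grep -Fq "\"$registry\"" "$auth_file"; then
            echo "FAIL: no credentials for $registry in $auth_file"
            problems=$((problems + 1))
        fi
    done

    if [ "$problems" -eq 0 ]; then
        echo "OK: $auth_file is owner-only and covers: $*"
        return 0
    fi
    return 1
}

# Demo on a constructed auth file: world-readable, target registry missing.
# On the bastion host, run instead:
#   check_auth_file "${REGISTRY_AUTH_FILE}" cp.icr.io "${TARGET_REGISTRY}"
demo_dir=$(mktemp -d)
cat > "$demo_dir/auth.json" <<'EOF'
{ "auths": { "cp.icr.io": { "auth": "Y29uc3RydWN0ZWQ6c2FtcGxl" } } }
EOF
chmod 644 "$demo_dir/auth.json"
check_auth_file "$demo_dir/auth.json" cp.icr.io registry.example.internal:5000 ||
    echo "rerun podman login and restrict the file mode before mirroring"
rm -rf "$demo_dir"
```

podman login also accepts --password-stdin, which keeps the password out of the process list and the shell history.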
3.3. Mirror the images
Complete these steps on your host that is connected to both the local registry and the Red Hat OpenShift cluster.
Mirror images to the target registry.
nohup oc image mirror \
-f ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/images-mapping.txt \
-a ${REGISTRY_AUTH_FILE} \
--filter-by-os '.*' \
--insecure \
--skip-multiple-scopes \
--max-per-registry=1 > my-mirror-progress.txt 2>&1 &
The UNIX command nohup is used to ensure that the mirroring process continues even if there is a loss of network connection, and redirection of output to a file provides improved monitoring and error visibility.
Run the following command if you want to see the progress of the mirroring:
tail -f my-mirror-progress.txt
Note: If an error occurs during mirroring, the mirror command can be rerun.
3.4 Configure the cluster
- Log in to your Red Hat OpenShift cluster.
  You can identify your specific oc login command by clicking the user menu in the upper left of the Red Hat OpenShift console, and then clicking Copy Login Command.
  Example:
  oc login <server> -u <cluster username> -p <cluster pass>
- Update the global image pull secret for your Red Hat OpenShift cluster.
  Follow the steps in the Red Hat OpenShift documentation topic Updating the global cluster pull secret.
  These steps enable your cluster to have authentication credentials in place to pull images from your TARGET_REGISTRY as specified in the image-content-source-policy.yaml, which you will apply to your cluster in the next step.
- Create the ImageContentSourcePolicy.
  Run the following command to create the ImageContentSourcePolicy.
  oc apply -f ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/image-content-source-policy.yaml
- Verify that the ImageContentSourcePolicy resource is created.
  oc get imageContentSourcePolicy
- Verify your cluster node status.
  oc get MachineConfigPool -w
  Important: After the ImageContentSourcePolicy and global image pull secret are applied, the configuration of your nodes will be updated sequentially. Wait until all the MachineConfigPools are updated before you proceed to the next step.
- (Optional) If you use an insecure registry, you must add the target registry to the cluster's insecureRegistries list.
  oc patch image.config.openshift.io/cluster --type=merge \
  -p '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}'
4. Configure storage
The storage configuration must satisfy your sizing requirements. Two storage classes are needed for installing IBM Cloud Pak for AIOps. For more information, see Storage.
5. Install IBM Cloud Pak for AIOps
Now that the images are mirrored to your air-gapped environment, you can deploy IBM Cloud Pak for AIOps to that environment. To install IBM Cloud Pak for AIOps, complete the following steps.
- 5.1 Create the catalog source
- 5.2 Create environment variables
- 5.3 Create a custom project
- 5.4 Configure usage data collection
- 5.5 Install Cert Manager
- 5.6 Install the License Service
- 5.7 Verify cluster readiness
- 5.8 Install the operator
- 5.9 Install IBM Cloud Pak for AIOps
- 5.10 Create an EgressFirewall
- 5.11 Access the Cloud Pak for AIOps console
5.1 Create the catalog source
Now that the images are mirrored to your air-gapped environment, you can deploy IBM Cloud Pak for AIOps to that environment.
- Create and configure the catalog source.
  oc ibm-pak launch \
  ${CASE_NAME} \
  --version ${CASE_VERSION} \
  --action install-catalog \
  --inventory ${CASE_INVENTORY_SETUP} \
  --namespace openshift-marketplace \
  --args "--registry ${TARGET_REGISTRY} --recursive \
  --inputDir ~/.ibm-pak/data/cases/${CASE_NAME}/${CASE_VERSION}"
- Verify that the CatalogSource is installed.
  Run the following commands.
  oc get catalogsource -n openshift-marketplace
  oc get pods -n openshift-marketplace
  Example output:
  # oc get catalogsource -n openshift-marketplace
  NAME   DISPLAY   TYPE   PUBLISHER   AGE
  aiops-analytics-operator-catalog   IBM AIOps Analytics Product Catalog   grpc   IBM   126m
  aiops-lifecycle-operator-catalog   IBM AIOps Lifecycle Product Catalog   grpc   IBM   126m
  certified-operators   Certified Operators   grpc   Red Hat   27h
  cloud-native-postgresql-catalog   Cloud Native Postgresql Catalog   grpc   IBM   126m
  community-operators   Community Operators   grpc   Red Hat   27h
  ibm-aiops-ir-core-operators   IBM AIOps Issue Resolution Core Operators   grpc   IBM   126m
  ibm-aiopsedge-case   aiopsedge index   grpc   IBM   47m
  ibm-asm-catalog   IBM Agile Service Manager Catalog   grpc   IBM   126m
  ibm-cert-manager-catalog   IBM Cert Manager   grpc   IBM   45m
  ibm-cloud-databases-redis-operator-catalog   ibm-cloud-databases-redis-operator-catalog   grpc   IBM   126m
  ibm-cp-waiops-catalog   IBM Cloud Pak for AIOps Catalog   grpc   IBM   126m
  ibm-cp-waiops-elastic-catalog   IBM CP4AIOps - Elastic   grpc   IBM   126m
  ibm-cp-waiops-flink-catalog   IBM CP4AIOps - Flink   grpc   IBM   126m
  ibm-licensing-catalog   IBM License Service   grpc   IBM   45m
  ibm-redis-cp-operator-catalog   IBM Redis CP Catalog   grpc   IBM   47m
  ibm-secure-tunnel-operator-catalog   IBM Secure Tunnel operator Catalog   grpc   IBM   126m
  ibm-watson-ai-manager-catalog   ibm-watson-ai-manager-catalog   grpc   IBM   126m
  ibm-watson-aiops-ui-catalog   IBM WAIOps UI Catalog   grpc   IBM   126m
  opencloud-operators   IBMCS Operators   grpc   IBM   126m
  redhat-marketplace   Red Hat Marketplace   grpc   Red Hat   27h
  redhat-operators   Red Hat Operators   grpc   Red Hat   27h
  # oc get pods -n openshift-marketplace
  NAME   READY   STATUS   RESTARTS   AGE
  0935b4423e67bb338b8687eeee2898674099d8fc158ffb50b8bc1fba0a692g2   0/1   Completed   0   24h
  1a64439d8a73c4c057540c5e6f4329f15aeaa15b5cc9f254df9ab9dd7bjqzpt   0/1   Completed   0   24h
  6766646cfd55d8f1be544bc968431245406bd8d357bcc6c75efb34bb50bc829   0/1   Completed   0   24h
  aiops-analytics-operator-catalog-cvwcc   1/1   Running   0   3m45s
  aiops-lifecycle-operator-catalog-2kv2l   1/1   Running   0   3m46s
  certified-operators-vn8ql   1/1   Running   0   86m
  cloud-native-postgresql-catalog-m6c42   1/1   Running   0   3m32s
  community-operators-h59qg   1/1   Running   0   65m
  e370676c5b33f2c041ba1d3a7bdc078b247d7d4e6fd61841e5d197770e9n2sf   0/1   Completed   0   24h
  f8ea7cf3f9611828a4809f2eaaf2ae944796f25e2ea7c23bb389c7509cpjxf7   0/1   Completed   0   24h
  ibm-aiops-ir-core-operators-k69f9   1/1   Running   0   3m49s
  ibm-aiopsedge-case-wl2nx   1/1   Running   0   3m41s
  ibm-asm-catalog-qgz4l   1/1   Running   0   3m51s
  ibm-cloud-databases-redis-operator-catalog-tp7jd   1/1   Running   0   3m35s
  ibm-cp-waiops-catalog-khjmt   1/1   Running   0   3m32s
  ibm-cp-waiops-elastic-catalog-ptv77   1/1   Running   0   3m30s
  ibm-cp-waiops-flink-catalog-fhs69   1/1   Running   0   3m29s
  ibm-secure-tunnel-operator-catalog-76fvf   1/1   Running   0   3m39s
  ibm-watson-ai-manager-catalog-bz66v   1/1   Running   0   3m53s
  ibm-watson-aiops-ui-catalog-9srhm   1/1   Running   0   3m55s
  marketplace-operator-7dd7c98f68-2t5r9   1/1   Running   0   25h
  opencloud-operators-79j9k   1/1   Running   0   3m43s
  redhat-marketplace-wc674   1/1   Running   0   24h
  redhat-operators-rc4b2   1/1   Running   0   6h55m
5.2 Create environment variables
Create and then source a shell script named waiops_var.sh that defines the environment variables that will be used to provide installation parameters for your deployment. Use the following codeblock as a template, replacing the brackets < ... > with values for your environment.
You can use the following table to find the values to set for your storage environment variables.
| Storage provider | RWX-storage-class-name | RWO-storage-class-name |
|---|---|---|
| IBM Cloud® | ibmc-file-gold-gid | ibmc-block-gold |
| Red Hat® OpenShift® Data Foundation | ocs-storagecluster-cephfs | ocs-storagecluster-ceph-rbd |
| IBM Storage Fusion Data Foundation | ocs-storagecluster-cephfs | ocs-storagecluster-ceph-rbd |
| IBM Storage Fusion Global Data Platform | If you are using IBM Storage Fusion, use ibm-spectrum-scale-sc. If you are using IBM Storage Fusion HCI System, use ibm-storage-fusion-cp-sc | If you are using IBM Storage Fusion, use ibm-spectrum-scale-sc. If you are using IBM Storage Fusion HCI System, use ibm-storage-fusion-cp-sc |
| IBM Storage Scale Container Native | ibm-spectrum-scale-sc | ibm-spectrum-scale-sc |
| Portworx | px-csi-aiops | px-csi-aiops |
| Portworx (multi-zone HA) | px-csi-aiops-mz | px-csi-aiops-mz |
| AWS native storage | efs-sc | gp3-csi |
#============================================================================================================
# Cloud Pak for AIOps installation variables
#============================================================================================================
export CP4AIOPS_NAME=ibm-cp-aiops
export CP4AIOPS_SIZE=large # Set to small if you only require a starter non-production deployment.
export SECURE_TUNNEL=false # Set to `true` to install Secure Tunnel, otherwise set to `false`.
export PROJECT_CP4AIOPS=cp4aiops
export ACCEPT_LICENSE=false # Set to `true` to agree to the license terms, otherwise install will fail.
export CATALOG_SRC_CP4AIOPS=ibm-cp-waiops-catalog
# -----------------------------------------------------------------------------------------------------------
# Incremental adoption - set your deployment type
# Set to `true` to install an extended deployment with log anomaly detection and ticket analysis capabilities
# Set to `false` to install a base deployment without log anomaly detection and ticket analysis capabilities
# -----------------------------------------------------------------------------------------------------------
export LOG_ANOMALY=false
# -------------------------------------------------------------------------------------------------------
# Storage
# -------------------------------------------------------------------------------------------------------
export STG_CLASS=<RWX-storage-class-name>
export STG_CLASS_BLOCK=<RWO-storage-class-name>
# -------------------------------------------------------------------------------------------------------
# Your customer details
# -------------------------------------------------------------------------------------------------------
export CUSTOMER_NAME=<your company name>
export CUSTOMER_ICN=<your IBM Customer Number>
export CUSTOMER_ENVIRONMENT=<Set to `trial`, `poc`, or `production`>
# -------------------------------------------------------------------------------------------------------
# `OwnNamespace` installation mode: leave INSTALL_MODE_NAMESPACE as it is.
# `AllNamespaces` installation mode: change to export INSTALL_MODE_NAMESPACE=openshift-operators
# -------------------------------------------------------------------------------------------------------
export INSTALL_MODE_NAMESPACE=${PROJECT_CP4AIOPS}
# -------------------------------------------------------------------------------------------------------
# Topology resource group terminology
# Specify `application` or `service` as the terminology to be used for collections of topology resource
# groups. The default is `application`.
# -------------------------------------------------------------------------------------------------------
export TOPOLOGY_TERMINOLOGY=application
You can update your deployment type after installation. For more information, see Updating the deployment type.
If you need help with deciding on the values to set for these environment variables, see the following topics.
- LOG_ANOMALY: Incremental adoption
- CP4AIOPS_SIZE: Sizing
- SECURE_TUNNEL: Secure Tunnel
- INSTALL_MODE_NAMESPACE: Operator installation mode
Note: You can set different values for $PROJECT_CP4AIOPS and $CP4AIOPS_NAME if you want. However, you must not use the default, kube-system, kube-public, openshift-node, openshift-infra, or openshift projects (namespaces) for $PROJECT_CP4AIOPS. This is because IBM Cloud Pak for AIOps uses Security Context Constraints (SCC), and SCCs cannot be assigned to pods created in one of the default Red Hat OpenShift projects (namespaces).
Run the following command to source your script and set the environment variables:
. ./waiops_var.sh
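A check that can be run after sourcing the script and before any later step consumes the values, as an added example that is not part of the IBM procedure. It covers only the constraints stated in the template and the note above (unreplaced placeholders, the default projects, license acceptance, and the listed value choices); check_waiops_env, want_one_of and the demo values are constructed.

```shell
#!/bin/sh
# Added example, not IBM's script: sanity-check the variables defined in
# waiops_var.sh after sourcing it. The helper names are hypothetical.

findings=0
fail() {
    echo "FAIL: $*"
    findings=$((findings + 1))
}

# want_one_of NAME VALUE ALLOWED...: fail unless VALUE equals one ALLOWED word.
want_one_of() {
    var_name=$1
    var_value=$2
    shift 2
    for allowed in "$@"; do
        if [ "$var_value" = "$allowed" ]; then
            return 0
        fi
    done
    fail "$var_name='$var_value' must be one of: $*"
}

# check_waiops_env: returns 0 only if no finding was recorded.
check_waiops_env() {
    findings=0

    # Template placeholders such as <RWX-storage-class-name> must be replaced.
    for name in STG_CLASS STG_CLASS_BLOCK CUSTOMER_NAME CUSTOMER_ICN; do
        eval "value=\${$name:-}"
        case $value in
            '')          fail "$name is not set" ;;
            *'<'*|*'>'*) fail "$name still holds a template placeholder" ;;
        esac
    done

    # SCCs cannot be assigned to pods in the default OpenShift projects.
    case ${PROJECT_CP4AIOPS:-} in
        '') fail "PROJECT_CP4AIOPS is not set" ;;
        default|kube-system|kube-public|openshift-node|openshift-infra|openshift)
            fail "PROJECT_CP4AIOPS=$PROJECT_CP4AIOPS is a default project" ;;
    esac

    # The template states that the install fails unless the license is accepted.
    [ "${ACCEPT_LICENSE:-}" = true ] || fail "ACCEPT_LICENSE must be true"

    want_one_of LOG_ANOMALY "${LOG_ANOMALY:-}" true false
    want_one_of SECURE_TUNNEL "${SECURE_TUNNEL:-}" true false
    want_one_of CUSTOMER_ENVIRONMENT "${CUSTOMER_ENVIRONMENT:-}" trial poc production
    want_one_of TOPOLOGY_TERMINOLOGY "${TOPOLOGY_TERMINOLOGY:-}" application service
    # OwnNamespace keeps the project name; AllNamespaces uses openshift-operators.
    want_one_of INSTALL_MODE_NAMESPACE "${INSTALL_MODE_NAMESPACE:-}" \
        "${PROJECT_CP4AIOPS:-}" openshift-operators

    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Demo with constructed values: a default project and an unaccepted license.
# The subshell keeps the demo values out of the calling environment.
(
    STG_CLASS=ocs-storagecluster-cephfs
    STG_CLASS_BLOCK=ocs-storagecluster-ceph-rbd
    CUSTOMER_NAME="Example Corp"
    CUSTOMER_ICN=0000000
    CUSTOMER_ENVIRONMENT=poc
    PROJECT_CP4AIOPS=openshift
    INSTALL_MODE_NAMESPACE=$PROJECT_CP4AIOPS
    ACCEPT_LICENSE=false
    LOG_ANOMALY=false
    SECURE_TUNNEL=false
    TOPOLOGY_TERMINOLOGY=application
    check_waiops_env
) || echo "fix the findings before continuing with the installation"
```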
5.3 Create a custom project (namespace)
Run the following command to create a project (namespace) to deploy IBM Cloud Pak for AIOps into.
oc create namespace ${PROJECT_CP4AIOPS}
5.4. Configure usage data collection
To help the development of IBM Cloud Pak for AIOps, daily aggregated usage data is collected to analyse how IBM Cloud Pak for AIOps is used. The collection of usage data is enabled by default, but can be disabled. Usage data is collected by the cp4waiops-metricsprocessor pod, and stored in the cp4waiops-metricsprocessor pod's logs. This usage data is sent to IBM when MustGather output is sent to IBM, as the MustGather includes the output from the cp4waiops-metricsprocessor pod's logs. The usage data is then sent to and stored in IBM controlled GDPR-compliant systems. The usage data that is collected is numeric, or is about the deployment type and platform. It does not include email addresses, passwords, or specific details. Only the following data is collected:
- Current number of applications
- Current number of alerts (all severities aggregated)
- Current number of incidents (all priorities aggregated)
- Current number of policies (includes predefined and user created)
- Current number of runbooks run since installation
- Current number of integrations of each type (For example ServiceNow, Instana, Falcon Logscale)
- Secure tunnel enablement: whether connection (which controls whether you can create a secure tunnel) is enabled in the Installation custom resource
- Deployment type: base deployment or extended deployment
- Deployment platform: Red Hat® OpenShift® Container Platform or Linux®
Configuring the collection of usage data
If you do not want to disable the collection of usage data, run the following command to configure the usage data with your customer details.
oc create secret generic aiops-metrics-processor -n ${PROJECT_CP4AIOPS} --from-literal=customerName="${CUSTOMER_NAME}" --from-literal=customerICN="${CUSTOMER_ICN}" --from-literal=environment="${CUSTOMER_ENVIRONMENT}"
Important: Usage data without your customer details is still collected even if you do not create this secret. If you do not want any usage data collected, then you must run the command given in Disabling the collection of usage data.
Disabling the collection of usage data
If you want to disable the collection of usage data, run the following command.
oc create secret generic aiops-metrics-processor -n ${PROJECT_CP4AIOPS} --from-literal=customerName="${CUSTOMER_NAME}" --from-literal=customerICN="${CUSTOMER_ICN}" --from-literal=environment="${CUSTOMER_ENVIRONMENT}" --from-literal=enableCollection=false
Note: You can update your usage data collection preferences after installation. For more information, see Updating usage data collection preferences.
5.5 Install Cert Manager
Skip this step if you already have a certificate manager installed on the Red Hat OpenShift cluster that you are installing IBM Cloud Pak for AIOps on. If you do not have a certificate manager then you must install one.
The IBM Cloud Pak® foundational services Cert Manager is recommended. For more information about IBM Cloud Pak® foundational services Cert Manager hardware requirements, see IBM Certificate Manager (cert-manager) hardware requirements in the IBM Cloud Pak foundational services documentation.
The Red Hat OpenShift Cert Manager v1.17.x or lower is also supported. You must not use Red Hat OpenShift Cert Manager v1.18.0 or higher, because the default private key rotation behavior introduced in v1.18.0 is not compatible with IBM Cloud Pak for AIOps. For more information, see cert-manager Operator for Red Hat OpenShift in the Red Hat OpenShift documentation.
The IBM Cloud Pak® foundational services Cert Manager can be installed with the following steps.
- Run the following command to create the resource definitions that you need:
cat << EOF | oc apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: ibm-cert-manager
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-cert-manager-operator-group
  namespace: ibm-cert-manager
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-cert-manager-operator
  namespace: ibm-cert-manager
spec:
  channel: v4.2
  installPlanApproval: Automatic
  name: ibm-cert-manager-operator
  source: ibm-cert-manager-catalog
  sourceNamespace: openshift-marketplace
EOF
- Run the following command to ensure that the IBM Cloud Pak® foundational services Cert Manager pods have a STATUS of Running before proceeding to the next step.
oc -n ibm-cert-manager get pods
Example output for a successful IBM Cloud Pak® foundational services Cert Manager installation:
NAME   READY   STATUS   RESTARTS   AGE
cert-manager-cainjector-674854c49d-vstq4   1/1   Running   0   8d
cert-manager-controller-646d4bd6fd-zwmqm   1/1   Running   0   8d
cert-manager-webhook-8598787c8-s4lkt   1/1   Running   0   8d
ibm-cert-manager-operator-c96957695-dkxnm   1/1   Running   0   8d
5.6 Install the License Service
Skip this step if the IBM Cloud Pak® foundational services License Service is already installed on the Red Hat OpenShift cluster that you are installing IBM Cloud Pak for AIOps on.
IBM Cloud Pak for AIOps requires the installation of the IBM Cloud Pak foundational services License Service. You must install the IBM Cloud Pak foundational services License Service on the Red Hat OpenShift cluster that you are installing IBM Cloud Pak for AIOps on.
- Run the following command to create the resource definitions that you need:
cat << EOF | oc apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: ibm-licensing
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-licensing-operator-group
  namespace: ibm-licensing
spec:
  targetNamespaces:
  - ibm-licensing
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-licensing-operator-app
  namespace: ibm-licensing
spec:
  channel: v4.2
  installPlanApproval: Automatic
  name: ibm-licensing-operator-app
  source: ibm-licensing-catalog
  sourceNamespace: openshift-marketplace
EOF
- Run the following command to ensure that the IBM Cloud Pak® foundational services License Server pods have a STATUS of Running before proceeding to the next step.
oc -n ibm-licensing get pods
Example output for a successful IBM Cloud Pak® foundational services License Service installation:
NAME   READY   STATUS   RESTARTS   AGE
ibm-licensing-operator-db4cd746c-xzmlf   1/1   Running   0   8d
ibm-licensing-service-instance-596b99588f-76cc5   1/1   Running   0   8d
For more information about the IBM Cloud Pak® foundational services License Service, see License Service in the IBM Cloud Pak foundational services documentation.
5.7 Verify cluster readiness
Run the prerequisite checker script that you downloaded in step 1.1 Download documentation and scripts for offline access to verify whether your Red Hat OpenShift cluster is correctly set up for an IBM Cloud Pak for AIOps installation.
Run the script with the following command:
./prereq.sh -n ${PROJECT_CP4AIOPS}
Example output:
# ./prereq.sh -n cp4aiops
[INFO] Starting IBM Cloud Pak for AIOps prerequisite checker v4.6...
CLI: oc
[INFO] =================================Platform Version Check=================================
[INFO] Checking Platform Type....
[INFO] You are using Openshift Container Platform
[INFO] OCP version 4.14.21 is compatible but only nodes with AMD64 architectures are supported at this time.
[INFO] =================================Openshift Container Platform Version Check=================================
[INFO] =================================Entitlement Pull Secret=================================
[INFO] Checking whether the Entitlement secret or Global pull secret is configured correctly.
[INFO] Checking if the job 'cp4aiops-entitlement-key-test-job' already exists.
[INFO] The job with name 'cp4aiops-entitlement-key-test-job' was not found, so moving ahead and creating it.
[INFO] Creating the job 'cp4aiops-entitlement-key-test-job'
job.batch/cp4aiops-entitlement-key-test-job created
[INFO] Verifying if the job 'cp4aiops-entitlement-key-test-job' completed successfully..
[INFO] SUCCESS! Entitlement secret is configured correctly.
job.batch "cp4aiops-entitlement-key-test-job" deleted
[INFO] =================================Entitlement Pull Secret=================================
[INFO] =================================Storage Provider=================================
[INFO] Checking storage providers
[INFO] No IBM Storage Fusion Found... Skipping configuration check.
[INFO] No Portworx StorageClusters found with "Running" or "Online" status. Skipping configuration check for Portworx.
[INFO] Openshift Data Foundation found.
[INFO] No IBM Cloud Storage found... Skipping configuration check for IBM Cloud Storage Check.
Checking Openshift Data Foundation Configuration...
Verifying if Red Hat Openshift Data Foundation pods are in "Running" or "Completed" status
[INFO] Pods in openshift-storage project are "Running" or "Completed"
[WARNING] ocs-storagecluster-ceph-rbd does not exist.
[INFO] One of more warnings found when checking for Storage Providers.
[INFO] =================================Storage Provider=================================
[INFO] =================================Cert Manager Check=================================
[INFO] Checking for Cert Manager operator
[INFO] Successfully functioning cert-manager found.
CLUSTERSERVICEVERSION NAMESPACE
ibm-cert-manager-operator.v4.2.4 auto-openldap
[INFO] =================================Cert Manager Check=================================
[INFO] =================================Licensing Service Operator Check=================================
[INFO] Checking for Licensing Service operator
[INFO] Successfully functioning licensing service operator found.
CLUSTERSERVICEVERSION NAMESPACE
ibm-licensing-operator.v4.2.4 ibm-licensing
[INFO] =================================Licensing Service Operator Check=================================
[INFO] =================================Starter or Large Install Resources=================================
[INFO] Checking for cluster resources
[INFO] ==================================Resource Summary====================================================
[INFO] Nodes vCPU Memory(GB)
[INFO] Small (Non-HA) Base (available/required) [ 17 / 3 ] [ 124 / 47 ] [ 136 / 123 ]
[INFO] (+ Log Anomaly Detection & Ticket Analysis) [ 17 / 3 ] [ 124 / 55 ] [ 136 / 136 ]
[INFO] Large (HA) Base (available/required) [ 17 / 6 ] [ 124 / 130 ] [ 136 / 310 ]
[INFO] (+ Log Anomaly Detection & Ticket Analysis) [ 17 / 6 ] [ 124 / 156 ] [ 136 / 368 ]
[INFO] ==================================Resource Summary====================================================
[INFO] Cluster currently has resources available to create a starter install of Cloud Pak for AIOps
[INFO] =================================Prerequisite Checker Tool Summary=================================
[ PASS ] Openshift Container Platform Version Check
[ PASS ] Entitlement Pull Secret
[ WARNING ] Storage Provider
[ PASS ] Small (Non-HA) Base Install Resources
[ FAIL ] Large (HA) Base Install Resources
[ PASS ] Cert Manager Operator Installed
[ PASS ] Licensing Service Operator Installed
[INFO] =================================Prerequisite Checker Tool Summary=================================
Note: If you are not using IBM Cloud Pak® foundational services Cert Manager, then ignore any errors that are returned by the Cert Manager check.
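The summary block at the end of the checker output can be turned into an install gate. The following is an added example, not part of the IBM script or documentation: it parses the summary lines and reports only the failures that matter for the deployment size you chose. The function names and the `size` and `ibm_cert_manager` parameters are hypothetical, and treating the other size's resource check as non-blocking is an assumption based on the example output above.

```python
import re

# Constructed sample: the summary block copied from the example output above.
SAMPLE = """\
[INFO] =================================Prerequisite Checker Tool Summary=================================
[ PASS ] Openshift Container Platform Version Check
[ PASS ] Entitlement Pull Secret
[ WARNING ] Storage Provider
[ PASS ] Small (Non-HA) Base Install Resources
[ FAIL ] Large (HA) Base Install Resources
[ PASS ] Cert Manager Operator Installed
[ PASS ] Licensing Service Operator Installed
[INFO] =================================Prerequisite Checker Tool Summary=================================
"""

SUMMARY_LINE = re.compile(r"^\[\s*(PASS|WARNING|FAIL)\s*\]\s+(.+?)\s*$")

def parse_summary(output):
    """Map each check name in the summary to PASS, WARNING or FAIL."""
    results = {}
    for line in output.splitlines():
        match = SUMMARY_LINE.match(line.strip())
        if match:
            results[match.group(2)] = match.group(1)
    return results

def blocking_checks(output, size="small", ibm_cert_manager=True):
    """Return the failed checks that should stop an install of the given size."""
    results = parse_summary(output)
    if not results:
        raise ValueError("no summary lines found; did prereq.sh run to completion?")
    # Assumption: only the resource check for the size being deployed applies.
    ignored = {"Large (HA) Base Install Resources" if size == "small"
               else "Small (Non-HA) Base Install Resources"}
    if not ibm_cert_manager:
        # Per the note on this page, Cert Manager errors are ignored in this case.
        ignored.add("Cert Manager Operator Installed")
    return sorted(name for name, status in results.items()
                  if status == "FAIL" and name not in ignored)

if __name__ == "__main__":
    print("blocking for small:", blocking_checks(SAMPLE, size="small"))
    print("blocking for large:", blocking_checks(SAMPLE, size="large"))
```

WARNING entries such as Storage Provider are not treated as blocking here; review them in the detailed output before you continue.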
5.8 Install the operator
For more information about installing operators, see Adding Operators to a cluster in the Red Hat OpenShift documentation.
For more information about the operators which are installed with IBM Cloud Pak for AIOps, see Operator Details.
- Create an OperatorGroup.

Important: Skip this step if you are installing using the 'All Namespaces' installation mode. Check that you set INSTALL_MODE_NAMESPACE correctly in step 5.2, and proceed to the next step, Install the IBM Cloud Pak for AIOps operator.

If you are installing using the 'OwnNamespace' installation mode, then you must create an operator group in your custom project (namespace), or the IBM Cloud Pak for AIOps operator will not install. There might be an operator group for managing a namespace for given APIs. If there is an operator group for the namespace, do not create a second one.

Create the Operator group by running the following command:

cat << EOF | oc apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: cp4aiops-operator-group
  namespace: ${PROJECT_CP4AIOPS}
spec:
  targetNamespaces:
    - "${PROJECT_CP4AIOPS}"
EOF

- Install the IBM Cloud Pak for AIOps operator.

Run the following command.

cat << EOF | oc apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-aiops-orchestrator
  namespace: $INSTALL_MODE_NAMESPACE
spec:
  channel: v4.6
  installPlanApproval: Automatic
  name: ibm-aiops-orchestrator
  source: ${CATALOG_SRC_CP4AIOPS}
  sourceNamespace: openshift-marketplace
EOF

Warning: installPlanApproval must not be changed to Manual. Manual approval, which requires the manual review and approval of the generated InstallPlans, is not supported. Incorrect timing or ordering of manual approvals of InstallPlans can result in a failed installation.

- After a few minutes, the IBM Cloud Pak for AIOps operator is installed. Verify that all of the components have a state of Succeeded by running the following command:

oc get csv -n ${INSTALL_MODE_NAMESPACE} | egrep "ibm-aiops-orchestrator"

Example output:

$ oc get csv -n ${INSTALL_MODE_NAMESPACE} | egrep "ibm-aiops-orchestrator"
ibm-aiops-orchestrator.v4.6.0   IBM Cloud Pak for AIOps   4.6.0   Succeeded
5.9 Install IBM Cloud Pak for AIOps
Create an instance of the IBM Cloud Pak for AIOps custom resource. A maximum of one IBM Cloud Pak for AIOps custom resource is allowed per cluster.
- Use the following YAML to create an instance of the IBM Cloud Pak for AIOps custom resource.

cat << EOF | oc apply -f -
apiVersion: orchestrator.aiops.ibm.com/v1alpha1
kind: Installation
metadata:
  name: ${CP4AIOPS_NAME}
  namespace: ${PROJECT_CP4AIOPS}
spec:
  size: ${CP4AIOPS_SIZE}
  storageClass: ${STG_CLASS}
  storageClassLargeBlock: ${STG_CLASS_BLOCK}
  imagePullSecret:
  topologyModel: ${TOPOLOGY_TERMINOLOGY}
  license:
    accept: ${ACCEPT_LICENSE}
  pakModules:
  - name: aiopsFoundation
    enabled: true
  - name: applicationManager
    enabled: true
  - name: aiManager
    enabled: true
  - name: connection
    enabled: ${SECURE_TUNNEL}
  - name: logAnomalyDetection
    enabled: ${LOG_ANOMALY}
EOF

Warning: The pakModules aiopsFoundation, applicationManager, and aiManager must be enabled as in the preceding YAML. Do not change these values to false.

- Verify your installation.

Run the following command to check that the PHASE of your installation is Updating.

oc get installations.orchestrator.aiops.ibm.com -n ${PROJECT_CP4AIOPS}

Example output:

NAME           PHASE      LICENSE    STORAGECLASS   STORAGECLASSLARGEBLOCK   AGE
ibm-cp-aiops   Updating   Accepted   rook-cephfs    rook-ceph-block          3m

It takes around 60-90 minutes for the installation to complete (subject to the speed with which images can be pulled). When installation is complete and successful, the PHASE of your installation changes to Running. If your installation phase does not change to Running, then use the following command to find out which components are not ready:

oc get installation.orchestrator.aiops.ibm.com -o yaml -n ${PROJECT_CP4AIOPS} | grep 'Not Ready'

Example output:

lifecycleservice: Not Ready
zenservice: Not Ready

To see details about why a component is Not Ready, run the following command, where <component> is the component that is not ready, for example zenservice.

oc get <component> -o yaml -n ${PROJECT_CP4AIOPS}

(Optional) If you downloaded the status checker script earlier in step 1.1 Download documentation and scripts for offline access, then you can also run this script to see information about the status of your deployment.
If the installation fails, or is not complete and is not progressing, then see Troubleshooting installation and upgrade and Known Issues to help you identify any installation problems.
5.10 Create an EgressFirewall
There is no egress firewall policy defined when you install IBM Cloud Pak for AIOps, so outgoing traffic from workload pods to the internal and external network is unrestricted.
To create a more secure environment, use the following steps.
- Create an EgressFirewall on your Red Hat OpenShift cluster to limit egress from the IBM Cloud Pak for AIOps project (namespace).

For more information about creating an EgressFirewall, see Configuring an egress firewall for a project.

Note: You can have only one EgressFirewall per project/namespace.

- Configure exceptions to the EgressFirewall.

Edit your EgressFirewall to add exceptions for the following IBM Cloud Pak for AIOps components that have egress dependencies, otherwise these IBM Cloud Pak for AIOps components fail when they attempt egress.

  - Allow egress to any external services, such as the following integrations:
    - Kubernetes
    - GitHub
    - Microsoft® Teams
    - ServiceNow
    - Slack
    - VMware® vCenter
  - Configure your EgressFirewall to allow traffic for your GitHub, Kubernetes, ServiceNow, and VMware vCenter integrations.

Edit your EgressFirewall to allow or deny egress, as in the following example:

kind: EgressFirewall
metadata:
  name: default
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: <1.2.3.0/24>
  - type: Allow
    to:
      dnsName: <www.github.com>
  - type: Allow
    to:
      dnsName: <www.developer.kubernetes.com>
  - type: Allow
    to:
      dnsName: <www.developer.servicenow.com>
  - type: Allow
    to:
      dnsName: <www.developer.vcenter.com>
  - type: Deny
    to:
      cidrSelector: <0.0.0.0/0>

Substitute values for `dnsName` and `cidrSelector` that are the DNS names and addresses of your GitHub, Kubernetes, ServiceNow, or VMware vCenter sources.
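EgressFirewall rules are evaluated in order and the first match wins, so the position of the final Deny rule matters as much as its presence. The following check is an added example, not IBM or Red Hat code: it lints an EgressFirewall object, as returned by `oc get egressfirewall default -o json`, for template placeholders left in place, rules that can never be evaluated, and a missing catch-all Deny. The function name and sample destinations are constructed for illustration, and only IPv4 catch-all rules are considered.

```python
import ipaddress
import json

ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")

def lint_egress_firewall(obj):
    """Return findings for one EgressFirewall object; [] means no issue found."""
    findings = []
    catch_all = None  # index of the first rule that matches every IPv4 address
    for i, rule in enumerate(obj.get("spec", {}).get("egress", [])):
        to = rule.get("to", {})
        target = to.get("cidrSelector") or to.get("dnsName") or ""
        if not target or target.startswith("<"):
            findings.append(f"rule {i}: empty or placeholder destination {target!r}")
            continue
        if catch_all is not None:
            # Rules are evaluated in order and the first match wins.
            findings.append(f"rule {i}: never evaluated, rule {catch_all} matches everything")
            continue
        if "cidrSelector" not in to:
            continue  # dnsName rule, nothing more to check here
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            findings.append(f"rule {i}: invalid cidrSelector {target!r}")
            continue
        if net == ANY_IPV4:
            catch_all = i
            if rule.get("type") != "Deny":
                findings.append(f"rule {i}: allows all egress")
    if catch_all is None:
        findings.append("no Deny rule for 0.0.0.0/0: unmatched egress stays allowed")
    return findings

# Constructed inputs in the shape of `oc get egressfirewall default -o json`.
GOOD = json.loads('''{"spec": {"egress": [
  {"type": "Allow", "to": {"cidrSelector": "192.0.2.0/24"}},
  {"type": "Allow", "to": {"dnsName": "git.example.com"}},
  {"type": "Deny",  "to": {"cidrSelector": "0.0.0.0/0"}}]}}''')
DENY_FIRST = json.loads('''{"spec": {"egress": [
  {"type": "Deny",  "to": {"cidrSelector": "0.0.0.0/0"}},
  {"type": "Allow", "to": {"dnsName": "git.example.com"}}]}}''')
TEMPLATE_LEFT = json.loads('''{"spec": {"egress": [
  {"type": "Allow", "to": {"dnsName": "<www.github.com>"}}]}}''')

if __name__ == "__main__":
    for name, fw in [("GOOD", GOOD), ("DENY_FIRST", DENY_FIRST), ("TEMPLATE_LEFT", TEMPLATE_LEFT)]:
        print(name, lint_egress_firewall(fw))
```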
5.11 Access the Cloud Pak for AIOps console
After you successfully install IBM Cloud Pak for AIOps, get the URL for accessing the Cloud Pak for AIOps console.
- Use the following command to get the URL to access the Cloud Pak for AIOps console:

oc get route -n ${PROJECT_CP4AIOPS} cpd -o jsonpath='{.spec.host}'

The following output is a sample output:

cpd-cp4aiops.apps.mycluster.mydomain

Based on the sample output, your console URL would be https://cpd-cp4aiops.apps.mycluster.mydomain

- Enter the URL in your browser to open the Cloud Pak for AIOps console. Log in with your username and password.
Find the IBM Cloud Pak for AIOps console username and password
The default username to access the Cloud Pak for AIOps console is admin. You can check the default username and its password with the following commands.
Note: This information is for the IBM provided credentials (admin only) authentication type.
- Find the default username.

oc -n ${PROJECT_CP4AIOPS} get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' | base64 -d && echo

- Get the password for the admin username.

oc -n ${PROJECT_CP4AIOPS} get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d

The following extract shows a sample output:

EwK9dj9fwPZHyHTyu9TyIgh9klZSzVsA

Based on the sample output, your password would be EwK9dj9fwPZHyHTyu9TyIgh9klZSzVsA.
Important: You can change this default password at any time. For more information, see Changing the cluster administrator password.
What to do next
- Define integrations and applications with Defining.
- You can install and integrate with IBM Cognos® Analytics. For more information, see Installing IBM Cognos Analytics.
- If you have an existing on-premises IBM Tivoli Netcool/OMNIbus deployment, then you can connect it to IBM Cloud Pak for AIOps through an integration. For more information, see Creating IBM Tivoli Netcool/OMNIbus integrations.
- If you have an existing on-premises IBM Tivoli Netcool/Impact deployment, then you can connect it to IBM Cloud Pak for AIOps through an integration. For more information, see Creating IBM Tivoli Netcool/Impact integrations.
- Familiarize yourself with backup and restore procedures. It is recommended that you take regular backups of your IBM Cloud Pak for AIOps deployment. For more information, see Backup and restore.
- For more information about health checks and monitoring, see Health checks and monitoring.