Skip to main content

WatsonX Governance Installation

note

The following ports should be opened to allow access to Cloud Pak for Data:

HTTP - Port 80

HTTPS - Port 443

An additional port will need to be opened for the DB2Warehouse isntance, but that port is not known until the instance is created.

Resource Requirements

Minimal cluster sizing

The cluster needs a minimal of 6 worker nodes with each node having 16 vCPU and 64GB RAM. Each node will also need a local disk of 300GB which will be used for ephemeral storage.

We recommended that the cluster has at least 7 work nodes with each node having 16 vCPU and 64GB RAM. Each node will also need a local disk of 300GB which will be used for ephemeral storage.

Storage Requirements

Support Storage Platforms:

The following platforms are supported for Cloud pak for data:

  • OpenShift Data Foundation
  • IBM Storage Fusion Data Foundation
  • IBM Storage Fusion Global Data Platform
  • IBM Storage Scale Container Native
  • Portworx
  • NFS
  • Amazon Elastic Block Store
  • Amazon Elastic File System
  • NetApp Trident

Storage sizing

Cloud Pak for Data requires atleast 500GB of storage.

Installing CP4D Cli

Download binary

CP4D CLI can be found at the following link.

https://github.com/IBM/cpd-cli/releases/download/v14.0.3/cpd-cli-darwin-EE-14.0.3.tgz

note

This binary is for linux, if running from a windows machine, please use the linux binary but run it from Windows Subsystem for Linux.

Also as of this writing the latest version of the cli is 14.0.3.

wget https://github.com/IBM/cpd-cli/releases/download/v14.0.3/cpd-cli-darwin-EE-14.0.3.tgz

Extract the files:

tar xzvf https://github.com/IBM/cpd-cli/releases/download/v14.0.0/cpd-cli-linux-EE-14.0.3.tgz

This will create the following directory:

cpd-cli-darwin-EE-14.0.3-875

Configure environmental vars

The following creates a CPD env file

cat<<EOF> cpd_vars_5.sh
#===============================================================================
# Cloud Pak for Data installation variables
#===============================================================================

# ------------------------------------------------------------------------------
# Client workstation
# ------------------------------------------------------------------------------
# Set the following variables if you want to override the default behavior of the Cloud Pak for Data CLI.
#
# To export these variables, you must uncomment each command in this section.

# export CPD_CLI_MANAGE_WORKSPACE=<enter a fully qualified directory>
# export OLM_UTILS_LAUNCH_ARGS=<enter launch arguments>


# ------------------------------------------------------------------------------
# Cluster
# ------------------------------------------------------------------------------

export OCP_URL=<enter your Red Hat OpenShift Container Platform URL>
export OPENSHIFT_TYPE=<enter your deployment type>
export IMAGE_ARCH=<enter your cluster architecture>
# export OCP_USERNAME=<enter your username>
# export OCP_PASSWORD=<enter your password>
# export OCP_TOKEN=<enter your token>
export SERVER_ARGUMENTS="--server=${OCP_URL}"
# export LOGIN_ARGUMENTS="--username=${OCP_USERNAME} --password=${OCP_PASSWORD}"
# export LOGIN_ARGUMENTS="--token=${OCP_TOKEN}"
export CPDM_OC_LOGIN="cpd-cli manage login-to-ocp ${SERVER_ARGUMENTS} ${LOGIN_ARGUMENTS}"
export OC_LOGIN="oc login ${OCP_URL} ${LOGIN_ARGUMENTS}"


# ------------------------------------------------------------------------------
# Proxy server
# ------------------------------------------------------------------------------

# export PROXY_HOST=<enter your proxy server hostname>
# export PROXY_PORT=<enter your proxy server port number>
# export PROXY_USER=<enter your proxy server username>
# export PROXY_PASSWORD=<enter your proxy server password>


# ------------------------------------------------------------------------------
# Projects
# ------------------------------------------------------------------------------

export PROJECT_CERT_MANAGER=<enter your certificate manager project>
export PROJECT_LICENSE_SERVICE=<enter your License Service project>
export PROJECT_SCHEDULING_SERVICE=<enter your scheduling service project>
# export PROJECT_IBM_EVENTS=<enter your IBM Events Operator project>
# export PROJECT_PRIVILEGED_MONITORING_SERVICE=<enter your privileged monitoring service project>
export PROJECT_CPD_INST_OPERATORS=<enter your Cloud Pak for Data operator project>
export PROJECT_CPD_INST_OPERANDS=<enter your Cloud Pak for Data operand project>
# export PROJECT_CPD_INSTANCE_TETHERED=<enter your tethered project>
# export PROJECT_CPD_INSTANCE_TETHERED_LIST=<a comma-separated list of tethered projects>



# ------------------------------------------------------------------------------
# Storage
# ------------------------------------------------------------------------------

export STG_CLASS_BLOCK=<RWO-storage-class-name>
export STG_CLASS_FILE=<RWX-storage-class-name>

# ------------------------------------------------------------------------------
# IBM Entitled Registry
# ------------------------------------------------------------------------------

export IBM_ENTITLEMENT_KEY=<enter your IBM entitlement API key>


# ------------------------------------------------------------------------------
# Private container registry
# ------------------------------------------------------------------------------
# Set the following variables if you mirror images to a private container registry.
#
# To export these variables, you must uncomment each command in this section.

# export PRIVATE_REGISTRY_LOCATION=<enter the location of your private container registry>
# export PRIVATE_REGISTRY_PUSH_USER=<enter the username of a user that can push to the registry>
# export PRIVATE_REGISTRY_PUSH_PASSWORD=<enter the password of the user that can push to the registry>
# export PRIVATE_REGISTRY_PULL_USER=<enter the username of a user that can pull from the registry>
# export PRIVATE_REGISTRY_PULL_PASSWORD=<enter the password of the user that can pull from the registry>


# ------------------------------------------------------------------------------
# Cloud Pak for Data version
# ------------------------------------------------------------------------------

export VERSION=5.0.3


# ------------------------------------------------------------------------------
# Components
# ------------------------------------------------------------------------------

export COMPONENTS=ibm-cert-manager,ibm-licensing,scheduler,cpfs,cpd_platform
# export COMPONENTS_TO_SKIP=<component-ID-1>,<component-ID-2>


# ------------------------------------------------------------------------------
# watsonx Orchestrate
# ------------------------------------------------------------------------------
# export PROJECT_IBM_APP_CONNECT=<enter your IBM App Connect in containers project>
# export AC_CASE_VERSION=<version>
# export AC_CHANNEL_VERSION=<version>
EOF

You will need to open the resultant cpd_vars_5.sh file and update the following vars:

OCP_URL
OCP_PASSWORD
IBM_ENTITLEMENT_KEY

By default we set our storage classes to the nfs-client storage class. Your mileage may vary.

The OCP_URL can be pulled with this command:

oc cluster-info
Kubernetes control plane is running at https://api.ibmworkshops.com:6443

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

The kubeadmin password can be found in the build directory for the cluster under auth/kubeadmin-password

Login to the cluster with cpd-cli

Source the env file

source cpd_vars_5.sh

login with cpd-cli

cpd-cli manage login-to-ocp \
--username=${OCP_USERNAME} \
--password=${OCP_PASSWORD} \
--server=${OCP_URL}

Retrieve the entitlement key

The key can be retrieved from here

Mirroring CPD Images to Private Registry

Workstation can reach internet and cluster:

When the workstation is connected to the internet, run the following command to update the olm-utils-v3 image on the workstation:

cpd-cli manage restart-container

Workstation used for install cannot reach internet:

Save the olm-utils-v3 image

Run the following command to save the olm-utils-v3 image to the client workstation:

cpd-cli manage save-image --from=icr.io/cpopen/cpd/olm-utils-v3:latest

Transfer olm-utils-v3 to install workstation

Run the following command to load the olm-utils-v3 image on the client workstation:

cpd-cli manage load-image --source-image=icr.io/cpopen/cpd/olm-utils-v3:latest

Set the OLM_UTILS_IMAGE environment variable to ensure that the cpd-cli uses the version of the image on the client workstation:

export OLM_UTILS_IMAGE=icr.io/cpopen/cpd/olm-utils-v3:latest

Downloading CASE packages

Run the appropriate command depending on the site from which you plan to download the CASE packages:

cpd-cli manage case-download \
--components=${COMPONENTS} \
--release=${VERSION}

Change the permissions of the work directory

chown -R 1001 ./work
chmod -R 775 ./work

Restart the container

cpd-cli manage restart-container

Log into IBM Entitled Registry:

cpd-cli manage login-entitled-registry ${IBM_ENTITLEMENT_KEY}

Download the CASE packages

cpd-cli manage list-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--inspect_source_registry=true

Mirror the images to the intermediary container registry

The command automatically sets up an intermediary container registry on the client workstation. The address of the intermediary container registry is 127.0.0.1:12443.

cpd-cli manage mirror-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--target_registry=127.0.0.1:12443 \
--arch=${IMAGE_ARCH} \
--case_download=false

Confirm that the images were mirrored to the intermediary container registry

cpd-cli manage list-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--target_registry=127.0.0.1:12443 \
--case_download=false

Move images to registry in restricted network

Login in to Private Registry with CPD CLI

cpd-cli manage login-private-registry \
${PRIVATE_REGISTRY_LOCATION} \
${PRIVATE_REGISTRY_PUSH_USER} \
${PRIVATE_REGISTRY_PUSH_PASSWORD}

Mirror images from intermediate registry to restricted registry

cpd-cli manage mirror-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--source_registry=127.0.0.1:12443 \
--target_registry=${PRIVATE_REGISTRY_LOCATION} \
--arch=${IMAGE_ARCH} \
--case_download=false

Confirm images are on restricted registry

cpd-cli manage list-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--target_registry=${PRIVATE_REGISTRY_LOCATION} \
--case_download=false

Configure image content source policy

If you mirror images to a private container registry, you must tell your cluster where to find the software images by creating an image content source policy or image digest mirror set.

Create or update the required image content source policy or image digest mirror set:

cpd-cli manage apply-icsp \
--registry=${PRIVATE_REGISTRY_LOCATION}

Get status of nodes

oc get nodes

Pull olm-utils-v3 image from private container registry

export OLM_UTILS_IMAGE=${PRIVATE_REGISTRY_LOCATION}/cpopen/cpd/olm-utils-v3:${VERSION}

Installing CP4D

Authorizing instances

This step creates all required projects, creates the NamespaceScope operator in the operators project, and binds the applied role to the service account of the NamespaceScope operator.

cpd-cli manage authorize-instance-topology \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}

This was successful

Installation of shared components

These two tasks come from here: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=cluster-installing-shared-components

note

If you are unable to access github, include the following flags to the next two commands as well as any apply-olm command below

--case_download=true \
--from_oci=true
cpd-cli manage apply-cluster-components \
--release=${VERSION} \
--license_acceptance=true \
--cert_manager_ns=${PROJECT_CERT_MANAGER} \
--licensing_ns=${PROJECT_LICENSE_SERVICE}

Install the scheduler

cpd-cli manage apply-scheduler \
--release=${VERSION} \
--license_acceptance=true \
--scheduler_ns=${PROJECT_SCHEDULING_SERVICE}

Setup instance topology

cpd-cli manage setup-instance-topology \
--release=${VERSION} \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--license_acceptance=true \
--block_storage_class=${STG_CLASS_BLOCK}

Installation of primary CPD components

This installs the operators in the operators project for the instance.

cpd-cli manage apply-olm \
--release=${VERSION} \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=${COMPONENTS}

Installing the Cloud Pak for Data control plane and services

This installs the operands in the operands project for the instance:

cpd-cli manage apply-cr \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=${COMPONENTS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true

This is a big one, so it might take a little while. When it completes, verify the operands are up:

cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}

This should return a Completed status.

The routes should be created and ready at this point. You can retrieve the web-url for the client with the following command:

cpd-cli manage get-cpd-instance-details \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--get_admin_initial_credentials=true

Installing our Cartridges

Source the env file

source cpd_vars_5.sh

Login with cpd-cli

cpd-cli manage login-to-ocp \
--username=${OCP_USERNAME} \
--password=${OCP_PASSWORD} \
--server=${OCP_URL}

Apply necessary Security Constraints

The apply-db2-kubelet command makes the following changes to the cluster nodes:

allowedUnsafeSysctls:
- "kernel.msg*"
- "kernel.shm*"
- "kernel.sem"
cpd-cli manage apply-db2-kubelet

This might take a bit as the workers will be getting bounced.

Watsonx Governance

Create or update 'install-options.yml' in the {CPD-CLI_DIRECTORY}/cpd-cli-workspace/olm-utils-workspace/work

################################################################################ 
# watsonx.governance parameters
###############################################################################
custom_spec:
watsonx_governance:
installType: all
enableFactsheet: true
enableOpenpages: true
enableOpenscale: true

Apply the olm for Watsonx Governance:

cpd-cli manage apply-olm --release=${VERSION} \ 
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=watsonx_governance

And run the install command

cpd-cli manage apply-cr \
--components=watsonx_governance \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--param-file=/tmp/work/install-options.yml \
--license_acceptance=true

Validate the installation

cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=watsonx_governance

Apply the olm for DB2 Warehouse:

cpd-cli manage apply-olm --release=${VERSION} \ 
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=db2wh

And run the install command

cpd-cli manage apply-cr \
--components=db2wh \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--param-file=/tmp/work/install-options.yml \
--license_acceptance=true

Validate the installation

cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=db2wh

Apply the olm for Database Management Console (DMC):

cpd-cli manage apply-olm --release=${VERSION} \ 
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=dmc

And run the install command

cpd-cli manage apply-cr \
--components=dmc \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--param-file=/tmp/work/install-options.yml \
--license_acceptance=true

Validate the installation

cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=dmc