watsonx.governance Installation
The following ports should be opened to allow access to Cloud Pak for Data:
HTTP - Port 80
HTTPS - Port 443
An additional port will need to be opened for the Db2 Warehouse instance, but that port is not known until the instance is created.
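If you want to sanity-check connectivity before installing, a quick probe of the HTTP and HTTPS ports can be run from any machine that will access the cluster (a minimal sketch; cpd.example.com is a placeholder for your cluster's ingress hostname):
# cpd.example.com is a hypothetical hostname; substitute your cluster's ingress/route hostname
nc -zv cpd.example.com 80
nc -zv cpd.example.com 443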
Resource Requirements
Minimum cluster sizing
The cluster needs a minimum of 6 worker nodes, each with 16 vCPU and 64 GB RAM. Each node also needs a 300 GB local disk, which is used for ephemeral storage.
Recommended cluster sizing
We recommend that the cluster have at least 7 worker nodes, each with 16 vCPU and 64 GB RAM. Each node also needs a 300 GB local disk, which is used for ephemeral storage.
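To check whether your existing worker nodes meet these sizes, you can list their allocatable CPU and memory (a quick check, assuming you are already logged in to the cluster with oc):
oc get nodes -l node-role.kubernetes.io/worker \
  -o custom-columns=NAME:.metadata.name,CPU:.status.allocatable.cpu,MEMORY:.status.allocatable.memory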
Storage Requirements
Supported Storage Platforms:
The following platforms are supported for Cloud Pak for Data:
- OpenShift Data Foundation
- IBM Storage Fusion Data Foundation
- IBM Storage Fusion Global Data Platform
- IBM Storage Scale Container Native
- Portworx
- NFS
- Amazon Elastic Block Store
- Amazon Elastic File System
- NetApp Trident
Storage sizing
Cloud Pak for Data requires at least 500 GB of storage.
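You can confirm which storage classes the cluster already exposes before choosing the block and file classes referenced later in cpd_vars_5.sh:
oc get storageclass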
Installing the CP4D CLI
Download binary
The CP4D CLI can be downloaded from the following link.
https://github.com/IBM/cpd-cli/releases/download/v14.0.3/cpd-cli-linux-EE-14.0.3.tgz
This binary is for Linux. If you are running from a Windows machine, use the Linux binary and run it from Windows Subsystem for Linux.
As of this writing, the latest version of the CLI is 14.0.3.
wget https://github.com/IBM/cpd-cli/releases/download/v14.0.3/cpd-cli-linux-EE-14.0.3.tgz
Extract the files:
tar xzvf cpd-cli-linux-EE-14.0.3.tgz
This will create the following directory:
cpd-cli-linux-EE-14.0.3-875
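To run cpd-cli from anywhere, you can add the extracted directory to your PATH and confirm the binary works (a sketch; adjust the directory name if your build number differs):
export PATH=$(pwd)/cpd-cli-linux-EE-14.0.3-875:$PATH
cpd-cli version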
Configure environment variables
The following creates a CPD environment variables file:
cat <<'EOF' > cpd_vars_5.sh
#===============================================================================
# Cloud Pak for Data installation variables
#===============================================================================
# ------------------------------------------------------------------------------
# Client workstation
# ------------------------------------------------------------------------------
# Set the following variables if you want to override the default behavior of the Cloud Pak for Data CLI.
#
# To export these variables, you must uncomment each command in this section.
# export CPD_CLI_MANAGE_WORKSPACE=<enter a fully qualified directory>
# export OLM_UTILS_LAUNCH_ARGS=<enter launch arguments>
# ------------------------------------------------------------------------------
# Cluster
# ------------------------------------------------------------------------------
export OCP_URL=<enter your Red Hat OpenShift Container Platform URL>
export OPENSHIFT_TYPE=<enter your deployment type>
export IMAGE_ARCH=<enter your cluster architecture>
# export OCP_USERNAME=<enter your username>
# export OCP_PASSWORD=<enter your password>
# export OCP_TOKEN=<enter your token>
export SERVER_ARGUMENTS="--server=${OCP_URL}"
# export LOGIN_ARGUMENTS="--username=${OCP_USERNAME} --password=${OCP_PASSWORD}"
# export LOGIN_ARGUMENTS="--token=${OCP_TOKEN}"
export CPDM_OC_LOGIN="cpd-cli manage login-to-ocp ${SERVER_ARGUMENTS} ${LOGIN_ARGUMENTS}"
export OC_LOGIN="oc login ${OCP_URL} ${LOGIN_ARGUMENTS}"
# ------------------------------------------------------------------------------
# Proxy server
# ------------------------------------------------------------------------------
# export PROXY_HOST=<enter your proxy server hostname>
# export PROXY_PORT=<enter your proxy server port number>
# export PROXY_USER=<enter your proxy server username>
# export PROXY_PASSWORD=<enter your proxy server password>
# ------------------------------------------------------------------------------
# Projects
# ------------------------------------------------------------------------------
export PROJECT_CERT_MANAGER=<enter your certificate manager project>
export PROJECT_LICENSE_SERVICE=<enter your License Service project>
export PROJECT_SCHEDULING_SERVICE=<enter your scheduling service project>
# export PROJECT_IBM_EVENTS=<enter your IBM Events Operator project>
# export PROJECT_PRIVILEGED_MONITORING_SERVICE=<enter your privileged monitoring service project>
export PROJECT_CPD_INST_OPERATORS=<enter your Cloud Pak for Data operator project>
export PROJECT_CPD_INST_OPERANDS=<enter your Cloud Pak for Data operand project>
# export PROJECT_CPD_INSTANCE_TETHERED=<enter your tethered project>
# export PROJECT_CPD_INSTANCE_TETHERED_LIST=<a comma-separated list of tethered projects>
# ------------------------------------------------------------------------------
# Storage
# ------------------------------------------------------------------------------
export STG_CLASS_BLOCK=<RWO-storage-class-name>
export STG_CLASS_FILE=<RWX-storage-class-name>
# ------------------------------------------------------------------------------
# IBM Entitled Registry
# ------------------------------------------------------------------------------
export IBM_ENTITLEMENT_KEY=<enter your IBM entitlement API key>
# ------------------------------------------------------------------------------
# Private container registry
# ------------------------------------------------------------------------------
# Set the following variables if you mirror images to a private container registry.
#
# To export these variables, you must uncomment each command in this section.
# export PRIVATE_REGISTRY_LOCATION=<enter the location of your private container registry>
# export PRIVATE_REGISTRY_PUSH_USER=<enter the username of a user that can push to the registry>
# export PRIVATE_REGISTRY_PUSH_PASSWORD=<enter the password of the user that can push to the registry>
# export PRIVATE_REGISTRY_PULL_USER=<enter the username of a user that can pull from the registry>
# export PRIVATE_REGISTRY_PULL_PASSWORD=<enter the password of the user that can pull from the registry>
# ------------------------------------------------------------------------------
# Cloud Pak for Data version
# ------------------------------------------------------------------------------
export VERSION=5.0.3
# ------------------------------------------------------------------------------
# Components
# ------------------------------------------------------------------------------
export COMPONENTS=ibm-cert-manager,ibm-licensing,scheduler,cpfs,cpd_platform
# export COMPONENTS_TO_SKIP=<component-ID-1>,<component-ID-2>
# ------------------------------------------------------------------------------
# watsonx Orchestrate
# ------------------------------------------------------------------------------
# export PROJECT_IBM_APP_CONNECT=<enter your IBM App Connect in containers project>
# export AC_CASE_VERSION=<version>
# export AC_CHANNEL_VERSION=<version>
EOF
You will need to open the resulting cpd_vars_5.sh file and update the following variables:
OCP_URL
OCP_PASSWORD
IBM_ENTITLEMENT_KEY
By default we set our storage classes to the nfs-client storage class. Your mileage may vary.
The OCP_URL can be pulled with this command:
oc cluster-info
Kubernetes control plane is running at https://api.ibmworkshops.com:6443
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
The kubeadmin password can be found in the build directory for the cluster under auth/kubeadmin-password
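If you are installing as kubeadmin, one way to avoid copying the password by hand is to export the credentials directly in your shell (a sketch; <cluster-build-dir> is a placeholder for the cluster's build directory, and the exports must be run in the same shell that sources cpd_vars_5.sh):
# <cluster-build-dir> is a placeholder; point it at your cluster's build directory
export OCP_USERNAME=kubeadmin
export OCP_PASSWORD=$(cat <cluster-build-dir>/auth/kubeadmin-password)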
Log in to the cluster with cpd-cli
Source the env file
source cpd_vars_5.sh
Log in with cpd-cli
cpd-cli manage login-to-ocp \
--username=${OCP_USERNAME} \
--password=${OCP_PASSWORD} \
--server=${OCP_URL}
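Alternatively, if you uncommented OCP_USERNAME, OCP_PASSWORD, and the matching LOGIN_ARGUMENTS line in cpd_vars_5.sh, the convenience variable defined there wraps the same login command:
${CPDM_OC_LOGIN}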
Retrieve the entitlement key
The key can be retrieved from the IBM Container Software Library: https://myibm.ibm.com/products-services/containerlibrary
Mirroring CPD Images to Private Registry
Workstation can reach internet and cluster:
When the workstation is connected to the internet, run the following command to update the olm-utils-v3 image on the workstation:
cpd-cli manage restart-container
Workstation used for the install cannot reach the internet:
Save the olm-utils-v3 image
Run the following command to save the olm-utils-v3 image to the client workstation:
cpd-cli manage save-image --from=icr.io/cpopen/cpd/olm-utils-v3:latest
Transfer the olm-utils-v3 image to the install workstation
Run the following command to load the olm-utils-v3 image on the client workstation:
cpd-cli manage load-image --source-image=icr.io/cpopen/cpd/olm-utils-v3:latest
Set the OLM_UTILS_IMAGE environment variable to ensure that the cpd-cli uses the version of the image on the client workstation:
export OLM_UTILS_IMAGE=icr.io/cpopen/cpd/olm-utils-v3:latest
Downloading CASE packages
Run the appropriate command depending on the site from which you plan to download the CASE packages:
cpd-cli manage case-download \
--components=${COMPONENTS} \
--release=${VERSION}
Change the permissions of the work directory
chown -R 1001 ./work
chmod -R 775 ./work
Restart the container
cpd-cli manage restart-container
Log into IBM Entitled Registry:
cpd-cli manage login-entitled-registry ${IBM_ENTITLEMENT_KEY}
List the images to be mirrored
cpd-cli manage list-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--inspect_source_registry=true
Mirror the images to the intermediary container registry
The command automatically sets up an intermediary container registry on the client workstation. The address of the intermediary container registry is 127.0.0.1:12443.
cpd-cli manage mirror-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--target_registry=127.0.0.1:12443 \
--arch=${IMAGE_ARCH} \
--case_download=false
Confirm that the images were mirrored to the intermediary container registry
cpd-cli manage list-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--target_registry=127.0.0.1:12443 \
--case_download=false
Move images to registry in restricted network
Log in to the private registry with the cpd-cli
cpd-cli manage login-private-registry \
${PRIVATE_REGISTRY_LOCATION} \
${PRIVATE_REGISTRY_PUSH_USER} \
${PRIVATE_REGISTRY_PUSH_PASSWORD}
Mirror images from intermediate registry to restricted registry
cpd-cli manage mirror-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--source_registry=127.0.0.1:12443 \
--target_registry=${PRIVATE_REGISTRY_LOCATION} \
--arch=${IMAGE_ARCH} \
--case_download=false
Confirm images are on restricted registry
cpd-cli manage list-images \
--components=${COMPONENTS} \
--release=${VERSION} \
--target_registry=${PRIVATE_REGISTRY_LOCATION} \
--case_download=false
Configure image content source policy
If you mirror images to a private container registry, you must tell your cluster where to find the software images by creating an image content source policy or image digest mirror set.
Create or update the required image content source policy or image digest mirror set:
cpd-cli manage apply-icsp \
--registry=${PRIVATE_REGISTRY_LOCATION}
Get status of nodes
oc get nodes
Pull olm-utils-v3 image from private container registry
export OLM_UTILS_IMAGE=${PRIVATE_REGISTRY_LOCATION}/cpopen/cpd/olm-utils-v3:${VERSION}
Installing CP4D
Authorizing instances
This step creates all required projects, creates the NamespaceScope operator in the operators project, and binds the applied role to the service account of the NamespaceScope operator.
cpd-cli manage authorize-instance-topology \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}
This command should complete successfully before you continue.
Installation of shared components
These two tasks come from here: https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=cluster-installing-shared-components
If you are unable to access GitHub, add the following flags to the next two commands, as well as to any apply-olm command below:
--case_download=true \
--from_oci=true
cpd-cli manage apply-cluster-components \
--release=${VERSION} \
--license_acceptance=true \
--cert_manager_ns=${PROJECT_CERT_MANAGER} \
--licensing_ns=${PROJECT_LICENSE_SERVICE}
Install the scheduler
cpd-cli manage apply-scheduler \
--release=${VERSION} \
--license_acceptance=true \
--scheduler_ns=${PROJECT_SCHEDULING_SERVICE}
Set up the instance topology
cpd-cli manage setup-instance-topology \
--release=${VERSION} \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--license_acceptance=true \
--block_storage_class=${STG_CLASS_BLOCK}
Installation of primary CPD components
This installs the operators in the operators project for the instance.
cpd-cli manage apply-olm \
--release=${VERSION} \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=${COMPONENTS}
Installing the Cloud Pak for Data control plane and services
This installs the operands in the operands project for the instance:
cpd-cli manage apply-cr \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=${COMPONENTS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
This is a big one, so it might take a little while. When it completes, verify the operands are up:
cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}
This should return a Completed status.
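If any component is still reconciling, a quick way to spot it is to filter out the entries that have already completed (a rough sketch; the exact output layout of get-cr-status may vary):
cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} | grep -v Completed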
The routes should be created and ready at this point. You can retrieve the web URL and the initial admin credentials with the following command:
cpd-cli manage get-cpd-instance-details \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--get_admin_initial_credentials=true
Installing our Cartridges
Source the env file
source cpd_vars_5.sh
Log in with cpd-cli
cpd-cli manage login-to-ocp \
--username=${OCP_USERNAME} \
--password=${OCP_PASSWORD} \
--server=${OCP_URL}
Apply necessary Security Constraints
The apply-db2-kubelet command makes the following changes to the cluster nodes:
allowedUnsafeSysctls:
- "kernel.msg*"
- "kernel.shm*"
- "kernel.sem"
cpd-cli manage apply-db2-kubelet
This might take a while, as the worker nodes are restarted to pick up the kubelet changes.
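You can track the rollout by watching the worker machine config pool; the cluster is ready to continue once UPDATED returns to True for all workers (assuming a standard OpenShift machine config setup):
oc get mcp worker --watch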
Watsonx Governance
Create or update 'install-options.yml' in the {CPD-CLI_DIRECTORY}/cpd-cli-workspace/olm-utils-workspace/work directory:
################################################################################
# watsonx.governance parameters
###############################################################################
custom_spec:
  watsonx_governance:
    installType: all
    enableFactsheet: true
    enableOpenpages: true
    enableOpenscale: true
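One way to create the file is with the same heredoc pattern used for the variables file above (a sketch; adjust the path if your cpd-cli workspace is in a different location):
cat <<EOF > ./cpd-cli-workspace/olm-utils-workspace/work/install-options.yml
custom_spec:
  watsonx_governance:
    installType: all
    enableFactsheet: true
    enableOpenpages: true
    enableOpenscale: true
EOF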
Apply the olm for Watsonx Governance:
cpd-cli manage apply-olm --release=${VERSION} \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=watsonx_governance
And run the install command
cpd-cli manage apply-cr \
--components=watsonx_governance \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--param-file=/tmp/work/install-options.yml \
--license_acceptance=true
Validate the installation
cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=watsonx_governance
Apply the olm for Db2 Warehouse:
cpd-cli manage apply-olm --release=${VERSION} \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=db2wh
And run the install command
cpd-cli manage apply-cr \
--components=db2wh \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--param-file=/tmp/work/install-options.yml \
--license_acceptance=true
Validate the installation
cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=db2wh
Apply the olm for Database Management Console (DMC):
cpd-cli manage apply-olm --release=${VERSION} \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=dmc
And run the install command
cpd-cli manage apply-cr \
--components=dmc \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--param-file=/tmp/work/install-options.yml \
--license_acceptance=true
Validate the installation
cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=dmc