OpenShift Cluster, IBM Common Services and Guardium Insights installation automation on bare metal

---

Automates OCP installation for releases: 4.6, 4.7, 4.8, 4.9

Automates ICS installation for releases: 3.7.4, 3.8.1, 3.9.1, 3.10.0, 3.11.0, 3.12.1, 3.13.0, 3.14.2, 3,15.0

Automates GI installation for releases: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.2, 3.1.3

Supports installation with direct access to the Internet, using proxy and air-gapped (restricted) approach

Implemented OCP architectures:

3 masters and 3+n workers with OCS or rook-ceph

3 masters only with OCS or rook-ceph

3 masters and 3+n workers and OCS tainted on 3 additional infra nodes

Bastion setup requires Fedora 34 or 35 as a operating system

---

Examples of use at this link: https://guardiumnotes.wordpress.com/2021/09/09/automation-of-openshift-and-guardium-insights-installation-on-bare-metal/

---

Release description:

v0.7.1

Hardcoded ens192 NIC interface reference in stage1 playbook removed

Rook-Ceph support for OCP 4.6 and 4.7 removed because the latest Ceph releases supports only OCP 4.8+

Incorrect reference to subdirectory in rook-uninstall.sh corrected

---

Files:

init.sh - configures installation parameters

playbook/install_all.yaml - Ansible playbook to manage installation flow

Playbook install_all.yaml accept option -e "skip_phase=X", where X:

• 1 - skips bastion preparation and continue from stage2
• 2 - skips all steps before storage setup on OCP
• 3 - skips all OCP installation steps and installs configured applications (ICS, GI, LDAP)
• 4 - skips all OCP installation steps and ICS
• 5 - skips all OCP installation steps, ICS and GI
• 6 - skips all OCP installation steps, ICS, GI and LDAP

playbook/15-uninstall-gi.yaml - Ansible playbook to uninstall GI

playbook/21-shutdown-gi.yaml - Ansible playbook to shutdown GI instance for administration purposes on CPFS and OCP level

playbook/22-start-gi.yaml - Ansible playbook to start GI instance after shutdown with playbook 21

variables.sh - shell script with OCP environment variables, should loaded after login to bastion (. variables.sh)

prepare-scripts/prepare-air-gap-os-files.sh - script to gather software and OS packaged to setup bastion in air-gapped environment

prepare-scripts/prepare-air-gap-coreos.sh - script to gather OCP installation tools and container images to install OCP in air-gapped environment

prepare-scripts/prepare-air-gap-olm.sh - script to gather OLM catalogs and selected operator images to install OCP in air-gapped environment

prepare-scripts/prepare-air-gap-rook.sh - script to gather Rook-Ceph images to install Rook in the air-gapped environment

prepare-scripts/prepare-air-gap-ics.sh - script to gather ICS images to install ICS in air-gapped environment

prepare-scripts/prepare-air-gap-gi.sh - script to gather GI images to install GI in air-gapped environment

prepare-scripts/prepare-air-gap-additions.sh - script to gather additional images to install some services on OCP (for instance: openldap)

scripts/login_to_ocp.sh - logs admin to OCP cluster with new token

scripts/ics-uninstall.sh - native DEV team script to remove ICS instances

---

Releases history:

v0.7.0

Support GI 3.1.3 and ICS 3.15

init.sh modified to evaluate inputs and provides more readable output

Playbooks modified, only one playbook must be manually started, the others will be started automatically based on installation decisions

Playbook install_all.yaml accept option -e "skip_phase=X", where X:

• 1 - skips bastion preparation and continue from stage2
• 2 - skips all steps before storage setup on OCP
• 3 - skips all OCP installation steps and installs configured applications (ICS, GI, LDAP)
• 4 - skips all OCP installation steps and ICS
• 5 - skips all OCP installation steps, ICS and GI
• 6 - skips all OCP installation steps, ICS, GI and LDAP

Implemented installation flow to support multi-subnet location of OCP nodes. DHCP Relay must be set on routers and points the bastion.

Possible selection different ICS version than default for GI installation (except air-gapped approach)

v0.6.2

Solved bug with rook-ceph installation when nodes are not dedicated

Identified bug with OCS installation on cluster with more that 3 workers, in this case storage must be assigned to first 3 nodes - will be solved in next release

v0.6.1

Solved bug with requesting proxy parameters for non-proxy installations

Solved incorrect message for non-tainted DB2 installations

v0.6.0

added support for patches related to log4j2 vulnerabilities (support CPFS 3.14.2, GI 3.1.2)

added playbooks to safely stop and start GI instance

ICS uninstallation playbook modified to cover complex uninstallation cases

Added init.sh variables GI_META_STORAGE_SIZE, GI_ACTIVELOGS_STORAGE_SIZE, GI_MONGO_DATA_STORAGE_SIZE, GI_MONGO_METADATA_STORAGE_SIZE, GI_KAFKA_STORAGE_SIZE and GI_ZOOKEEPER_STORAGE_SIZE to override default sizes of PVC define in GI templates (all values refers to storage size in GB's)

Added init.sh variable GI_DB2_TAINTED to separate DB2 nodes from other GI services (OCP cluster must have 3 additional workers besides dedicated for DB2)

Added init.sh variables GI_ROOK_NODES, GI_ICS_NODES, GI_GI_NODES to install Rook-Ceph, ICS and GI on defined node list

init.sh rewritten to be more readable and provides evaluation of most inserted values

update rook-ceph operator to version 1.8.2 (rook images must be recreated for air-gapped installation)

Solved problem with GPG keys during OLM images mirror

Solved problem with reference to device name instead logical name on bastion in playbook 2

Solved problem with an occasional appearance of error during insertion secret for htpasswd authentication in OCP

v0.5.2

Bug with parsing comma separated value of db2 nodes, ldap domain and ldap user list solved

GI deployment modified to reflect correct distribution of nodes

v0.5.1

Solved problem with git branch conflict

v0.5

added support for Guardium Insights 3.1

added init.sh variable to enable STAP direct streaming (available for GI 3.1+ installations) GI_STAP_STREAMING

added support OpenLDAP as application worked on OCP cluster, additional init.sh variable introduced GI_LDAP_DEPLOYMENT

added optional replacement OCP ingress certificate, 4 additional init.sh variables: GI_OCP_IN, GI_OCP_IN_CA, GI_OCP_IN_CERT, GI_OCP_IN_KEY

added optional replacement CPFS (ICS) endpoint certificate, 4 additional init.sh variables: GI_ICS_IN, GI_ICS_IN_CA, GI_ICS_IN_CERT, GI_ICS_IN_KEY

added optional replacement GI endpoint certificate, 4 additional init.sh variables: GI_IN, GI_IN_CA, GI_IN_CERT, GI_IN_KEY

modified rook-ceph deployment for air-gapped environment to use imagecontentsourcepolicy (requires rook registry archive rebuilding), update rook-ceph operator to version 1.7.8

Tested support Fedora35 as bastion

v0.4

init.sh changed to provide simpler decision model for installation flow - all archives for air-gapped installation MUST be rebuild

added support for OCP 4.8 and 4.9

added support for ICS 3.11.0, 3.12.1, 3.13.0

added playbooks for deinstallation of GI and ICS

README.md finally updated