Deployment on-premises
Overview
Deployment of IBM Spectrum Protect Plus (SPP) in an on-premises environment is detailed here. The graphic below shows SPP deployment across two geographical locations with data copy to cloud storage.
Installing vSnap server
Every installation of IBM Spectrum® Protect Plus v10.1.8 and earlier requires at least one vSnap server, which is the primary backup destination. The vSnap server can be a physical server, a virtual server in a VMware environment or a virtual server in a Hyper-V environment. The vSnap server is installed, registered in SPP and initialized.
The vSnap server requirement will be lifted in v10.1.9.
- Any vSnap server that is deployed virtually or installed physically must be registered in IBM Spectrum Protect Plus so that it can be recognized as a backup storage provider.
- The initialization process prepares a new vSnap server for use by loading and configuring software components and initializing the internal configuration. This is a one-time process.
Installing container backup support
To protect persistent volumes of containers and cluster-scoped and namespace-scoped resources, you must install and configure IBM Spectrum® Protect Plus Container Backup Support in a Kubernetes or Red Hat® OpenShift® Container Platform environment.
Ensure that IBM Spectrum Protect Plus vSnap server is registered with an IP address or fully qualified domain name (FQDN). FQDN is recommended.
- The installation process for Container Backup Support uses a Helm 3 chart. The installation script that is provided with the installation package requires that the Helm 3 binary file is renamed to helm3.
- To protect OpenShift cluster-scoped resources and namespace-scoped resources, you must use the OpenShift APIs for Data Protection (OADP) operator to install and configure the Velero tool in a dedicated namespace. The suggested name for the IBM Spectrum Protect Plus Velero namespace is spp-velero.
- The MinIO Object Store serves as an S3 object store for snapshot backups. The MinIO Pod is integrated in the Container Backup Support (BaaS) installation package and is deployed to the BaaS namespace. This Pod claims a persistent volume with a size of 10 GB, and uses the default Storage Class (minioStorageClass) based on the cluster configuration.
- Configuration parameters of the Container Backup Support Helm chart are specified in 2 files: baas-options.sh and baas-values.yaml.
Deploy
The official IBM Spectrum Protect Plus deployment instructions can be found here. There are 3 parts: SPP server setup, the Backup as a Service (BaaS) operator, and setting up the vSnap server, which is a manual process. We strongly recommend using a GitOps approach for installing the SPP server and BaaS.
To deploy IBM Spectrum Protect Plus on an OpenShift cluster, we use the IBM Cloud Native Toolkit GitOps Framework. There are only five steps you need to take:
- Prereqs - Make sure you have a Red Hat OpenShift cluster and are able to use the Red Hat OpenShift CLI against it.
- Sealed Secrets - Provide the private key used to seal the secrets provided with the API Connect GitOps repository.
- Red Hat OpenShift GitOps Operator - Install the Red Hat OpenShift GitOps operator which provides the GitOps tools needed for installing and managing SPP instances through the GitOps approach already explained.
- IBM Spectrum Protect Plus - Deploy an instance of Spectrum Protect Plus on your cluster.
- IBM Spectrum Protect Plus UI - Validate the installation of your Spectrum Protect Plus instance by making sure you are able to log into the dashboard.
1 - Prereqs
- Get a clean Red Hat OpenShift cluster. This Red Hat OpenShift cluster must be composed of six worker nodes, three of which will be entirely dedicated to OpenShift Data Foundation. The storage nodes must have at least 16 CPUs and 64 GB RAM.
2 - Sealed Secrets
- Create the sealed-secrets project. This project will host the Sealed Secrets operator that will allow us to decrypt sealed secrets stored in GitHub.
    oc new-project sealed-secrets
- Download the private key sealed-secrets-ibm-demo-key.yaml used to seal any secret contained in this demonstration and apply it to the cluster. In our case, we have included a demo IBM Entitlement Key within the API Connect GitOps GitHub repository so that we are able to pull down IBM Software.
    oc apply -f sealed-secrets-ibm-demo-key.yaml
- IMPORTANT: DO NOT CHECK THE FILE INTO GIT. The private key MUST NOT be checked into GitHub under any circumstances. Please remove the private key from your workstation to avoid any issues.
    rm sealed-secrets-ibm-demo-key.yaml
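The rule that the private key must never reach Git can be enforced by a Git pre-commit hook. The following hook is an added example, not part of the original instructions or of the GitOps repository. It assumes the key file is a Kubernetes Secret carrying the Sealed Secrets controller's key label (sealedsecrets.bitnami.com/sealed-secrets-key) with a tls.key entry, and it also rejects staged files that contain a PEM private key header.

```shell
#!/bin/sh
# Added example: pre-commit guard against committing a Sealed Secrets private key.
# Assumption: the key file is a Secret carrying the controller's key label.
KEY_LABEL='sealedsecrets.bitnami.com/sealed-secrets-key'

# Read a file's content on stdin; return 0 if it holds sealing-key material.
is_sealing_key() {
    content=$(cat)
    # Controller key manifest: key label plus a tls.key data entry.
    if printf '%s\n' "$content" | grep -Fq "$KEY_LABEL" &&
       printf '%s\n' "$content" | grep -Eq '^[[:space:]]*tls\.key:'; then
        return 0
    fi
    # Decoded copies of the same material: any PEM private key header.
    printf '%s\n' "$content" | grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'
}

# Inspect the staged blobs (not the working tree) and report offenders.
check_staged() {
    git diff --cached --name-only --diff-filter=ACM | (
        rc=0
        while IFS= read -r path; do
            if git show ":$path" | is_sealing_key; then
                echo "BLOCKED: $path holds Sealed Secrets private key material" >&2
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Run the check only when installed as .git/hooks/pre-commit.
case "${0##*/}" in
    pre-commit) check_staged || exit 1 ;;
esac
```

Save it as .git/hooks/pre-commit in the clone of the GitOps repository and make it executable. SealedSecret manifests pass the check because they carry only encrypted data.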
3 - Red Hat OpenShift GitOps Operator
- Clone the following GitHub repository that contains the GitOps structure that the Cloud Native Toolkit GitOps Framework understands.
    git clone https://github.com/cloud-native-toolkit-demos/multi-tenancy-gitops-process-mining.git
- Change directory into multi-tenancy-gitops-process-mining.
    cd multi-tenancy-gitops-process-mining
- Install the Red Hat OpenShift GitOps operator on your Red Hat OpenShift cluster and wait for it to be available:
  - If your Red Hat OpenShift cluster version is 4.6
      oc apply -f setup/ocp46/
      while ! kubectl wait --for=condition=Established crd applications.argoproj.io; do sleep 30; done
  - If your Red Hat OpenShift cluster version is 4.7
      oc apply -f setup/ocp47/
      while ! kubectl wait --for=condition=Established crd applications.argoproj.io; do sleep 30; done
  Once the above command returns, you can open your Red Hat OpenShift Web Console and check that the Red Hat OpenShift GitOps operator has been successfully installed in the openshift-gitops project.
  As you can see in the image, the Red Hat OpenShift GitOps operator also installs the Red Hat OpenShift Pipelines operator and ArgoCD (which will be the GitOps tool that synchronizes the Infrastructure/Configuration as Code we have stored in GitHub with the state of the Red Hat OpenShift cluster).
  Important: The Red Hat OpenShift Pipelines operator gets installed by the Red Hat OpenShift GitOps Subscription only for Red Hat OpenShift version 4.6. If your Red Hat OpenShift cluster is version 4.7, you will need to install the Red Hat OpenShift Pipelines operator as part of the GitOps process explained in this section. To get the Red Hat OpenShift Pipelines operator installed, specify it in the kustomize.yaml file for the services layer here.
- Open the ArgoCD web console by clicking on the ArgoCD console link you can see at the top of your Red Hat OpenShift web console and log in.
  You can find your ArgoCD login password by executing:
  - If your Red Hat OpenShift cluster version is 4.6
      oc extract secrets/argocd-cluster-cluster --keys=admin.password -n openshift-gitops --to=-
  - If your Red Hat OpenShift cluster version is 4.7
      oc extract secrets/openshift-gitops-cluster --keys=admin.password -n openshift-gitops --to=-
  Once you log in, you should see that your ArgoCD web console is empty as we have not deployed any Argo Application yet.
4 - IBM Spectrum Protect Plus
- Install the ArgoCD Bootstrap Application.
    oc apply -n openshift-gitops -f 0-bootstrap/argocd/bootstrap.yaml
  This ArgoCD Bootstrap Application will bootstrap the deployment of IBM Spectrum Protect Plus based on the configuration you have defined in the GitOps GitHub repository we cloned earlier. You can see that we integrate Kustomize for configuration management in the GitOps approach.
  As soon as you create this ArgoCD Bootstrap Application, the rest of the ArgoCD Applications and the respective Red Hat OpenShift managed resources start to get created as a result of the synchronization process the GitOps approach is based on. You can see these ArgoCD Applications being created in the ArgoCD web console.
- If you go to the Operators -> Installed Operators section of your Red Hat OpenShift cluster web console and select the openshift-storage project in the Project drop-down list at the top, you will see that the OpenShift Container Storage operator (which has been recently renamed to OpenShift Data Foundation) is being installed.
- If you go to the Workloads -> Pods section of your Red Hat OpenShift cluster web console, you should see pods being created as a result of the OpenShift Container Storage operator being told to create an OpenShift Container Storage Cluster.
- After some time, you should see the OpenShift Container Storage operator successfully installed and the following new Storage Classes available in the Storage -> Storage Classes section of your Red Hat OpenShift cluster web console. These will be used by the IBM Spectrum Protect Plus operator to create an IBM Spectrum Protect Plus instance.
- If you go again to the Operators -> Installed Operators section of your Red Hat OpenShift cluster web console and select the openshift-operators project in the Project drop-down list at the top, you should see that the IBM Spectrum Protect Plus operator has been successfully installed, as well as the IBM Automation Foundation Core and IBM Cloud Pak foundational services operators it depends on.
- The IBM Spectrum Protect Plus instance should now be Running. Go to the Operators -> Installed Operators section of your Red Hat OpenShift cluster web console. Select the spp project in the Project drop-down list at the top, because in our IBM Spectrum Protect Plus GitOps process we configured the IBM Spectrum Protect Plus instance to be deployed in the spp project. Click on the IBM Spectrum Protect Plus operator and then on the SPP tab; you should see the running instance.
- If you go back to the ArgoCD web console, you should see all of the Argo Applications in green.
5 - IBM Spectrum Protect Plus UI
Now, let's make sure that our IBM Spectrum Protect Plus instance is up and running.
- Log into the Spectrum Protect Plus UI using the initial credentials of admin/password. You will be asked to change the user ID and password. In this scenario they were changed to sppadmin/passw0rd.
- Finally, the default IBM Spectrum Protect Plus dashboard is displayed and you can start working with it.