Hello.
I am trying to install Cloud Pak for Security 1.3.0.1 on my OpenShift (three Master nodes and two Worker Nodes) according to the following article: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.3.0/cp4s_v1r3/docs/security-pak/csinstall_online.html
I have done all five steps from Installing Common services part of that article but ICP GUI doesn't open. 
One worker node was set as Proxy+Master and another worker was set as Management
The output of oc get pods --namespace kube-system shows all pods in Running and Completed state.
Here is what I have:
[root@centos ~]# oc get route -n kube-system | grep console
icp-console icp-console.apps.os1.oc.local management-ingress <all> passthrough/Redirect None
I tried to access that cp-console icp-console.apps.os1.oc.local via https:// and https://:8443, besided that I tried to access proxy in web via https:// and https://:8443 but got the same issue.

I see the followng errors for cp-console icp-console.apps.os1.oc.local What can lead to such errors and how to solve this issue?
2020/09/29 07:13:12 [error] 69#69: *560 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.35, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/oidc/keys/", host: "iam-token-service:10443"
2020/09/29 07:13:12 [error] 69#69: *562 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.14, server: _, request: "GET /v1/health HTTP/1.1", upstream: "https://172.30.127.183:9443/v1/health", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 68#68: *564 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /v1 HTTP/1.1", upstream: "https://172.30.127.183:9443/v1", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 65#65: *566 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/o

------------------------------
Igor Volkov
------------------------------

Hi Igor,


In order to install Cloud Pak for Security, you will need 3 worker nodes and 3 master nodes. Please see requirements page for more details: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.3.0/cp4s_v1r3/docs/security-pak/hardware.html

Also, We have just released Cloud Pak for Security V1.4. If you would like to talk more on the requirements, please let me (mehul.amin@ibm.com) know if you would like to get on webex. We can look into the problem you are currently experiencing and also chat about latest version and requirements to keep your deployment up to date.

Thanks,
Mehul Amin
mehul.amin@ibm.com

------------------------------
Mehul Amin
------------------------------

Original Message:
Sent: Tue September 29, 2020 11:01 AM
From: Igor Volkov
Subject: Cloud Pak for Security installation issue

Hello.
I am trying to install Cloud Pak for Security 1.3.0.1 on my OpenShift (three Master nodes and two Worker Nodes) according to the following article: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.3.0/cp4s_v1r3/docs/security-pak/csinstall_online.html
I have done all five steps from Installing Common services part of that article but ICP GUI doesn't open. 
One worker node was set as Proxy+Master and another worker was set as Management
The output of oc get pods --namespace kube-system shows all pods in Running and Completed state.
Here is what I have:
[root@centos ~]# oc get route -n kube-system | grep console
icp-console icp-console.apps.os1.oc.local management-ingress <all> passthrough/Redirect None
I tried to access that cp-console icp-console.apps.os1.oc.local via https:// and https://:8443, besided that I tried to access proxy in web via https:// and https://:8443 but got the same issue.

I see the followng errors for cp-console icp-console.apps.os1.oc.local What can lead to such errors and how to solve this issue?
2020/09/29 07:13:12 [error] 69#69: *560 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.35, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/oidc/keys/", host: "iam-token-service:10443"
2020/09/29 07:13:12 [error] 69#69: *562 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.14, server: _, request: "GET /v1/health HTTP/1.1", upstream: "https://172.30.127.183:9443/v1/health", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 68#68: *564 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /v1 HTTP/1.1", upstream: "https://172.30.127.183:9443/v1", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 65#65: *566 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/o

------------------------------
Igor Volkov
------------------------------

Hello Igor,

As per cloud Pak for security hardware requirements, you will need 3 master and 3 worker nodes. Hardware requirements: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.4.0/platform/docs/security-pak/hardware.html

Also, Cloud Pak for Security Version 1.4 has been released. Would you like to get on webex to talk through requirements and latest feature functionality?  We can tackle above problem along and also talk about new features if you would like. I can be reached at Mehul.Amin@ibm.com. Please let me know when would be best time to get on webex to talk more.

Thanks!

------------------------------
Mehul Amin
------------------------------

Original Message:
Sent: Tue September 29, 2020 11:01 AM
From: Igor Volkov
Subject: Cloud Pak for Security installation issue

Hello.
I am trying to install Cloud Pak for Security 1.3.0.1 on my OpenShift (three Master nodes and two Worker Nodes) according to the following article: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.3.0/cp4s_v1r3/docs/security-pak/csinstall_online.html
I have done all five steps from Installing Common services part of that article but ICP GUI doesn't open. 
One worker node was set as Proxy+Master and another worker was set as Management
The output of oc get pods --namespace kube-system shows all pods in Running and Completed state.
Here is what I have:
[root@centos ~]# oc get route -n kube-system | grep console
icp-console icp-console.apps.os1.oc.local management-ingress <all> passthrough/Redirect None
I tried to access that cp-console icp-console.apps.os1.oc.local via https:// and https://:8443, besided that I tried to access proxy in web via https:// and https://:8443 but got the same issue.

I see the followng errors for cp-console icp-console.apps.os1.oc.local What can lead to such errors and how to solve this issue?
2020/09/29 07:13:12 [error] 69#69: *560 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.35, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/oidc/keys/", host: "iam-token-service:10443"
2020/09/29 07:13:12 [error] 69#69: *562 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.14, server: _, request: "GET /v1/health HTTP/1.1", upstream: "https://172.30.127.183:9443/v1/health", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 68#68: *564 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /v1 HTTP/1.1", upstream: "https://172.30.127.183:9443/v1", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 65#65: *566 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/o

------------------------------
Igor Volkov
------------------------------

Hi Mehul.
Well, that's the matter of available resources. Currently we have resources for deploying two workers and three masters. Besides that, the error message I get doesn't seem to be related to lack of the third worker. It would be perfect to have a webex session where we could discuss it and look at the issue. I haven't found any information about the need to deploy each component (master, proxy, management) only on one worker. Is there any mutually used resources (and ports) by proxy, management, master that might affect each other and cause issue when more than one component (e.g. master and proxy or management and master) works on a worker that might cause the error message I sent you earlier? 
I also wanted to mention that during installation we see such messaged for some components:

TASK [waitfor : Waiting for MongoDB to start] ***********************************************************************************************************************************************
FAILED - RETRYING: Waiting for MongoDB to start (100 retries left).
 

TASK [waitfor : Waiting for auth-pdp to start] **********************************************************************************************************************************************
FAILED - RETRYING: Waiting for auth-pdp to start (100 retries left).

What could lead to such messages?

Best regards,
Igor.

------------------------------
Igor Volkov
------------------------------

Original Message:
Sent: Wed September 30, 2020 03:38 PM
From: Mehul Amin
Subject: Cloud Pak for Security installation issue

Hello Igor,

As per cloud Pak for security hardware requirements, you will need 3 master and 3 worker nodes. Hardware requirements: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.4.0/platform/docs/security-pak/hardware.html

Also, Cloud Pak for Security Version 1.4 has been released. Would you like to get on webex to talk through requirements and latest feature functionality?  We can tackle above problem along and also talk about new features if you would like. I can be reached at Mehul.Amin@ibm.com. Please let me know when would be best time to get on webex to talk more.

Thanks!

------------------------------
Mehul Amin

Original Message:
Sent: Tue September 29, 2020 11:01 AM
From: Igor Volkov
Subject: Cloud Pak for Security installation issue

Hello.
I am trying to install Cloud Pak for Security 1.3.0.1 on my OpenShift (three Master nodes and two Worker Nodes) according to the following article: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.3.0/cp4s_v1r3/docs/security-pak/csinstall_online.html
I have done all five steps from Installing Common services part of that article but ICP GUI doesn't open. 
One worker node was set as Proxy+Master and another worker was set as Management
The output of oc get pods --namespace kube-system shows all pods in Running and Completed state.
Here is what I have:
[root@centos ~]# oc get route -n kube-system | grep console
icp-console icp-console.apps.os1.oc.local management-ingress <all> passthrough/Redirect None
I tried to access that cp-console icp-console.apps.os1.oc.local via https:// and https://:8443, besided that I tried to access proxy in web via https:// and https://:8443 but got the same issue.

I see the followng errors for cp-console icp-console.apps.os1.oc.local What can lead to such errors and how to solve this issue?
2020/09/29 07:13:12 [error] 69#69: *560 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.35, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/oidc/keys/", host: "iam-token-service:10443"
2020/09/29 07:13:12 [error] 69#69: *562 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.14, server: _, request: "GET /v1/health HTTP/1.1", upstream: "https://172.30.127.183:9443/v1/health", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 68#68: *564 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /v1 HTTP/1.1", upstream: "https://172.30.127.183:9443/v1", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 65#65: *566 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/o

------------------------------
Igor Volkov
------------------------------

Hi Igor,

Lets have a webex to take a look at deployment and figure out the root cause. I will send out webex.

------------------------------
Mehul Amin
------------------------------

Original Message:
Sent: Thu October 01, 2020 12:20 PM
From: Igor Volkov
Subject: Cloud Pak for Security installation issue

Hi Mehul.
Well, that's the matter of available resources. Currently we have resources for deploying two workers and three masters. Besides that, the error message I get doesn't seem to be related to lack of the third worker. It would be perfect to have a webex session where we could discuss it and look at the issue. I haven't found any information about the need to deploy each component (master, proxy, management) only on one worker. Is there any mutually used resources (and ports) by proxy, management, master that might affect each other and cause issue when more than one component (e.g. master and proxy or management and master) works on a worker that might cause the error message I sent you earlier? 
I also wanted to mention that during installation we see such messaged for some components:

TASK [waitfor : Waiting for MongoDB to start] ***********************************************************************************************************************************************
FAILED - RETRYING: Waiting for MongoDB to start (100 retries left).
 

TASK [waitfor : Waiting for auth-pdp to start] **********************************************************************************************************************************************
FAILED - RETRYING: Waiting for auth-pdp to start (100 retries left).

What could lead to such messages?

Best regards,
Igor.

------------------------------
Igor Volkov

Original Message:
Sent: Wed September 30, 2020 03:38 PM
From: Mehul Amin
Subject: Cloud Pak for Security installation issue

Hello Igor,

As per cloud Pak for security hardware requirements, you will need 3 master and 3 worker nodes. Hardware requirements: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.4.0/platform/docs/security-pak/hardware.html

Also, Cloud Pak for Security Version 1.4 has been released. Would you like to get on webex to talk through requirements and latest feature functionality?  We can tackle above problem along and also talk about new features if you would like. I can be reached at Mehul.Amin@ibm.com. Please let me know when would be best time to get on webex to talk more.

Thanks!

------------------------------
Mehul Amin

Original Message:
Sent: Tue September 29, 2020 11:01 AM
From: Igor Volkov
Subject: Cloud Pak for Security installation issue

Hello.
I am trying to install Cloud Pak for Security 1.3.0.1 on my OpenShift (three Master nodes and two Worker Nodes) according to the following article: https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.3.0/cp4s_v1r3/docs/security-pak/csinstall_online.html
I have done all five steps from Installing Common services part of that article but ICP GUI doesn't open. 
One worker node was set as Proxy+Master and another worker was set as Management
The output of oc get pods --namespace kube-system shows all pods in Running and Completed state.
Here is what I have:
[root@centos ~]# oc get route -n kube-system | grep console
icp-console icp-console.apps.os1.oc.local management-ingress <all> passthrough/Redirect None
I tried to access that cp-console icp-console.apps.os1.oc.local via https:// and https://:8443, besided that I tried to access proxy in web via https:// and https://:8443 but got the same issue.

I see the followng errors for cp-console icp-console.apps.os1.oc.local What can lead to such errors and how to solve this issue?
2020/09/29 07:13:12 [error] 69#69: *560 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.35, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/oidc/keys/", host: "iam-token-service:10443"
2020/09/29 07:13:12 [error] 69#69: *562 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.14, server: _, request: "GET /v1/health HTTP/1.1", upstream: "https://172.30.127.183:9443/v1/health", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 68#68: *564 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /v1 HTTP/1.1", upstream: "https://172.30.127.183:9443/v1", host: "iam-token-service:10443"
2020/09/29 07:13:13 [error] 65#65: *566 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.128.4.26, server: _, request: "GET /oidc/keys HTTP/1.1", upstream: "https://172.30.127.183:9443/iam/o

------------------------------
Igor Volkov
------------------------------