Platform installation and upgrade for CPSH extended capabilities

This section describes the Platform installation for CPSH extended capabilities.

Prerequisites

The Kubernetes cluster should be first initialized with Zarf.

The Platform package includes core components required for your environment such as PostgreSQL, RabbitMQ, Istio, and KEDA.

Before beginning the installation, you must decide which Kubernetes IP networking stack(s) you will use (referred to as IP_STACK_MODE), as this setting affects the entire network configuration of the cluster.

  • ipv4: Uses only IPv4 addresses.

  • ipv6: Uses only IPv6 addresses.

  • dualstack: Uses both IPv4 and IPv6 addresses.

You must also determine how the DGC will communicate with the Kubernetes cluster. The two options are:

  • via http

  • via https

TLS Certificates

If your Certificate Authority (CA) provides separate certificate files, such as cert.pem and chain.pem, you must combine them into a single file named fullchain.pem as follows:

Copy 
cat cert.pem chain.pem > fullchain.pem

When deploying your Istio-enabled Zarf package, you must pass the ISTIO_TLS_CERT, ISTIO_KEY, and ISTIO_GATEWAY_HOST.

Note The following code snippet is an example.

Copy 
zarf --log-level=debug package deploy cpsh-platform-zarf-package/zarf-package-cpsh-platform-${PLATFORM}-${VERSION}.tar.zst \
  --confirm \
  --set TLS_INGRESS_ENABLED=true \
  --set ISTIO_TLS_CERT=/path/to/fullchain.pem \
  --set ISTIO_TLS_KEY=/path/to/privkey.pem \
  --set ISTIO_GATEWAY_HOST="example.hostname.com"

Parameters

  • IP_STACK_MODE: A required variable that is passed to the Zarf deployment. This must be defined as mentioned in the Prerequisites above.

  • TLS_INGRESS_ENABLED: Must be set to true to enable TLS in Istio.

  • ISTIO_TLS_CERT: Path to the certificate file (.crt or fullchain.pem).

  • ISTIO_TLS_KEY: Path to the private key file.

  • ISTIO_GATEWAY_HOST: The DNS hostname your certificate is issued for (must resolve to the ingress of the cluster).

Installation

  1. Download the zarf-package-cpsh-platform-amd64-X.Y.Z.tar.zst Zarf package (where X.Y.Z corresponds to the Collibra Platform release version) into a temporary folder (e.g. /tmp/).
  2. Run the following command to deploy the package:

    3. Copy 
    zarf package deploy /tmp/zarf-package-cpsh-platform-amd64-X.Y.Z.tar.zst

    After the package is deployed, a list of required installations and parameters displays.

  3. Provide the required installation and parameter information.
  4. Verify that the deployment process successfully completes by confirming that the Zarf command execution displays similar to the following:
    Copy
    2025-09-02 16:00:29 INF action succeeded cmd=./zarf tools wait-for cluster cpsh-postgres {.status.read...
    2025-09-02 16:00:30 INF deploying component name=cpsh-priority-classes
    2025-09-02 16:00:30 INF processing Helm chart name=raw-cpsh-platform-cpsh-priority-classes-cpsh-priority-classes version=0.1.1756820767 source=Zarf-generated
    2025-09-02 16:00:31 INF performing Helm install chart=raw-cpsh-platform-cpsh-priority-classes-cpsh-priority-classes
    2025-09-02 16:00:35 INF running health checks chart=raw-cpsh-platform-cpsh-priority-classes-cpsh-priority-classes

Validation

  1. After deployment, check that Istio Gateway is using the cert:

    2. Copy 
    kubectl describe gateway -n istio-system

  2. Execute the following command and verify the certs are being validated:

    3. Copy 
    curl -vI https://${ISTIO_GATEWAY_HOST}

  3. Confirm the certificate chain:

    4. Copy 
    openssl s_client -connect ${ISTIO_GATEWAY_HOST}:443 -showcerts