Installing operators
Install operators for API Connect, DataPower, and common services so that you can deploy the API Connect subsystems in a shared namespace on OpenShift.
Before you begin
The API Connect operator and operand must be at compatible release and fix pack levels. Table 1 lists the current version of the operator and operand for API Connect.
API Connect (operand) | Operator channel version | Highest operator version |
---|---|---|
10.0.9.0 | v6.0 | 6.0.0 |
API Connect Operator version | API Connect version |
---|---|
6.0.0 |
|
5.3.0 |
|
5.2.0 |
|
The API Connect operator pods in your operator namespace must have network access to the namespace where your API Connect subsystems are installed. Do not configure OpenShift network policies that block communication between any of these namespaces:
- API Connect operator
- API Connect subsystems (operands)
- cert-manager
- openshift-operator-lifecycle-manager
- ibm-common-services
Procedure
- Download the IBM Catalog Management Plug-in for IBM Cloud Paks version
1.1.0 or later from GitHub. Air-gapped: If you are in an air-gapped environment, then skip this step and instead follow the steps in Air-gapped installation, and then continue from step 3.
The
ibm-pak
plug-in enables you to access hosted product images, and to runoc ibm-pak
commands against the cluster. To confirm thatibm-pak
is installed, run the following command and verify that the response lists the command usage:oc ibm-pak --help
- Obtain an entitlement key for the Entitled Registry:
Air-gapped: If you are in an air-gapped environment, then skip this step and instead follow the steps in Air-gapped installation, and then continue from step 3.
- Log in to the IBM Container Library.
- In the Container software library, select Get entitlement key.
- After the Access your container software heading, click Copy key.
- Copy the key to a safe location.
-
Create the namespace where API Connect will be installed, either by
selecting Home > Projects > Create Project in the UI, or with the following command:
oc create ns <APIC-namespace>
The namespace where you install API Connect must meet the following requirements:- Red Hat OpenShift: Only one top-level CR
(
APIConnectCluster
) can be deployed in each namespace. - Cloud Pak for Integration: Only one API Connect capability can be deployed in each namespace.
- Red Hat OpenShift restricts the use of default namespaces for installing
non-cluster services. The following namespaces cannot be used to install API
Connect:
default
kube-system
kube-public
openshift-node
openshift-infra
openshift
- Red Hat OpenShift: Only one top-level CR
(
-
If you are installing the operator into a single namespace, create an OperatorGroup object
specifying that namespace.
Attention: If you are installing the operator into all namespaces, skip this step because the
openshift-operators
namespace already has an appropriate Operator group in place.- Create the apiconnect-operator-group.yaml file with an
OperatorGroup object that identifies the namespace in which RBAC permissions for the IBM API Connect
Operator will be generated, and where the CSV will be available:
apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: <operator-group-name> namespace: <APIC-namespace> spec: targetNamespaces: - <APIC-namespace>
- Apply the OperatorGroup object with the following command:
oc apply -f apiconnect-operator-group.yaml
- Create the apiconnect-operator-group.yaml file with an
OperatorGroup object that identifies the namespace in which RBAC permissions for the IBM API Connect
Operator will be generated, and where the CSV will be available:
- If you are installing the operator in all namespaces, then create the
common services namespace:
oc create ns ibm-common-services
-
Create a pull secret in the namespaces where you want to install API Connect.
Air-gapped: If you are in an air-gapped environment, then skip this step as it is covered in Air-gapped installation.
- Open the Red Hat OpenShift web console, click Workloads > Secrets.
- Ensure that the Project is set to the namespace where you intend to install API Connect.
- Click Create and select Image pull secret.
- Set the following parameters for the secret:
- Set Secret name to
ibm-entitlement-key
. - Set Authentication type to
Image registry credentials
. - Set Registry server address to
cp.icr.io
. - Set Username to
cp
. - Set Password to the entitlement key generated in Step 2.
- Click Create to create the secret.
- Set Secret name to
Note: If your Red Hat OpenShift platform is Red Hat OpenShift on IBM Cloud (ROKS), you might need to reload your worker nodes after the image pull secret is created. You can reload the worker nodes either from the Red Hat OpenShift web console or from the command line with the following command:ibmcloud oc worker reload
For information on using the
reload
command, see the Red Hat OpenShift on IBM Cloud documentation. - Add the API Connect catalog sources to your
cluster. Air-gapped: If you are in an air-gapped environment, then skip this step as it is covered in Air-gapped installation.
Adding catalog sources to your Red Hat OpenShift cluster adds the IBM operators to the list of operators you can install. For most connected and air-gapped clusters, applying individual catalog sources is the most effective way to fully control software versioning on the cluster.
- Generate the catalog source files:
- Log into your cluster using the
oc login
command and your user credentials:oc login <openshift_url> -u <username> -p <password> -n <APIC-namespace>
- Export the variables for the command line to use:
export CASE_NAME=ibm-apiconnect export CASE_VERSION=6.0.0 export ARCH=amd64
For information on API Connect CASE versions and their corresponding operators and operands, see Operator, CASE, and platform requirements.
- Download the files for the operators required by API
Connect:
oc ibm-pak get ${CASE_NAME} --version ${CASE_VERSION}
- Generate the catalog sources for API
Connect:
oc ibm-pak generate mirror-manifests ${CASE_NAME} icr.io --version ${CASE_VERSION}
- Optionally get the catalog sources and save them in another directory in case you need to
replicate this installation in the future:
Get the catalog sources:
cat ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/catalog-sources.yaml
- Log into your cluster using the
- Apply the catalog sources:
- Apply the catalog
sources:
oc apply -f ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/catalog-sources.yaml
- Confirm that the catalog sources have been created in the
openshift-marketplace
namespace:oc get catalogsource -n openshift-marketplace
- Apply the catalog
sources:
- Generate the catalog source files:
- Add the IBM Cloud Pak foundational services
(common services) catalog sources to your cluster. Air-gapped: If you are in an air-gapped environment, then skip this step as it is covered in Air-gapped installation.
- Generate the catalog source files:
- Log into your cluster using the
oc login
command and your user credentials:oc login <openshift_url> -u <username> -p <password> -n <APIC-namespace>
- Export the variables for the command line to use; substituting the appropriate CASE
version:
export CASE_NAME=ibm-cp-common-services export CASE_VERSION=<case version> export ARCH=amd64
Set <case version> to the value specified for Foundational services CASE version in Operator, CASE, and platform requirements, for your deployment type.
- Download the files for the operators required by IBM Cloud Pak foundational
services (common
services):
oc ibm-pak get ${CASE_NAME} --version ${CASE_VERSION}
- Generate the catalog
sources:
oc ibm-pak generate mirror-manifests ${CASE_NAME} icr.io --version ${CASE_VERSION}
- Optionally get the catalog sources and save them in another directory in case you need to
replicate this installation in the future:
Get the catalog sources:
cat ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/catalog-sources.yaml
This command might not return anything if there are no architecture-specific catalog sources.
- Log into your cluster using the
- Apply the catalog sources:
- Apply the catalog
sources:
oc apply -f ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/catalog-sources.yaml
- Confirm that the catalog sources have been created in the
openshift-marketplace
namespace:oc get catalogsource -n openshift-marketplace
- Apply the catalog
sources:
- Generate the catalog source files:
-
Create the
apiconnect
subscription.- Create the
apiconnect
subscription with the appropriate channel by creating a file calledapic-sub.yaml
and pasting in the following contents, updating the namespace as required:
WhereapiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: ibm-apiconnect namespace: <namespace> spec: channel: v6.0 name: ibm-apiconnect source: ibm-apiconnect-catalog sourceNamespace: openshift-marketplace
<namespace>
is one of the following values:openshift-operators
if you are installing the operator in all namespaces- The namespace created in step 3 if you are installing the operator in a single namespace
- Apply the subscription with the following command:
oc apply -f apic-sub.yaml
- Select Operators > Installed
Operators, and ensure that Project: All Projects
is selected.
If any operators such as
ibm-apiconnect
orIBM DataPower Gateway
show the status of "Upgrade available", approve the upgrade by completing the following steps:- Click Upgrade available.
- Click Preview InstallPlan.
- Click Approve.
- Wait for the
IBM API Connect
andIBM DataPower Gateway
operators to install.
The
IBM DataPower Gateway
operator is a prerequisite to API Connect and must not be removed.
- Create the
- Install cert manager by completing the following steps:
- Log in to the OpenShift Container Platform web console.
- Navigate to
Operators > OperatorHub.
- In the filter box, type:
cert-manager Operator for Red Hat OpenShift
. - Select cert-manager Operator for Red Hat OpenShift and click
Install.
- On the Install Operator page, complete the following steps:
- Update the Update channel if needed. The channel defaults to
stable-v1
, which installs the latest stable release of the cert-manager Operator for Red Hat OpenShift. - Select the Installed Namespace for the operator.
The default operator namespace is
cert-manager-operator
; if that namespace doesn't exist, it is created for you. - Select an Update approval strategy:
- Automatic: allow Operator Lifecycle Manager (OLM) to automatically update the operator when a new version is available.
- Manual: require a user with the appropriate credentials to approve all operator updates.
- Click Install.
- Update the Update channel if needed. The channel defaults to
- Verify the cert-manager installation by completing the following steps:
- Click to Operators > Installed Operators.
- Verify that
cert-manager Operator for Red Hat OpenShift
is listed with a Status ofSucceeded
in thecert-manager-operator
namespace. - Verify that cert-manager pods are up and running by running the following
command:
oc get pods -n cert-manager
For a successful installation, the response looks like the following example:
NAME READY STATUS RESTARTS AGE cert-manager-bd7fbb9fc-wvbbt 1/1 Running 0 3m39s cert-manager-cainjector-56cc5f9868-7g9z7 1/1 Running 0 4m5s cert-manager-webhook-d4f79d7f7-9dg9w 1/1 Running 0 4m9s
- Log in to the OpenShift Container Platform web console.
- Create the
ibm-common-services-operator
subscription, if it does not already exist.- Create a file called common-services-sub.yaml and paste in the
following contents:
apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: ibm-common-service-operator namespace: <namespace> spec: channel: v4.6 name: ibm-common-service-operator source: opencloud-operators sourceNamespace: openshift-marketplace
Where:
<namespace>
is one of the following values:openshift-operators
if you are installing the operator in all namespaces- The namespace created in step 3 if you are installing the operator in a single namespace
- Apply the subscription with the following command:
oc apply -f common-services-sub.yaml
- Select Operators > Installed
Operators, and ensure that Project: All Projects
is selected.
If any operators such as
ibm-apiconnect
,IBM Cloud Pak foundational services
, orOperand Deployment Lifecycle Manager
show the status of "Upgrade available", approve the upgrade by completing the following steps:- Click Upgrade available.
- Click Preview InstallPlan.
- Click Approve.
- Check the
ibm-common-services
namespace and ensure that all operators with a status of "Upgrade available" are approved. - Wait for the
IBM Cloud Pak foundational services
andOperand Deployment Lifecycle Manager
operators to install.
- Create a file called common-services-sub.yaml and paste in the
following contents: