Upgrading the operator by running a script

You can upgrade the operator by running a script to the new version before you apply your custom resource upgrades.

About this task

Upgrade the Cloud Pak operator by changing the channel from v21.2 to v21.3. You can change the channel by running the upgradeOperator.sh script.


  1. Log in to the target cluster.
    oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR>
    oc project <project_name>

    Where <project_name> is the target namespace.

  2. Download the cert-kubernetes repository to a Linux® based machine (RHEL, CentOS, and macOS).

    For more information about downloading cert-kubernetes, see Preparing a client to connect to the cluster.

    Use the tar -xvzf command to extract the archives.

    tar -xvzf ibm-cp-automation-3.2.x.tgz
    cd ibm-cp-automation/inventory/cp4aOperatorSdk/files/deploy/crs
    tar -xvzf cert-k8s-21.0.3.tar

    Where x is 0-6. If you use interim fix 7 or later the upgrade hangs and the operator must be deleted and re-installed.

  3. Optional: If you have static storage on OCP, provide group write permission to the persistent volume (PV) of the operator.
    • According to the PV path definition (/root/operator), run the following commands.
      chown -R :65534 /root/operator
      chmod -R g+rw /root/operator

      Group ownership must be set to the anongid option given in the NFS export definition of the NFS server associated with the PV. The default anongid value is 65534.

      Remove the .OPERATOR_TYPE file if it exists from a previous deployment.

      rm -f /<hostPath>/.OPERATOR_TYPE

      Where <path> is the value in your PV (root/operator).

  4. Upgrade the icp4a-operator on your cluster.

    Use the upgradeOperator.sh script to deploy the operator manifest descriptors.

    ./scripts/upgradeOperator.sh -n <project_name> -a accept

    Where <project_name> is the target namespace, and accept means that you accept the cert-kubernetes/LICENSE.

    Use the script -h parameter for more information.

    ./scripts/upgradeOperator.sh -h

    The -i parameter is needed only if you loaded the images to a private image registry. If you did not use the admin.registrykey secret, the -p parameter is needed. The secret name must be the secret that is used to access the registry.

    Note: If you plan to use a non-administrator user to install the operator, you must add the user to the ibm-cp4-operator role.
    oc adm policy add-role-to-user ibm-cp4a-operator <user_name>
    The script is finished when the following message is displayed:
    All descriptors have been successfully applied. Monitor the pod status with 'kubectl get pods -w'.
    Tip: If you see a timeout message "Timeout Waiting for CP4BA operator to start", run the upgradeOperator.sh script again. If the upgradeOperator.sh script times-out again, wait at least 15 minutes before you begin Troubleshooting.
  5. If you have any subscriptions set to manual, then you must approve any pending operator updates.

    It is not recommended to set subscriptions to manual because it can make the upgrade more error prone if some of the many operator updates are not approved. By default, all subscriptions are set to automatic.

What to do next

To pin the version that you upgraded to, go to and complete the steps in Upgrading operator subscriptions.