Setting up the cluster in the OpenShift console

You can install the Cloud Pak for Business Automation operators with the IBM catalogs in the Red Hat OpenShift console. By configuring a namespace-scoped Cloud Pak foundational services for your Cloud Pak for Business Automation deployment, you can install multiple CP4BA instances in the same cluster each with their own foundational services.

About this task

IBM provides operators to OpenShift in the form of a catalog. A catalog is added to an OpenShift cluster by using a CatalogSource resource. After you apply a CatalogSource resource, the IBM catalog appears in the OCP OperatorHub under All items > Business Automation.

Procedure

  1. Log in to your OCP or ROKS cluster as a cluster administrator.

    To allow a non-administrator user to create the Cloud Pak operators, you must create an OperatorGroup.

    1. As a cluster administrator, grant administrator ClusterRoleBinding with administrator ClusterRole to the non-administrator user:
      oc create clusterrolebinding <binding-name> --clusterrole=admin --user=<username>

      Where <username> is the non-administrator user and <binding-name> is the ClusterRoleBinding name.

    2. Create a ClusterRoleBinding with "aggregate-olm-view" ClusterRole for the user:
      oc create clusterrolebinding user-aggregate-olm-view --clusterrole=aggregate-olm-view --user=<username>
    3. The cluster administrator then creates an OperatorGroup in the namespace where the non-administrator user is going to deploy the operators.
      Apply the OperatorGroup by running the following command:
      oc create -n cp4ba-project -f operator-group.yaml

      The following operator-group.yaml file assigns spec.targetNamespaces to match the target namespace.

      apiVersion: operators.coreos.com/v1alpha2
      kind: OperatorGroup
      metadata:
        name: my-user-operatorgroup  
        namespace: cp4ba-project
      spec:  
        targetNamespaces:  
        - cp4ba-project

      Where cp4ba-project is the namespace that you created for the CP4BA deployment.

  2. Create two new projects in the OCP console: one project for the Certificate Manager catalog (ibm-cert-manager) and one project for the License Manager catalog (ibm-licensing).
  3. Add the CatalogSource resources to Operator Hub for the versions that you want to install. Each interim fix has a specific version and unique digest, which are needed for the new catalog sources.
    To import the YAML into your cluster in the OCP Admin console:
    1. Click the plus icon at the top of the console. The Import YAML editor opens.

      Icon for importing YAML

    2. You can import the entire catalog source YAML into the editor from the corresponding catalog_source.yaml file, and click Create. You can also paste the individual CatalogSource resource definitions one-by-one into the editor.
      Note: You can find the CatalogSource YAML in the catalog_source.yaml file, which is located in the CASE package in the ibm-cp-automation/inventory/cp4aOperatorSdk/files/deploy/crs/cert-kubernetes/descriptors/op-olm directory.

      For more information about downloading cert-kubernetes, see Preparing a client to connect to the cluster.

    The following example of the catalog sources does not show the real digests for 23.0.2 and its corresponding dependencies. The example does show the names and the number and version of the catalog sources that you need to create for each new installation that you want to use. Replace XXXXXXXXXXXX with the digest for each catalog source and replace the <namespace> placeholder with openshift-marketplace for the global catalog namespace (GCN) or your target CP4BA namespace (cp4ba-project) for a private catalog.

    For the Certificate Manager and License Manager catalogs change the namespace to a global catalog openshift-marketplace or leave the defaults for separate private catalogs.

    # CP4BA Multi-pattern Catalog 23.0.2 
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-cp4a-operator-catalog
      namespace: <namespace>
    spec:
      displayName: ibm-cp4a-operator
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-cp-automation-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
    # IBM FileNet Content Manager Catalog 23.0.2
    apiVersion: operators.coreos.com/v1alpha1 
    kind: CatalogSource 
    metadata: 
      name: ibm-fncm-operator-catalog
      namespace: <namespace> 
    spec: 
      displayName: ibm-fncm-operator 
      publisher: IBM 
      sourceType: grpc 
      image: icr.io/cpopen/ibm-fncm-catalog@sha256:XXXXXXXXXXXX 
      updateStrategy: 
        registryPoll: 
        interval: 45m 
    # IBM Cloud foundational services Catalog 4.2
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      annotations:
        bedrock_catalogsource_priority: '1'
      name: opencloud-operators-v4-2
      namespace: <namespace>
    spec:
      displayName: IBMCS Operators
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-common-service-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
    # IBM Business Teams Service Catalog 3.31
     apiVersion: operators.coreos.com/v1alpha1
     kind: CatalogSource
     metadata:
      annotations:
        bedrock_catalogsource_priority: '1'
      name: bts-operator
      namespace: <namespace>
     spec:
      displayName: BTS Operator
      publisher: IBM
      sourceType: grpc
      image: quay.io/opencloudio/ibm-bts-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
    # Cloud Native PostgresSQL Catalog 4.14
     apiVersion: operators.coreos.com/v1alpha1
     kind: CatalogSource
     metadata:
      annotations:
        bedrock_catalogsource_priority: '1'
      name: cloud-native-postgresql-catalog
      namespace: <namespace>
     spec:
      displayName: Cloud Native Postgresql Catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-cpd-cloud-native-postgresql-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
    # IBM CS Flink Operator Catalog 1.3.14 
    apiVersion: operators.coreos.com/v1alpha1 
    kind: CatalogSource 
    metadata: 
      name: ibm-cs-flink-operator-catalog 
      namespace: <namespace> 
    spec: 
      displayName: IBM CS Flink Operator 
      publisher: IBM 
      sourceType: grpc 
      image: icr.io/cpopen/ibm-cs-flink-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy: 
        registryPoll: 
          interval: 45m 
    # IBM CS Elastic Operator Catalog 1.3.14 
    apiVersion: operators.coreos.com/v1alpha1 
    kind: CatalogSource 
    metadata: 
      name: ibm-cs-elastic-operator-catalog 
      namespace: <namespace> 
    spec: 
      displayName: IBM CS Elastic Search Operator 
      publisher: IBM 
      sourceType: grpc 
      image: icr.io/cpopen/ibm-cs-elastic-operator-catalog@sha256:XXXXXXXXXXXX 
      updateStrategy: 
        registryPoll: 
          interval: 45m 
    # IBM Certificate Manager Catalog 4.2
    apiVersion: operators.coreos.com/v1alpha1 
    kind: CatalogSource 
    metadata: 
      name: ibm-cert-manager-catalog 
      namespace: ibm-cert-manager 
    spec: 
      displayName: ibm-cert-manager-4.2.0 
      publisher: IBM 
      sourceType: grpc 
      image: icr.io/cpopen/ibm-cert-manager-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy: 
        registryPoll: 
        interval: 45m 
    # IBM Licensing Catalog 4.2
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-licensing-catalog
      namespace: ibm-licensing
    spec:
      displayName: ibm-licensing-4.2.0
      publisher: IBM
      image: icr.io/cpopen/ibm-licensing-catalog@sha256:XXXXXXXXXXXX
      sourceType: grpc
      updateStrategy:
        registryPoll:
          interval: 45m 
  4. Install the IBM Certificate Manager and IBM License Service operators.
    • Option 1: Install IBM Certificate Manager and IBM License Service operators from the OperatorHub in the OCP console.
      1. In the All Items field, enter IBM Cert Manager. The IBM Cert Manager catalog is displayed.
      2. Click the IBM Cert Manager tile. The IBM Cert Manager window is displayed.
      3. Click Install. The Install Operator page is displayed.
      4. Set the Update Channel to v4.2.
      5. Set the Installation Mode to All namespaces on the cluster (default).
      6. Set the Update approval to Automatic.
      7. Click Install.
      8. In the All Items field, enter IBM Licensing. The IBM Licensing catalog is displayed.
      9. Click the IBM Licensing tile. The IBM Licensing window is displayed.
      10. Click Install. The Install Operator page is displayed.
      11. Set the Update Channel to v4.2.
      12. Set the Installation Mode to A specific namespace on the cluster.
      13. Set the Update approval to Automatic.
      14. Click Install.
    • Option 2: Install the IBM Certificate Manager and IBM License Service operators by running a script.
      1. Go to your downloaded cert-kubernetes folder.
        cd cert-kubernetes/scripts/cpfs/installer_scripts/cp3pt0-deployment
      2. Log in to the target cluster from a client.
        oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR>
      3. Run the following command if you changed the private catalog for the GCN:
        ./setup_singleton.sh --enable-licensing \ 
        -cmNs ibm-cert-manager -licensingNs ibm-licensing -c v4.2 \
        --license-accept

        Run the following command if you used the default for a private catalog:

        ./setup_singleton.sh --enable-licensing \
        --enable-private-catalog \
        -cmNs ibm-cert-manager -licensingNs ibm-licensing -c v4.2 \
        --license-accept
  5. Either an admin user or a non-admin user can now login to the OpenShift console, click Operators to open the OperatorHub, and then enter cp4ba in the Filter by keyword box under All items.
  6. Click the IBM Cloud Pak® for Business Automation (CP4BA) multi-pattern (ibm-cp4a-operator) catalog item, and click Install.
    1. In the configuration panel, fill in all the required fields.

      Select the channel (v23.2 for 23.0.2).

      If you set any subscriptions to manual, then you must approve any pending operator updates. It is not recommended to set subscriptions to manual because it can make the installation error prone when some of the dependency operators are not approved. By default, all subscriptions are set to automatic.

      Tip: Subscriptions for the Cloud Pak foundational services operators are created when they are "needed". Some subscriptions are created during the installation of the operators. If other subscriptions are needed, they are created during the installation of the CP4BA deployment. Business Teams Service, for example, is installed only "if it is needed". To check for subscriptions that are waiting for approval, get the install plans by running the following command.
      oc get installPlan

      The default mode is All namespaces on the cluster, but choose A specific namespace on the cluster under Installation Mode and select a namespace from the Installed Namespace menu to install in a single or the operator's own namespace.

      Attention: All namespaces is not recommended by IBM for new installations. If you do want to install in the All namespaces mode, create the "ibm-common-services" namespace for Cloud Pak foundational services and then make sure that the shared_configuration section in the custom resource includes the following parameters and values.
      shared_configuration:
        sc_common_service:
          operator_namespace: "openshift-operators"
          services_namespace: "ibm-common-services"

      Select the <NAMESPACE> that you created and prepared for the operator (cp4ba-project). For more information, see Preparing a namespace for the operator.

      Important: Before you install the operators, check for existing installations of the Cloud Pak for Business Automation operators. If there are existing operators installed in the openshift-operators namespace, then you must continue to use the All namespaces on the cluster option. If there are existing operators that are installed in specific namespaces but not in the openshift-operators namespace, then you must continue to use the A specific namespace on the cluster option.

      The oc get csv -A command shows all the operator installations.

    2. Click Install.
    3. In the Installed Operators view, verify the status of the IBM Cloud Pak for Business Automation installation.
  7. Verify the Cloud Pak for Business Automation operators are successfully installed.
    1. On the left panel in the OpenShift console, click Workloads > Pods, and switch to the project where you installed the operator. Verify that all the pods are running.
    2. On the left panel, click Operators > Installed Operators.
    3. Make sure that all operators have the status "Succeeded" in your selected <NAMESPACE>.
      Note: The version number (23.2.0) shown below the installed operators corresponds to the channel for Cloud Pak for Business Automation 23.0.2.

      The OLM is now aware of the operators. A ClusterServiceVersion (CSV) for the operators appear in the target namespace, and APIs provided by the operators are available to use.

    Tip: If the Cloud Pak operator is inactive for some time, you can delete the operator pod and force it to reconcile.

What to do next

You can monitor the operator logs with the following commands. Where the <NAMESPACE> is the project (cp4ba-project) that you created and prepared for the operator. For an all namespaces installation, the namespace is always openshift-operators.

oc project <NAMESPACE>
oc logs -f deployment/ibm-cp4a-operator -c operator

Grant permissions to non-admin user to create a CP4BA deployment

If you want to allow a non-admin user to create a CP4BA deployment, then you can get the role and cluster role names of the operator to give access to a specified user. To get the names after the operator is deployed successfully, use the following command.

oc get role | grep ibm-cp4a-operator | sort -t"t" -k1r | awk 'NR==1{print $1}'

Run the following commands for each specified user that you want to give permission to create a CP4BA deployment.

oc project <NAMESPACE>
oc adm policy add-role-to-user edit <user_name> 
oc adm policy add-role-to-user registry-editor <user_name>
oc adm policy add-role-to-user <role_name> <user_name> 
oc adm policy add-cluster-role-to-user icp4aclusters.icp4a.ibm.com-v1-crdview <user_name>

Where <role_name> is the name of the role that you got from running the oc get command, and the <NAMESPACE> is the project (cp4ba-project) that you created and prepared for the CP4BA deployment.

You can see the list of operators that are installed in your cluster on the Operators > Installed Operators page. For more information about foundational services, see IBM Cloud Pak foundational services.

To verify the foundational services installation, check whether all the pods in the namespace that is used for the CP4BA deployment are running. Use the following command:

oc get pods -n <namespace>

You can also use the following command to verify whether the services are successfully installed:

oc -n <namespace> get csv

Continue to prepare everything that you need for each capability that you want to install in Preparing your chosen capabilities.