Installing the IBM Cloud Pak catalogs and operators

You can install the Cloud Pak for Business Automation operators with IBM catalogs in the OpenShift console.

About this task

IBM provides operators to OpenShift in the form of a catalog. A catalog is added to an OpenShift cluster by using a CatalogSource resource. After you apply a CatalogSource resource, the IBM catalog appears in the OCP OperatorHub under All items > Business Automation.

Procedure

  1. Log in to your OCP or ROKS cluster as a cluster administrator.

    To allow a non-administrator user to create the Cloud Pak operators you must create an OperatorGroup.

    1. As a cluster administrator, grant administrator ClusterRoleBinding with administrator ClusterRole to the non-administrator user:
      oc create clusterrolebinding <binding-name> --clusterrole=admin --user=<username>

      Where <username> is the non-administrator user and <binding-name> is the ClusterRoleBinding name.

    2. Create a ClusterRoleBinding with "aggregate-olm-view" ClusterRole for the user:
      oc create clusterrolebinding user-aggregate-olm-view --clusterrole=aggregate-olm-view --user=<username>
    3. The cluster administrator then creates an OperatorGroup in the namespace where the non-administrator user is going to deploy the operators.

      The following operator-group.yaml file assigns spec.targetNamespaces to match the target namespace.

      apiVersion: operators.coreos.com/v1alpha2
      kind: OperatorGroup
      metadata:
        name: my-user-operatorgroup  
        namespace: cp4ba-starter
      spec:  
        targetNamespaces:  
        - cp4ba-starter

      Where cp4ba-starter is the namespace you created for the CP4BA deployment.

    4. Apply the OperatorGroup by running the following command:
      oc create -n cp4ba-starter -f operator-group.yaml
  2. Create two new projects in the OCP console. One project for the Certificate Manager catalog (ibm-cert-manager) and one project the License Manager catalog (ibm-licensing).
  3. Add the CatalogSource resources to Operator Hub for the versions that you want to install. Each interim fix has a specific version and unique digest, which are needed for the new catalog sources.
    To import the YAML into your cluster in the OCP Admin console:
    1. Click the plus icon at the top of the console. The Import YAML editor opens.

      Icon for importing YAML

    2. You can import the entire catalog source YAML into the editor from the corresponding catalog_source.yaml file, and click Create. You can also paste the individual CatalogSource resource definitions one-by-one into the editor.
      Note: You can find the CatalogSource YAML in the catalog_source.yaml file, which is located in the cert-kubernetes/descriptors/op-olm directory.

      For more information about downloading cert-kubernetes, see Preparing a client to connect to the cluster.

    The following example of the catalog sources does not show the real digests for 24.0.0 and its corresponding dependencies. The example does show the names and the number and version of the catalog sources that you need to create for each new installation that you want to use. Replace XXXXXXXXXXXX with the digest for each catalog source and replace the <namespace> placeholder with openshift-marketplace for the global catalog namespace (GCN) or your target CP4BA namespace (cp4ba-starter) for a private catalog.

    For the Certificate Manager and License Manager catalogs change the namespace to a global catalog openshift-marketplace or leave the defaults for separate private catalogs.

    # CP4BA Multi-pattern Catalog 24.0.0 
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-cp4a-operator-catalog
      namespace: <namespace>
    spec:
      displayName: ibm-cp4a-operator
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-cp-automation-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
    # IBM FileNet Content Manager Catalog 24.0.0
    apiVersion: operators.coreos.com/v1alpha1 
    kind: CatalogSource 
    metadata: 
      name: ibm-fncm-operator-catalog
      namespace: <namespace> 
    spec: 
      displayName: ibm-fncm-operator 
      publisher: IBM 
      sourceType: grpc 
      image: icr.io/cpopen/ibm-fncm-catalog@sha256:XXXXXXXXXXXX 
      updateStrategy: 
        registryPoll: 
        interval: 45m 
    # IBM Cloud Pak foundational services 4.6.2
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-cs-install-catalog-v4-6-2
      namespace: <namespace>
      annotations:
        bedrock_catalogsource_priority: '1'
    spec:
      displayName: IBM CS Install Operators
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-cs-install-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
      priority: 100    
    # IBM Business Teams Service Catalog 3.33.1
     apiVersion: operators.coreos.com/v1alpha1
     kind: CatalogSource
     metadata:
      annotations:
        bedrock_catalogsource_priority: '1'
      name: bts-operator
      namespace: <namespace>
     spec:
      displayName: BTS Operator
      publisher: IBM
      sourceType: grpc
      image: quay.io/opencloudio/ibm-bts-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
    # Cloud Native PostgresSQL Catalog 1.18.12 (4.25.0)
     apiVersion: operators.coreos.com/v1alpha1
     kind: CatalogSource
     metadata:
      annotations:
        bedrock_catalogsource_priority: '1'
      name: cloud-native-postgresql-catalog
      namespace: <namespace>
     spec:
      displayName: Cloud Native Postgresql Catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-cpd-cloud-native-postgresql-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
    # IBM CS Flink Operator Catalog 1.18.1 (2.0.1)
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-opencontent-flink
      namespace: <namespace>
    spec:
      displayName: IBM CS Opencontent Flink Catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-opencontent-flink-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
      priority: 100
    # IBM CS Opensearch Operator Catalog 1.1.21
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-cs-opensearch-catalog
      namespace: <namespace>
    spec:
      displayName: IBM CS Opencontent Opensearch Catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/opencontent-elasticsearch-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
      priority: 100
    # IBM Certificate Manager Catalog 4.2.4
    apiVersion: operators.coreos.com/v1alpha1 
    kind: CatalogSource 
    metadata: 
      name: ibm-cert-manager-catalog 
      namespace: openshift-marketplace 
    spec: 
      displayName: ibm-cert-manager-4.2.4 
      publisher: IBM 
      sourceType: grpc 
      image: icr.io/cpopen/ibm-cert-manager-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy: 
        registryPoll: 
        interval: 45m 
    # IBM Licensing Catalog 4.2.4
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-licensing-catalog
      namespace: openshift-marketplace
    spec:
      displayName: ibm-licensing-4.2.4
      publisher: IBM
      image: icr.io/cpopen/ibm-licensing-catalog@sha256:XXXXXXXXXXXX
      sourceType: grpc
      updateStrategy:
        registryPoll:
          interval: 45m 
    # IBM CS IM Operator Catalog 4.5.1
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-iam-operator-catalog
      namespace: <namespace>
      annotations:
        bedrock_catalogsource_priority: '1'
    spec:
      displayName: IBM IAM Operator Catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-iam-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
      priority: 100
    # IBM Zen Operator Catalog 5.1.4
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-zen-operator-catalog
      namespace: <namespace>
      annotations:
        bedrock_catalogsource_priority: '1'
    spec:
      displayName: IBM Zen Operator Catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-zen-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
      priority: 100
    # IBM Events Operator Catalog 5.0.1
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-events-operator-catalog
      namespace: <namespace>
      annotations:
        bedrock_catalogsource_priority: '1'
    spec:
      displayName: IBM Events Operator Catalog
      publisher: IBM
      sourceType: grpc
      image: icr.io/cpopen/ibm-events-operator-catalog@sha256:XXXXXXXXXXXX
      updateStrategy:
        registryPoll:
          interval: 45m
      priority: 100
  4. Install the IBM Certificate Manager and IBM License Service operators from the Operator Hub.
    1. In the All Items field, enter IBM Cert Manager. The IBM Cert Manager catalog is displayed.
    2. Click the IBM Cert Manager tile. The IBM Cert Manager window is displayed.
    3. Click Install. The Install Operator page is displayed.
    4. Set the Update Channel to v4.2.
    5. Set the Installation Mode to All namespaces on the cluster (default).
    6. Set the Installed Namespace to the ibm-cert-manager(Operator recommended) namespace.
    7. Set the Update approval to Automatic.
    8. Click Install.
    9. In the All Items field, enter IBM Licensing. The IBM Licensing catalog is displayed.
    10. Click the IBM Licensing tile. The IBM Licensing window is displayed.
    11. Click Install. The Install Operator page is displayed.
    12. Set the Update Channel to v4.2.
    13. Set the Installation Mode to A specific namespace on the cluster.
    14. Set the Installed Namespace to the ibm-licensing namespace.
    15. Set the Update approval to Automatic.
    16. Click Install.
  5. Either an admin user or a non-admin user can now login to the OpenShift console, click Operators to open the OperatorHub, and then enter cp4ba in the Filter by keyword box under All items.
  6. Click the IBM Cloud Pak® for Business Automation (CP4BA) multi-pattern (ibm-cp4a-operator) catalog item, and click Install.
    1. In the Create Operator Subscription wizard, select the channel (v24.0 for 24.0.0).
    2. The default mode is All namespaces on the cluster, but choose A specific namespace on the cluster under Installation Mode and select a namespace from the Installed Namespace drop-down list to install in a single or the operator's own namespace.
      Attention: All namespaces is not recommended by IBM for new installations. If you do want to install in the All namespaces mode, create the "ibm-common-services" namespace for Cloud Pak foundational services and then make sure that the shared_configuration section in the custom resource includes the following parameters and values.
      shared_configuration:
          sc_common_service:
              operator_namespace: "openshift-operators"
              services_namespace: "ibm-common-services"

      Select the <NAMESPACE> that you created and prepared for the CP4BA deployment. For more information, see Preparing the image pull secrets.

      Important: If there are existing operators installed in the openshift-operators namespace, then you must continue to use the All namespaces on the cluster option. If there are existing operators installed in specific namespaces but not in the openshift-operators namespace, then you must continue to use the A specific namespace on the cluster option.

      The oc get csv -A command shows all the operator installations.

    3. Click Install.

      You can now see the message The operator is being installed. This may take a few minutes.

    4. When you see the message change to Installed operator - ready for use, click View Operator.
      View operator
  7. Verify the Cloud Pak for Business Automation operators successfully installed and all the pods are running.
    1. On the left panel in the OpenShift console, click Workloads > Pods, and switch to the project where you installed the operator.
    2. On the left panel, click Operators > Installed Operators.
    3. Make sure that all the following operators have the status "Succeeded" in your selected <NAMESPACE>.
      Note: The version number (24.0.0) shown below the installed operators corresponds to the channel for Cloud Pak for Business Automation 24.0.0.

      At this point, the OLM is now aware of the operators. A ClusterServiceVersion (CSV) for the operators appear in the target namespace, and APIs provided by the operators are available to use.

    Tip: If the Cloud Pak operator is inactive for some time, you can delete the operator pod and let it reconcile.

What to do next

You can monitor the operator logs with the following commands. Where the <NAMESPACE> is the project (cp4ba-starter) that you created and prepared for the operator. For an all namespaces installation, the namespace is always openshift-operators.

oc project <NAMESPACE>
oc logs -f deployment/ibm-cp4a-operator -c operator

Grant permissions to non-admin user to create a CP4BA deployment

If you want to allow a non-admin user to create a CP4BA deployment, then you can get the role and cluster role names of the operator to give access to a specified user after the operator is deployed successfully.

oc get role | grep ibm-cp4a-operator | sort -t"t" -k1r | awk 'NR==1{print $1}'
oc get clusterrole | grep ibm-cp4a-operator | sort -t"t" -k1r | awk 'NR==1{print $1}'

Run the following commands for each specified user that you want to give permission to create a CP4BA deployment.

oc project <NAMESPACE>
oc adm policy add-role-to-user edit <user_name> 
oc adm policy add-role-to-user registry-editor <user_name>
oc adm policy add-role-to-user <role_name> <user_name>
oc adm policy add-cluster-role-to-user <cluster_role_name> <user_name>
oc adm policy add-cluster-role-to-user icp4aclusters.icp4a.ibm.com-v1-crdview <user_name>

Where <role_name> and <cluster_role_name> are the names of the role and clusterrole that you got from the oc get commands, and the <NAMESPACE> is the project (cp4ba-starter) that you created and prepared for the CP4BA deployment.

Go to and complete the next step in Installing the capabilities in the Red Hat OpenShift console.