All instances of an operator need a namespace on all Kubernetes clusters. Depending on
your platform type, either prepare the namespace on OCP or on ROKS.
About this task
If you plan to use the Operator Hub in the OCP console, then you must create the necessary
namespace for the operator. You can create a namespace before or when you run the cluster setup script.
Note: If you plan to run the cluster setup script, you do not need to create the project beforehand. If you prefer, you
can create a new project by using the script.
Procedure
- Log in to your cluster.
  Use the oc command line interface for OpenShift container platforms.
  To log in to your OCP cluster:
    oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>
  Where <cluster-ip>:<port> is the IP address and port number of the cluster, and <password> is the password for your <cluster-admin> user.
  Tip: You can copy the oc login command from the console. Log in to the OCP console using valid credentials, click the user drop-down menu and then click Copy Login command. Click Display token, and copy the token for the oc login command.
  The following command shows an example cluster URL and port.
    oc login https://api.ocp4616-cp4ba.cp.example.com:6443 -u admin -p admin_pwd
  To log in to your ROKS cluster:
    oc login --token=<token> --server=https://<cluster-ip>:<port>
  Where <token> is your API token for your user on the cluster, and <cluster-ip>:<port> is the IP address and port number of the cluster.
  The following example command shows that the token is an almost-unique fixed-size 256-bit (32-byte) hash.
    oc login --token=sha256~5a0GogeS4oEUfG5yFCcPE2Qf-rz5exEUiFaZ4V0Iy1Y --server=https://api.ocp4616-cp4ba.cp.example.com:6443
- Create a namespace for the operator deployment.
  You can use an existing project in the cluster or create a new namespace. You can create a project in the OpenShift console or on the OCP CLI by running the following command.
    oc new-project <project_name> --description="<description>" --display-name="<display_name>"
  If you do create a project, change the scope in the OpenShift cluster to the new project (cp4ba-project).
    oc project <project_name>
  Note: If you plan to use the All namespaces option to install the operator, then you must have another project in addition to openshift-operators in the cluster before you create the deployment. If you do not have a project for the deployment, then create one. The only way that you can install Cloud Pak for Business Automation in All Namespaces is by using the OCP console.
- Optional: If you plan to include Business Automation Insights as an option in your CP4BA deployment and you want to use an external certificate instead of the default CP4BA root CA, then create an Issuer resource with the name cp4ba-tls-issuer.
  For the CP4BA deployment to connect to Kafka and OpenSearch securely, it must have a certificate. An Issuer identifies which certificate authority (CA) in the namespace issues a certificate, so you must create an Issuer for cert-manager to use an external certificate before you install a CP4BA deployment.
  - Use the following YAML to set the namespace and secret name for the Issuer.
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: cp4ba-tls-issuer
      namespace: <project_name>
    spec:
      ca:
        secretName: <secret_name>
  - Run the following command to create the Secret.
    oc create secret generic <secret_name> \
      --from-file=tls.crt=custom_ca_crt.pem \
      --from-file=ca.crt=custom_ca_crt.pem \
      --from-file=tls.key=custom_ca_key.pem
    Note: The secret contains the actual TLS certificate. For more information about certificates, see Managing certificates.
  The CP4BA operator checks the namespace for the cp4ba-tls-issuer resource, and if it exists, it then creates the necessary certificates for Kafka and OpenSearch.
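The Issuer can only sign with a CA certificate whose private key matches, so it is worth checking custom_ca_crt.pem and custom_ca_key.pem before the secret is created. The following script is an added example, not part of the original procedure; the function names check_ca_pair and create_ca_secret are hypothetical, and it assumes that openssl and oc are on the PATH.

```sh
#!/bin/sh
# Added example: pre-flight check for the CA files used by cp4ba-tls-issuer.
# check_ca_pair and create_ca_secret are hypothetical helper names.

# check_ca_pair CERT KEY
# Returns 0 if usable, 1 unreadable file, 2 not a CA certificate,
# 3 expired, 4 private key does not match the certificate.
check_ca_pair() {
    ccp_cert=$1
    ccp_key=$2
    # Extract both public keys; an encrypted key fails here instead of prompting.
    ccp_cert_pub=$(openssl x509 -in "$ccp_cert" -noout -pubkey 2>/dev/null) || return 1
    ccp_key_pub=$(openssl pkey -in "$ccp_key" -pubout -passin pass: 2>/dev/null) || return 1
    # A CA Issuer signs with this certificate, so basicConstraints must say CA:TRUE.
    openssl x509 -in "$ccp_cert" -noout -text | grep -q 'CA:TRUE' || return 2
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$ccp_cert" -noout -checkend 0 >/dev/null 2>&1 || return 3
    # tls.key must be the private half of the key in tls.crt.
    [ "$ccp_cert_pub" = "$ccp_key_pub" ] || return 4
    return 0
}

# create_ca_secret SECRET NAMESPACE CERT KEY
# Runs the check, then the same oc command as the procedure (with -n made explicit).
create_ca_secret() {
    check_ca_pair "$3" "$4" || {
        echo "refusing to create $1: CA check failed with code $?" >&2
        return 1
    }
    oc create secret generic "$1" -n "$2" \
        --from-file=tls.crt="$3" \
        --from-file=ca.crt="$3" \
        --from-file=tls.key="$4"
}

# Only act when called with all four arguments, e.g.
#   sh check_ca.sh <secret_name> <project_name> custom_ca_crt.pem custom_ca_key.pem
if [ "$#" -eq 4 ]; then
    create_ca_secret "$@"
fi
```

A non-zero code from check_ca_pair identifies which property failed, so a mismatched or non-CA file is caught before cert-manager tries to issue the Kafka and OpenSearch certificates.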
What to do next
You can now check that you have access to the container images. For more information, see Getting access to images from the public IBM Entitled Registry.