Preparing a namespace for the operator

All instances of an operator need a namespace on all Kubernetes clusters. Depending on your platform type, either prepare the namespace on OCP or on ROKS.

About this task

If you plan to use the Operator Hub in the OCP console, then you must create the necessary namespace for the operator. You can create a namespace before or when you run the cluster setup script.

Note: If you plan to run the cluster setup script, you do not need to create the project beforehand. If you prefer, you can create a new project by using the script.

Procedure

  1. Log in to your cluster.
    Use the oc command line interface for OpenShift container platforms.
    To log in to your OCP cluster:
    oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>

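    Where <cluster-ip>:<port> is the IP address and port number of the cluster, and <password> is the password for your <cluster-admin> user. A password passed with -p is saved in your shell history and is visible in the process list; if you omit -p, oc login prompts for the password instead.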

    Tip: You can copy the oc login command from the console. Log in to the OCP console using valid credentials, click the user drop-down menu, and then click Copy Login command. Click Display token, and copy the token for the oc login command.

    The following command shows an example cluster URL and port.

    oc login https://api.ocp4616-cp4ba.cp.example.com:6443 -u admin -p admin_pwd
    
    To log in to your ROKS cluster:
    oc login --token=<token> --server=https://<cluster-ip>:<port>

    Where the <token> is your API token for your user on the cluster, and <cluster-ip>:<port> is the IP address and port number of the cluster.

    The following example command shows that the token is an almost-unique fixed-size 256-bit (32-byte) hash.

    oc login --token=sha256~5a0GogeS4oEUfG5yFCcPE2Qf-rz5exEUiFaZ4V0Iy1Y --server=https://api.ocp4616-cp4ba.cp.example.com:6443
    
  2. Create a namespace for the operator deployment.

    You can use an existing project in the cluster or create a new namespace. You can create a project in the OpenShift console or on the OCP CLI by running the following command.

    oc new-project <project_name> --description="<description>" --display-name="<display_name>"

    If you do create a project, change the scope in the OpenShift cluster to the new project (cp4ba-project).

    oc project <project_name>

    Note: If you plan to use the All namespaces option to install the operator, then you must have another project in addition to openshift-operators in the cluster before you create the deployment. If you do not have a project for the deployment, then create one. The only way that you can install Cloud Pak for Business Automation in All Namespaces is by using the OCP console.

  3. Optional: If you plan to include Business Automation Insights as an option in your CP4BA deployment and you want to use an external certificate instead of the default CP4BA root CA, then create an Issuer resource with the name cp4ba-tls-issuer.

    For the CP4BA deployment to connect to Kafka and OpenSearch securely, it must have a certificate. An Issuer identifies which certificate authority (CA) in the namespace issues certificates, so to have cert-manager use an external certificate you must create the Issuer before you install a CP4BA deployment.

    1. Use the following YAML to set the namespace and secret name for the Issuer.

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: cp4ba-tls-issuer
        namespace: <project_name>
      spec:
        ca:
          secretName: <secret_name>

    2. Run the following command to create the Secret.

      oc create secret generic <secret_name> \
      --from-file=tls.crt=custom_ca_crt.pem \
      --from-file=ca.crt=custom_ca_crt.pem \
      --from-file=tls.key=custom_ca_key.pem

      Note: The secret contains the actual TLS certificate and its private key (tls.key). For more information about certificates, see Managing certificates.

    The CP4BA operator checks the namespace for the cp4ba-tls-issuer resource, and if it exists, it then creates the necessary certificates for Kafka and OpenSearch.
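
    A pre-flight check that you can run before the oc create secret command in step 3, added here as an example (it is not IBM's or the operator's own code): it confirms that custom_ca_crt.pem parses, is marked as a CA, matches custom_ca_key.pem, and has not expired. The function names, return codes, and the throwaway sample generator are assumptions made for this example, and the openssl CLI must be installed.

```sh
#!/bin/sh
# Added example: pre-flight check for the CA files used by cp4ba-tls-issuer.
# Return codes (chosen for this example): 0 ok, 1 missing or unparsable file,
# 2 certificate is not a CA, 3 key does not match certificate, 4 expired.
check_ca_pair() {
    crt=$1 key=$2
    [ -r "$crt" ] && [ -r "$key" ] || return 1
    openssl x509 -in "$crt" -noout >/dev/null 2>&1 || return 1
    # The Issuer uses spec.ca, so this certificate signs other certificates
    # and needs basicConstraints CA:TRUE.
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 2
    # The key must be the private half of the certificate's public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || return 3
    # -checkend 0 fails when the notAfter date has already passed.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}

# Constructed sample input: writes a throwaway self-signed pair into directory
# $1 with basicConstraints CA:$2 (TRUE or FALSE). For trying the check only.
make_sample_pair() {
    dir=$1 is_ca=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-sample
[ext]
basicConstraints = critical,CA:$is_ca
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/custom_ca_key.pem" -out "$dir/custom_ca_crt.pem" 2>/dev/null
}

# Usage: sh check_ca.sh custom_ca_crt.pem custom_ca_key.pem
if [ "$#" -eq 2 ]; then
    check_ca_pair "$1" "$2"
    rc=$?
    echo "check_ca_pair returned $rc"
    exit "$rc"
fi
```

    A non-zero result means the Secret would give the Issuer an unusable signing pair, so fix the files before you create the Secret.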

What to do next

You can now check that you have access to the container images. For more information, see Getting access to images from the public IBM Entitled Registry.