Setting up the cluster in the OpenShift console

Edit online

You can install the Cloud Pak for Business Automation operators with the IBM catalogs in the Red Hat OpenShift console. By configuring a namespace-scoped Cloud Pak foundational services for your Cloud Pak for Business Automation deployment, you can install multiple CP4BA instances in the same cluster each with their own foundational services.

About this task

The recommended way to install Cloud Pak for Business Automation is by running the scripts. The scripts guide you through the process step-by-step, create SQL scripts for you to create databases, generate YAML files for the required Kubernetes secrets, and check the external resources during the installation. For more information, see (Recommended) Setting up the cluster by running a script.

IBM provides operators to OpenShift in the form of a catalog. A catalog is added to an OpenShift cluster by using a CatalogSource resource. After you apply a CatalogSource resource, the IBM catalog appears in the OCP OperatorHub under All items > Business Automation.

Procedure

Log in to your OCP or ROKS cluster as a cluster administrator.
To allow a non-administrator user to create the Cloud Pak operators, you must create an OperatorGroup.
1. As a cluster administrator, grant administrator ClusterRoleBinding with administrator ClusterRole to the non-administrator user:
```
oc create clusterrolebinding <binding-name> --clusterrole=admin --user=<username>
```
  Where <username> is the non-administrator user and <binding-name> is the ClusterRoleBinding name.
2. Create a ClusterRoleBinding with "aggregate-olm-view" ClusterRole for the user:
```
oc create clusterrolebinding user-aggregate-olm-view --clusterrole=aggregate-olm-view --user=<username>
```
3. The cluster administrator then creates an OperatorGroup in the namespace where the non-administrator user is going to deploy the operators.
  Apply the OperatorGroup by running the following command:
```
oc create -n cp4ba-project -f operator_group.yaml
```
  The following operator_group.yaml file assigns spec.targetNamespaces to match the target namespace.
```
apiVersion: operators.coreos.com/v1alpha2
kind: OperatorGroup
metadata:
  name: my-user-operatorgroup  
  namespace: cp4ba-project
spec:  
  targetNamespaces:  
  - cp4ba-project
```
  Where cp4ba-project is the namespace that you created for the CP4BA deployment.
Create two new projects in the OCP console: one project for the Certificate Manager catalog (ibm-cert-manager) and one project for the License Manager catalog (ibm-licensing).

Add the CatalogSource resources to Operator Hub for the versions that you want to install. Each interim fix has a specific version and unique digest, which are needed for the new catalog sources.

To import the YAML into your cluster in the OCP Admin console:

Click the plus icon at the top of the console. The Import YAML editor opens.
You can import the entire catalog source YAML into the editor from the corresponding catalog_source.yaml file, and click Create. You can also paste the individual CatalogSource resource definitions one-by-one into the editor.

Note: You can find the CatalogSource YAML in the catalog_source.yaml file, which is located in the cert-kubernetes package in the cert-kubernetes/descriptors/op-olm directory.
For more information about downloading cert-kubernetes, see Preparing a client to connect to the cluster.

The following example of the catalog sources does not show the real digests for 24.0.0 and its corresponding dependencies. The example does show the names and the number and version of the catalog sources that you need to create for each new installation that you want to use. Replace XXXXXXXXXXXX with the digest for each catalog source and replace the <namespace> placeholder with openshift-marketplace for the global catalog namespace (GCN) or your target CP4BA namespace (cp4ba-project) for a private catalog.

For the Certificate Manager and License Manager catalogs, set the openshift-marketplace namespace to use a global catalog. For private catalogs, set the recommended namespaces of ibm-cert-manager and ibm-licensing.

# CP4BA Multi-pattern Catalog 24.0.0 
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-cp4a-operator-catalog
  namespace: <namespace>
spec:
  displayName: ibm-cp4a-operator
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-cp-automation-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m

# IBM FileNet Content Manager Catalog 24.0.0
apiVersion: operators.coreos.com/v1alpha1 
kind: CatalogSource 
metadata: 
  name: ibm-fncm-operator-catalog
  namespace: <namespace> 
spec: 
  displayName: ibm-fncm-operator 
  publisher: IBM 
  sourceType: grpc 
  image: icr.io/cpopen/ibm-fncm-catalog@sha256:XXXXXXXXXXXX 
  updateStrategy: 
    registryPoll: 
    interval: 45m

# IBM Cloud Pak foundational services 4.6.2
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-cs-install-catalog-v4-6-2
  namespace: <namespace>
  annotations:
    bedrock_catalogsource_priority: '1'
spec:
  displayName: IBM CS Install Operators
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-cs-install-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m
  priority: 100

# IBM Business Teams Service Catalog 3.33.1
 apiVersion: operators.coreos.com/v1alpha1
 kind: CatalogSource
 metadata:
  annotations:
    bedrock_catalogsource_priority: '1'
  name: bts-operator
  namespace: <namespace>
 spec:
  displayName: BTS Operator
  publisher: IBM
  sourceType: grpc
  image: quay.io/opencloudio/ibm-bts-operator-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m

# Cloud Native PostgresSQL Catalog 1.18.12 (4.25.0)
 apiVersion: operators.coreos.com/v1alpha1
 kind: CatalogSource
 metadata:
  annotations:
    bedrock_catalogsource_priority: '1'
  name: cloud-native-postgresql-catalog
  namespace: <namespace>
 spec:
  displayName: Cloud Native Postgresql Catalog
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-cpd-cloud-native-postgresql-operator-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m

# IBM CS Flink Operator Catalog 1.18.1 (2.0.1)
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-opencontent-flink
  namespace: <namespace>
spec:
  displayName: IBM CS Opencontent Flink Catalog
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-opencontent-flink-operator-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m
  priority: 100

# IBM CS Opensearch Operator Catalog 1.1.21
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-cs-opensearch-catalog
  namespace: <namespace>
spec:
  displayName: IBM CS Opencontent Opensearch Catalog
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/opencontent-elasticsearch-operator-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m
  priority: 100

# IBM Certificate Manager Catalog 4.2.4
apiVersion: operators.coreos.com/v1alpha1 
kind: CatalogSource 
metadata: 
  name: ibm-cert-manager-catalog 
  namespace: ibm-cert-manager 
spec: 
  displayName: ibm-cert-manager-4.2.4 
  publisher: IBM 
  sourceType: grpc 
  image: icr.io/cpopen/ibm-cert-manager-operator-catalog@sha256:XXXXXXXXXXXX
  updateStrategy: 
    registryPoll: 
    interval: 45m

# IBM Licensing Catalog 4.2.4
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-licensing-catalog
  namespace: ibm-licensing
spec:
  displayName: ibm-licensing-4.2.4
  publisher: IBM
  image: icr.io/cpopen/ibm-licensing-catalog@sha256:XXXXXXXXXXXX
  sourceType: grpc
  updateStrategy:
    registryPoll:
      interval: 45m

# IBM CS IM Operator Catalog 4.5.1
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-iam-operator-catalog
  namespace: <namespace>
  annotations:
    bedrock_catalogsource_priority: '1'
spec:
  displayName: IBM IAM Operator Catalog
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-iam-operator-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m
  priority: 100

# IBM Zen Operator Catalog 5.1.4
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-zen-operator-catalog
  namespace: <namespace>
  annotations:
    bedrock_catalogsource_priority: '1'
spec:
  displayName: IBM Zen Operator Catalog
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-zen-operator-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m
  priority: 100

# IBM Events Operator Catalog 5.0.1
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-events-operator-catalog
  namespace: <namespace>
  annotations:
    bedrock_catalogsource_priority: '1'
spec:
  displayName: IBM Events Operator Catalog
  publisher: IBM
  sourceType: grpc
  image: icr.io/cpopen/ibm-events-operator-catalog@sha256:XXXXXXXXXXXX
  updateStrategy:
    registryPoll:
      interval: 45m
  priority: 100

Install the IBM Certificate Manager and IBM License Service operators from the Operator Hub.
1. In the All Items field, enter IBM Cert Manager. The IBM Cert Manager catalog is displayed.
2. Click the IBM Cert Manager tile. The IBM Cert Manager window is displayed.
3. Click Install. The Install Operator page is displayed.
4. Set the Update Channel to v4.2.
5. Set the Installation Mode to All namespaces on the cluster (default).
6. Set the Installed Namespace to the ibm-cert-manager(Operator recommended) namespace.
7. Set the Update approval to Automatic.
8. Click Install.
9. In the All Items field, enter IBM Licensing. The IBM Licensing catalog is displayed.
10. Click the IBM Licensing tile. The IBM Licensing window is displayed.
11. Click Install. The Install Operator page is displayed.
12. Set the Update Channel to v4.2.
13. Set the Installation Mode to A specific namespace on the cluster.
14. Set the Installed Namespace to the ibm-licensing namespace.
15. Set the Update approval to Automatic.
16. Click Install.
Either an admin user or a non-admin user can now login to the OpenShift console, click Operators to open the OperatorHub, and then enter cp4ba in the Filter by keyword box under All items.
Click the IBM Cloud Pak® for Business Automation (CP4BA) multi-pattern (ibm-cp4a-operator) catalog item, and click Install.
1. In the configuration panel, fill in all the required fields.
  Select the channel (v24.0 for 24.0.0).
  
  If you set any subscriptions to manual, then you must approve any pending operator updates. It is not recommended to set subscriptions to manual because it can make the installation error prone when some of the dependency operators are not approved. By default, all subscriptions are set to automatic.
  Tip: Subscriptions for the Cloud Pak foundational services operators are created when they are "needed". Some subscriptions are created during the installation of the operators. If other subscriptions are needed, they are created during the installation of the CP4BA deployment. Business Teams Service, for example, is installed only "if it is needed". To check for subscriptions that are waiting for approval, get the install plans by running the following command.
```
oc get installPlan
```
  The default mode is All namespaces on the cluster, but choose A specific namespace on the cluster under Installation Mode and select a namespace from the Installed Namespace menu to install in a single or the operator's own namespace.
  Attention: All namespaces is not recommended by IBM for new installations. If you do want to install in the All namespaces mode, create the "ibm-common-services" namespace for Cloud Pak foundational services and then make sure that you create a ConfigMap (ibm-cp4ba-common-config) with the following YAML.
```
kind: ConfigMap
apiVersion: v1
metadata:
  name: ibm-cp4ba-common-config
  namespace: <namespace>
data:
  operators_namespace: "openshift-operators"
  services_namespace: "ibm-common-services"
```
  If you do not want to install in the All namespaces mode, create a ConfigMap (ibm-cp4ba-common-config) in the namespace that you created and prepared for the operator (cp4ba-project).
```
kind: ConfigMap
apiVersion: v1
metadata:
  name: ibm-cp4ba-common-config
  namespace: <namespace>
data:
  operators_namespace: "<namespace>"
  services_namespace: "<namespace>"
```
  Set the <namespace> that you created and prepared for the operator (cp4ba-project). For more information, see Preparing a namespace for the operator.
  Important: Before you install the operators, check for existing installations of the Cloud Pak for Business Automation operators. If there are existing operators installed in the openshift-operators namespace, then you must continue to use the All namespaces on the cluster option. If there are existing operators that are installed in specific namespaces but not in the openshift-operators namespace, then you must continue to use the A specific namespace on the cluster option.
  The oc get csv -A command shows all the operator installations.
2. Click Install.
3. In the Installed Operators view, verify the status of the IBM Cloud Pak for Business Automation installation.
Verify the Cloud Pak for Business Automation operators successfully installed.
1. On the left panel in the OpenShift console, click Workloads > Pods, and switch to the project where you installed the operator. Verify that all the pods are running.
2. On the left panel, click Operators > Installed Operators.
3. Make sure that all operators have the status "Succeeded" in your selected <NAMESPACE>.
  Note: The version number (24.0.0) shown below the installed operators corresponds to the channel for Cloud Pak for Business Automation 24.0.0.
  
  The OLM is now aware of the operators. A ClusterServiceVersion (CSV) for the operators appear in the target namespace, and APIs provided by the operators are available to use.
Tip: If the Cloud Pak operator is inactive for some time, you can delete the operator pod and force it to reconcile.

What to do next

You can monitor the operator logs with the following commands. Where the <NAMESPACE> is the project (cp4ba-project) that you created and prepared for the operator. For an all namespaces installation, the namespace is always openshift-operators.

oc project <NAMESPACE>
oc logs -f deployment/ibm-cp4a-operator -c operator

Grant permissions to non-admin user to create a CP4BA deployment

If you want to allow a non-admin user to create a CP4BA deployment, then you can get the role and cluster role names of the operator to give access to a specified user. To get the names after the operator is deployed successfully, use the following command.

oc get role | grep ibm-cp4a-operator | sort -t"t" -k1r | awk 'NR==1{print $1}'

Run the following commands for each specified user that you want to give permission to create a CP4BA deployment.

oc project <NAMESPACE>
oc adm policy add-role-to-user edit <user_name> 
oc adm policy add-role-to-user registry-editor <user_name>
oc adm policy add-role-to-user <role_name> <user_name> 
oc adm policy add-cluster-role-to-user icp4aclusters.icp4a.ibm.com-v1-crdview <user_name>

Where <role_name> is the name of the role that you got from running the oc get command, and the <NAMESPACE> is the project (cp4ba-project) that you created and prepared for the CP4BA deployment.

You can see the list of operators that are installed in your cluster on the Operators > Installed Operators page. For more information about foundational services, see IBM Cloud Pak foundational services.

To verify the foundational services installation, check whether all the pods in the namespace that is used for the CP4BA deployment are running. Use the following command:

oc get pods -n <namespace>

You can also use the following command to verify whether the services are successfully installed:

oc -n <namespace> get csv

Continue to prepare everything that you need for each capability that you want to install in Preparing your chosen capabilities.