Installing IBM Cert Manager by using the CLI

This version of documentation is no longer updated. For the latest information, see the following links:
- Continuous Delivery (CD) documentation
- Support Cycle-2 (SC-2) documentation

Prerequisites

An OpenShift Container Platform cluster must be installed. For more information on supported OpenShift Container Platform versions, see Supported OpenShift versions and platforms.

Installing the IBM Cert Manager

1. Create the catalog source for the IBM Cert Manager.

   1. Log in to the cluster by using the oc login command.

   2. Create a YAML file named ibm-cert-manager-catalog.yaml with the following Operator definition:

      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
        name: ibm-cert-manager-catalog
        namespace: openshift-marketplace
      spec:
        displayName: ibm-cert-manager-4
        publisher: IBM
        sourceType: grpc
        image: icr.io/cpopen/ibm-cert-manager-operator-catalog
        updateStrategy:
          registryPoll:
            interval: 45m
      

   3. Apply this YAML file by running:

      oc apply -f ibm-cert-manager-catalog.yaml
      

   4. Verify that all the operator packages are created:

      oc -n openshift-marketplace get catalogsource ibm-cert-manager-catalog -o jsonpath="{.status.connectionState.lastObservedState}"
      

      Expected output: READY

2. Install the IBM Cert Manager Operator.

   1. Create a YAML file named, def-certmanager.yaml, with the resources definitions that you need.

   2. Apply this YAML file:

      oc apply -f def-certmanager.yaml
      

      apiVersion: v1
      kind: Namespace
      metadata:
        name: ibm-cert-manager
      
      ---
      apiVersion: operators.coreos.com/v1alpha2
      kind: OperatorGroup
      metadata:
        name: operatorgroup
        namespace: ibm-cert-manager
      
      ---
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: ibm-cert-manager-operator
        namespace: ibm-cert-manager
      spec:
        channel: v4.0
        installPlanApproval: Automatic
        name: ibm-cert-manager-operator
        source: ibm-cert-manager-catalog
        sourceNamespace: openshift-marketplace
      

Setting the hardware profile and accepting the license

See the following notes:

• The steps in this section are required only if you need to update the default hardware profile or accept the license.
• spec.license.accept: true is an optional parameter. To enable IBM Support, you must accept the license. For more information about Licensing acceptance, see License Accept.

1. Edit the cert-manager-config resource:

   oc -n ibm-cert-manager edit CertManagerConfig default
   

2. Update the CPU, memory request and limits parameters to set the hardware profile, and add the spec.license.accept: true parameter to accept the license.

   apiVersion: operator.ibm.com/v1
   kind: CertManagerConfig
   metadata:
     labels:
       app.kubernetes.io/instance: ibm-cert-manager-operator
       app.kubernetes.io/managed-by: ibm-cert-manager-operator
       app.kubernetes.io/name: cert-manager
     name: default
   spec:
     license:
       accept: true
     certManagerController:
       resources:
         limits:
           cpu: 80m
           memory: 530Mi
         requests:
           cpu: 20m
           memory: 230Mi
     certManagerWebhook:
       resources:
         limits:
           cpu: 60m
           memory: 100Mi
         requests:
           cpu: 30m
           memory: 40Mi
     certManagerCAInjector:
       resources:
         limits:
           cpu: 100m
           memory: 520Mi
         requests:
           cpu: 20m
           memory: 410Mi
     enableCertRefresh: true
     enableWebhook: true
     version: 4
     imageRegistry: icr.io/cpopen/cpfs
     disableHostNetwork: true