Installing IBM Cert Manager and Licensing by script


Set the required cluster permissions to run the script. For more information, see Additional cluster permissions for running scripts .


  1. Create the CatalogSource. For more information, see Installing IBM Cloud Pak foundational services by using the OpenShift console.

  2. Log in to the cluster as an administrator with the oc login command.

  3. Go to the ${installer-scripts}/cp3pt0-deployment directory in the downloaded CASE bundle. To download the scripts, see Downloading scripts for additional configuration from specific version CASE bundle.

    cd ${installer-scripts}/cp3pt0-deployment
  4. Run the following command to read the script usage instructions:

    ./ -h
    Usage: --license-accept [OPTIONS]...
    Install Cloud Pak 3 pre-reqs if they do not already exist: ibm-cert-manager-operator and optionally ibm-licensing-operator
    The ibm-cert-manager-operator will be installed in namespace ibm-cert-manager
    The ibm-licensing-operator will be installed in namespace ibm-licensing
    The --license-accept must be provided.
      --oc string                                    File path to oc CLI. Default uses oc in your PATH
      --operator-namespace string                    Namespace to migrate Cloud Pak 2 Foundational services
      --enable-licensing                             Set this flag to install ibm-licensing-operator
      --enable-private-catalog                       Set this flag to use namespace scoped CatalogSource. Default is in openshift-marketplace namespace
      --cert-manager-source string                   CatalogSource name of ibm-cert-manager-operator. This assumes your CatalogSource is already created. Default is ibm-cert-manager-catalog
      --licensing-source string                      CatalogSource name of ibm-licensing. This assumes your CatalogSource is already created. Default is ibm-licensing-catalog
      -cmNs, --cert-manager-namespace string         Set custom namespace for ibm-cert-manager-operator. Default is ibm-cert-manager
      -licensingNs, --licensing-namespace string     Set custom namespace for ibm-licensing-operator. Default is ibm-licensing
      --license-accept                               Set this flag to accept the license agreement.
      -c, --channel string                           Channel for Subscription(s). Default is v4.2
      -i, --install-mode string                      InstallPlan Approval Mode. Default is Automatic. Set to Manual for manual approval mode
      -h, --help                                     Print usage information
  5. If you need to migrate IBM Cert Manager and IBM License Service v3.x.x from the existing IBM Cloud Pak, run the following command:

    ./ --license-accept --operator-namespace <Cloud Pak 2 Foundational Service Namespace> --enable-licensing

    To migrate cert-manager only, run the following command:

    ./ --license-accept --operator-namespace <Cloud Pak 2 Foundational Service Namespace>

    See the following notes:

    • You can skip this step if you download the script from CASE bundle v4.1.x or later in Step 2. The script determines the migration path automatically based on the version of the IBM Cert Manager and IBM License service installed in the cluster in the next step.

    • Ensure that the catalog sources of the IBM Cert Manager and IBM License Service exist in the openshift-marketplace and ibm-licensing namespaces.

    • To determine <Cloud Pak 2 Foundational Service Namespace>, run the following command:

      $ oc get csv -A | grep ibm-cert-manager-operator.v3 | awk '{print $1}'
  6. If you need to install the new IBM Cert Manager and IBM License Service, run the following command:

    ./ --license-accept --enable-licensing

    To install IBM Cert Manager only, run the following command:

    ./ --license-accept
  7. Verify that the following components are installed in the cluster.

    • Make sure that the IBM Cert-Manager Operator is installed in the ibm-cert-manager namespace.

      $ oc get subscription -n ibm-cert-manager
      $ oc get csv -n ibm-cert-manager

      The following output is displayed:

      NAME                        PACKAGE                     SOURCE                CHANNEL
      ibm-cert-manager-operator   ibm-cert-manager-operator   opencloud-operators   v4.2
      NAME                               DISPLAY            VERSION   REPLACES   PHASE
      ibm-cert-manager-operator.v4.2.10   IBM Cert Manager   4.2.10                Succeeded
    • Make sure that the IBM Cert-Manager-Config Operand is created.

      $ oc get certmanagerconfig -A

      The following output is displayed:

      NAME      AGE
      default   75m
    • Make sure that the IBM Cert-Manager Pods are running in ibm-cert-manager namespace.

      $ oc get pods -n ibm-cert-manager

      The following output is displayed:

      NAME                                         READY   STATUS    RESTARTS   AGE
      cert-manager-cainjector-7cfcd9948-lwh2n      1/1     Running   0          76m
      cert-manager-controller-7759f789f5-2jldr     1/1     Running   0          76m
      cert-manager-webhook-86b9b4b757-dvxg6        1/1     Running   0          76m
      ibm-cert-manager-operator-747fdbf467-cc4ss   1/1     Running   0          77m
    • Make sure that the IBM Licensing Operator is installed in the ibm-licensing namespace. (If it is migrated, IBM Licensing Operator is installed in the control-namespace).

      $ oc get subscription -n ibm-licensing
      $ oc get csv -n ibm-licensing
      NAME                         PACKAGE                      SOURCE                CHANNEL
      ibm-licensing-operator-app   ibm-licensing-operator-app   opencloud-operators   v4.2
      NAME                               DISPLAY            VERSION   REPLACES   PHASE
      ibm-licensing-operator.v4.2.10      IBM Licensing      4.2.10                Succeeded