Installing IBM Cert Manager by using the CLI

Prerequisites

An OpenShift Container Platform cluster must be installed. For more information on supported OpenShift Container Platform versions, see Supported OpenShift versions and platforms.

Installing the IBM Cert Manager

  1. Create the cert-manager catalog source.

    1. Log in to the cluster by using the oc login command.
    2. Create a YAML file named ibm-cert-manager-catalog.yaml with the following CatalogSource definition:

      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
        name: ibm-cert-manager-catalog
        namespace: openshift-marketplace
      spec:
        displayName: ibm-cert-manager-4.2.1
        publisher: IBM
        sourceType: grpc
        image: icr.io/cpopen/ibm-cert-manager-operator-catalog
        updateStrategy:
          registryPoll:
            interval: 45m
      
    3. Apply this YAML file by running:

      oc apply -f ibm-cert-manager-catalog.yaml
      
    4. Verify that all the operator packages are created:

      oc -n openshift-marketplace get catalogsource ibm-cert-manager-catalog -o jsonpath="{.status.connectionState.lastObservedState}"
      

      Expected output: READY

  2. Install the IBM Cert Manager Operator.

    1. Create a YAML file named def-certmanager.yaml with the resource definitions that you need:

      apiVersion: v1
      kind: Namespace
      metadata:
        name: ibm-cert-manager

      ---
      apiVersion: operators.coreos.com/v1alpha2
      kind: OperatorGroup
      metadata:
        name: operatorgroup
        namespace: ibm-cert-manager

      ---
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: ibm-cert-manager-operator
        namespace: ibm-cert-manager
      spec:
        channel: v4.2
        installPlanApproval: Automatic
        name: ibm-cert-manager-operator
        source: ibm-cert-manager-catalog
        sourceNamespace: openshift-marketplace

    2. Apply this YAML file by running:

      oc apply -f def-certmanager.yaml
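
As an added example (not part of IBM's procedure or tooling), the following shell function reports the settings in the CatalogSource and Subscription above that let operator content change after installation without a manual step: a catalog image reference with no digest, the registryPoll interval, and Automatic install plan approval. The function names audit_manifest and page_manifests are hypothetical; the embedded manifests are the ones from this page, reduced to the fields checked.

```shell
#!/bin/sh
# Added example, not IBM tooling: list settings in the manifests above that let
# operator content change after install without a manual review step.
audit_manifest() {   # reads the files given as arguments, or stdin
  awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    line == "---"   { kind = ""; next }
    line ~ /^kind:/ { kind = val(line); next }
    kind == "CatalogSource" && line ~ /^image:/ {
      img = val(line); last = img; sub(/.*\//, "", last)
      if (img ~ /@sha256:/) next                 # digest-pinned, nothing to report
      if (last ~ /:/) print "image: tag can be re-pointed: " img
      else            print "image: no tag or digest, resolves to latest: " img
    }
    kind == "CatalogSource" && line ~ /^interval:/ {
      print "registryPoll: catalog image is re-pulled every " val(line)
    }
    kind == "Subscription" && line ~ /^installPlanApproval:/ && val(line) == "Automatic" {
      print "installPlanApproval: new versions in the channel install without approval"
    }
  ' "$@"
}

# The CatalogSource and Subscription from this page, reduced to the fields checked.
page_manifests() {
  cat <<'EOF'
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-cert-manager-catalog
spec:
  sourceType: grpc
  image: icr.io/cpopen/ibm-cert-manager-operator-catalog
  updateStrategy:
    registryPoll:
      interval: 45m
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-cert-manager-operator
spec:
  channel: v4.2
  installPlanApproval: Automatic
EOF
}

page_manifests | audit_manifest
```

To check the real files before oc apply, run audit_manifest ibm-cert-manager-catalog.yaml def-certmanager.yaml.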
    

Setting the hardware profile and accepting the license

  1. Edit the CertManagerConfig resource named default:

    oc -n ibm-cert-manager edit CertManagerConfig default
    
  2. Update the CPU and memory request and limit parameters to set the hardware profile, and add the spec.license.accept: true parameter to accept the license.

    apiVersion: operator.ibm.com/v1
    kind: CertManagerConfig
    metadata:
      labels:
        app.kubernetes.io/instance: ibm-cert-manager-operator
        app.kubernetes.io/managed-by: ibm-cert-manager-operator
        app.kubernetes.io/name: cert-manager
      name: default
    spec:
      license:
        accept: true
      certManagerController:
        resources:
          limits:
            cpu: 80m
            memory: 530Mi
          requests:
            cpu: 20m
            memory: 230Mi
      certManagerWebhook:
        resources:
          limits:
            cpu: 60m
            memory: 100Mi
          requests:
            cpu: 30m
            memory: 40Mi
      certManagerCAInjector:
        resources:
          limits:
            cpu: 100m
            memory: 520Mi
          requests:
            cpu: 20m
            memory: 410Mi
      enableCertRefresh: true
      enableWebhook: true
      version: 4.2.1
      imageRegistry: icr.io/cpopen/cpfs
      disableHostNetwork: true