Installing IBM Cert Manager by using the CLI

Prerequisites

An OpenShift Container Platform cluster must be installed. For more information on supported OpenShift Container Platform versions, see Supported OpenShift versions and platforms.

Installing the IBM Cert Manager

  1. Create the catalog source for the IBM Cert Manager.

    1. Log in to the cluster by using the oc login command.
    2. Create a YAML file named ibm-cert-manager-catalog.yaml with the following Operator definition:

      apiVersion: operators.coreos.com/v1alpha1
      kind: CatalogSource
      metadata:
        name: ibm-cert-manager-catalog
        namespace: openshift-marketplace
      spec:
        displayName: ibm-cert-manager-4.2.2
        publisher: IBM
        sourceType: grpc
        image: icr.io/cpopen/ibm-cert-manager-operator-catalog
        updateStrategy:
          registryPoll:
            interval: 45m
      
    3. Apply this YAML file by running:

      oc apply -f ibm-cert-manager-catalog.yaml
      
    4. Verify that all the operator packages are created:

      oc -n openshift-marketplace get catalogsource ibm-cert-manager-catalog -o jsonpath="{.status.connectionState.lastObservedState}"
      

      Expected output: READY

  2. Install the IBM Cert Manager Operator.

    1. Create a YAML file named def-certmanager.yaml with the resource definitions that you need:

      apiVersion: v1
      kind: Namespace
      metadata:
        name: ibm-cert-manager
      
      ---
      apiVersion: operators.coreos.com/v1alpha2
      kind: OperatorGroup
      metadata:
        name: operatorgroup
        namespace: ibm-cert-manager
      
      ---
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: ibm-cert-manager-operator
        namespace: ibm-cert-manager
      spec:
        channel: v4.2
        installPlanApproval: Automatic
        name: ibm-cert-manager-operator
        source: ibm-cert-manager-catalog
        sourceNamespace: openshift-marketplace
      
    2. Apply this YAML file:

      oc apply -f def-certmanager.yaml
      

Setting the hardware profile and accepting the license

Complete the following steps:

  1. Edit the default CertManagerConfig resource:

    oc -n ibm-cert-manager edit CertManagerConfig default
    
  2. Update the CPU and memory requests and limits parameters to set the hardware profile, and add the spec.license.accept: true parameter to accept the license.

    apiVersion: operator.ibm.com/v1
    kind: CertManagerConfig
    metadata:
      labels:
        app.kubernetes.io/instance: ibm-cert-manager-operator
        app.kubernetes.io/managed-by: ibm-cert-manager-operator
        app.kubernetes.io/name: cert-manager
      name: default
    spec:
      license:
        accept: true
      certManagerController:
        resources:
          limits:
            cpu: 80m
            memory: 530Mi
          requests:
            cpu: 20m
            memory: 230Mi
      certManagerWebhook:
        resources:
          limits:
            cpu: 60m
            memory: 100Mi
          requests:
            cpu: 30m
            memory: 40Mi
      certManagerCAInjector:
        resources:
          limits:
            cpu: 100m
            memory: 520Mi
          requests:
            cpu: 20m
            memory: 410Mi
      enableCertRefresh: true
      enableWebhook: true
      version: 4.2.2
      imageRegistry: icr.io/cpopen/cpfs
      disableHostNetwork: true
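
The following script is an added example, not part of IBM's procedure: it checks the catalog source, Subscription, ClusterServiceVersion and license flag created on this page, and warns when the CatalogSource image has no digest or the Subscription uses Automatic approval, because in that combination OLM applies catalog changes without review. The function names are hypothetical, and it assumes an active oc login.

```shell
#!/bin/sh
# Added example (not IBM tooling): post-install checks for this page's objects.
# Assumes `oc` is logged in to the cluster; function names are hypothetical.
NS=ibm-cert-manager
CAT_NS=openshift-marketplace
CATALOG=ibm-cert-manager-catalog
SUB=ibm-cert-manager-operator

# field NAMESPACE KIND NAME JSONPATH: print one field of one object.
field() { oc -n "$1" get "$2" "$3" -o jsonpath="$4"; }

# True when an image reference is pinned to an immutable digest.
is_pinned() { case "$1" in *@sha256:*) return 0 ;; *) return 1 ;; esac; }

# Prints FAIL/WARN lines; returns non-zero only when a FAIL was reported.
check_install() {
  rc=0
  state=$(field "$CAT_NS" catalogsource "$CATALOG" '{.status.connectionState.lastObservedState}')
  [ "$state" = "READY" ] || { echo "FAIL: catalog state is '${state}'"; rc=1; }

  # An untagged or tag-only image can change between registryPoll intervals.
  image=$(field "$CAT_NS" catalogsource "$CATALOG" '{.spec.image}')
  is_pinned "$image" || echo "WARN: catalog image is not digest-pinned: $image"

  # Automatic approval lets OLM apply upgrades from that catalog unreviewed.
  approval=$(field "$NS" subscription "$SUB" '{.spec.installPlanApproval}')
  [ "$approval" = "Manual" ] || echo "WARN: installPlanApproval is '${approval}'"

  # The Subscription names the installed CSV; the CSV must reach Succeeded.
  csv=$(field "$NS" subscription "$SUB" '{.status.installedCSV}')
  if [ -z "$csv" ]; then
    echo "FAIL: subscription has no installedCSV yet"; rc=1
  else
    phase=$(field "$NS" clusterserviceversion "$csv" '{.status.phase}')
    [ "$phase" = "Succeeded" ] || { echo "FAIL: $csv phase is '${phase}'"; rc=1; }
  fi

  # The license flag from the CertManagerConfig step must be true.
  accepted=$(field "$NS" CertManagerConfig default '{.spec.license.accept}')
  [ "$accepted" = "true" ] || { echo "FAIL: spec.license.accept is not true"; rc=1; }
  return "$rc"
}

# Run the checks only where the oc client is available.
if command -v oc >/dev/null 2>&1; then check_install; fi
```

With the manifests exactly as shown on this page, a healthy install exits 0 and prints both WARN lines.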