Reauthorizing an instance administrator with the minimum RBAC to upgrade components (Upgrading from Version 5.3 to Version 5.4)

If you gave an instance administrator the minimum role-based access control (RBAC) to install IBM® Software Hub software, you must update the roles that are assigned to the user so that the user has sufficient privileges to upgrade the instance.

Upgrade phase
  • Updating your client workstation
  • Collecting required information
  • Preparing to run an upgrade in a restricted network
  • Preparing to run an upgrade from a private container registry
  • Upgrading prerequisite software
  • Upgrading shared cluster components
  • Preparing to upgrade an instance (you are here)
  • Upgrading an instance
  • Setting up IBM Software Hub
Who needs to complete this task?

Cluster administrator: A cluster administrator must complete this task.

When do you need to complete this task?
  • If you gave a user the admin role on the project, you can skip this task.
  • If you gave a user the minimum role-based access control (RBAC) to install IBM Software Hub, you must complete this task to give the user sufficient privileges to upgrade the instance.

    Repeat as needed: If you have multiple instances of IBM Software Hub, you must repeat this task for each instance of IBM Software Hub that you plan to upgrade.

Before you begin

Best practice: You can run the commands in this task exactly as written using the installation environment variables. Ensure that you added the new environment variables described in Updating your environment variables script.

In addition, ensure that you source the environment variables before you run the commands in this task.

About this task

Use the show-minimum-rbac command to generate the YAML files that you can use to give a user the minimum RBAC to upgrade the components associated with an instance of IBM Software Hub.

You must regenerate and reapply the roles that are assigned to the instance administrator so that the user has sufficient privileges to upgrade the instance.

Procedure

  1. Log the cpd-cli in to the Red Hat® OpenShift® Container Platform cluster:
    ${CPDM_OC_LOGIN}
    Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
  2. Set the ROLE_NAME environment variable to the identifier that you use for minimum RBAC roles associated with this instance of IBM Software Hub.
    export ROLE_NAME=<role-name>
  3. Run the cpd-cli manage show-minimum-rbac command to generate the YAML files that you can use to create the roles with the minimum RBAC for the components:
    cpd-cli manage show-minimum-rbac \
    --components=${COMPONENTS} \
    --release=${VERSION} \
    --patch_id=${PATCH_ID} \
    --role_name=${ROLE_NAME}
    The command generates the following YAML files in the work directory:
    • ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml
    • ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml
  4. Change to the work directory.
  5. Create the roles from the YAML files.
    To create the required roles in the specified projects, run:

    # Create the roles for the backup and restore orchestration project
    # =======================================================================================
    oc apply \
    -f ${BR_ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_BR_SVC}
    
    oc apply \
    -f ${BR_ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_BR_SVC}
    
    # Create the roles for the operators project
    # =======================================================================================
    oc apply \
    -f ${BR_ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERATORS}
    
    oc apply \
    -f ${BR_ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERATORS}
    
    oc apply \
    -f ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERATORS}
    
    oc apply \
    -f ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERATORS}
    
    # Create the roles for the operands project
    # =======================================================================================
    oc apply \
    -f ${BR_ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERANDS}
    
    oc apply \
    -f ${BR_ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERANDS}
    
    oc apply \
    -f ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERANDS}
    
    oc apply \
    -f ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERANDS}
    
    # If there are tethered projects, create the roles in the tethered projects
    # =======================================================================================
    if [ -n "${PROJECT_CPD_INSTANCE_TETHERED}" ]; then
        IFS=',' read -ra TETHERED_NS_LIST <<< "${PROJECT_CPD_INSTANCE_TETHERED}"
        
        for TETHERED_NS in "${TETHERED_NS_LIST[@]}"; do
          oc apply \
          -f ${BR_ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
          --namespace=${TETHERED_NS}
    
          oc apply \
          -f ${BR_ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
          --namespace=${TETHERED_NS}
    
          oc apply \
          -f ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
          --namespace=${TETHERED_NS}
    
          oc apply \
          -f ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
          --namespace=${TETHERED_NS}
        done
    fi
  6. Set the INSTANCE_ADMIN environment variable to the username of the Red Hat OpenShift Container Platform user that you want to give administration privileges to.
    export INSTANCE_ADMIN=<user>
  7. Assign the user the roles that you created in the previous step.
    Tip: The following commands use the oc adm policy add-role-to-user <role-name> <user-name> command. Alternatively, you can use the oc adm policy add-role-to-group <role-name> <group-name> command to authorize a group of Red Hat OpenShift Container Platform users.

    To assign the roles, run:

    # Assign the required roles in the backup and restore orchestration project
    # =======================================================================================
    oc adm policy add-role-to-user ${BR_ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_BR_SVC} \
    --role-namespace=${PROJECT_CPD_INST_BR_SVC}
    
    oc adm policy add-role-to-user ${BR_ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_BR_SVC} \
    --role-namespace=${PROJECT_CPD_INST_BR_SVC}
    
    # Assign the required roles in the operators project
    # =======================================================================================
    oc adm policy add-role-to-user ${BR_ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_OPERATORS} \
    --role-namespace=${PROJECT_CPD_INST_OPERATORS}
    
    oc adm policy add-role-to-user ${BR_ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_OPERATORS} \
    --role-namespace=${PROJECT_CPD_INST_OPERATORS}
    
    oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_OPERATORS} \
    --role-namespace=${PROJECT_CPD_INST_OPERATORS}
    
    oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_OPERATORS} \
    --role-namespace=${PROJECT_CPD_INST_OPERATORS}
    
    # Assign the required roles in the operands project
    # =======================================================================================
    oc adm policy add-role-to-user ${BR_ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --role-namespace=${PROJECT_CPD_INST_OPERANDS}
    
    oc adm policy add-role-to-user ${BR_ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --role-namespace=${PROJECT_CPD_INST_OPERANDS}
    
    oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --role-namespace=${PROJECT_CPD_INST_OPERANDS}
    
    oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --role-namespace=${PROJECT_CPD_INST_OPERANDS}
    
    # If there are tethered projects, assign the required roles in the tethered projects
    # =======================================================================================
    if [ -n "${PROJECT_CPD_INSTANCE_TETHERED}" ]; then
        IFS=',' read -ra TETHERED_NS_LIST <<< "${PROJECT_CPD_INSTANCE_TETHERED}"
        
        for TETHERED_NS in "${TETHERED_NS_LIST[@]}"; do
          oc adm policy add-role-to-user ${BR_ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
          --namespace=${TETHERED_NS} \
          --role-namespace=${TETHERED_NS}
    
          oc adm policy add-role-to-user ${BR_ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
          --namespace=${TETHERED_NS} \
          --role-namespace=${TETHERED_NS}
    
          oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
          --namespace=${TETHERED_NS} \
          --role-namespace=${TETHERED_NS}
    
          oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
          --namespace=${TETHERED_NS} \
          --role-namespace=${TETHERED_NS}
        done
    fi
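
A post-check for steps 5 to 7, added here as an example and not part of the IBM procedure: it derives every namespace and role pair that the commands above create and reports the pairs where ${INSTANCE_ADMIN} has no RoleBinding. It assumes the same sourced environment variables (including BR_ROLE_NAME, which the commands above use); the function names and the AUDIT switch are hypothetical.

```bash
# Added example (not IBM's code): audit the RoleBindings that steps 5-7 create.
# Assumes the procedure's environment variables are already sourced.

# Print one "<namespace> <role>" pair for every binding the procedure creates.
expected_bindings() (
  set -f  # no globbing while the lists below are word-split
  for kind in admin crs; do
    echo "${PROJECT_CPD_INST_BR_SVC} ${BR_ROLE_NAME}-cpd-instance-${kind}"
  done
  tethered=$(printf '%s' "${PROJECT_CPD_INSTANCE_TETHERED:-}" | tr ',' ' ')
  for ns in ${PROJECT_CPD_INST_OPERATORS} ${PROJECT_CPD_INST_OPERANDS} ${tethered}; do
    for prefix in "${BR_ROLE_NAME}" "${ROLE_NAME}"; do
      for kind in admin crs; do
        echo "${ns} ${prefix}-cpd-instance-${kind}"
      done
    done
  done
)

# Succeed if user $3 is a subject of a RoleBinding in namespace $1 that
# references Role $2.
is_bound() (
  oc get rolebindings --namespace="$1" -o \
    jsonpath="{range .items[?(@.roleRef.name==\"$2\")]}{.subjects[?(@.kind==\"User\")].name}{\"\\n\"}{end}" |
    tr ' ' '\n' | grep -Fxq -- "$3"
)

# Print each expected binding that INSTANCE_ADMIN lacks; exit status 1 if any.
missing_bindings() (
  missing=$(expected_bindings | while read -r ns role; do
    is_bound "$ns" "$role" "${INSTANCE_ADMIN}" || echo "$ns $role"
  done)
  if [ -z "$missing" ]; then exit 0; fi
  printf '%s\n' "$missing"
  exit 1
)

# Run the audit only on request: AUDIT=1 bash <this-file>
if [ "${AUDIT:-0}" = 1 ]; then missing_bindings; fi
```

No output and exit status 0 mean that every expected binding exists. If you authorized a group with add-role-to-group instead, change the kind filter in is_bound to Group and pass the group name.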

What to do next

Now that you've reauthorized the instance administrator, you're ready to complete Upgrading privileged monitors (Upgrading from Version 5.3 to Version 5.4).