Simplify certificate management on OpenShift across multiple architectures

Learn efficient certificate management techniques on Red Hat OpenShift using the cert-manager Operator for OpenShift’s multi-architecture support.

Let's kick things up a notch!

We're now all set to install the cert-manager Operator for Red Hat OpenShift on our cluster. As of the time of publishing, the installation documentation primarily outlines the steps using the OpenShift web console. This learning path guides you through the CLI installation (Figure 1), with some Operator Lifecycle Manager (OLM) explanations. Feel free to choose the method that best suits your use case and preferences, as both lead to the same result.

Figure 1: The installation steps for cert manager Operator for Red Hat OpenShift.

In order to get the full benefit from taking this lesson, you need to:

  • Export KUBECONFIG or use oc login to access your cluster, as accomplished at the end of Lesson 2:

    $ export KUBECONFIG=<path-to-kubeconfig>

In this lesson, you will:

  • Understand and leverage Operator Lifecycle Manager (OLM) resources for streamlined operator management.
  • Use OLM to install cert-manager Operator for Red Hat OpenShift on IBM Power VS.

Review Operator Lifecycle Manager (OLM) resources

In OpenShift, a catalog source serves as a carefully curated repository of operators, akin to an app store. It provides a comprehensive listing of operators along with their descriptions, versions, and compatibility information. By default, the redhat-operators catalog source is included with the cluster in the openshift-marketplace namespace, and it contains the openshift-cert-manager-operator package:

$ oc get catalogsources redhat-operators -n openshift-marketplace

Within OLM, the PackageManifest is your operator's info card. It includes details such as the package name, available channels, source repository (catalog source), install modes, and version details, which simplifies operator installation within your OpenShift cluster. Let's check the details for openshift-cert-manager-operator:

$ oc describe packagemanifest openshift-cert-manager-operator -n openshift-marketplace

Have you observed the labels? They provide information about the supported architectures and the source catalog:

$ oc get packagemanifest openshift-cert-manager-operator -n openshift-marketplace -o json | jq .metadata.labels
{
  "catalog": "redhat-operators",
  "catalog-namespace": "openshift-marketplace",
  "hypershift.openshift.io/managed": "true",
  "operatorframework.io/arch.amd64": "supported",
  "operatorframework.io/arch.arm64": "supported",
  "operatorframework.io/arch.ppc64le": "supported",
  "operatorframework.io/arch.s390x": "supported",
  "operatorframework.io/os.linux": "supported",
  "provider": "Red Hat",
  "provider-url": ""
}

Take a look at the defaultChannel:

$ oc get packagemanifest openshift-cert-manager-operator -n openshift-marketplace -o json | jq .status.defaultChannel
"stable-v1"

Make a note of this information as we'll use it when creating the Subscription.

Install cert-manager Operator for OpenShift via CLI

To set up cert-manager for Red Hat OpenShift, follow these steps:

  1. Create a new project cert-manager-operator. This will be the operator namespace:

    $ oc new-project cert-manager-operator
  2. Next, we'll create the OperatorGroup, which tells OLM the target namespaces where the operator should be deployed and watch for its resources:

    $ oc create -f - <<EOF
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: openshift-cert-manager-operator
      namespace: cert-manager-operator
    spec:
      targetNamespaces:
      - "cert-manager-operator"
    EOF
  3. Finally, create a Subscription to install your operator. Ensure that the information in the spec is sourced from the PackageManifest as needed:

    $ oc create -f - <<EOF
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: openshift-cert-manager-operator
      namespace: cert-manager-operator
    spec:
      channel: stable-v1
      name: openshift-cert-manager-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      installPlanApproval: Automatic
      startingCSV: cert-manager-operator.v1.13.0
    EOF
  4. You can do a quick verification by following the commands and sample outputs below:

    $ oc get subscription -n cert-manager-operator
    NAME                              PACKAGE                           SOURCE             CHANNEL
    openshift-cert-manager-operator   openshift-cert-manager-operator   redhat-operators   stable-v1
    
    $ oc get csv -n cert-manager-operator
    NAME                            DISPLAY                                       VERSION   REPLACES                        PHASE
    cert-manager-operator.v1.13.0   cert-manager Operator for Red Hat OpenShift   1.13.0    cert-manager-operator.v1.12.1   Succeeded
    
    $ oc get pods -n cert-manager-operator
    NAME                                                        READY   STATUS    RESTARTS   AGE
    cert-manager-operator-controller-manager-695b4d46cb-r4hld   2/2     Running   0          7m4s
    
    $ oc get pods -n cert-manager
    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-58b7f649c4-dp6l4              1/1     Running   0          7m1s
    cert-manager-cainjector-5565b8f897-gx25h   1/1     Running   0          7m37s
    cert-manager-webhook-9bc98cbdd-f972x       1/1     Running   0          7m40s

Well done! You've successfully installed the openshift-cert-manager-operator in your cluster, and it is prepared to handle certificate services. 
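
Step 3 asks you to source the Subscription spec from the PackageManifest, and the label check earlier in this lesson shows which architectures the package supports. The following is an added example (not part of the original lesson or of the operator's own tooling) that cross-checks both before you run oc create. The function name check_subscription and the sample JSON are constructed for illustration; the sample is trimmed to the fields used, and its currentCSV value is an assumption.

```python
import json

# Constructed sample, trimmed to the fields checked below. Label and channel
# values mirror the output shown on this page; currentCSV is an assumption.
SAMPLE_PM = json.loads("""
{
  "metadata": {"labels": {
    "operatorframework.io/arch.amd64": "supported",
    "operatorframework.io/arch.arm64": "supported",
    "operatorframework.io/arch.ppc64le": "supported",
    "operatorframework.io/arch.s390x": "supported"}},
  "status": {
    "packageName": "openshift-cert-manager-operator",
    "catalogSource": "redhat-operators",
    "catalogSourceNamespace": "openshift-marketplace",
    "channels": [{"name": "stable-v1",
                  "currentCSV": "cert-manager-operator.v1.13.0"}]}
}
""")

# The Subscription spec from step 3 of this page.
PAGE_SPEC = {
    "channel": "stable-v1",
    "name": "openshift-cert-manager-operator",
    "source": "redhat-operators",
    "sourceNamespace": "openshift-marketplace",
    "installPlanApproval": "Automatic",
    "startingCSV": "cert-manager-operator.v1.13.0",
}

def check_subscription(pm, spec, node_arch):
    """Return a list of mismatches between a Subscription spec and a PackageManifest."""
    status, labels = pm["status"], pm["metadata"].get("labels", {})
    problems = []
    for field, expected in (("name", status["packageName"]),
                            ("source", status["catalogSource"]),
                            ("sourceNamespace", status["catalogSourceNamespace"])):
        if spec.get(field) != expected:
            problems.append(f"{field}: {spec.get(field)!r} != {expected!r}")
    channel = next((c for c in status["channels"] if c["name"] == spec.get("channel")), None)
    if channel is None:
        problems.append(f"channel {spec.get('channel')!r} not offered by the package")
    elif "startingCSV" in spec:
        # 'entries', when the cluster's OLM reports it, lists other CSVs in the channel.
        known = {channel["currentCSV"]} | {e["name"] for e in channel.get("entries", [])}
        if spec["startingCSV"] not in known:
            problems.append(f"startingCSV {spec['startingCSV']!r} not in channel")
    if labels.get(f"operatorframework.io/arch.{node_arch}") != "supported":
        problems.append(f"arch {node_arch!r} not labelled as supported")
    return problems
```

On a live cluster, replace the sample with the parsed output of `oc get packagemanifest openshift-cert-manager-operator -n openshift-marketplace -o json`; an empty list means the spec agrees with what the catalog advertises.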
