The identity configuration management for Kubernetes operator is installed with Operator Lifecycle Manager, which manages the installation, upgrade, and removal of the components that encompass identity configuration management for Kubernetes.

Required access: Cluster administrator

  • By default, the identity configuration management components are installed on worker nodes of your OpenShift Container Platform cluster without any additional configuration. You can install the identity configuration management operator onto worker nodes by using the OpenShift Container Platform OperatorHub web console interface, or by using the OpenShift Container Platform CLI.

  • If you have configured your OpenShift Container Platform cluster with infrastructure nodes, you can install the identity configuration management onto those infrastructure nodes.

Note
 Upgrades are not supported from identity configuration management for Kubernetes v0.1.0. If you have v0.1.0 installed, you will need to uninstall it before installing v0.2.0 or higher.

Prerequisites

Before you install identity configuration management for Kubernetes, see the following requirements:

  • Your RedHat OpenShift Container Platform cluster must have access to the identity configuration management for Kubernetes operator in the OperatorHub catalog from the OpenShift Container Platform console.

  • You need access to the catalog.redhat.com.

  • OpenShift Container Platform version 4.10, 4.9 or 4.8.12 and higher. For 4.8, a minimum of 4.8.12 is required, due to Bugzilla 1969902, must be deployed in your environment, and you must be logged into with the OpenShift Container Platform CLI. See the following install documentation for OpenShift Container Platform:

  • Your OpenShift Container Platform command line interface (CLI) must be configured to run oc commands. See Getting started with the CLI for information about installing and configuring the OpenShift Container Platform CLI.

  • Your OpenShift Container Platform permissions must allow you to create a namespace.

  • You must have an Internet connection to access the dependencies for the operator.

  • You must have one of the following installed:

Confirm your OpenShift Container Platform installation

You must have a supported OpenShift Container Platform version, including the registry and storage services, installed and working. For more information about installing OpenShift Container Platform, see the OpenShift Container Platform documentation.

  1. Verify that the identity configuration management for Kubernetes operator is not already installed on your OpenShift Container Platform cluster. The identity configuration management for Kubernetes operator allows only one single installation on each OpenShift Container Platform cluster. Continue with the following steps if there is no installation.

  2. To ensure that the OpenShift Container Platform cluster is set up correctly, access the OpenShift Container Platform web console with the following command:

    kubectl -n openshift-console get route

    See the following example output:

    openshift-console console console-openshift-console.apps.new-coral.purple-chesterfield.com
console   https   reencrypt/Redirect     None

  3. Open the URL in your browser and check the result. If the console URL displays console-openshift-console.router.default.svc.cluster.local, set the value for openshift_master_default_subdomain when you install OpenShift Container Platform. See the following example of a URL: https://console-openshift-console.apps.new-coral.purple-chesterfield.com.

You can proceed to install identity configuration management for Kubernetes.

Installing from the OperatorHub web console interface

Best practice: From the Administrator view in your OpenShift Container Platform navigation, install the OperatorHub web console interface that is provided with OpenShift Container Platform.

  1. Select Operators > OperatorHub to access the list of available operators, and select identity configuration management for Kubernetes operator.

  2. On the Operator subscription page, select the options for your installation:

    • Namespace:

      • The identity configuration management for Kubernetes must be installed in its own namespace, or project.

      • Under Installed Namespace, choose Create Namespace and specify idp-mgmt-config. If there is already a namespace idp-mgmt-config or you prefer another namespace, choose a different namespace.

    • Channel: The channel that you select corresponds to the release that you are installing. When you select the channel, it installs the identified release, and establishes that the future errata updates within that release are obtained.

    • Approval strategy: The approval strategy identifies the human interaction that is required for applying updates to the channel or release to which you subscribed.

      • Select Automatic to ensure any updates within that release are automatically applied.

      • Select Manual to receive a notification when an update is available. If you have concerns about when the updates are applied, this might be best practice for you.

    Note: To upgrade to the next minor release, you must return to the OperatorHub page and select a new channel for the more current release.

  3. Select Install to apply your changes and create the operator.

    After the identity configuration management for Kubernetes is created, the status for the operator is Running on the Installed Operators page.

  4. After installing the operator, create an instance of the IDPConfig resource to install the necessary components that provide the IDP configuration management APIs. Here’s an example:

    apiVersion: identityconfig.identitatem.io/v1alpha1
kind: IDPConfig
metadata:
  name: idp-config
  namespace: idp-mgmt-config
spec:

    You can now use the services provided by the identity configuration management for Kubernetes.

Installing from the OpenShift Container Platform CLI

  1. Create a identity configuration management for Kubernetes namespace where the operator requirements are contained. Run the following command, where namespace is the name for your identity configuration management for Kubernetes namespace. A value of idp-mgmt-config is recommended. The value for namespace might be referred to as Project in the OpenShift Container Platform environment:

    oc create namespace <namespace>

  2. Switch your project namespace to the one that you created. Replace namespace with the name of the identity configuration management for Kubernetes namespace that you created in step 1.

    oc project <namespace>

  3. Create a YAML file to configure an OperatorGroup resource. Each namespace can have only one operator group. Replace default with the name of your operator group. Replace namespace with the name of your project namespace. See the following example:

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: <default>
spec:
  targetNamespaces:
  - <namespace>

  4. Run the following command to create the OperatorGroup resource. Replace operator-group with the name of the operator group YAML file that you created:

    oc apply -f <path-to-file>/<operator-group>.yaml

  5. Create a YAML file to configure an OpenShift Container Platform Subscription. Your file should look similar to the following example:

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: idp-mgmt-operator-subscription
spec:
  sourceNamespace: openshift-marketplace
  source: redhat-operators
  channel: alpha
  installPlanApproval: Automatic
  name: idp-mgmt-operator

    Note: For installing the identity configuration management for Kubernetes on infrastructure nodes, the see Operator Lifecycle Manager Subscription additional configuration section.

  6. Run the following command to create the OpenShift Container Platform Subscription. Replace subscription with the name of the subscription file that you created:

    oc apply -f <path-to-file>/<subscription>.yaml

  7. Create an instance of the IDPConfig resource to install the necessary components that provide the IDP configuration management APIs. Here’s an example:

    apiVersion: identityconfig.identitatem.io/v1alpha1
kind: IDPConfig
metadata:
  name: idp-config
  namespace: idp-mgmt-config
spec:

Notes:

  • A ServiceAccount with a ClusterRoleBinding automatically gives cluster administrator privileges to identity configuration management for Kubernetes and to any user credentials with access to the namespace where you install identity configuration management for Kubernetes.

Installing on infrastructure nodes

An OpenShift Container Platform cluster can be configured to contain infrastructure nodes for running approved management components. Running components on infrastructure nodes avoids allocating OpenShift Container Platform subscription quota for the nodes that are running those management components.

After adding infrastructure nodes to your OpenShift Container Platform cluster, follow the Installing from the OpenShift Container Platform CLI instructions and add the following configurations to the Operator Lifecycle Manager Subscription.

Add infrastructure nodes to the OpenShift Container Platform cluster

Follow the procedures that are described in Creating infrastructure machine sets in the OpenShift Container Platform documentation. Infrastructure nodes are configured with a Kubernetes taint and label to keep non-management workloads from running on them.

To be compatible with the infrastructure node enablement provided by identity configuration management for Kubernetes, ensure your infrastructure nodes have the following taint and label applied:

metadata:
  labels:
    node-role.kubernetes.io/infra: ""
spec:
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/infra

Operator Lifecycle Manager Subscription additional configuration

Add the following additional configuration before applying the Operator Lifecycle Manager Subscription:

spec:
  config:
    nodeSelector:
      node-role.kubernetes.io/infra: ""
    tolerations:
    - key: node-role.kubernetes.io/infra
      effect: NoSchedule
      operator: Exists