The identity configuration management for Kubernetes operator is installed with Operator Lifecycle Manager, which manages the installation, upgrade, and removal of the components that encompass identity configuration management for Kubernetes.
Required access: Cluster administrator
- By default, the identity configuration management components are installed on worker nodes of your OpenShift Container Platform cluster without any additional configuration. You can install the identity configuration management operator onto worker nodes by using the OpenShift Container Platform OperatorHub web console interface, or by using the OpenShift Container Platform CLI.
- If you have configured your OpenShift Container Platform cluster with infrastructure nodes, you can install identity configuration management onto those infrastructure nodes.
Note: Upgrades are not supported from identity configuration management for Kubernetes v0.1.0. If you have v0.1.0 installed, you will need to uninstall it before installing v0.2.0 or higher.
Prerequisites
Before you install identity configuration management for Kubernetes, see the following requirements:
- Your Red Hat OpenShift Container Platform cluster must have access to the identity configuration management for Kubernetes operator in the OperatorHub catalog from the OpenShift Container Platform console.
- You need access to catalog.redhat.com.
- OpenShift Container Platform version 4.10, 4.9, or 4.8.12 and higher must be deployed in your environment (for 4.8, a minimum of 4.8.12 is required because of Bugzilla 1969902), and you must be logged in with the OpenShift Container Platform CLI. See the install documentation for OpenShift Container Platform.
- Your OpenShift Container Platform command line interface (CLI) must be configured to run oc commands. See Getting started with the CLI for information about installing and configuring the OpenShift Container Platform CLI.
- Your OpenShift Container Platform permissions must allow you to create a namespace.
- You must have an Internet connection to access the dependencies for the operator.
- You must have one of the following installed:
Confirm your OpenShift Container Platform installation
You must have a supported OpenShift Container Platform version, including the registry and storage services, installed and working. For more information about installing OpenShift Container Platform, see the OpenShift Container Platform documentation.
1. Verify that the identity configuration management for Kubernetes operator is not already installed on your OpenShift Container Platform cluster. The operator allows only one installation on each OpenShift Container Platform cluster. Continue with the following steps if there is no installation.
2. To ensure that the OpenShift Container Platform cluster is set up correctly, look up the route of the OpenShift Container Platform web console with the following command:
   kubectl -n openshift-console get route
   See the following example output:
   openshift-console console console-openshift-console.apps.new-coral.purple-chesterfield.com console https reencrypt/Redirect None
3. Open the URL in your browser and check the result. If the console URL displays console-openshift-console.router.default.svc.cluster.local, set the value for openshift_master_default_subdomain when you install OpenShift Container Platform. See the following example of a URL: https://console-openshift-console.apps.new-coral.purple-chesterfield.com
You can proceed to install identity configuration management for Kubernetes.
Installing from the OperatorHub web console interface
Best practice: From the Administrator view in your OpenShift Container Platform navigation, install from the OperatorHub web console interface that is provided with OpenShift Container Platform.
1. Select Operators > OperatorHub to access the list of available operators, and select the identity configuration management for Kubernetes operator.
2. On the Operator subscription page, select the options for your installation:
   - Namespace:
     - The identity configuration management for Kubernetes operator must be installed in its own namespace, or project.
     - Under Installed Namespace, choose Create Namespace and specify idp-mgmt-config. If there is already a namespace idp-mgmt-config, or you prefer another namespace, choose a different namespace.
   - Channel: The channel that you select corresponds to the release that you are installing. When you select the channel, it installs the identified release and establishes that future errata updates within that release are obtained.
   - Approval strategy: The approval strategy identifies the human interaction that is required for applying updates to the channel or release to which you subscribed.
     - Select Automatic to ensure that any updates within that release are automatically applied.
     - Select Manual to receive a notification when an update is available. If you have concerns about when the updates are applied, this might be the best practice for you.
     Note: To upgrade to the next minor release, you must return to the OperatorHub page and select a new channel for the more current release.
3. Select Install to apply your changes and create the operator.
   After the identity configuration management for Kubernetes operator is created, the status for the operator is Running on the Installed Operators page.
4. After installing the operator, create an instance of the IDPConfig resource to install the necessary components that provide the IDP configuration management APIs. Here is an example:
   apiVersion: identityconfig.identitatem.io/v1alpha1
   kind: IDPConfig
   metadata:
     name: idp-config
     namespace: idp-mgmt-config
   spec:
You can now use the services provided by identity configuration management for Kubernetes.
Installing from the OpenShift Container Platform CLI
1. Create an identity configuration management for Kubernetes namespace where the operator requirements are contained. Run the following command, where namespace is the name for your identity configuration management for Kubernetes namespace. A value of idp-mgmt-config is recommended. The value for namespace might be referred to as Project in the OpenShift Container Platform environment:
   oc create namespace <namespace>
2. Switch your project namespace to the one that you created. Replace namespace with the name of the identity configuration management for Kubernetes namespace that you created in step 1:
   oc project <namespace>
3. Create a YAML file to configure an OperatorGroup resource. Each namespace can have only one operator group. Replace default with the name of your operator group. Replace namespace with the name of your project namespace. See the following example:
   apiVersion: operators.coreos.com/v1
   kind: OperatorGroup
   metadata:
     name: <default>
   spec:
     targetNamespaces:
       - <namespace>
4. Run the following command to create the OperatorGroup resource. Replace operator-group with the name of the operator group YAML file that you created:
   oc apply -f <path-to-file>/<operator-group>.yaml
5. Create a YAML file to configure an OpenShift Container Platform Subscription. Your file should look similar to the following example:
   apiVersion: operators.coreos.com/v1alpha1
   kind: Subscription
   metadata:
     name: idp-mgmt-operator-subscription
   spec:
     sourceNamespace: openshift-marketplace
     source: redhat-operators
     channel: alpha
     installPlanApproval: Automatic
     name: idp-mgmt-operator
   Note: For installing identity configuration management for Kubernetes on infrastructure nodes, see the Operator Lifecycle Manager Subscription additional configuration section.
6. Run the following command to create the OpenShift Container Platform Subscription. Replace subscription with the name of the subscription file that you created:
   oc apply -f <path-to-file>/<subscription>.yaml
7. Create an instance of the IDPConfig resource to install the necessary components that provide the IDP configuration management APIs. Here is an example:
   apiVersion: identityconfig.identitatem.io/v1alpha1
   kind: IDPConfig
   metadata:
     name: idp-config
     namespace: idp-mgmt-config
   spec:
Notes:
- A ServiceAccount with a ClusterRoleBinding automatically gives cluster administrator privileges to identity configuration management for Kubernetes and to any user credentials with access to the namespace where you install identity configuration management for Kubernetes. Treat access to that namespace as equivalent to cluster administrator access.
Installing on infrastructure nodes
An OpenShift Container Platform cluster can be configured to contain infrastructure nodes for running approved management components. Running components on infrastructure nodes avoids allocating OpenShift Container Platform subscription quota for the nodes that are running those management components.
After adding infrastructure nodes to your OpenShift Container Platform cluster, follow the Installing from the OpenShift Container Platform CLI instructions and add the following configurations to the Operator Lifecycle Manager Subscription.
Add infrastructure nodes to the OpenShift Container Platform cluster
Follow the procedures that are described in Creating infrastructure machine sets in the OpenShift Container Platform documentation. Infrastructure nodes are configured with a Kubernetes taint and label to keep non-management workloads from running on them.
To be compatible with the infrastructure node enablement provided by identity configuration management for Kubernetes, ensure that your infrastructure nodes have the following taint and label applied:
metadata:
  labels:
    node-role.kubernetes.io/infra: ""
spec:
  taints:
    - effect: NoSchedule
      key: node-role.kubernetes.io/infra
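The following shell script is an added example; it is not part of the Red Hat documentation or the operator project. It checks that every node carrying the node-role.kubernetes.io/infra label also carries the NoSchedule taint shown above, which is the combination the operator's nodeSelector and toleration expect: a labeled node without the taint still admits ordinary workloads, so the isolation the label implies is not enforced. The check_infra_taints function, the oc jsonpath query in audit_infra_nodes, and the sample node lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs or the operator project).
# Verifies that every node labeled node-role.kubernetes.io/infra also carries
# the node-role.kubernetes.io/infra:NoSchedule taint shown in the docs.

# Taint key/effect pair expected on infrastructure nodes.
EXPECTED_TAINT="node-role.kubernetes.io/infra=NoSchedule"

# Reads lines of the form "<node-name><TAB><key>=<effect> <key>=<effect> ..."
# from stdin, prints one line per node that lacks the expected taint, and
# returns the number of such nodes (0 means every labeled node is tainted).
check_infra_taints() {
  bad=0
  tab="$(printf '\t')"
  while IFS="$tab" read -r node taints; do
    [ -n "$node" ] || continue            # skip blank lines
    case " $taints " in
      *" $EXPECTED_TAINT "*) ;;            # expected taint present
      *)
        echo "node $node is labeled infra but lacks taint $EXPECTED_TAINT (taints: ${taints:-none})"
        bad=$((bad + 1))
        ;;
    esac
  done
  return "$bad"
}

# Live variant (assumes an oc session is logged in): selects the infra-labeled
# nodes and formats each one as the line format check_infra_taints expects.
audit_infra_nodes() {
  oc get nodes -l node-role.kubernetes.io/infra= \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.taints[*]}{.key}={.effect}{" "}{end}{"\n"}{end}' \
    | check_infra_taints
}

# Offline demonstration on constructed input: one compliant node, one with no
# taints, one with the wrong effect. Set AUDIT_LIVE=1 to query a real cluster.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
  audit_infra_nodes || echo "found $? non-compliant infrastructure node(s)"
else
  printf 'infra-0\tnode-role.kubernetes.io/infra=NoSchedule \ninfra-1\t\ninfra-2\tnode-role.kubernetes.io/infra=NoExecute \n' \
    | check_infra_taints || echo "found $? non-compliant infrastructure node(s)"
fi
```

The return value is the count of non-compliant nodes, so the script can be used as a gate in a pipeline that runs before the Subscription is applied; the offline branch reports two nodes (infra-1 has no taint, infra-2 has the wrong effect).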
Operator Lifecycle Manager Subscription additional configuration
Add the following additional configuration before applying the Operator Lifecycle Manager Subscription:
spec:
  config:
    nodeSelector:
      node-role.kubernetes.io/infra: ""
    tolerations:
      - key: node-role.kubernetes.io/infra
        effect: NoSchedule
        operator: Exists
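The following shell script is an added example, not code from the Red Hat documentation or the operator project. It ties together the Installing from the OpenShift Container Platform CLI procedure and the Subscription configuration above: it renders the Namespace, OperatorGroup, Subscription and IDPConfig manifests from the procedure as one stream, adds the infrastructure-node nodeSelector and tolerations when INFRA=1, and applies the result only when APPLY=1. The operator group name idp-mgmt-operators, the explicit empty object in spec: {} of the IDPConfig, and the oc get csv status check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs or the operator project): renders
# the manifests from the CLI install procedure, optionally pinned to
# infrastructure nodes, and applies them only when APPLY=1.

NAMESPACE="${NAMESPACE:-idp-mgmt-config}"              # recommended namespace from the procedure
OPERATOR_GROUP="${OPERATOR_GROUP:-idp-mgmt-operators}"  # assumed operator group name
APPROVAL="${APPROVAL:-Automatic}"                       # Automatic as in the docs; Manual gates updates behind a human
INFRA="${INFRA:-0}"                                     # 1 = add the infrastructure-node nodeSelector and tolerations

render_namespace() {
  # $1 = namespace name (equivalent to "oc create namespace" in the procedure)
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $1
EOF
}

render_operator_group() {
  # $1 = namespace, $2 = operator group name; each namespace may have only one OperatorGroup
  cat <<EOF
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: $2
  namespace: $1
spec:
  targetNamespaces:
    - $1
EOF
}

render_subscription() {
  # $1 = namespace, $2 = installPlanApproval, $3 = 1 to add the infra node configuration
  cat <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: idp-mgmt-operator-subscription
  namespace: $1
spec:
  sourceNamespace: openshift-marketplace
  source: redhat-operators
  channel: alpha
  installPlanApproval: $2
  name: idp-mgmt-operator
EOF
  if [ "$3" = "1" ]; then
    cat <<EOF
  config:
    nodeSelector:
      node-role.kubernetes.io/infra: ""
    tolerations:
      - key: node-role.kubernetes.io/infra
        effect: NoSchedule
        operator: Exists
EOF
  fi
}

render_idpconfig() {
  # $1 = namespace; spec is empty as in the docs example, written as {} to make that explicit (assumption)
  cat <<EOF
apiVersion: identityconfig.identitatem.io/v1alpha1
kind: IDPConfig
metadata:
  name: idp-config
  namespace: $1
spec: {}
EOF
}

# Emits all four documents separated by "---" so they apply in one pass, namespace first.
render_all() {
  ns="$1"; og="$2"; approval="$3"; infra="$4"
  render_namespace "$ns"
  echo '---'
  render_operator_group "$ns" "$og"
  echo '---'
  render_subscription "$ns" "$approval" "$infra"
  echo '---'
  render_idpconfig "$ns"
}

if [ "${APPLY:-0}" = "1" ]; then
  # Live path: needs an oc session whose permissions allow creating a namespace.
  render_all "$NAMESPACE" "$OPERATOR_GROUP" "$APPROVAL" "$INFRA" | oc apply -f -
  oc get csv -n "$NAMESPACE"   # shows the ClusterServiceVersion phase once OLM resolves the Subscription
else
  render_all "$NAMESPACE" "$OPERATOR_GROUP" "$APPROVAL" "$INFRA"
fi
```

Because the page notes that any credential with access to this namespace effectively holds cluster administrator privileges, the script defaults to rendering only; review the output, in particular the namespace name and the approval strategy, before running it with APPLY=1.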