Home
Note: This driver is for internal testing and demo purposes only. For production use, refer to the instructions here
1. Update your OpenShift cluster with a global pull secret for the `cp.stg.icr.io` entitled registry:
   - Get an entitlement key to the IBM Entitled Container Fulfillment Registry. Log in to MyIBM Container Software Library with the IBMid and password that are associated with the entitled software. Click on 'View library' on the left and it should show that you have entitlement for 'all' IBM software. Follow the process under Obtaining a staging entitlement key if you are not able to access the library or you don't have entitlement to 'all' IBM software.
   - In the Entitlement keys section, select **Copy key** to copy the entitlement key to the clipboard.
   - Use the console to configure the global pull secret with entitled registry (`cp.stg.icr.io`) credentials.
     - In the console, click **Workloads** > **Secrets** and select the `openshift-config` namespace.
     - Find the existing `pull-secret` secret.
     - Select **Edit Secret**.
     - Click **Add Credentials** to add an entry for the entitled registry. Specify `cp.stg.icr.io` as the registry server address, `cp` as the username, and the entitlement key that you obtained in the previous step as the password.
2. To install the Operator using Operator Lifecycle Manager (OLM), follow steps 2.1, 2.2 and 2.3. Skip them and follow step 3 if you want to use the kustomize-based install option.

2.1. Create an ImageContentSourcePolicy for mirroring (this is needed because Operator artifacts are built with production registry references, but until we GA the images would only be in the staging registry):
```yaml
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: mirror-config
spec:
  repositoryDigestMirrors:
    - mirrors:
        - cp.stg.icr.io/cp
      source: cp.icr.io/cp
    - mirrors:
        - cp.stg.icr.io/cp
      source: icr.io/cpopen
    - mirrors:
        - cp.stg.icr.io/cp
      source: icr.io/appcafe
```
(To apply the resources, create a file on your oc-enabled system, paste the contents above into it, and run `oc apply -f <fileName>`.)
2.2. Add the CatalogSource for Open Liberty Operator:
```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: olo-catalog
  namespace: openshift-marketplace
spec:
  displayName: Open Liberty 1.4.0-rc.3
  image: 'icr.io/appcafe/open-liberty-operator-catalog@sha256:862b5d13d923077fd6dfb99a0cc642468c6aa9c1081e4ee4c6ab9f9af37d0082'
  sourceType: grpc
```
2.3. Install or upgrade the Open Liberty Operator via OperatorHub:

2.3.1. To install the Open Liberty Operator:
- From the OpenShift UI, click on **Operators** and then **OperatorHub**.
- In the search box type `open liberty`. Sometimes it takes a few minutes for the CatalogSource to be loaded by OCP. The operator won't show up until the CatalogSource is loaded.
- Select the Open Liberty operator and click Install.
- Complete the install with the default options.

2.3.2. To upgrade the Open Liberty Operator:
- Uninstall the OLO Operator.
- Go to Administration > CustomResourceDefinitions.
- Find `CatalogSource`.
- Click on Instances and find `olo-catalog`.
- Either update the image SHA value from the wiki, or just delete the `olo-catalog` instance and recreate it from the wiki page with the latest SHA value.
- Complete the install with the default options.
3. Alternative install options:
   - To install the Operator using kubectl, use the artifacts in https://github.com/OpenLiberty/open-liberty-operator/tree/deploy-1.4.0-rc/internal/deploy/kubectl
   - To install the Operator using kustomize, use the artifacts in https://github.com/OpenLiberty/open-liberty-operator/tree/deploy-1.4.0-rc/internal/deploy/kustomize/daily
4. Create custom resources (CRs) to deploy applications and to gather trace/dump:
   - Sample CRs are available from the OpenShift UI as well as in this folder
   - Follow the documentation at https://github.com/OpenLiberty/open-liberty-operator/blob/main/doc/user-guide-v1.adoc
To enable the password encryption support:
- Create a Secret named `wlp-password-encryption-key` in the same namespace as the OpenLibertyApplication CR instance. Within the secret, the encryption key must be specified using `passwordEncryptionKey`. Note that the encryption key will be shared by all CR instances in the namespace that enable password encryption.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: wlp-password-encryption-key
type: Opaque
stringData:
  passwordEncryptionKey: randomkey
```
- Set `.spec.managePasswordEncryption` to `true` in the CR.

```yaml
spec:
  managePasswordEncryption: true
```
The Operator will handle mounting the encryption key into the app and enable the necessary Liberty server configuration to use it.
LTPA support from 1.3 should continue to work as before. When `.spec.manageLTPA` is enabled with `.spec.managePasswordEncryption`, then the password of the LTPA key will also be encrypted with the specified key by the Operator.
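As an added example (not part of the original wiki or the Operator project), the script below replaces the literal `randomkey` with a key drawn from `/dev/urandom` and renders the same Secret on stdout, so the key never sits in a manifest file on disk. The hex encoding, the 32-byte length, the function names and the `demo` namespace are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate a random key and render the Secret described above.
# KEY_BYTES and all function names are assumptions of this example.
KEY_BYTES=32

# Read KEY_BYTES from the kernel CSPRNG and hex-encode them
# (64 characters for 32 bytes, none of them special in YAML).
gen_key() {
    head -c "$KEY_BYTES" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Accept only RFC 1123 label names so the namespace cannot alter the manifest.
valid_namespace() {
    case "$1" in
        ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Print the Secret manifest on stdout; nothing is written to disk.
render_secret() {
    ns=$1 key=$2
    valid_namespace "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
    case "$key" in
        ''|*[!0-9a-f]*) echo "key must be non-empty hex" >&2; return 1 ;;
    esac
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: wlp-password-encryption-key
  namespace: $ns
type: Opaque
stringData:
  passwordEncryptionKey: "$key"
EOF
}

# Usage (needs a logged-in oc session; "demo" is a placeholder namespace):
#   render_secret demo "$(gen_key)" | oc apply -f -
```

Because the key is shared by every CR instance in the namespace that enables password encryption, restrict read access to this Secret accordingly.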
DNS can be configured in OpenLibertyApplication CR using the new fields:
- `.spec.dns.config`: The DNS Config for the application pod.
- `.spec.dns.policy`: The DNS Policy for the application pod. Defaults to ClusterFirst.
Example:
```yaml
spec:
  dns:
    config:
      nameservers:
        - 8.8.8.8
        - 1.1.1.1
    policy: None
```
Refer to the Kubernetes documentation for general information on DNS Config and DNS Policy.
Tolerations can be configured in OpenLibertyApplication CR using the new field:
- `.spec.tolerations`: Tolerations to be added to application pods. Tolerations allow the scheduler to schedule pods on nodes with matching taints.
Example:
```yaml
spec:
  tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
```
Refer to the Kubernetes documentation for general information on Taints and Tolerations.