Skip to content

WIP: Install Operator as a User

Official documentation: https://docs.openshift.com/container-platform/4.3/operators/olm-creating-policy.html

Setup htpasswd auth (Optional)

Create htpasswd secret

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
oc create -f - <<EOF
apiVersion: v1
data:
  htpasswd: "$( (htpasswd -nb admin 'r3dh4t1!'; htpasswd -nb user 'r3dh4t1!') | base64 -b 0 )"
kind: Secret
metadata:
  name: htpasswd
  namespace: openshift-config
type: Opaque
EOF

Change OAuth config

{% hint style="warning" %} It overwrites the OAuth config

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
oc apply -f - <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - htpasswd:
        fileData:
          name: htpasswd
      mappingMethod: claim
      name: Local
      type: HTPasswd
EOF

Add your private marketplace

{% embed url="https://github.com/rbo/openshift-examples/tree/master/operator/simple-application-operator" %}

Add application operator to your namespace

Create OLM Service Account

1
2
3
4
5
6
7
oc create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: olm
  namespace: simple-application-operator
EOF

Setup roles and role bindings for OLM Service Account

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
oc apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: olm
  namespace: simple-application-operator
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: olm-bindings
  namespace: simple-application-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: scoped
subjects:
- kind: ServiceAccount
  name: olm
  namespace: simple-application-operator
EOF

Create OperatorGroup as clusteradmin

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
oc create --as=system:admin -f - <<EOF
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: simple-application-operator
  namespace: simple-application-operator
spec:
  serviceAccountName: olm
  targetNamespaces:
  - simple-application-operator
EOF

Install the operator

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Get all need informations
$ oc get catalogsources.operators.coreos.com
NAME                  DISPLAY               TYPE   PUBLISHER      AGE
application-catalog   Application catalog   grpc   Robert Bohne   85m

$ oc get svc
NAME                  TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)     AGE
application-catalog   ClusterIP   172.30.96.52   <none>        50051/TCP   87m

$ oc port-forward service/application-catalog 50051 50051

# https://github.com/operator-framework/operator-registry#using-the-catalog-locally
$ grpcurl -plaintext  localhost:50051 api.Registry/ListPackages
{
  "name": "simple-application-operator"
}

$ grpcurl -plaintext -d '{"name":"simple-application-operator"}' localhost:50051 api.Registry/GetPackage
{
  "name": "simple-application-operator",
  "channels": [
    {
      "name": "beta",
      "csvName": "simple-application-operator.v0.1.0"
    },
    {
      "name": "stable",
      "csvName": "simple-application-operator.v0.1.0"
    }
  ],
  "defaultChannelName": "stable"
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
oc apply -f - <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: simple-application-operator
  namespace: simple-application-operator
spec:
  channel: stable
  name: simple-application-operator
  source: application-catalog
  sourceNamespace: simple-application-operator
EOF

ToDo

  • Create doc bug: The Subscription "etcd" is invalid: spec.sourceNamespace: Required value
2021-05-18 2020-02-18 Contributors: Robert Bohne