The ibm-iam-operator installs the IBM Cloud Platform Common Services Identity and Access Management (IAM) service.
Important: Do not install this operator directly. Install this operator only by using the IBM Common Service Operator. For more information about installing the IBM Common Service Operator, see the Installer documentation (https://www.ibm.com/support/knowledgecenter/SSHKN6/kc_welcome_cs.html).
If you are using the operator as part of an IBM Cloud Pak, see the documentation for that IBM Cloud Pak to learn more about how to install and use the operator service. For more information about IBM Cloud Paks, see IBM Cloud Paks that use Common Services.
You can use the ibm-iam-operator to install the authentication and authorization services for the IBM Cloud Platform Common Services. With these services, you can configure security for IBM Cloud Platform Common Services, IBM Certified Containers (IBM products), or IBM Cloud Paks that are installed.
For more information about the available IBM Cloud Platform Common Services, see the IBM Knowledge Center.
Supported platforms:

- Red Hat OpenShift Container Platform 4.2 or newer installed on one of the following platforms:
  - Linux x86_64
  - Linux on Power (ppc64le)
  - Linux on IBM Z and LinuxONE

Versions:

- 3.6.1: Beta release
- 3.6.0: With this version, support for OpenShift 4.3 is added.
- 3.5.0
Before you install this operator, you need to first install the operator dependencies and prerequisites:

- For the list of operator dependencies, see the IBM Knowledge Center Common Services dependencies documentation.
- For the list of prerequisites for installing the operator, see the IBM Knowledge Center Preparing to install services documentation.
To install the operator by using the IBM Common Services Operator, follow the installation and configuration instructions that are in the IBM Knowledge Center.
- If you are using the operator as part of an IBM Cloud Pak, see the documentation for that IBM Cloud Pak IBM Cloud Paks that use Common Services.
- If you are using the operator with IBM Containerized Software, see the IBM Cloud Platform Common Services Knowledge Center Installer documentation.
For more instructions about how to run end-to-end testing with the Operand Deployment Lifecycle Manager, see ODLM guide.
These steps are based on the Operator Framework: Getting Started and Creating an App Operator.
- Repositories
Complete the following steps:

- Set the Go environment variables.

      export GOPATH=/home/<username>/go
      export GO111MODULE=on
      export GOPRIVATE="github.ibm.com"

- Create the operator skeleton.

      cd /home/ibmadmin/workspace/cs-operators
      operator-sdk new iam-operator --repo github.com/ibm/iam-operator
  The main program for the operator, cmd/manager/main.go, initializes and runs the Manager. The Manager completes the following tasks:
  - Automatically registers the scheme for all custom resources that are defined under pkg/apis/...
  - Runs all controllers under pkg/controller/...
  - Restricts the namespace that all controllers watch for resources.
- Create the API definition ("Kind") that is used to create the CRD.
  a. cd /home/ibmadmin/workspace/cs-operators/iam-operator
  b. Create hack/boilerplate.go.txt, which contains the copyright information for the generated code.
  c. Create the API definition ("Kind") by running the following command:

         operator-sdk add api --api-version=operator.ibm.com/v1alpha1 --kind=IAM

  The command completes the following tasks:
  - Generates pkg/apis/operator/v1alpha1/<kind>_types.go. For example, pkg/apis/operator/v1alpha1/authentications.go.
  - Generates deploy/crds/operator.ibm.com_<kind>s_crd.yaml. For example, deploy/crds/operator.ibm.com_authentications_crd.yaml.
  - Generates deploy/crds/operator.ibm.com_v1alpha1_<kind>_cr.yaml. For example, deploy/crds/operator.ibm.com_v1alpha1_authentications_cr.yaml.

  Note that the generated file names follow the value you pass to --kind; the example file names above are for a Kind named Authentication, which is the Kind used in the remaining steps. The operator can manage more than one Kind API resource.
- Edit <kind>_types.go and add the fields that are exposed to the user. Then, regenerate the CRD.
  a. Edit <kind>_types.go and add fields to the <Kind>Spec struct. Then, run the following command:

         operator-sdk generate k8s

     The command updates zz_generated.deepcopy.go.
  b. Generate the CRDs. Note: The Operator Framework: Getting Started guide provides the operator-sdk generate openapi command to generate the CRD. However, that command is deprecated. Run the following commands instead:

         operator-sdk generate crds

     The command updates operator.ibm.com_authentications_crd.yaml.

         openapi-gen --logtostderr=true -o "" -i ./pkg/apis/operator/v1alpha1 -O zz_generated.openapi -p ./pkg/apis/operator/v1alpha1 -h hack/boilerplate.go.txt -r "-"

     The command creates zz_generated.openapi.go.

     If you need to build openapi-gen, follow these steps. The go build command writes the binary to ./bin/openapi-gen inside the clone; copy it to $GOPATH/bin (or another directory on your PATH) so that the openapi-gen command above can find it.

         git clone https://github.com/kubernetes/kube-openapi.git
         cd kube-openapi
         go mod tidy
         go build -o ./bin/openapi-gen k8s.io/kube-openapi/cmd/openapi-gen

  Note: Every time you modify <kind>_types.go, run generate k8s, generate crds, and openapi-gen to update the CRD and the generated code.

- Create the controller, which creates resources such as Deployments, DaemonSets, and other resources.

      operator-sdk add controller --api-version=operator.ibm.com/v1alpha1 --kind=IAM
Notes:
- There is one controller for each Kind/CRD.
- The controller watches and reconciles the resources that are owned by the CR.
- For information about the Go types that implement Deployments, DaemonSets, and other resources, see https://godoc.org/k8s.io/api/apps/v1.
- For information about the Go types that implement Pods, VolumeMounts, and other resources, see https://godoc.org/k8s.io/api/core/v1.
- For information about the Go types that implement Ingress and other resources, see https://godoc.org/k8s.io/api/networking/v1beta1.
- Create the CRD. Do this one time before you start the operator.
  a. cd /home/ibmadmin/workspace/cs-operators/iam-operator
  b. oc login
  c. kubectl create -f deploy/crds/operator.ibm.com_authentications_crd.yaml
  d. kubectl get crd authentications.operator.ibm.com

  If the CRD changes, delete it and create it again (repeat step c after the delete):

      kubectl delete crd authentications.operator.ibm.com
- Run the operator locally.
  a. cd /home/ibmadmin/workspace/cs-operators/iam-operator
  b. oc login
  c. export OPERATOR_NAME=iam-operator
  d. operator-sdk up local --namespace=<namespace>
- Create a CR, which is an instance of the CRD.
  a. Edit deploy/crds/operator.ibm.com_v1alpha1_authentications_cr.yaml.
  b. kubectl create -f deploy/crds/operator.ibm.com_v1alpha1_authentications_cr.yaml

- Delete the CR and the associated resources that were created.

      kubectl delete authentications example-authentication
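The steps above generate `<kind>_types.go` and a CR file but say nothing about what the controller should do with the CR before it creates Deployments. The following is an added example, not code from the ibm-iam-operator project: it mirrors the shape of a generated `<Kind>Spec` with two assumed fields (`replicas` and `image`; the real CRD defines its own schema), decodes a constructed CR named `example-authentication`, refuses a document of a Kind the controller does not own, and validates the spec as untrusted input before reconciling. It uses only the standard library so it runs without the Kubernetes client packages.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AuthenticationSpec stands in for the <Kind>Spec struct that you edit in
// <kind>_types.go. Both fields are assumptions made for this example.
type AuthenticationSpec struct {
	Replicas int32  `json:"replicas"`
	Image    string `json:"image"`
}

// Metadata and Authentication mirror the part of the CR the controller needs;
// the generated type embeds metav1.TypeMeta and metav1.ObjectMeta instead.
type Metadata struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type Authentication struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Metadata   Metadata           `json:"metadata"`
	Spec       AuthenticationSpec `json:"spec"`
}

// ParseCR decodes a CR document and rejects one whose apiVersion/Kind the
// controller did not register with the Manager.
func ParseCR(doc []byte) (*Authentication, error) {
	var cr Authentication
	if err := json.Unmarshal(doc, &cr); err != nil {
		return nil, fmt.Errorf("decode CR: %w", err)
	}
	if cr.APIVersion != "operator.ibm.com/v1alpha1" || cr.Kind != "Authentication" {
		return nil, fmt.Errorf("unexpected %s/%s", cr.APIVersion, cr.Kind)
	}
	return &cr, nil
}

// ValidateSpec runs the checks a controller should apply before turning a CR
// into Deployments: a CR is user input, so bounds and the image reference are
// enforced rather than trusted. The rules are this example's, not the project's.
func ValidateSpec(spec AuthenticationSpec) error {
	var problems []string
	if spec.Replicas < 1 || spec.Replicas > 10 {
		problems = append(problems, fmt.Sprintf("replicas %d outside 1..10", spec.Replicas))
	}
	// Look at the last path segment so a registry port (host:5000/img) does
	// not count as a tag.
	last := spec.Image[strings.LastIndex(spec.Image, "/")+1:]
	switch {
	case spec.Image == "":
		problems = append(problems, "image must be set")
	case strings.HasSuffix(last, ":latest") || !strings.ContainsAny(last, ":@"):
		// Require a pinned tag or digest so every reconcile deploys the same bits.
		problems = append(problems, "image must be pinned to a tag or digest, not latest")
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

// sampleCR is a constructed CR in JSON form (kubectl accepts YAML and JSON
// interchangeably); the name matches the CR deleted in the last step above.
const sampleCR = `{
  "apiVersion": "operator.ibm.com/v1alpha1",
  "kind": "Authentication",
  "metadata": {"name": "example-authentication", "namespace": "ibm-common-services"},
  "spec": {"replicas": 2, "image": "quay.io/example/iam:1.2.3"}
}`

func main() {
	cr, err := ParseCR([]byte(sampleCR))
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	if err := ValidateSpec(cr.Spec); err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Printf("reconcile %s: %d replicas of %s\n", cr.Metadata.Name, cr.Spec.Replicas, cr.Spec.Image)
}
```

Every field you add to the Spec struct and regenerate into the CRD is a field a cluster user can set, so the validation function is where a controller enforces limits such as the replica range and the pinned image reference shown here.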
The IBM IAM operator service supports running with the OpenShift Container Platform default restricted Security Context Constraints (SCCs). For more information about the OpenShift Container Platform Security Context Constraints, see Managing Security Context Constraints.
The IAM operator does not define any specific pod security requirements and does not ship a custom pod security policy or SCC; the IAM operator service runs under the restricted SCC with a non-root UID.
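To make the restricted-SCC claim checkable before a deploy, the following added example (not part of the ibm-iam-operator project) decodes a pod spec and lists the settings the default restricted SCC refuses: host namespaces, hostPath volumes, privileged containers, added capabilities, and a container running as uid 0. The Go types are a hand-written mirror of the corev1 PodSpec fields involved, so the code runs without the Kubernetes API packages; the uid-range and fsGroup checks that depend on namespace annotations are left out, so this is a subset of the SCC's rules. Both pod specs are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written mirror of the corev1 fields the restricted SCC inspects.
type Capabilities struct {
	Add  []string `json:"add,omitempty"`
	Drop []string `json:"drop,omitempty"`
}

type SecurityContext struct {
	Privileged   *bool         `json:"privileged,omitempty"`
	RunAsUser    *int64        `json:"runAsUser,omitempty"`
	RunAsNonRoot *bool         `json:"runAsNonRoot,omitempty"`
	Capabilities *Capabilities `json:"capabilities,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type Volume struct {
	Name     string                 `json:"name"`
	HostPath map[string]interface{} `json:"hostPath,omitempty"`
}

type PodSpec struct {
	HostNetwork     bool             `json:"hostNetwork,omitempty"`
	HostPID         bool             `json:"hostPID,omitempty"`
	HostIPC         bool             `json:"hostIPC,omitempty"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
	Volumes         []Volume         `json:"volumes,omitempty"`
}

// RestrictedViolations returns one entry per setting the restricted SCC would
// reject. An empty result means the spec passes the checks modelled here.
func RestrictedViolations(spec PodSpec) []string {
	var v []string
	if spec.HostNetwork || spec.HostPID || spec.HostIPC {
		v = append(v, "host namespace requested")
	}
	for _, vol := range spec.Volumes {
		if vol.HostPath != nil {
			v = append(v, "hostPath volume "+vol.Name)
		}
	}
	for _, c := range spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		if sc.Privileged != nil && *sc.Privileged {
			v = append(v, c.Name+": privileged")
		}
		if sc.Capabilities != nil && len(sc.Capabilities.Add) > 0 {
			v = append(v, c.Name+": adds capabilities")
		}
		// A container-level runAsUser overrides the pod-level value.
		var uid *int64
		if spec.SecurityContext != nil {
			uid = spec.SecurityContext.RunAsUser
		}
		if sc.RunAsUser != nil {
			uid = sc.RunAsUser
		}
		if uid != nil && *uid == 0 {
			v = append(v, c.Name+": runs as uid 0")
		}
	}
	return v
}

// Check decodes a pod spec document (JSON here; kubectl also accepts JSON)
// and evaluates it against the rules above.
func Check(doc string) ([]string, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(doc), &spec); err != nil {
		return nil, err
	}
	return RestrictedViolations(spec), nil
}

// compliantPod is what an operator pod that runs under restricted looks like;
// privilegedPod collects the settings restricted rejects. Both are constructed.
const compliantPod = `{
  "securityContext": {"runAsNonRoot": true},
  "containers": [{"name": "iam-operator",
    "securityContext": {"privileged": false, "capabilities": {"drop": ["ALL"]}}}]
}`

const privilegedPod = `{
  "hostNetwork": true,
  "containers": [{"name": "agent",
    "securityContext": {"privileged": true, "runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}}}],
  "volumes": [{"name": "root", "hostPath": {"path": "/"}}]
}`

func main() {
	for _, doc := range []string{compliantPod, privilegedPod} {
		v, err := Check(doc)
		if err != nil {
			fmt.Println("decode error:", err)
			continue
		}
		fmt.Printf("%d violation(s): %v\n", len(v), v)
	}
}
```

Running the check against the manifest of each workload an operator creates is a cheap way to confirm, before the admission controller does, that nothing in the chart or CSV quietly requires a more permissive SCC than the restricted one the page commits to.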