IBM Cloud Operator
With the IBM Cloud Operator, you can provision and bind IBM public cloud services to your Kubernetes cluster in a Kubernetes-native way. The IBM Cloud Operator is based on the Kubernetes custom resource definition (CRD) API so that your applications can create, update, and delete IBM Cloud services from within the cluster by calling Kubnernetes APIs, instead of needing to use several IBM Cloud APIs in addition to configuring your app for Kubernetes.
Table of content
Features
-
Service provisioning: Create any service with any plan that is available in the IBM Cloud catalog.
-
Bindings management: Automatically create Kubernetes secrets in your Kubernetes cluster with the credentials to bind to any provisioned service to the cluster.
Back to top
Upgrading the operator
Follow the instructions for the kind of installation you used: OperatorHub or the curl
installation command.
curl
installation command
To upgrade existing curl
installs, you can reinstall the operator with the curl
installation command.
If your current installation is version 0.1.x or 0.2.x, then follow these steps to complete a successful upgrade.
-
Copy your secrets and configmaps to use the new names.
-
Re-run the curl
installation command to install the latest version.
-
Verify the new operator is running.
kubectl get pods -n ibmcloud-operator-system
-
Verify ibmcloud.ibm.com/v1
Service
versions provision correctly.
-
Delete the old version with kubectl delete ns ibmcloud-operators
.
-
Delete the secrets and configmaps using the old names from step 1.
OperatorHub
To upgrade an OperatorHub installation, use the OpenShift web console to perform the upgrade. If upgrading from the alpha
channel subscription to stable
, follow the additional upgrade instructions below.
Upgrading to version v0.3 or v1.0
IMPORTANT NOTICE: v0.1 and v0.2 used a different naming scheme for secrets and configmaps. Before you update the IBM Cloud Operator, create secret and configmap resources with these names and copy the contents of your previous resources to the new resources. Then, the upgraded operator recognizes and continues to update the resources.
Existing Service
and Binding
resources do not need modification for the upgrade.
Previous names (v0.1 and v0.2) |
Current names (v0.3 and v1.0) |
Description |
secret-ibm-cloud-operator |
ibmcloud-operator-secret |
Secret with the API key, scoped to the namespace. |
config-ibm-cloud-operator |
ibmcloud-operator-defaults |
ConfigMap with the default values for new resources. |
ibm-cloud-operator |
ibmcloud-operator-config |
ConfigMap with the management namespace configuration. |
${namespace}-secret-ibm-cloud-operator |
${namespace}-ibmcloud-operator-secret |
Management namespace Secret with the API key for ${namespace}. |
${namespace}-config-ibm-cloud-operator |
${namespace}-ibmcloud-operator-defaults |
Management namespace ConfigMap with default values for new resources in ${namespace}. |
Tip: Forgot to update the secret and configmap names before upgrading? The operator will not take action on Service and Binding resources until the new secrets and configmaps have been created. Creating these after the upgrade will also work.
OperatorHub stable channel
Continuous updates and bug fixes are provided in the latest stable channel. Subscribing to the stable
channel in OperatorHub means you automatically get the latest updates without breaking backward compatibility.
Changelog
For a list of recent changes, see the releases page.
Back to top
Prerequisites
-
Have an IBM Cloud account.
-
Have a cluster that runs Kubernetes version 1.11 or later (OpenShift 3.11 or later).
-
Install the required command line tools.
-
Log in to your IBM Cloud account from the CLI.
ibmcloud login
-
Target the appropriate resource group (-g
) and default region (-r
) for provisioning services:
ibmcloud target -g default -r us-south
-
If you also want to provision Cloud Foundry services, target the appropriate org
and space
(--cf
).
ibmcloud target --cf
-
Set the Kubernetes context of your CLI to your cluster so that you can run kubectl
commands. For example, if your cluster runs OpenShift, use the oc login
command.
If your cluster is in IBM Cloud Kubernetes Service, run the following command.
ibmcloud ks cluster config -c <cluster_name_or_ID>
To check that your Kubernetes context is set to your cluster, run the following command.
kubectl config current-context
Back to top
Setting up the operator
You can use an installation script to set up the IBM Cloud Operator.
By default, the installation script stores an API key in a Kubernetes secret in your cluster that can be accessed by the IBM Cloud Operator.
Next, the script sets default values that are used to provision IBM Cloud services, like the resource group and region to provision the services in. Later, you can override any default value in the Service
custom resource. Finally, the script deploys the operator in your cluster.
To use your own API key, set the IBMCLOUD_API_KEY
environment variable to the key before running the installation script:
export IBMCLOUD_API_KEY="CUSTOM_API_KEY"
If installed with Operator Hub, the operator will run in the openshift-operators
namespace. Otherwise, it will run in the ibmcloud-operator-system
namespace.
Prefer to create the secrets and defaults yourself? See the IBM Cloud Operator installation guide.
Using a service ID
By default, the installation script creates an IBM Cloud API key that impersonates your user credentials, to use to set up the IBM Cloud Operator. However, you might want to create a service ID in IBM Cloud Identity and Access Managment (IAM). By using a service ID, you can control access for the IBM Cloud Operator without having the permissions tied to a particular user, such as if that user leaves the company. For more information, see the IBM Cloud docs.
-
Create a service ID in IBM Cloud IAM. If possible, do not use spaces in the names for your IAM credentials. When you use the operator binding feature, any spaces are replaced with underscores.
ibmcloud iam service-id-create serviceid-ico -d service-ID-for-ibm-cloud-operator
-
Assign the service ID access to the required permissions to work with the IBM Cloud services that you want the operator to manage. The required permissions vary with each IBM Cloud service. You can also scope an access policy to different regions or resource groups. For example, the following command grants the service ID the Administrator platform role in the default resource group in the US South (Dallas) region. For more information, see the IBM Cloud docs.
ibmcloud iam service-policy-create serviceid-ico --roles Administrator --resource-group-name default --region us-south
-
Create an API key for the service ID.
ibmcloud iam service-api-key-create apikey-ico serviceid-ico -d api-key-for-ibm-cloud-operator
-
Set the API key of the service ID as your CLI environment variable. Now, when you run the installation script, the script uses the service ID's API key. The following command is an example for macOS.
export IBMCLOUD_API_KEY=<apikey-ico-value>
-
Confirm that the API key environment variable is set in your CLI.
echo $IBMCLOUD_API_KEY
-
Follow the prerequisite steps to log in to the IBM Cloud account that owns the service ID.
Back to top
Installing the operator for OpenShift clusters
Before you begin, complete the prerequisite steps to log in to IBM Cloud and your cluster, and optionally set up a service ID API key.
To configure the latest release for OpenShift before installing via the OperatorHub, run the following script:
-
Latest release:
curl -sL https://raw.githubusercontent.com/IBM/cloud-operators/master/hack/configure-operator.sh | bash
-
Specific release: Replace -v 0.0.0
with the specific version that you want to install.
curl -sL https://raw.githubusercontent.com/IBM/cloud-operators/master/hack/configure-operator.sh | bash -s -- -v 0.0.0 store-creds
Back to top
Installing the operator for Kubernetes clusters
Before you begin, complete the prerequisite steps to log in to IBM Cloud and your cluster, and optionally set up a service ID API key.
-
Latest release: To install the latest stable release of the operator, run the following script.
curl -sL https://raw.githubusercontent.com/IBM/cloud-operators/master/hack/configure-operator.sh | bash -s -- install
-
Specific release: Replace -v 0.0.0
with the specific version that you want to install.
curl -sL https://raw.githubusercontent.com/IBM/cloud-operators/master/hack/configure-operator.sh | bash -s -- -v 0.0.0 install
Back to top
Uninstalling the operator
WARNING: This is a destructive operation. The uninstaller deletes the Service
and Binding
CRDs, which deletes the custom resources of those types. If you only want to upgrade to a newer version, only delete the operator's Deployment.
Before you begin, complete the prerequisite steps to log in to IBM Cloud and your cluster.
To remove the operator and all of the associated custom resources, run the following script:
curl -sL https://raw.githubusercontent.com/IBM/cloud-operators/master/hack/configure-operator.sh | bash -s -- remove
Back to top
Using the IBM Cloud Operator
To use the IBM Cloud Operator, create a service instance and then bind the service to your cluster. For more information, see the sample configuration files, user guide, and reference documentation.
Step 1: Creating a service instance
-
To create an instance of an IBM public cloud service, first create a Service
custom resource file. For more options, see the Service properties reference doc.
<SERVICE_CLASS>
is the IBM Cloud service that you want to create. To list IBM Cloud services, run ibmcloud catalog service-marketplace
and use the Name value from the output.
<PLAN>
is the plan for the IBM Cloud service that you want to create, such as free
or standard
. To list available plans, run ibmcloud catalog service <SERVICE_CLASS> | grep plan
.
apiVersion: ibmcloud.ibm.com/v1
kind: Service
metadata:
name: myservice
spec:
plan: <PLAN>
serviceClass: <SERVICE_CLASS>
-
Create the service instance in your cluster.
kubectl apply -f filepath/myservice.yaml
-
Check that your service status is Online in your cluster.
kubectl get services.ibmcloud
NAME STATUS AGE
myservice Online 12s
-
Verify that your service instance is created in IBM Cloud.
ibmcloud resource service-instances | grep myservice
Step 2: Binding the service instance
-
To bind your service to the cluster so that your apps can use the service, create a Binding
custom resource, where the serviceName
field is the name of the Service
custom resource that you previously created. For more options, see Binding properties.
apiVersion: ibmcloud.ibm.com/v1
kind: Binding
metadata:
name: mybinding
spec:
serviceName: myservice
-
Create the binding in your cluster.
kubectl apply -f filepath/mybinding.yaml
-
Check that your service status is Online.
kubectl get bindings.ibmcloud
NAME STATUS AGE
mybinding Online 25s
-
Check that a secret of the same name as your binding is created. The secret contains the service credentials that apps in your cluster can use to access the service.
kubectl get secrets
NAME TYPE DATA AGE
mybinding Opaque 6 102s
Back to top
Using separate IBM Cloud accounts
You can provision IBM Cloud services in separate IBM Cloud accounts from the same cluster. To use separate accounts, update the secrets and configmap in the Kubernetes namespace where you want to create services and bindings.
Tip: Just want to use a different account one time and don't want to manage a bunch of namespaces? You can also specify a different account in the individual service configuration, by overriding the default account context.
- Get the IBM Cloud account details, including account ID, Cloud Foundry org and space, resource group, region, and API key credentials.
- Edit or replace the
ibmcloud-operator-secret
secret in the Kubernetes namespace that you want to use to create services in the account.
- Edit or replace the
ibmcloud-operator-defaults
configmap in the Kubernetes namespace that you want to use to create services in the account.
- Optional: Set up a management namespace so that cluster users with access across namespaces cannot see the API keys for the different IBM Cloud accounts.
Back to top
Setting up a management namespace
By default, the API key credentials and other IBM Cloud account information are stored in a secret and a configmap within each namespace where you create IBM Cloud Operator service and binding custom resources. However, you might want to hide access to this information from cluster users in the namespace. For example, you might have multiple IBM Cloud accounts that you do not want cluster users in different namespaces to know about.
-
Create a management namespace that is named safe
.
kubectl create namespace safe
-
In the namespace where the IBM Cloud Operator runs, create an ibmcloud-operator-config
configmap that points to the safe
namespace.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: ibmcloud-operator-config
namespace: openshift-operators # Or update to the namespace where IBM Cloud Operator is running
labels:
app.kubernetes.io/name: ibmcloud-operator
data:
namespace: safe
EOF
-
Copy the existing or create your own ibmcloud-operator-secret
secrets and ibmcloud-operator-defaults
configmaps from the other Kubernetes namespace into the safe
namespace. Important: You must rename the secrets and configmaps with the following naming convention.
<namespace>-ibmcloud-operator-secret
<namespace>-ibmcloud-operator-defaults
For example, if you have a cluster with three namespaces default
, test
, and prod
:
default-ibmcloud-operator-secret
default-ibmcloud-operator-defaults
test-ibmcloud-operator-secret
test-ibmcloud-operator-defaults
prod-ibmcloud-operator-secret
prod-ibmcloud-operator-defaults
-
Delete the ibmcloud-operator-secret
secrets and ibmcloud-operator-defaults
configmaps in the other Kubernetes namespaces.
Back to top
Reference documentation
Service Properties
A Service
custom resource includes the properties in the following table. Each parameter
value is treated as a raw value by the operator and passed as-is. For more information, see the IBM Cloud Operator user guide.
Parameter |
Required |
Type |
Comments |
serviceClass * |
Yes |
string |
The IBM Cloud service that you want to create. To list IBM Cloud services, run ibmcloud catalog service-marketplace and use the Name value from the output. |
plan * |
Yes |
string |
The plan to use for the service instance, such as free or standard . To use an existing service instance, set to Alias . To list available plans, run `ibmcloud catalog service <SERVICE_CLASS> |
serviceClassType * |
CF only |
string |
Set to CF for Cloud Foundry services. Otherwise, omit this field. |
externalName * |
No |
string |
The name for the service instance in IBM Cloud, such as in the console. |
parameters |
No |
[]Param |
Parameters that are passed in to create the service instance. These parameters vary by service, and can be anything, such as a number, string, or object. |
tags |
No |
[]string |
The IBM Cloud tag to assign the service instance, to help organize your cloud resources such as in the IBM Cloud console. |
context |
No |
Context |
The IBM Cloud account context to use instead of the default account context. |
*
Note: The serviceClass
, plan
, serviceClassType
, and externalName
parameters are immutable. After you set these parameters, you cannot later edit their values. If you do edit the values, the changes are overwritten back to the original values.
Back to top
Binding Properties
A Binding
custom resources includes the properties in the following table. For more information, see the IBM Cloud Operator user guide.
Field |
Required |
Type |
Comments |
serviceName |
Yes |
string |
The name of the Service resource that corresponds to the service instance on which to create credentials for the binding. |
serviceNamespace |
No |
string |
The namespace of the Service resource. |
alias |
No |
string |
The name of existing IBM Cloud credentials to link this binding to. This binding creates a secret for these credentials in the cluster namespace, but cannot modify the existing credentials in IBM Cloud. Note that any spaces are replaced with underscores. |
secretName |
No |
string |
The name of the Secret to be created. If you do not specify a value, the secret is given the same name as the binding. |
role |
No |
string |
The IBM Cloud IAM role to create the credentials to the service instance. Review the each service's documentation for a description of the roles. If you do not specify a role, the IAM Manager service access role is used. If the service does not support the Manager role, the first returned role from the service is used. |
parameters |
No |
[]Any |
Parameters that are passed in to create the create the service credentials. These parameters vary by service, and can be anything, such as an integer, string, or object. |
Back to top
Account context in operator secret and configmap
The IBM Cloud Operator needs an account context, which indicates the API key and the details of the IBM Cloud account to be used for creating services. The API key is stored in a ibmcloud-operator-secret
secret that is created when the IBM Cloud Operator is installed. Account details such as the account ID, Cloud Foundry org and space, resource group, and region are stored in a ibmcloud-operator-defaults
configmap.
When you create an IBM Cloud Operator service or binding resource, the operator checks the namespace that you create the resource in for the secret and configmap. If the the operator does not find the secret and configmap, it checks its own namespace for a configmap that points to a management namespace. Then, the operator checks the management namespace for <namespace>-ibmcloud-operator-secret
secrets and <namespace>-ibmcloud-operator-defaults
configmaps. If no management namespace exists, the operator checks the default
namespace for the ibmcloud-operator-secret
secret and ibmcloud-operator-defaults
configmap.
You can override the account context in the Service
configuration file with the context
field, as described in the following table. You might override the account context if you want to use a different IBM Cloud account to provision a service, but do not want to create separate secrets and configmaps for different namespaces.
Field |
Required |
Type |
Description |
org |
No |
string |
The Cloud Foundry org. To list orgs, run ibmcloud account orgs . |
space |
No |
string |
The Cloud Foundry space. To list spaces, run ibmcloud account spaces . |
region |
No |
string |
The IBM Cloud region. To list regions, run ibmcloud regions . |
resourceGroup |
No |
string |
The IBM Cloud resource group name. You must also include the resourceGroupID . To list resource groups, run ibmcloud resource groups . |
resourceGroupID |
No |
string |
The IBM Cloud resource group ID. You must also include the resourceGroup . To list resource groups, run ibmcloud resource groups . |
resourceLocation |
No |
string |
The location of the resource. |
Back to top
Versions
Review the supported Kubernetes API versions for the following IBM Cloud Operator versions.
Operator version |
Kubernetes API version |
v0.3 or later |
v1 |
v0.2 |
v1beta1 or v1alpha1 |
v0.1 |
v1alpha |
Back to top
Contributing to the project
See Contributing to Cloud Operators
Back to top
Troubleshooting
See the Troubleshooting guide.
Back to top