Installation Process Kubernetes
This will guide you through the installation process of IBM DevOps Solution Workbench.
After the installation has finished successfully, you will have:
- a running instance of Solution Designer
- a running instance of Solution Hub
Please note that both components are not fully configured after the installation.
Roles in the installation process
Kubernetes cluster administrator
The cluster administrator is responsible for:
- Creating projects (namespaces)
- Pushing all Container Images to the Image Registry
- Applying cluster-wide resources
- Installing the IBM DevOps Solution Workbench Operator
Project administrator
The project administrator is responsible for:
- Installing IBM DevOps Solution Workbench
- Installing Envoys on prepared namespaces
- Providing necessary configuration data
Namespaces
You will need different namespaces for different purposes, as described below.
Namespace | Description |
---|---|
k5-tools | The namespace that has the tool setup installed and basic configuration. |
k5-projects | Kubernetes namespaces used as deployment targets. In Solution Designer, they are referred to as deployment targets as they are only used to deploy and execute microservices. In Solution Hub, they are referred to as k5-projects, and in other contexts they may be referred to as Envoys. You need at least one deployment target and can have as many as you prefer. |
imgreg-namespace | If you are using the cluster-internal image registry, you will need an additional namespace just to host the container images. |
Before you begin
Please make sure that all system requirements are met.
In order to install IBM DevOps Solution Workbench, the following requirements must be met on the machine from which the installer is executed:
- You are logged in to the Kubernetes cluster as a user with sufficient rights for the task at hand (`oc login`).
- You have created a `config.json` file for the login to the image registry in the installation folder, like the following (the `auth` value is the base64 encoding of `username:password`):
  ```json
  {"auths":{"my.image.registry.io":{"username":"iamapikey","password":"pw","auth":"aWFtYXBpa2V5OnB3"}}}
  ```
- Your current working directory is set to the directory of the unpacked installer package. The package contains all contents of the IBM DevOps Solution Workbench Operator index image.
Step 0: Choose an image registry
You need to choose an image registry to store the container images that IBM DevOps Solution Workbench is comprised of and that it must be able to pull during installation.
You can choose any OCI-compliant container registry (Red Hat Quay, Harbor, etc.). Whichever registry you choose, make a note of the registry name (the hostname) including the port and any path following it. Wherever the placeholder <YOUR_PRIVATE_REGISTRY> is used in this document, specify the full registry name, e.g. when using the internal registry:
```
image-registry.cloud-image-registry.svc:5000/isw-images # do not use a protocol like docker:// or https://
```
Step 1: Push images to private registry
See also the Red Hat documentation Using Operator Lifecycle Manager on restricted networks and Mirroring images for a disconnected installation.
Introduction
The oc adm catalog mirror command pushes all required container images into your private image registry and creates all Kubernetes resources that are needed to configure the image mirroring and to add the IBM DevOps Solution Workbench Operator to the Operator Hub in your cluster.
Description
Executing the oc adm catalog mirror command pushes all required container images into the specified image registry. You can use your own container image registry with its credentials.
```shell
oc adm catalog mirror file://local/index/isw_release/isw-operator-catalog@DIGEST my.image.registry.io/my_namespace -a ./config.json
```
Please ensure that you are using the latest version that is available in Passport Advantage Online.
Parameters
The oc adm catalog mirror command has the following parameters:
```shell
oc adm catalog mirror SRC DEST -a ./config.json
```
Variable | Description | Example | Default |
---|---|---|---|
SRC | Source files | - | - |
DEST | Target or destination image registry | - | - |
-a, --registry-config | Path to your registry credentials (Optional) | - | - |
--manifests-only | Calculate the manifests required for mirroring, but do not actually mirror image content (Optional) | - | - |
Step 2: Apply cluster resources
Introduction
Custom Resource Definitions
Please apply the following custom resource definitions:
```yaml
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: k5clients.k5.project.operator
spec:
  group: k5.project.operator
  names:
    plural: k5clients
    singular: k5client
    shortNames:
      - k5c
    kind: k5client
    listKind: k5clientList
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: Specification of a k5 client (OIDC client)
              type: object
              required:
                - clientId
                - secretName
              properties:
                associatedRoles:
                  description: >-
                    The roles that are assigned to the service account of this
                    client
                  type: array
                  minItems: 0
                  items:
                    type: string
                clientId:
                  description: The name of the client
                  type: string
                clientTemplate:
                  description: Configuration of the client
                  type: string
                hostname:
                  description: The hostname of the OIDC provider
                  type: string
                realm:
                  description: The realm the client belongs to
                  type: string
                redirectURIs:
                  description: The URIs the client should redirect to
                  type: array
                  x-kubernetes-list-type: set
                  minItems: 0
                  items:
                    type: string
                secretName:
                  description: The secret name the OIDC information is stored in
                  type: string
            status:
              type: object
              properties:
                error:
                  type: string
                success:
                  type: string
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: k5dashboards.k5.project.operator
spec:
  group: k5.project.operator
  names:
    plural: k5dashboards
    singular: k5dashboard
    shortNames:
      - k5d
    kind: k5dashboard
    listKind: k5dashboardList
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - apiVersion
            - kind
            - spec
          properties:
            apiVersion:
              type: string
            kind:
              type: string
            spec:
              description: Detailed specification for the k5dashboard
              type: object
              properties:
                configmap:
                  type: object
                  properties:
                    extra:
                      type: object
                      additionalProperties:
                        type: string
                    logging:
                      type: object
                      additionalProperties:
                        type: string
                    spring:
                      type: object
                      additionalProperties:
                        type: string
                configuration:
                  type: object
                  properties:
                    istio:
                      type: object
                      properties:
                        enabled:
                          type: boolean
                allowHttpOnly:
                  description: Setting for enabling http communication.
                  type: object
                  properties:
                    enabled:
                      type: boolean
                hostname:
                  type: string
                iamHost:
                  type: string
                iamRealm:
                  type: string
                replicaSet:
                  type: integer
                tetheredTo:
                  type: string
                type:
                  type: string
                  enum:
                    - DEV
                    - TEST
                    - STAGE
                    - PROD
            status:
              type: object
              properties:
                error:
                  type: string
                success:
                  type: string
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: k5externalsecrets.k5.config
spec:
  group: k5.config
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          required:
            - spec
          type: object
          properties:
            spec:
              type: object
              properties:
                controllerId:
                  description: The ID of controller instance that manages this K5ExternalSecret.
                    This is needed in case there is more than a KES controller instances within the cluster.
                  type: string
                type:
                  type: string
                  description: >-
                    DEPRECATED: Use spec.template.type
                template:
                  description: Template which will be deep merged without mutating
                    any existing fields into generated secret, can be used to
                    set for example annotations or type on the generated secret
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                backendType:
                  description: >-
                    Determines which backend to use for fetching secrets
                  type: string
                  enum:
                    - secretsManager
                    - systemManager
                    - vault
                    - azureKeyVault
                    - gcpSecretsManager
                    - alicloudSecretsManager
                    - ibmcloudSecretsManager
                    - akeyless
                vaultRole:
                  description: >-
                    Used by: vault
                  type: string
                vaultMountPoint:
                  description: >-
                    Used by: vault
                  type: string
                kvVersion:
                  description: Vault K/V version either 1 or 2, default = 2
                  type: integer
                  minimum: 1
                  maximum: 2
                keyVaultName:
                  description: >-
                    Used by: azureKeyVault
                  type: string
                dataFrom:
                  type: array
                  items:
                    type: string
                data:
                  type: array
                  items:
                    type: object
                    properties:
                      key:
                        description: Secret key in backend
                        type: string
                      name:
                        description: Name set for this key in the generated secret
                        type: string
                      property:
                        description: Property to extract if secret in backend is a JSON object
                        type: string
                      isBinary:
                        description: >-
                          Whether the backend secret shall be treated as binary data
                          represented by a base64-encoded string. You must set this to true
                          for any base64-encoded binary data in the backend - to ensure it
                          is not encoded in base64 again. Default is false.
                        type: boolean
                      path:
                        description: >-
                          Path from SSM to scrape secrets
                          This will fetch all secrets and use the key from the secret as variable name
                        type: string
                      recursive:
                        description: Allow to recurse thru all child keys on a given path, default false
                        type: boolean
                      secretType:
                        description: >-
                          Used by: ibmcloudSecretsManager
                          Type of secret - one of username_password, iam_credentials or arbitrary
                        type: string
                      version:
                        description: >-
                          Used by: gcpSecretsManager
                        type: string
                        x-kubernetes-int-or-string: true
                      versionStage:
                        description: >-
                          Used by: alicloudSecretsManager, secretsManager
                        type: string
                      versionId:
                        description: >-
                          Used by: secretsManager
                        type: string
                    oneOf:
                      - required:
                          - key
                          - name
                      - required:
                          - path
                roleArn:
                  type: string
                  description: >-
                    Used by: alicloudSecretsManager, secretsManager, systemManager
                region:
                  type: string
                  description: >-
                    Used by: secretsManager, systemManager
                projectId:
                  type: string
                  description: >-
                    Used by: gcpSecretsManager
              oneOf:
                - properties:
                    backendType:
                      enum:
                        - secretsManager
                        - systemManager
                - properties:
                    backendType:
                      enum:
                        - vault
                - properties:
                    backendType:
                      enum:
                        - azureKeyVault
                  required:
                    - keyVaultName
                - properties:
                    backendType:
                      enum:
                        - gcpSecretsManager
                - properties:
                    backendType:
                      enum:
                        - alicloudSecretsManager
                - properties:
                    backendType:
                      enum:
                        - ibmcloudSecretsManager
                - properties:
                    backendType:
                      enum:
                        - akeyless
              anyOf:
                - required:
                    - data
                - required:
                    - dataFrom
            status:
              type: object
              properties:
                lastSync:
                  type: string
                status:
                  type: string
                observedGeneration:
                  type: number
      additionalPrinterColumns:
        - jsonPath: .status.lastSync
          name: Last Sync
          type: date
        - jsonPath: .status.status
          name: status
          type: string
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
  names:
    shortNames:
      - k5es
    kind: K5ExternalSecret
    plural: k5externalsecrets
    singular: k5externalsecret
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: k5projects.k5.project.operator
spec:
  group: k5.project.operator
  names:
    plural: k5projects
    singular: k5project
    shortNames:
      - k5p
    kind: k5project
    listKind: k5projectList
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          description: >-
            k5project is an extension for easily enabling projects to run k5
            managed solutions
          type: object
          required:
            - apiVersion
            - kind
            - spec
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            spec:
              description: Specification of k5project settings
              type: object
              required:
                - type
                - stage
                - tetheredTo
                - hostname
                - configuration
              properties:
                configuration:
                  description: General configuration settings for the k5-project
                  type: object
                  properties:
                    configurationManagement:
                      description: >-
                        Settings for the configuration-management that is
                        installed as part of the hub, that is capable for the
                        configuration of the solution deployment pipeline.
                      type: object
                      properties:
                        autoConfiguration:
                          description: >-
                            Automatically setup default configuration values in
                            the configuration management for deploying
                            solutions. Default value is true.
                          type: object
                          properties:
                            enabled:
                              description: >-
                                Whether autoconfiguration should be enabled or
                                not.
                              type: boolean
                    dashboard:
                      description: >-
                        Settings for the k5-dashboard that will be installed as
                        part of the envoy, that is capable of visualizing
                        deployed solutions.
                      type: object
                      properties:
                        configmap:
                          description: >-
                            A generic possibility to pass more configuration
                            values to the dashboard application. Usually there
                            is no need to specify further configurations.
                          type: object
                          properties:
                            extra:
                              description: >-
                                A section containing settings for the behaviour
                                of the application, in the narrower sense all
                                settings that do not fit to the logging or
                                spring section.
                              type: object
                              additionalProperties:
                                type: string
                            logging:
                              description: >-
                                A section containing settings for the logging
                                behaviour of the application.
                              type: object
                              additionalProperties:
                                type: string
                            spring:
                              description: >-
                                A section containing spring boot settings for
                                the behaviour of the application, in the
                                narrower sense the spring.boot framework.
                              type: object
                              additionalProperties:
                                type: string
                        replicaSet:
                          description: >-
                            The number of pods, that should be running the
                            service. Default value is 2.
                          type: integer
                    iam:
                      description: >-
                        Settings for the Identity Access Management of the k5
                        project. This means configuring the OIDC compliant
                        endpoint for securing solutions.
                      type: object
                      required:
                        - host
                        - realm
                      properties:
                        additionalClientRedirectPatterns:
                          description: >-
                            Additional redirect URIs, that should be considered,
                            when the clients are created automatically.
                          type: array
                          minItems: 0
                          items:
                            type: string
                        autoConfiguration:
                          description: >-
                            Autoconfiguration for the iam will try to configure
                            the necessary clients and provides the kubernetes
                            secrets to the project containing the relevant
                            security binding data.
                          type: object
                          properties:
                            enabled:
                              description: >-
                                Whether the autoconfiguration (creating clients
                                in IAM and providing the secrets) will be done
                                automatically.
                              type: boolean
                        host:
                          description: >-
                            The hostname including the protocol that is used as
                            Security Provider (IAM, OIDC compliant).
                          type: string
                        realm:
                          description: >-
                            The realm that is used as Security Provider (IAM,
                            OIDC compliant).
                          type: string
                    istio:
                      description: >-
                        Settings for the Istio service mesh that is used by k5
                        solutions.
                      type: object
                      properties:
                        enabled:
                          description: >-
                            Whether Istio service mesh will be available in the
                            k5 project or not.
                          type: boolean
                        strictMtls:
                          description: >-
                            Whether Istio service mesh will be available in the
                            k5 project with Strict mTLS policy or not.
                          type: boolean
                    kafka:
                      description: >-
                        Settings for the default kafka message system that is
                        used by k5 solutions.
                      type: object
                      properties:
                        enabled:
                          description: >-
                            Whether kafka will be available in the k5 project or
                            not.
                          type: boolean
                    pipelineManager:
                      description: >-
                        Settings for the k5-pipelinemanager that will be
                        installed as part of the envoy, that is capable of
                        administrating pipelines for building and deploying k5
                        solutions.
                      type: object
                      properties:
                        configmap:
                          description: >-
                            A generic possibility to pass more configuration
                            values to the dashboard application. Usually there
                            is no need to specify further configurations.
                          type: object
                          properties:
                            extra:
                              description: >-
                                A section containing settings for the behaviour
                                of the application, in the narrower sense all
                                settings that do not fit to the logging or
                                spring section.
                              type: object
                              additionalProperties:
                                type: string
                            logging:
                              description: >-
                                A section containing settings for the logging
                                behaviour of the application.
                              type: object
                              additionalProperties:
                                type: string
                            spring:
                              description: >-
                                A section containing spring boot settings for
                                the behaviour of the application, in the
                                narrower sense the spring.boot framework.
                              type: object
                              additionalProperties:
                                type: string
                        migrateExistingPipelines:
                          description: >-
                            To migrate all existing pipelines using new custom
                            templates.
                          type: boolean
                        replicaSet:
                          description: >-
                            The number of pods, that should be running the
                            service. Default value is 2.
                          type: integer
                        useDefaultPipelineTemplates:
                          description: >-
                            To use default pipeline template instead of custom
                            templates enable this.
                          type: boolean
                        webhookUrl:
                          description: >-
                            The webhook url that can be used to trigger
                            pipelines during a git push event.
                          type: string
                    schemaRegistry:
                      description: Settings for the Schema Registry of the k5 project.
                      type: object
                      properties:
                        autoConfiguration:
                          description: >-
                            Autoconfiguration for the schemaRegistry will try to
                            configure the necessary information needed for the
                            schema registry.
                          type: object
                          properties:
                            enabled:
                              description: >-
                                Whether the autoconfiguration (schema registry
                                binding) will be done automatically.
                              type: boolean
                        clientId:
                          description: >-
                            The client that is used for the schema registry OIDC
                            configuration.
                          type: string
                        realm:
                          description: >-
                            The realm that is used for the schema registry OIDC
                            configuration.
                          type: string
                        securityEnabled:
                          description: Allows to disable security for the schema registry.
                          type: boolean
                        url:
                          description: >-
                            The hostname including the protocol that is used as
                            Security Provider (IAM, OIDC compliant).
                          type: string
                    truststore:
                      description: >-
                        Settings for the default truststore, that is used by
                        k5-solutions. A truststore contains the certificates for
                        secure ssl communication in a pem format.
                      type: object
                      properties:
                        additionalCertificates:
                          description: >-
                            Specification for further certificates, that should
                            be part of the default truststore. They will be
                            appended regardless of the truststore
                            autoconfiguration. This object contains all
                            certificates in PEM ASCII format, whereby each
                            certificate is specified with its own (json/yaml)
                            key.
                          type: object
                          additionalProperties:
                            type: string
                        autoConfiguration:
                          description: >-
                            Autoconfiguration for the truststore will try to
                            detect the necessary certificates and try to import
                            them automatically to a truststore. By default this
                            feature will not be enabled.
                          type: object
                          properties:
                            enabled:
                              description: >-
                                Whether autoconfiguration should be enabled or
                                not. Please be aware that enabling the
                                truststore autoconfiguration may set the
                                security of your system at risk. Please do not
                                use this for production or high security
                                scenarios.
                              type: boolean
                    validationCrd:
                      description: >-
                        Settings for the default CRD validation for k5
                        solutions.
                      type: object
                      properties:
                        enabled:
                          description: >-
                            Whether CRD validation is enabled or not in the k5
                            solutions.
                          type: boolean
                allowHttpOnly:
                  description: Setting for enabling http communication.
                  type: object
                  properties:
                    enabled:
                      type: boolean
                hostname:
                  description: >-
                    The hostname under which the solutions, that are running in
                    the k5-project will be accessible.
                  type: string
                previousStages:
                  description: >-
                    List with namespaces (previous stage) that a deploy pipeline
                    can use to deploy already built images from a previous
                    stage.
                  type: array
                  minItems: 0
                  items:
                    type: string
                stage:
                  description: >-
                    A freely definable string, that refers to your logical
                    staging name.
                  type: string
                tetheredTo:
                  description: >-
                    The project (namespace) where the base installation of ssob
                    is located. The k5-project will be tethered to this
                    namespace. Tethering means that the accounts of the
                    namespace given in tetheredTo fields also have access to the
                    k5-project. This is for example needed for metering.
                  type: string
                type:
                  description: >-
                    The type of the k5 project. This refers to the type of usage
                    this project is intended for. Possible values are "DEV" for
                    development purposes, "TEST" for testing purposes, "STAGE"
                    for staging purposes and "PROD" for production scenario.
                    Please keep in mind, that this setting also has effects on
                    the license type that is used in this project.
                  type: string
                  enum:
                    - DEV
                    - TEST
                    - STAGE
                    - PROD
            status:
              description: >-
                Status is a object value representing the state of this resource
                that was handled by an operator
              type: object
              properties:
                conditions:
                  type: array
                  minItems: 0
                  items:
                    type: object
                    properties:
                      message:
                        type: string
                      reason:
                        type: string
                      status:
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        type: string
                        enum:
                          - Error
                          - Ready
                errors:
                  type: array
                  minItems: 0
                  items:
                    type: string
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: k5realms.k5.project.operator
spec:
  group: k5.project.operator
  names:
    plural: k5realms
    singular: k5realm
    shortNames:
      - k5r
    kind: k5realm
    listKind: k5realmList
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: Specification for k5 realm settings
              type: object
              required:
                - realmTemplate
              properties:
                hostname:
                  description: The hostname of the OIDC provider
                  type: string
                realm:
                  description: The name of the realm
                  type: string
                realmTemplate:
                  description: >-
                    The configuration of the realm, e.g. setting the roles of
                    the realm
                  type: string
            status:
              type: object
              properties:
                error:
                  type: string
                success:
                  type: string
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: k5topics.k5.project.operator
spec:
  group: k5.project.operator
  names:
    plural: k5topics
    singular: k5topic
    shortNames:
      - k5t
    kind: k5topic
    listKind: k5topicList
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - apiVersion
            - kind
            - spec
          properties:
            apiVersion:
              type: string
            kind:
              type: string
            spec:
              description: Specification of k5 topic settings
              type: object
              required:
                - name
                - bindingName
              properties:
                bindingName:
                  type: string
                name:
                  type: string
                numPartitions:
                  type: integer
                replicationFactor:
                  type: integer
                retentionHours:
                  type: integer
                saslJaasConfigLoginModule:
                  type: string
                saslMechanism:
                  type: string
            status:
              type: object
              properties:
                error:
                  type: string
                success:
                  type: string
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: solutions.sol.rt.cp.knowis.de
spec:
  preserveUnknownFields: false
  group: sol.rt.cp.knowis.de
  names:
    plural: solutions
    singular: solution
    shortNames:
      - sol
    kind: Solution
    listKind: SolutionList
    categories:
      - serving
      - all
  scope: Namespaced
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - apiVersion
            - kind
            - spec
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info:
                https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info:
                https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
              type: string
            spec:
              description: Detailed description of solution.
              type: object
              required:
                - selector
                - descriptor
              properties:
                description:
                  description: An additional description text of the solution.
                  type: string
                descriptor:
                  description: Detailed description of the solution.
                  type: object
                  required:
                    - type
                    - name
                  properties:
                    description:
                      type: string
                    language:
                      type: string
                    apiBindings:
                      description: All used API bindings.
                      type: array
                      items:
                        type: string
                    name:
                      description: The simple name of the solution.
                      type: string
                      pattern: '^[A-Z\-][A-Z0-9\-]{0,25}$'
                    application:
                      description: The application name.
                      type: string
                    pipelineRunName:
                      description: CI pipelineRunName that deployed this solution.
                      type: string
                    commitSha:
                      description: CommitSha of the pipeline who deployed this solution.
                      type: string
                    timestamp:
                      description: >-
                        Date-time information when the solution deployed with
                        UTC+0 timezone.
                      type: string
                      pattern: "^[0-9]{8}-[0-9]{6}-[0-9]{4}$"
                    version:
                      description: Any kind of version information of the solution.
                      type: string
                    links:
                      description: Links of the solution like health check.
                      type: array
                      items:
                        type: object
                        required:
                          - type
                          - url
                        properties:
                          description:
                            description: Additional description of the link.
                            type: string
                          name:
                            description: The name of the path.
                            type: string
                          type:
                            description: Defining the type of the link.
                            type: string
                            enum:
                              - api.docs
                              - swagger.ui
                              - actuator.health
                              - actuator.info
                              - bpm.toolkit
                              - baw.toolkit
                          url:
                            description: The relative path.
                            type: string
                    fullName:
                      description: The display name of the solution.
                      type: string
                    type:
                      description: The relative context path.
                      type: string
                      enum:
                        - CustomSolution
                        - CustomFrameworkSolution
                        - CustomDomainSolution
                        - ManagedDomainSolution
                    solution:
                      description: Solution related specific details.
                      type: object
                      properties:
                        externalBaseUrl:
                          description: External Base URL.
                          type: string
                        internalBaseUrl:
                          description: Internal Base URL.
                          type: string
                    topicBindings:
                      description: All used Topic bindings.
                      type: array
                      items:
                        type: string
                    pipelineId:
                      description: >-
                        CI pipelineId that deployed this solution (replaced by
                        pipelineRunName).
                      type: string
                selector:
                  description: >-
                    The selector to address all related resources of the
                    solution.
                  type: object
                  properties:
                    matchLabels:
                      type: object
                      properties:
                        sol.rt.cp.knowis.de/name:
                          type: string
            status:
              description: Detailed information about the status of the solution
              type: object
              properties:
                deploymentStage:
                  description: The current deployment stage of the solution.
                  type: string
                  enum:
                    - Starting
                    - PreMigration
                    - DataMigration
                    - Interims
                    - DataCleanup
                    - Complete
                deploymentTimestamp:
                  description: Time of deployment of the solution.
                  type: string
                  format: date-time
      additionalPrinterColumns:
        - name: Acronym
          type: string
          description: The name of the solution
          jsonPath: .spec.descriptor.name
        - name: FullName
          type: string
          description: The full name of the solution
          jsonPath: .spec.descriptor.fullName
        - name: Type
          type: string
          description: The type of the solution
          jsonPath: .spec.descriptor.type
        - name: Version
          type: string
          description: The release version of the solution
          jsonPath: .spec.descriptor.pipelineRunName
```
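To check a k5project manifest against the k5projects schema above before applying it, and to flag the settings whose own CRD descriptions call them risky (truststore autoconfiguration in production, plain-http access, Istio without strict mTLS, schema registry with security disabled, an IAM host without https), here is an added validator; it is example code, not part of the product. It takes the manifest as the dict that yaml.safe_load would return, and the namespace and host names in the sample are constructed.

```python
"""Validate a k5project manifest against the k5projects CRD and lint it.

Added example, not part of the IBM documentation or product. The manifest
is passed as the dict yaml.safe_load would return, so this runs offline.
"""

REQUIRED_SPEC = ("type", "stage", "tetheredTo", "hostname", "configuration")
PROJECT_TYPES = ("DEV", "TEST", "STAGE", "PROD")
REQUIRED_IAM = ("host", "realm")          # spec.configuration.iam.required


def _get(obj, *path):
    """Walk a nested dict; return None if any key along the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def schema_errors(manifest):
    """Return the CRD schema violations found (an empty list means valid)."""
    errors = []
    if manifest.get("apiVersion") != "k5.project.operator/v1":
        errors.append("apiVersion must be k5.project.operator/v1")
    if manifest.get("kind") != "k5project":
        errors.append("kind must be k5project")
    spec = manifest.get("spec")
    if not isinstance(spec, dict):
        return errors + ["spec is required"]
    for field in REQUIRED_SPEC:
        if field not in spec:
            errors.append(f"spec.{field} is required")
    if "type" in spec and spec["type"] not in PROJECT_TYPES:
        errors.append(f"spec.type must be one of {PROJECT_TYPES}")
    iam = _get(spec, "configuration", "iam")
    if iam is not None:                    # iam is optional, but if present
        for field in REQUIRED_IAM:         # host and realm are required
            if field not in iam:
                errors.append(f"spec.configuration.iam.{field} is required")
    return errors


def security_findings(manifest):
    """Return findings for settings that weaken the deployment target.

    Each rule is taken from a CRD description on this page: truststore
    autoconfiguration is documented as not for production, allowHttpOnly
    enables plain http, strictMtls and securityEnabled switch protections
    off, and iam.host is documented to include the protocol.
    """
    spec = manifest.get("spec", {})
    cfg = spec.get("configuration", {})
    findings = []
    if spec.get("type") == "PROD" and \
            _get(cfg, "truststore", "autoConfiguration", "enabled") is True:
        findings.append("truststore.autoConfiguration.enabled=true in a PROD project")
    if _get(spec, "allowHttpOnly", "enabled") is True:
        findings.append("allowHttpOnly.enabled=true permits unencrypted http traffic")
    if _get(cfg, "istio", "enabled") is True and \
            _get(cfg, "istio", "strictMtls") is not True:
        findings.append("istio enabled without strictMtls=true")
    if _get(cfg, "schemaRegistry", "securityEnabled") is False:
        findings.append("schemaRegistry.securityEnabled=false disables registry auth")
    host = _get(cfg, "iam", "host") or ""
    if host and not host.startswith("https://"):
        findings.append(f"iam.host does not use https: {host}")
    return findings


# Constructed sample manifest for a production deployment target.
SAMPLE_K5PROJECT = {
    "apiVersion": "k5.project.operator/v1",
    "kind": "k5project",
    "metadata": {"name": "k5-prod", "namespace": "k5-prod"},
    "spec": {
        "type": "PROD",
        "stage": "prod",
        "tetheredTo": "k5-tools",
        "hostname": "apps.example.test",
        "configuration": {
            "iam": {"host": "https://iam.example.test", "realm": "k5"},
            "istio": {"enabled": True, "strictMtls": True},
            "truststore": {"autoConfiguration": {"enabled": True}},
        },
    },
}

if __name__ == "__main__":
    print("schema errors:", schema_errors(SAMPLE_K5PROJECT))
    print("findings:", security_findings(SAMPLE_K5PROJECT))
```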
Aggregate Roles
Please apply the following roles:
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k5.knowis.com-v1-admin
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - k5.project.operator
    resources:
      - k5clients
      - k5dashboards
      - k5pipelinemanagers
      - k5projects
      - k5realms
      - k5topics
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - k5.config
    resources:
      - k5externalsecrets
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - k5.config
    resources:
      - k5externalsecrets/status
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k5.knowis.com-v1-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
rules:
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - k5.project.operator
    resources:
      - k5clients
      - k5dashboards
      - k5pipelinemanagers
      - k5projects
      - k5realms
      - k5topics
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - k5.config
    resources:
      - k5externalsecrets
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k5.knowis.com-v1-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: 'true'
rules:
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - k5clients.k5.project.operator
      - k5dashboards.k5.project.operator
      - k5externalsecrets.k5.config
      - k5pipelinemanagers.k5.project.operator
      - k5projects.k5.project.operator
      - k5realms.k5.project.operator
      - k5topics.k5.project.operator
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - k5.project.operator
    resources:
      - k5clients
      - k5dashboards
      - k5pipelinemanagers
      - k5projects
      - k5realms
      - k5topics
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - k5.config
    resources:
      - k5externalsecrets
```
Create the pull secret
- Create an image pull secret in your installation namespace with the Secret name ibm-entitlement-key (the default name of the expected image pull secret) and the following values: registry server address, username, password.
Step 4: Install Operator
Introduction
After pushing all needed images into your image registry and configuring the image mirroring, you can install the IBM DevOps Solution Workbench Operator.
If you did not install Tekton before, you need to apply the workaround described in Tekton Workaround.
Apply the following resources to deploy the installation operator:
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: isw-controller-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      creationTimestamp: null
      labels:
        control-plane: controller-manager
    spec:
      restartPolicy: Always
      serviceAccountName: isw-controller-manager
      imagePullSecrets:
        - name: ibm-entitlement-key
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 10
      securityContext:
        runAsNonRoot: true
      containers:
        - resources:
            limits:
              cpu: 500m
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 64Mi
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          terminationMessagePath: /dev/termination-log
          name: manager
          command:
            - /manager
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 15
            timeoutSeconds: 1
            periodSeconds: 20
            successThreshold: 1
            failureThreshold: 3
          env:
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: 'metadata.annotations[''olm.targetNamespaces'']'
            - name: OPERATOR_CONDITION_NAME
              value: ibm-k5.v1.12.0
          securityContext:
            allowPrivilegeEscalation: false
          imagePullPolicy: IfNotPresent
          terminationMessagePolicy: File
          image: 'de.icr.io/isw_release/isw-operator-controller@sha256:993a6337e10d26f3178a6a9846915accafef6e314284305fe058745ba03a7a85'
          args:
            - '--leader-elect'
      serviceAccount: isw-controller-manager
      dnsPolicy: ClusterFirst
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 1
  progressDeadlineSeconds: 600
```
Step 5: Create an ISW Resource to install the product
Introduction
After the successful installation of the Operator, you can install the product by creating an ISW Resource.
Description
Open the installed Operator in your namespace, go to ISW and create a new Resource (see also Configure ISW Custom Resource):
apiVersion: k5.ibm.com/v1beta1
kind: ISW
metadata:
name: k5-tools
namespace: k5-tools
spec:
designer:
enabled: true
domain: apps.host.my.cloud
license:
accept: true
privateRegistry: <YOUR_PRIVATE_REGISTRY, e.g. us.icr.io/my_namespace>
Parameters
Variable | Description | Required | Default |
---|---|---|---|
designer.enabled | Enables or disables the Solution Designer | no | true |
domain | The ingress domain which is used to create routes. It can be retrieved by calling oc get ingresses.config/cluster -o jsonpath={.spec.domain} | yes | - |
license.accept | A value that confirms that you accept the license | yes | - |
privateRegistry | Your private image registry to pull all the uploaded images from, e.g. us.icr.io/my_namespace | yes | - |
values | A set of values to configure the installation | no | - |
Step 6: Validate the installation
To validate the results of the previous installation steps, you can check the status.conditions of your created ISW CustomResource. If there is an Available condition with status True, the installation was successful:
status:
  conditions:
    - lastTransitionTime: '2025-06-06T10:00:00Z'
      message: Deployed version 5.0.0
      reason: Deployed
      status: 'True'
      type: Available
  endpoints:
    - name: solution-hub
      scope: External
      type: UI
      uri: 'https://k5-hub-release.apps.cluster.my.cloud/'
    - name: solution-designer
      scope: External
      type: UI
      uri: 'https://k5-designer-release.apps.cluster.my.cloud/'
  versions:
    - name: operator
      version: 1.5.0
    - name: ISW
      version: '5.0.0'
The status also provides the links to Solution Hub and Solution Designer; check the URIs in status.endpoints.
Solution Hub and Solution Designer are not fully functional until you have configured the product, see Next steps.
Next steps
After the successful installation of IBM DevOps Solution Workbench, you can go on to configure the product, which is a mandatory step.
You must also review the configuration of Network Policies. Unless the EgressNetworkPolicy is disabled or configured, IBM DevOps Solution Workbench cannot work.
Troubleshooting
CrashLoopBackOff - missing CRD
If the operator is in CrashLoopBackOff, check the logs of the pod. If the logs indicate that the EgressNetworkPolicy does not exist, see Network Policies.
k5 clone is not working on macOS (base64 issue)
If the k5 clone command fails on macOS like this:
k5 clone -s MYSOLUTION -p "my-git"
========= Cloning Solution to filesystem =================================================
--------- > Authenticating ---------------------------------------------------------------
--------- > Cloning Solution from Solution Git Repository --------------------------------
Cloning into '/dev/MYSOLUTION'...
fatal: unable to access 'https://my-git/MYSOLUTION.git/': error setting certificate verify locations:
CAfile: /Users/MyUser/.k5/k5-cli/default/designtime.ca.crt
CApath: /Users/MyUser/.k5/k5-cli/default
[ERROR] Cloning failed, removing directory: /dev/MYSOLUTION
Then verify that the file /Users/MyUser/.k5/k5-cli/default/designtime.ca.crt contains properly base64 encoded values only. To do so, open the file and verify that no line between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- exceeds 64 characters. For a manual, local fix you can re-break the lines after 64 characters and verify that this solves the issue.
To fix it generally, the value of global.truststore.trustMap.identity must be adjusted in the same way. Afterwards the k5 setup must be reset by downloading the designtime.config.json and executing k5 setup --file ./cli-config.json.
How to analyze JWT in case of unauthorized responses
If a request is rejected and the response contains invalid_token, it helps to decode the JWT itself, for example with jwt.io. This makes it easier to see whether the JWT is decodable and what content it carries, and to understand what might cause the unexpected rejection.
Understanding the reason for "The iss claim is not valid"
If a request is rejected and the response contains invalid_token together with The iss claim is not valid, the JWT was created by an OIDC provider using a different issuer URL than the configured one.
Decode the JWT, for example with jwt.io, and check the value of iss. It must be identical to the issuer configured as described in configuring the OIDC provider for solutions and configuring deployment targets.
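As an added example for both the decoding step and the iss comparison above (not part of the original documentation), this POSIX shell snippet decodes the JWT payload locally instead of pasting the token into jwt.io and compares its iss claim with the configured issuer URL. The token and both issuer URLs are constructed, and the signature is not verified.

```shell
#!/bin/sh
# Added example: decode a JWT payload locally and compare its iss claim with the
# issuer URL configured for the OIDC provider. No signature check is done; this is
# purely a debugging aid for the invalid_token / "iss claim is not valid" case.

# jwt_claim TOKEN CLAIM: print the string value of CLAIM from the token's payload
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits the '=' padding; restore it before decoding
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# check_issuer TOKEN EXPECTED_ISS: exit 0 if iss matches the configured issuer, 1 otherwise
check_issuer() {
  iss=$(jwt_claim "$1" iss)
  if [ "$iss" = "$2" ]; then
    echo "iss OK: $iss"
    return 0
  fi
  echo "iss mismatch: token was issued by '$iss', configured issuer is '$2'" >&2
  return 1
}

# b64url: base64url-encode stdin, used only to build the constructed sample token
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Constructed sample: an unsigned (alg none) token from a different realm than the configured one
CONFIGURED_ISS="https://keycloak.example/realms/k5"
SAMPLE_JWT="$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url).$(printf '%s' '{"iss":"https://keycloak.example/realms/other","sub":"alice","aud":"k5"}' | b64url)."

jwt_claim "$SAMPLE_JWT" iss
check_issuer "$SAMPLE_JWT" "$CONFIGURED_ISS" || true
```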