How do I easily install and use IBM License Service?
PDF VERSION: https://community.ibm.com/community/user/automation/viewdocument/how-do-i-easily-install-and-use-ibm?CommunityKey=c0005a22-520b-4181-bfad-feffd8bdc022&tab=librarydocuments
Last updated: February the 9th, 2024
Target audience: IT/DevOps administrating ODM Cluster
Estimated duration: 60 minutes
This article is part of an article series around Operational Decision Manager (ODM) on Certified Kubernetes. For more information about ODM environments and the topologies, see our ODM topologies blog entries.
Introduction
ODM customers interested in migrating to latest ODM versions will have to comply with the new Common Services architecture introduced in 4.0. Indeed, IBM License Service has become a standalone singleton which requires a unique installation per cluster.
There are several installation paths depending on your context. Before getting to the core of this article, you will find the parameters which will help you decide what is the best installation path for you. Mainly, this article will provide installation execution details describing each installation path.
Which installation is best for me?
The ODM edition as well as the cluster type are the parameters which will make you choose the best way to install the IBM License Service.
If you use ODM as a capability part of the Cloud Pak for Business Automation, hence deploying on Red Hat OpenShift (OCP), then you can rely on the installation scripts provided in the Cloud Pak CASE package.
Else if you use ODM on Certified Kubernetes and you are deploying ODM on OCP, then you can rely on the installation scripts provided in the Common Services 4.x CASE package.
Finally, if you use ODM on Certified Kubernetes and you are deploying ODM on other Certified Kubernetes editions, you can rely on the installation procedure described in the documentation.
Let’s explore those installation paths…
Installing IBM License Service using Cloud Pak Business Automation CASE package scripts on OCP
In the context of the Cloud Pak for Business Automation, the IBM License Service installation is included in the cluster preparation process which is described in this section: https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/23.0.2?topic=deployment-option-1-preparing-your-cluster-online
The installation can be split into two steps: retrieving the scripts and then running them.
How to get the CASE package?
The very first step is to retrieve the scripts which are contained in the Cloud Pak for Business Automation CASE package, in the “cert-kubernetes” repository. For more information about downloading “cert-kubernetes” repository, see Preparing a client to connect to the cluster.
|
wget https://github.com/IBM/cloud-pak/raw/master/repo/case/ibm-cp-automation/5.1.0/ibm-cp-automation-5.1.0.tgz
|
After downloading the TAR file, you need to extract the “cert-kubernetes” repository.
|
cd ibm-cp-automation/inventory
cd cp4aOperatorSdk/files/deploy/crs
tar -xvf cert-k8s-.tar
|
Run the installation script:
“cp4a-clusteradmin-setup.sh” is the script to focus on. This script is located in the CASE package in the “ibm-cp-automation/inventory/cp4aOperatorSdk/files/deploy/crs/cert-kubernetes/descriptors/op-olm” folder.
The script will handle IBM License Service and other prerequisites setup. The script is smart enough to either install from scratch or upgrade any existing instances. And then, it continues with other mandatory cluster setup actions.
The following steps are described in the instructions in this documentation page.
In case of fresh installation, the following message is displayed:
|
...
[INFO] Applying the latest IBM CP4BA Operator catalog source...
[✔] IBM CP4BA Operator catalog source Updated!
[INFO] Starting to install IBM Cert Manager and IBM Licensing Operator ...
[✔] ibm-licensing-catalog/ibm-cert-manager-catalog pod ready!
[✔] oc command available
[✔] <my_path>/cert-kubernetes/scripts/cpfs/yq/amd64/yq command available
[✔] oc command logged in as <my_admin>
[✔] Channel v4.2 is valid
[INFO] Major version is greater than 3, skipping delegation check
# Check migrating LTSR ibm-licensing-operator
[INFO] There is no LTSR ibm-licensing-operator to migrate, skipping
# Check migrating and deactivating LTSR ibm-cert-manager-operator
[INFO] No cert-manager-webhook found, skipping migration
# Validate CatalogSource for operator ibm-cert-manager-operator in ibm-cert-manager namespace
[✔] CatalogSource ibm-cert-manager-catalog from openshift-marketplace CatalogSourceNamespace is available for ibm-cert-manager-operator in ibm-cert-manager namespace
# Validate CatalogSource for operator ibm-licensing-operator-app in ibm-licensing namespace
[✔] CatalogSource ibm-licensing-catalog from openshift-marketplace CatalogSourceNamespace is available for ibm-licensing-operator-app in ibm-licensing namespace
# Installing cert-manager
# Checking whether Namespace ibm-cert-manager exist...
[INFO] Creating namespace ibm-cert-manager
namespace/ibm-cert-manager created
[INFO] Waiting for project ibm-cert-manager to be created
[✔] Project ibm-cert-manager is created
# Checking whether OperatorGroup in ibm-cert-manager exist...
[INFO] Creating following OperatorGroup:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: ibm-cert-manager-operator
namespace: ibm-cert-manager
spec: {}
operatorgroup.operators.coreos.com/ibm-cert-manager-operator created
[INFO] Creating following Subscription:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: ibm-cert-manager-operator
namespace: ibm-cert-manager
spec:
channel: v4.2
installPlanApproval: Automatic
name: ibm-cert-manager-operator
source: ibm-cert-manager-catalog
sourceNamespace: openshift-marketplace
subscription.operators.coreos.com/ibm-cert-manager-operator created
[INFO] Waiting for operator ibm-cert-manager-operator CSV in namespace ibm-cert-manager to be bound to Subscription
[✔] Operator ibm-cert-manager-operator CSV in namespace ibm-cert-manager is bound to Subscription
[INFO] Waiting for operator ibm-cert-manager-operator in namespace ibm-cert-manager to be made available
[✔] Operator ibm-cert-manager-operator in namespace ibm-cert-manager is available
# Accepting license for certmanagerconfig.operator.ibm.com default in namespace ...
certmanagerconfig.operator.ibm.com/default patched
[✔] License accepted for certmanagerconfig.operator.ibm.com default
# Installing licensing
[✗] There is an ibm-licensing-operator-app Subscription already, so will upgrade it
# Checking whether Namespace ibm-licensing exist...
[✔] Namespace ibm-licensing already exists. Skip creating
# Checking whether OperatorGroup in ibm-licensing exist...
[✔] OperatorGroup already exists in ibm-licensing. Skip creating
# Updating ibm-licensing-operator-app in namesapce ibm-licensing...
[INFO] v4.0 is less than v4.2
[INFO] catalogsource ibm-licensing-catalog is the same as ibm-licensing-catalog
[INFO] ibm-licensing-operator-app is ready for updating the subscription.
subscription.operators.coreos.com/ibm-licensing-operator-app configured
[✔] Successfully patched subscription ibm-licensing-operator-app in ibm-licensing
[INFO] Waiting for operator ibm-licensing-operator-app to be upgraded
[✔] Operator ibm-licensing-operator-app is upgraded to latest version in channel v4.2
[INFO] Waiting for operator ibm-licensing-operator-app CSV in namespace ibm-licensing to be bound to Subscription
[✔] Operator ibm-licensing-operator-app CSV in namespace ibm-licensing is bound to Subscription
[INFO] Waiting for operator ibm-licensing-operator in namespace ibm-licensing to be made available
[✔] Operator ibm-licensing-operator in namespace ibm-licensing is available
[INFO] Waiting for ibmlicensing instance to be present.
[✔] ibmlicensing instance present
# Accepting license for ibmlicensing instance in namespace ...
ibmlicensing.operator.ibm.com/instance patched
[✔] License accepted for ibmlicensing instance
[INFO] Waiting for IBM Cert Manager Operator ready...
...
[✔] IBM Cert Manager Operator is running:
[INFO] Pod: cert-manager-controller-748f6f88b6-7s7zh
cert-manager-webhook-56d57b8f8f-hxg27
cert-manager-cainjector-bc587c95-5zk4h
ibm-cert-manager-operator-d8879b9f9-w4j5p
[INFO] Waiting for IBM Licensing Operator ready...
[✔] IBM Licensing Operator is running:
[INFO] Pod: ibm-licensing-operator-7dcd5495cb-mg9hk
ibm-licensing-service-instance-67489f8b4f-bqqj6
...
|
At this point, IBM License Service is up and running in your cluster. To verify the installation and its status, go to the verification section.
Installing IBM License Service using IBM Cloud Pak foundational services CASE package scripts on OCP
The IBM License Service is part IBM Cloud Pak foundational services. Its installation can be done using this specific CASE package.
The whole installation procedure is explained in this documentation page: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.2?topic=manager-installing-cert-licensing-by-script .
The installation can be split into several steps which are details in the next sections.
Create the catalog source:
This can be done using the OCP console UI.
1. Log in the OCP console
2. Create the Common Services 4.2 Catalog source:
3. Create the License Service Catalog source:
4. Verify that the source container is ready in project “openshift-marketplace”: 
Download the CASE package
The very first step is to retrieve the scripts which are contained in the IBM Cloud Pak foundational services CASE package, in the “installer_scripts” folder. For more information about downloading the “installer_scripts” folder, see Downloading scripts for additional configuration from specific version CASE bundle.
|
export CASE_VERSION=4.2.0
|
After setting the CASE version, you need to download the TAR file.
|
|
After downloading the TAR file, you need to extract the “installer_scripts” folder.
|
tar -xvzf ibm-cp-common-services-$CASE_VERSION.tgz
cd ibm-cp-common-services/inventory/ibmCommonServiceOperatorSetup/installer_scripts
|
Run the setup command
The script will handle both the IBM Cert Manager and the IBM License Service installation on the cluster.
The script requires the availability of “yq” tool (lightweight and portable command-line YAML processor) and being logged to your cluster. To check those:
If the prerequisites are not met, please review the prerequisite of the previous steps: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.2?topic=co-downloading-scripts-additional-configuration-from-specific-version-case-bundle
Various cases are described in this part of the documentation. This article will focus on a fresh installation of Cert Manager and Licensing using this command line:
|
./setup_singleton.sh --license-accept --enable-licensing
|
Sample output of the installation command:
|
[✔] oc command available
[✔] yq command available
[✔] oc command logged in as <my_admin>
[✔] Channel v4.2 is valid
[INFO] Major version is greater than 3, skipping delegation check
# Check migrating LTSR ibm-licensing-operator
[INFO] No LTSR ibm-licensing-operator to migrate, skipping
# Check migrating and deactivating LTSR ibm-cert-manager-operator
[INFO] LTSR ibm-cert-manager-operator already deactivated, skipping
# Validate CatalogSource for operator ibm-cert-manager-operator in ibm-cert-manager namespace
[✔] CatalogSource ibm-cert-manager-catalog from openshift-marketplace CatalogSourceNamespace is available for ibm-cert-manager-operator in ibm-cert-manager namespace
# Validate CatalogSource for operator ibm-licensing-operator-app in ibm-licensing namespace
[✔] CatalogSource ibm-licensing-catalog from openshift-marketplace CatalogSourceNamespace is available for ibm-licensing-operator-app in ibm-licensing namespace
# Installing cert-manager
[✗] There is a cert-manager Subscription already
[✗] There is a cert-manager-webhook pod Running, so most likely another cert-manager is already installed
[INFO] Continue to upgrade check
[INFO] Upgrading ibm-cert-manager-operator to channel: v4.2
# Checking whether Namespace ibm-cert-manager exist...
[✔] Namespace ibm-cert-manager already exists. Skip creating
# Checking whether OperatorGroup in ibm-cert-manager exist...
[✔] OperatorGroup already exists in ibm-cert-manager. Skip creating
# Updating ibm-cert-manager-operator in namesapce ibm-cert-manager...
[INFO] v4.2 is equal to v4.2
[INFO] catalogsource ibm-cert-manager-catalog is the same as ibm-cert-manager-catalog
[INFO] ibm-cert-manager-operator has already updated channel v4.2 and catalogsource ibm-cert-manager-catalog in the subscription.
subscription.operators.coreos.com/ibm-cert-manager-operator configured
[✔] Successfully patched subscription ibm-cert-manager-operator in ibm-cert-manager
[INFO] Waiting for operator ibm-cert-manager-operator to be upgraded
[✔] Operator ibm-cert-manager-operator is upgraded to latest version in channel v4.2
[INFO] Waiting for operator ibm-cert-manager-operator CSV in namespace ibm-cert-manager to be bound to Subscription
[✔] Operator ibm-cert-manager-operator CSV in namespace ibm-cert-manager is bound to Subscription
[INFO] Waiting for operator ibm-cert-manager-operator in namespace ibm-cert-manager to be made available
[✔] Operator ibm-cert-manager-operator in namespace ibm-cert-manager is available
# Accepting license for certmanagerconfig.operator.ibm.com default in namespace ...
certmanagerconfig.operator.ibm.com/default patched (no change)
[✔] License accepted for certmanagerconfig.operator.ibm.com default
# Installing licensing
# Checking whether Namespace ibm-licensing exist...
[INFO] Creating namespace ibm-licensing
namespace/ibm-licensing created
[INFO] Waiting for project ibm-licensing to be created
[✔] Project ibm-licensing is created
# Checking whether OperatorGroup in ibm-licensing exist...
[INFO] Creating following OperatorGroup:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: ibm-licensing-operator-app
namespace: ibm-licensing
spec:
targetNamespaces:
- ibm-licensing
operatorgroup.operators.coreos.com/ibm-licensing-operator-app created
[INFO] Creating following Subscription:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: ibm-licensing-operator-app
namespace: ibm-licensing
spec:
channel: v4.2
installPlanApproval: Automatic
name: ibm-licensing-operator-app
source: ibm-licensing-catalog
sourceNamespace: openshift-marketplace
subscription.operators.coreos.com/ibm-licensing-operator-app created
[INFO] Waiting for operator ibm-licensing-operator-app CSV in namespace ibm-licensing to be bound to Subscription
[✔] Operator ibm-licensing-operator-app CSV in namespace ibm-licensing is bound to Subscription
[INFO] Waiting for operator ibm-licensing-operator in namespace ibm-licensing to be made available
[✔] Operator ibm-licensing-operator in namespace ibm-licensing is available
[INFO] Waiting for ibmlicensing instance to be present.
[✔] ibmlicensing instance present
# Accepting license for ibmlicensing instance in namespace ...
ibmlicensing.operator.ibm.com/instance patched (no change)
[✔] License accepted for ibmlicensing instance
|
At this point, IBM License Service is up and running in your cluster. To verify the installation and its status, go to the verification section.
Installing IBM License Service on other Certified Kubernetes
When deploying ODM on Certified Kubernetes, the end user still needs to install IBM License Service once per cluster.
The installation process is fully described in the documentation: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.2?topic=service-installing-license-kubernetes-cluster
The next sections will describe a sample installation on an Amazon Elastic Kubernetes Service (EKS) cluster instance in command line.
Install the Operator Lifecycle Manager (OLM)
Make sure to be connected to your cluster beforehand:
|
> kubectl get node
NAME STATUS ROLES AGE
ip-<ip_address>.<region>.compute.internal Ready <none> 23h
ip-<ip_address>.<region>.compute.internal Ready <none> 23h
ip-<ip_address>.<region>.compute.internal Ready <none> 23h
|
Once connected to your cluster, make sure OLM is not already installed:
|
> kubectl get crd clusterserviceversions.operators.coreos.com
Error from server (NotFound): customresourcedefinitions.apiextensions.k8s.io "clusterserviceversions.operators.coreos.com" not found
|
To install OLM, please run the following command:
|
> olm_version=0.16.1
> curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/${olm_version}/install.sh | bash -s ${olm_version}
customresourcedefinition.apiextensions.k8s.io/catalogsources.operators.coreos.com created
customresourcedefinition.apiextensions.k8s.io/clusterserviceversions.operators.coreos.com created
customresourcedefinition.apiextensions.k8s.io/installplans.operators.coreos.com created
customresourcedefinition.apiextensions.k8s.io/operatorgroups.operators.coreos.com created
customresourcedefinition.apiextensions.k8s.io/operators.operators.coreos.com created
customresourcedefinition.apiextensions.k8s.io/subscriptions.operators.coreos.com created
customresourcedefinition.apiextensions.k8s.io/catalogsources.operators.coreos.com condition met
customresourcedefinition.apiextensions.k8s.io/clusterserviceversions.operators.coreos.com condition met
customresourcedefinition.apiextensions.k8s.io/installplans.operators.coreos.com condition met
customresourcedefinition.apiextensions.k8s.io/operatorgroups.operators.coreos.com condition met
customresourcedefinition.apiextensions.k8s.io/operators.operators.coreos.com condition met
customresourcedefinition.apiextensions.k8s.io/subscriptions.operators.coreos.com condition met
namespace/olm created
namespace/operators created
serviceaccount/olm-operator-serviceaccount created
clusterrole.rbac.authorization.k8s.io/system:controller:operator-lifecycle-manager created
clusterrolebinding.rbac.authorization.k8s.io/olm-operator-binding-olm created
deployment.apps/olm-operator created
deployment.apps/catalog-operator created
clusterrole.rbac.authorization.k8s.io/aggregate-olm-edit created
clusterrole.rbac.authorization.k8s.io/aggregate-olm-view created
operatorgroup.operators.coreos.com/global-operators created
operatorgroup.operators.coreos.com/olm-operators created
clusterserviceversion.operators.coreos.com/packageserver created
catalogsource.operators.coreos.com/operatorhubio-catalog created
Waiting for deployment "olm-operator" rollout to finish: 0 of 1 updated replicas are available...
deployment "olm-operator" successfully rolled out
deployment "catalog-operator" successfully rolled out
Package server phase: InstallReady
Package server phase: Succeeded
deployment "packageserver" successfully rolled out
|
At this stage you should have OLM up and running:
|
> kubectl get crd clusterserviceversions.operators.coreos.com
NAME CREATED AT
clusterserviceversions.operators.coreos.com 2024-01-19T09:47:28Z
|
Create the CatalogSource
The catalog source is created in a global catalog namespace. To find out whether you already have one on your cluster, run the following command:
|
> olm_namespace=$(kubectl get csv --all-namespaces -l olm.version -o jsonpath="{.items[?(@.metadata.name=='packageserver')].metadata.namespace}")
> GLOBAL_CATALOG_NAMESPACE=$(kubectl get deployment --namespace="${olm_namespace}" packageserver -o yaml | grep -A 1 -i global-namespace | tail -1 | cut -d "-" -f 2- | sed -e 's/^[ \t]*//')
> echo GLOBAL_CATALOG_NAMESPACE=${GLOBAL_CATALOG_NAMESPACE}
GLOBAL_CATALOG_NAMESPACE=olm
|
Once you identified the “GLOBAL_CATALOG_NAMESPACE” value, you can create the Catalog Source Kubernetes object:
|
> cat <<EOF | kubectl apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: ibm-licensing-catalog
namespace: $GLOBAL_CATALOG_NAMESPACE
spec:
displayName: IBM License Service Catalog
publisher: IBM
sourceType: grpc
image: icr.io/cpopen/ibm-licensing-catalog
updateStrategy:
registryPoll:
interval: 45m
EOF
catalogsource.operators.coreos.com/ibm-licensing-catalog created
|
The result can be checked with the following commands:
|
> kubectl get catalogsource -n $GLOBAL_CATALOG_NAMESPACE
NAME DISPLAY TYPE PUBLISHER
ibm-licensing-catalog IBM License Service Catalog grpc IBM
[...]
> kubectl get pod -n $GLOBAL_CATALOG_NAMESPACE
NAME READY STATUS RESTARTS
ibm-licensing-catalog-mqgrr 1/1 Running 0
[...]
|
Create an OperatorGroup
An “OperatorGroup” is used to denote which namespaces your Operator should watch. It must exist in the namespace where your operator is deployed. You need first to create a namespace and then to add in an “OperatorGroup”.
|
> kubectl create namespace ibm-licensing
namespace/ibm-licensing created
> cat <<EOF | kubectl apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: operatorgroup
namespace: ibm-licensing
spec:
targetNamespaces:
- ibm-licensing
EOF
operatorgroup.operators.coreos.com/operatorgroup created
|
At this stage, you should have an “OperatorGroup” up and running:
|
> kubectl get OperatorGroup -n ibm-licensing
NAME AGE
operatorgroup 31s
|
Create a Subscription
A subscription is created for the operator and is responsible for upgrades of IBM License Service when needed. Its creation refers to the related Catalog Source namespace retrieved in previous section.
Here is a sample output:
|
> echo $GLOBAL_CATALOG_NAMESPACE
olm
> cat <<EOF | kubectl apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: ibm-licensing-operator-app
namespace: ibm-licensing
spec:
channel: v4.2
name: ibm-licensing-operator-app
source: ibm-licensing-catalog
sourceNamespace: $GLOBAL_CATALOG_NAMESPACE
EOF
subscription.operators.coreos.com/ibm-licensing-operator-app created
|
At this stage, IBM License Service is up and running in your cluster. To verify the installation and its status, go to the verification section.
Accessing IBM License Service data
Verifying IBM License Service installation
To verify its status, go to the OCP administration console and check that you have:
- a project named: “ibm-licensing“
- two pods running and ready: “ibm-licensing-operator” and “ibm-licensing-service-instance”
- <OCP specific> a route to your IBM License Service endpoint “ibm-licensing-service-instance”
For other Certified Kubernetes, follow those specific instructions. For our current example, see the EKS section: Configuring Kubernetes Ingress EKS
There are 4 different endpoints accessible: 
Checking IBM License Service Status
A status page is available to render the service current activities.
On OCP, one can access this page in a few steps:
- Open “ibm-licensing-service-instance” route (project=ibm-licensing > Networking > routes)
- Follow the location link
- Click on the “Status page” link
- Provide the “Authentication token“ which is stored in a secret named “ibm-licensing-token“
- Click OK, then this page is displayed
On other Certified Kubernetes, read this documentation page: Checking License Service components
Checking ODM license data
Once an ODM helm release deployed (Bronze sample, Gold sample), one can access the licensing data using the route described above.
There are 4 different endpoints accessible with the authentication token described above.
#OperationalDecisionManager(ODM)