Applying the required permissions by running the authorize-instance-topology command

Before you install an instance of IBM® Software Hub, you must ensure that the project where the operators will be installed can watch the project where the control plane and services are installed. You can run the authorize-instance-topology command to apply the required permissions to the projects that are associated with an instance of IBM Software Hub.

Remember: The role created by the authorize-instance-topology command includes a wildcard character. If you want to give the NamespaceScope operator the minimum privileges necessary to manage the projects associated with an instance of IBM Software Hub, complete Applying the required permissions by giving the NamespaceScope operator the minimum RBAC to manage an instance IBM Software Hub instead.

Before you begin

Installation phase
  • You are not here. Setting up a client workstation
  • You are not here. Setting up a cluster
  • You are not here. Collecting required information
  • You are not here. Preparing to run installs in a restricted network
  • You are not here. Preparing to run installs from a private container registry
  • You are not here. Preparing the cluster for IBM Software Hub
  • You are here icon. Preparing to install an instance of IBM Software Hub
  • You are not here. Installing an instance of IBM Software Hub
  • You are not here. Setting up the control plane
  • You are not here. Installing solutions and services
Who needs to complete this task?

Cluster administrator A cluster administrator must complete this task.

When do you need to complete this task?

Repeat as needed If you plan to install multiple instances of IBM Software Hub, you must repeat this task for each instance that you plan to install.

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

The authorize-instance-topology command:
  • Creates the specified projects if they don't already exist.
  • Creates the NamespaceScope operator in the operators project.
  • Applies the require role to the operands project and any tethered projects.
  • Binds the applied role to the service account of the NamespaceScope operator.

Procedure

To apply the required permissions to the projects:

  1. Log the cpd-cli in to the Red Hat® OpenShift® Container Platform cluster: 
    ${CPDM_OC_LOGIN}
    Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
  2. Run the cpd-cli manage authorize-instance-topology to apply the required permissions to the projects.
    Tip: Before you run this command against your cluster, you can preview the oc commands that this command will issue on your behalf by running the command with the --preview=true option.

    The oc commands are saved to the preview.sh file in the work directory.

    Instances without tethered projects 
    cpd-cli manage authorize-instance-topology \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}
    Instances with tethered projects 
    cpd-cli manage authorize-instance-topology \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--additional_ns=${PROJECT_CPD_INSTANCE_TETHERED_LIST}

What to do next

Now that you've applied the required permissions to the projects, you're ready to complete Authorizing a user to act as an IBM Software Hub instance administrator.