A newer version of this documentation is available.

View Latest

Install the Operator on OpenShift

      This guide walks through the recommended procedure for installing the Couchbase Autonomous Operator on a Red Hat OpenShift project.

      If you are looking to upgrade an existing installation of the Operator, see Upgrading the Autonomous Operator.


      Download the Operator package and unpack it on the same computer where you normally run oc. The Operator package contains YAML configuration files and command-line tools that you will use to install the Operator.

      After you unpack the download, the resulting directory will be titled something like couchbase-autonomous-operator-openshift.x.x-linux_x86_64. Make sure to cd into this directory before you run the commands in this guide.

      All commands in this guide are run as a system administrator account; they require the creation of cluster scoped resources or the granting of roles to service accounts (privilege escalation).

      It may be tempting to use the container images hosted on Docker Hub as they are dramatically smaller, and more secure, than those offered for use on the Red Hat Container Catalog. However, it is a Red Hat requirement for OpenShift users that Red Hat Container Catalog images be used. Use of Kubernetes images hosted on Docker Hub are not guaranteed to work, and are not supported, on the OpenShift platform.

      Install the CRD

      The first step in installing the Operator is to install the custom resource definitions (CRD) that describe the Couchbase resource types. This can be achieved with the following command:

      $ oc create -f crd.yaml

      Install the Operator

      The operator is composed of two components; a per-cluster dynamic admission controller (DAC) and a per-namespace Operator. Refer to the operator architecture document for additional information on what is required and security considerations.

      The DAC and Operator will be installed into the current project/namespace selected by the oc command. Ensure you have created and selected the correct namespace to install into.

      The Red Hat container catalog requires that deployments have login credentials that allow access to container images; these are provided by a secret:

      $ oc create secret docker-registry rh-catalog --docker-server=registry.connect.redhat.com \
        --docker-username=<rhel-username> --docker-password=<rhel-password> --docker-email=<docker-email>

      This command uses 3rd party resources and is subject to change. Consult the documentation provided by Red Hat for up to date instructions.

      The following command will install both the DAC and the Operator in the current project:

      $ bin/cbopcfg create admission --image-pull-secret rh-catalog
      $ bin/cbopcfg create operator --image-pull-secret rh-catalog

      Custom Installation

      Alternatively, you may wish to install just the DAC in the camelot namespace:

      $ oc project camelot
      $ bin/cbopcfg create admission --image-pull-secret rh-catalog

      And then install just the Operator into the asgard namespace:

      $ oc project asgard
      $ bin/cbopcfg create operator --image-pull-secret rh-catalog

      For further installation options please see the cbopcfg reference manual.

      Check the Status of the Operator

      You can use the following command to check on the status of the deployments:

      $ oc get deployments
      NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
      couchbase-operator             1/1     1            1           8s
      couchbase-operator-admission   1/1     1            1           8s

      The Operator is ready to deploy CouchbaseCluster resources when both the DAC and Operator deployments are fully ready and available.

      Verifying the Dynamic Admission Controller

      In the latest versions of Kubernetes (kubectl 1.18 or higher), you can perform a dry run create command to validate the DAC is functioning correctly:

      $ oc create --dry-run=server -f - <<EOF
      apiVersion: couchbase.com/v2
      kind: CouchbaseBucket
        name: test
      couchbasebucket.couchbase.com/test created (server dry run)

      The previous command depends on the DAC to provide defaulting for resource attributes, this in turn allows the resource to pass schema validation.

      If the DAC is not installed or not functioning, you can expect an error such as:

      The CouchbaseBucket "test" is invalid: spec: Required value

      Installing User Permissions

      By default on an OpenShift platform, users will not have permissions to create and modify Couchbase custom resources. We provide a cluster role that can be installed once and referenced by any number of user accounts. To install the role:

      $ oc create -f cluster-role-user.yaml

      To associate the role with a user merlin in the namespace camelot use the following command:

      $ oc create rolebinding merlin-couchbasecluster --namespace camelot --user merlin --clusterrole couchbasecluster

      You can now login as the user merlin and manage Couchbase resources in the camelot namespace.

      Uninstalling the Operator

      Uninstalling the DAC and Operator is the reverse of the installation process:

      If you are performing an uninstall in order to upgrade the Operator to a newer version, do not delete the CRDs as this is only relevant for a full uninstall. Failure to do so will result in the deletion of all Couchbase clusters.

      $ bin/cbopcfg delete operator
      $ bin/cbopcfg delete admission
      $ oc delete -f crd.yaml