Install the Trustee operator
PERSONA: Operational security expert
You can assume that everything running in the trustee-operator-system namespace should run in a trusted, separate environment.
This whole section can be automated with the following command:
Let’s start with installing Trustee. In addition to the Trustee operator, we also need the cert-manager operator to automatically create keys needed by Trustee.
Install via command line
We will install and stick to Trustee 1.0 for the time being.
Trustee:
oc apply -f-<<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  name: trustee-operator-system
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: trustee-operator-group
  namespace: trustee-operator-system
spec:
  targetNamespaces:
  - trustee-operator-system
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: trustee-operator
  namespace: trustee-operator-system
spec:
  channel: stable
  installPlanApproval: Manual
  name: trustee-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: trustee-operator.v1.0.0
EOF
Approve the operator installation. This step is needed because the Subscription sets installPlanApproval: Manual.
oc get installplan -n trustee-operator-system -o jsonpath='{.items[?(@.spec.approved==false)].metadata.name}' | xargs -r oc patch installplan -n trustee-operator-system --type merge -p '{"spec":{"approved":true}}'
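The one-liner above patches every unapproved install plan in the namespace. As an added example (not part of the original workshop), the following approves only plans whose CSV list is exactly the pinned trustee-operator.v1.0.0, read from the InstallPlan field spec.clusterServiceVersionNames; the function names and the sample plan lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: approve only install plans that install exactly the pinned CSV.
PINNED_CSV="trustee-operator.v1.0.0"   # startingCSV from the Subscription
NS="trustee-operator-system"

# Reads "NAME APPROVED CSV [CSV...]" lines on stdin and prints the names of
# plans that are unapproved and list exactly one CSV equal to $1.
# Every other unapproved plan is reported on stderr and left alone.
select_pinned_plans() {
  pinned=$1
  while read -r name approved csvs; do
    [ -n "$name" ] || continue
    [ "$approved" = "false" ] || continue
    if [ "$csvs" = "$pinned" ]; then
      printf '%s\n' "$name"
    else
      printf 'skipping %s: would install %s\n' "$name" "$csvs" >&2
    fi
  done
}

# Emits one line per install plan in the format above (requires cluster access).
list_plans() {
  oc get installplan -n "$NS" -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.approved}{" "}{.spec.clusterServiceVersionNames[*]}{"\n"}{end}'
}

# Cluster-side entry point; call it by hand, it is not run automatically.
approve_pinned_plans() {
  list_plans | select_pinned_plans "$PINNED_CSV" |
    xargs -r -n1 oc patch installplan -n "$NS" --type merge \
      -p '{"spec":{"approved":true}}'
}

# Constructed sample lines (not real cluster output); v9.9.9 is a placeholder.
SAMPLE_PLANS='install-aaaaa false trustee-operator.v1.0.0
install-bbbbb false trustee-operator.v9.9.9
install-ccccc true trustee-operator.v1.0.0
install-ddddd false trustee-operator.v1.0.0 other-operator.v0.0.0'

# Offline demo: prints install-aaaaa, reports bbbbb and ddddd on stderr.
printf '%s\n' "$SAMPLE_PLANS" | select_pinned_plans "$PINNED_CSV"
```

On a cluster, source the file and call approve_pinned_plans; any plan it skips stays unapproved for manual review.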
Cert-manager operator:
oc new-project cert-manager-operator
oc apply -f-<<EOF
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-cert-manager-operator
  namespace: cert-manager-operator
spec:
  targetNamespaces:
  - "cert-manager-operator"
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-cert-manager-operator
  namespace: cert-manager-operator
spec:
  channel: stable-v1
  name: openshift-cert-manager-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  installPlanApproval: Automatic
EOF
Verification
Ensure that the Operator is correctly installed by running the following command and checking that the PHASE is in Succeeded state:
watch oc get csv -n trustee-operator-system
Example output
NAME                      DISPLAY                    VERSION   REPLACES   PHASE
trustee-operator.v1.0.0   Red Hat build of Trustee   1.0.0                Succeeded
The same applies to the cert-manager operator:
watch oc get csv -n cert-manager-operator
Example output
NAME                            DISPLAY                                       VERSION   REPLACES   PHASE
cert-manager-operator.v1.18.0   cert-manager Operator for Red Hat OpenShift   1.18.0               Succeeded