ibm-licensing-operator's Introduction

IMPORTANT: The master branch contains the currently developed version of License Service and its content should not be used. Switch to another branch to view the content for the already-released version of License Service, for example release-<version> branch.

You can install License Service with ibm-licensing-operator to collect license usage information in two scenarios:

ibm-licensing-operator

Scenario: License Service as a part of an IBM Cloud Pak (included in IBM Cloud Pak foundational services)

Important: Do not install this operator directly. Only install this operator using the IBM Cloud Pak foundational services operator. For more information about installing this operator and other foundational services operators, see Installer documentation. If you are using this operator as part of an IBM Cloud Pak, see the documentation for that IBM Cloud Pak to learn more about how to install and use the operator service. For more information about IBM Cloud Paks, see IBM Cloud Paks that use IBM Cloud Pak foundational services.

You can use the ibm-licensing-operator to install License Service as a part of IBM Cloud Pak foundational services or an IBM Cloud Pak. You can use License Service to collect information about license usage of IBM containerized products and IBM Cloud Paks per cluster. You can retrieve license usage data through a dedicated API call and generate an audit snapshot on demand.

For more information about the available IBM Cloud Pak foundational services, see the IBM Documentation.

Supported platforms

Red Hat OpenShift Container Platform 4.2 or newer installed on Linux x86_64, Linux on Power (ppc64le), Linux on IBM Z and LinuxONE.

Operator versions

  • 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.2, 1.2.3, 1.3.1, 1.4.1, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.20.7, 1.20.8, 1.20.9, 1.20.10, 1.20.11, 1.20.12

Prerequisites

Before you install this operator, you need to first install the operator dependencies and prerequisites:

Important: If you installed License Service with the stand-alone IBM containerized software and you want to install an IBM Cloud Pak, it is recommended to first uninstall License Service from every cluster. Before uninstalling, the best practice is to retrieve an audit snapshot to ensure no data is lost. The Cloud Pak will install a new instance of License Service. This is a temporary action that we would like to automate in the future.

Documentation

To install the operator with the IBM Cloud Pak foundational services Operator, follow the installation and configuration instructions within the IBM Documentation.

SecurityContextConstraints Requirements

License Service supports running with the OpenShift Container Platform 4.3 default restricted Security Context Constraints (SCCs).

For more information about the OpenShift Container Platform Security Context Constraints, see Managing Security Context Constraints.

ibm-licensing-operator for deploying License Service without an IBM Cloud Pak

Scenario: Learn how to deploy License Service on Kubernetes clusters without an IBM Cloud Pak

You can use the ibm-licensing-operator to install License Service on any Kubernetes cluster without an IBM Cloud Pak. License Service collects information about license usage of IBM Containerized Products. You can retrieve license usage data through a dedicated API call and generate an audit snapshot on demand.

Product documentation

For the overview and documentation, see License Service deployment without an IBM Cloud for IBM stand-alone IBM Containerized Software.

Note: License Service Reporter, which is an extension of License Service that aggregates the license usage data from multiple clusters, is not available without an IBM Cloud Pak on OpenShift Container Platform. License Service Reporter is only available as a part of an IBM Cloud Pak on OpenShift Container Platform (included in IBM Cloud Pak foundational services).

ibm-licensing-operator's People

Contributors

ab-ibm, adamdyszy, antyona, arturobrzut, ashank07, geforcelive, horis233, ibm-ci-bot, imgbot[bot], imgbotapp, jakubsolecki, jan-olszowka, kacperkrzyzak, kmigielek, krzysztof-buda, marcin-ozog, martabereta, pawicao-ibm, pejdzor, piotr-kotara-ibm, piotrwodecki, stevemar, szymonkowalczyk

ibm-licensing-operator's Issues

Only products deployed to same namespace as operator seem to be tracked

Hi

I've deployed the IBM Licensing Operator following the instructions specified here:
https://github.com/IBM/ibm-licensing-operator/blob/latest/docs/Content/Install_on_OCP.md

Following these instructions the operator is installed in the ibm-common-services namespace.
The operator installs correctly and the instance is running.
However none of our products are being picked up in their respective namespaces.

As a test I deployed a demo application in the ibm-common-services namespace and this does get picked up by the IBM Licensing instance.

The product we deploy is IBM WebSphere Liberty using the OpenLiberty Operator
Following annotations are set (example data):
productChargedContainers: All
productID: 87f3487c22f34742a799164f3f3ffa78
productMetric: VIRTUAL_PROCESSOR_CORE
productName: IBM WebSphere Application Server Liberty Core

How can I configure the IBM Licensing Operator to pick up products in namespaces other than the ibm-common-services?

Security Context / Seccomp Settings

Hello,

Is it possible to set

spec.securityContext.seccompProfile.type, 
spec.containers[*].securityContext.seccompProfile.type, 
spec.initContainers[*].securityContext.seccompProfile.type, and 
spec.ephemeralContainers[*].securityContext.seccompProfile.type 

to RuntimeDefault within an IBM Licensing service deployment without disabling any functionality?
This is needed for security hardening.

Thank you
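
The four fields listed in this request interact: a container-level seccompProfile overrides the pod-level one, and a container without its own profile inherits it. The sketch below is an added example, not code from the issue or from the operator; it computes the effective profile per container so a rendered Deployment can be checked against the RuntimeDefault requirement. The sample manifest and its names are constructed and are not the manifest the operator generates.

```python
# Added example: audit the effective seccomp profile of every container in a pod spec.
ALLOWED = ("RuntimeDefault",)
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def _seccomp_type(holder):
    """Return securityContext.seccompProfile.type of a pod spec or container, or None."""
    return ((holder.get("securityContext") or {}).get("seccompProfile") or {}).get("type")


def pod_spec_of(obj):
    """Accept a bare Pod or a workload (Deployment, StatefulSet, ...) with a pod template."""
    spec = obj.get("spec") or {}
    return (spec.get("template") or {}).get("spec") or spec


def effective_seccomp(obj):
    """Map 'field/containerName' to the profile type that actually applies.

    A container-level seccompProfile overrides the pod-level one; a container
    without its own profile inherits spec.securityContext.seccompProfile.
    """
    spec = pod_spec_of(obj)
    pod_level = _seccomp_type(spec)
    return {
        f"{field}/{c['name']}": _seccomp_type(c) or pod_level or "<unset>"
        for field in CONTAINER_FIELDS
        for c in spec.get(field) or []
    }


def seccomp_findings(obj, allowed=ALLOWED):
    """Containers whose effective profile is not in `allowed`, sorted."""
    return sorted(k for k, v in effective_seccomp(obj).items() if v not in allowed)


# Constructed sample, with hypothetical names.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "example-license-service"},
    "spec": {"template": {"spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "initContainers": [{"name": "init"}],  # inherits the pod-level profile
        "containers": [
            {"name": "app", "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
            {"name": "sidecar", "securityContext": {"runAsNonRoot": True}},
        ],
    }}},
}

if __name__ == "__main__":
    print(effective_seccomp(SAMPLE_DEPLOYMENT))
    print(seccomp_findings(SAMPLE_DEPLOYMENT))
```

Feeding it the JSON form of a live object (for example the output of kubectl get deployment -o json, parsed with json.load) works the same way as the inline sample.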

Helm Chart - IBM License operator

Hi,

Is there any Helm chart available or in the pipeline to have the license operator installed and managed more efficiently than with shell scripts? It would help us in GitOps CD deployment on all clusters.

Error when creating an instance in IBM Cloud ROKS

On IBM Cloud ROKS, an error occurs when trying to create an instance with the following options.
Deployments are not created because of this error.
Setting "routeEnabled: true" resolves this issue, but I would like to keep it to false.
This error does not occur in IKS, and it does not occur in versions prior to 1.20.3.

httpsEnable: false
ingressEnabled: false
routeEnabled: false

Operator version: 1.20.3

Error message

E0514 23:50:44.735331       1 filtered-cache.go:222] Failed to retrieve resource listerrorresource name may not be empty
2023-05-14T23:50:44Z	INFO	controllers.IBMLicensing	certificate secret not existing. Generating self signed certificate	{"cert name": "/"}
2023-05-14T23:50:53Z	ERROR	controllers.IBMLicensing	Error creating self signed certificate	{"error": "an empty namespace may not be set during creation"}
github.com/IBM/ibm-licensing-operator/controllers.(*IBMLicensingReconciler).reconcileCertificateSecrets
	/home/prow/go/src/github.com/IBM/ibm-licensing-operator/controllers/ibmlicensing_controller.go:581
github.com/IBM/ibm-licensing-operator/controllers.(*IBMLicensingReconciler).Reconcile
	/home/prow/go/src/github.com/IBM/ibm-licensing-operator/controllers/ibmlicensing_controller.go:199
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
	/home/prow/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:121
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/home/prow/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:320
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/home/prow/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/home/prow/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:234
2023-05-14T23:50:53Z	ERROR	Reconciler error	{"controller": "ibmlicensing", "controllerGroup": "operator.ibm.com", "controllerKind": "IBMLicensing", "iBMLicensing": {"name":"instance"}, "namespace": "", "name": "instance", "reconcileID": "fed9ecbe-9e48-40a0-8d1b-d8aa3028c479", "error": "an empty namespace may not be set during creation"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/home/prow/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/home/prow/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:234

ILS Reporter

hi!

As license server reporter is part of this installation (crd, container,...)
-> Is the license server reporter installation available for offline installation (non cloudpak, non openshift - default kubernetes)?

kind regards

Report does not appear to find installed software

When using IBM License Service 1.16.3 installed as per https://www.ibm.com/docs/en/cpfs?topic=software-offline-installation, no products appear to be found after multiple data imports.

IBM Software is running in containers on this cluster, however. IBM License Metric Tool agents that are running on the worker Nodes of this cluster are finding that software.

The logs from the service instance Pod look like this:

2022-09-13 16:32:20.261 [scheduling-1] INFO  Starting data import with datacollector data source
2022-09-13 16:32:20.261 [scheduling-1] INFO  Using namespace ibm-common-services
2022-09-13 16:32:22.619 [scheduling-1] INFO  Starting data snapshots processing
2022-09-13 16:32:22.620 [scheduling-1] INFO  Processing data snapshot from 2022-09-13T16:32:22.568329Z
2022-09-13 16:32:22.620 [scheduling-1] INFO  No products processed during this import
2022-09-13 16:32:22.620 [scheduling-1] INFO  Data import with datacollector data source finished
2022-09-13 16:33:05.745 [qtp1196982797-19] INFO  Api Request: GET - /
2022-09-13 16:34:05.744 [qtp1196982797-16] INFO  Api Request: GET - /
2022-09-13 16:35:05.744 [qtp1196982797-13] INFO  Api Request: GET - /
2022-09-13 16:35:31.954 [qtp1196982797-17] INFO  Api Request: GET - /
2022-09-13 16:36:05.744 [qtp1196982797-13] INFO  Api Request: GET - /
2022-09-13 16:37:05.744 [qtp1196982797-19] INFO  Api Request: GET - /
2022-09-13 16:37:20.261 [scheduling-1] INFO  Starting data import with datacollector data source
2022-09-13 16:37:20.261 [scheduling-1] INFO  Using namespace ibm-common-services
2022-09-13 16:37:23.208 [scheduling-1] INFO  Starting data snapshots processing
2022-09-13 16:37:23.208 [scheduling-1] INFO  Processing data snapshot from 2022-09-13T16:37:23.043093Z
2022-09-13 16:37:23.208 [scheduling-1] INFO  No products processed during this import
2022-09-13 16:37:23.208 [scheduling-1] INFO  Data import with datacollector data source finished
<snip>

Accessing the status endpoint through an ingress shows the status page, but products, bundled products, nodes and pods are all empty. Downloading a report works, but the contents of the zip file appear to mostly be empty other than the header rows.

excluding namespaces in a multi-tenant kubernetes environment

Hi,
we have a feature request to be able to exclude namespaces in a multi-tenant kubernetes cluster. For compliance reasons we can't allow the license operator to scan all namespaces in our AKS cluster. We have tried modifying the role binding for the service account but the software fails.
This feature would be greatly appreciated so that we can monitor the license usage only for the IBM related namespaces in our cluster.
Thanks in advance!

//Jonas

Namespace field missing from config/manager/manager.yaml when using offline install for stand-alone IBM Containerized Software

The instructions here:
https://www.ibm.com/docs/en/cpfs?topic=software-offline-installation

Using latest branch (at the time 1.16.3), in point 3e, it indicates to use kubectl to apply config/manager/manager.yaml to the Kubernetes cluster. This file, however, includes a Deployment definition that does not include a namespace name in the metadata:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ibm-licensing-operator
spec:
<snip>

Unless the user has specified a default Namespace for kubectl of ibm-common-services, this will be deployed to whatever their default Namespace happens to be (typically "default", but could be other values as well).

The Deployment, however, references a serviceAccountName: ibm-licensing-operator , which is defined in config/rbac/service_account.yaml - and this ServiceAccount does specify the ibm-common-services namespace. As a result, the Deployment does not work.

To be consistent with the other manifests, the Deployment defined in config/manager/manager.yaml should have a namespace attribute of ibm-common-services added to the metadata.
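
The mismatch described in this report can be caught before applying the manifests. The following is an added example, not part of the issue or of the project: it resolves the namespace each object would land in for a given kubectl default and reports workloads whose serviceAccountName has no ServiceAccount in that namespace. The manifests are constructed from the fields quoted above; the function names are hypothetical.

```python
# Added example: find workloads whose ServiceAccount lives in a different namespace.
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def effective_namespace(obj, kubectl_default):
    """Namespace kubectl apply would use: metadata.namespace, else the context default."""
    return obj["metadata"].get("namespace") or kubectl_default


def unresolved_service_accounts(manifests, kubectl_default="default"):
    """Workloads whose serviceAccountName has no ServiceAccount in their own namespace."""
    accounts = {
        (effective_namespace(m, kubectl_default), m["metadata"]["name"])
        for m in manifests if m["kind"] == "ServiceAccount"
    }
    findings = []
    for m in manifests:
        if m["kind"] not in WORKLOAD_KINDS:
            continue
        ns = effective_namespace(m, kubectl_default)
        sa = m["spec"]["template"]["spec"].get("serviceAccountName", "default")
        if sa != "default" and (ns, sa) not in accounts:
            findings.append({
                "workload": f'{m["kind"]}/{m["metadata"]["name"]}',
                "lands_in": ns,
                "namespace_pinned": "namespace" in m["metadata"],
                "service_account": sa,
                "defined_in": sorted(a_ns for a_ns, a_name in accounts if a_name == sa),
            })
    return findings


# Constructed from the fields quoted in the issue; everything else is omitted.
MANIFESTS = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "ibm-licensing-operator", "namespace": "ibm-common-services"}},
    {"kind": "Deployment",
     "metadata": {"name": "ibm-licensing-operator"},
     "spec": {"template": {"spec": {"serviceAccountName": "ibm-licensing-operator"}}}},
]

if __name__ == "__main__":
    for finding in unresolved_service_accounts(MANIFESTS):
        print(finding)
```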

Operator pod fails to watch deployment when not using OLM

We've deployed this operator into OpenShift 3.11, which doesn't have Operator Lifecycle Manager (OLM), and using the instructions on this page (https://github.com/IBM/ibm-licensing-operator/blob/v1.7.0/docs/Content/Install_without_OLM.md) the operator pod fails to start with the following error:

E0825 03:18:28.082831 1 reflector.go:127] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:156: Failed to watch *v1.Deployment: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list deployments.apps at the cluster scope: no RBAC policy matched

This is due to the operator deployment setting the WATCH_NAMESPACE environment variable to
metadata.annotations['olm.targetNamespaces']. This causes the operator pod to try to start watching all namespaces, but it doesn't have the required cluster roles. The workaround for us is to set the WATCH_NAMESPACE env variable to metadata.namespace.

Option to specify host & path for route

Hi

We are currently installing the IBM Licensing Operator on OpenShift without a Cloud Pak.
Our instance looks as follows:

apiVersion: operator.ibm.com/v1alpha1
kind: IBMLicensing
metadata:
  name: instance
spec:
  apiSecretToken: ibm-licensing-token
  datasource: datacollector
  httpsEnable: false
  routeEnabled: true
  routeOptions:
    tls:
      termination: edge
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 200m
      memory: 256Mi

This works great and we get a route with termination edge, however I would like to be able to specify the host (and path) used for the route. This seems to be possible when defining an ingress using ingressOptions, but not for a route using routeOptions.

Could this be implemented?

Install IBM Licensing Operator in Kubernetes without Ingress and OLM (Using Istio LB and Virtual Services instead)

Hello,

Our current Infrastructure in Kubernetes does not use Ingress for accessing the Kubernetes Cluster and exposing Endpoints. Instead we are using the Managed Istio in the IBM Cloud and we are Using Istio Loadbalancer, Istio Gateways and Virtual Services for exposing the Endpoints outside of the Cluster.

We also don't use Cloud Paks.

But in the installation documentation of the IBM Licensing there is no instruction of how to use the IBM Licensing Operator without Istio and there is also no instruction of how to test the installation.

Could you provide documentation or guidelines on how to use the IBM Licensing Operator with Istio?

Thank you

AKS installation - Role / API issues

Hello,

In order to follow new licencing rules, we tried installation of ibm-licensing-operator in AKS Rbac enabled cluster.
We tried to install License Service for stand-alone IBM Containerized Software without IBM Cloud Paks.

Apparently there are issues with roles and roleBinding.

Some additional rules seem to be needed at cluster scope.

Failed to watch *v1.Deployment: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list resource "deployments" in API group "apps" at the cluster scope
Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list resource "services" in API group "" at the cluster scope
Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list resource "secrets" in API group "" at the cluster scope
.....

We need this rule to be at cluster scope level so in clusterRole ibm-licensing-operator

- apiGroups:
  - ""
  resources:
  - services
  - secrets
  - configmaps
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
The ibm-license-service is not in the role.yaml file but in role_operand.yaml

The documentation seems incorrect, the same with the tag to use when we clone the repo.

Once done how to contact this service to retrieve data? Snapshot?
Only calling the service thanks to ingress seems not to work.
Even calling /version returns a malformed response.

Regards,
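
The "forbidden" messages in this report and in the OpenShift 3.11 report above carry enough information to derive the narrowest RBAC rules that would satisfy them. The sketch below is an added example, not code from either issue or from the operator; it parses both message shapes seen on this page, groups them into rules per subject, and flags subjects that would end up reading Secrets across the whole cluster. Function names are hypothetical, and adding "watch" for "Failed to watch" lines is an assumption based on the informer needing both verbs.

```python
# Added example: turn RBAC denial messages into minimal read-only rules.
import re
from collections import defaultdict

# Older shape: cannot list deployments.apps at the cluster scope
# Newer shape: cannot list resource "deployments" in API group "apps" at the cluster scope
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
    r'(?:resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)"|(?P<qual>[\w.-]+)) '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

# Messages quoted on this page (log prefix of the first one trimmed).
SAMPLE_LOG = '''\
Failed to watch *v1.Deployment: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list deployments.apps at the cluster scope: no RBAC policy matched
Failed to watch *v1.Deployment: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list resource "deployments" in API group "apps" at the cluster scope
Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list resource "services" in API group "" at the cluster scope
Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:ibm-common-services:ibm-licensing-operator" cannot list resource "secrets" in API group "" at the cluster scope
'''


def parse_denial(line):
    """Return subject, scope, group, resource and verbs for one denial, or None."""
    m = DENIAL.search(line)
    if not m:
        return None
    if m["res"] is not None:
        resource, group = m["res"], m["group"]
    else:
        resource, _, group = m["qual"].partition(".")
    verbs = {m["verb"]}
    if "Failed to watch" in line:  # assumption: the informer will need watch next
        verbs.add("watch")
    return {"subject": m["user"], "namespace": m["ns"],
            "group": group, "resource": resource, "verbs": verbs}


def minimal_rules(log_text):
    """Group denials into rules keyed by (subject, namespace); namespace None = cluster scope."""
    wanted = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:
            rule_key = (d["group"], tuple(sorted(d["verbs"])))
            wanted[(d["subject"], d["namespace"])][rule_key].add(d["resource"])
    return {
        key: [{"apiGroups": [g], "resources": sorted(res), "verbs": list(v)}
              for (g, v), res in sorted(groups.items())]
        for key, groups in wanted.items()
    }


def cluster_wide_secret_reads(rules_by_subject):
    """Subjects whose cluster-scoped rules would expose every Secret in the cluster."""
    return sorted(subject for (subject, ns), rules in rules_by_subject.items()
                  if ns is None and any("secrets" in r["resources"] for r in rules))
```

On a multi-tenant cluster, any subject returned by cluster_wide_secret_reads is the one to scope down to per-namespace Roles before granting anything.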

No product found/ Empty audit snapshot

Hello,

We installed the ibm-licensing-operator following documentation below

https://github.com/IBM/ibm-licensing-operator/blob/release-1.4/docs/Content/Install_without_OLM.md

We make a simple by deploying websphere-liberty on AKS based on dockerfile like below ..
'FROM websphere-liberty:kernel
...

RUN configure.sh

EXPOSE 9080
'

The snapshot is downloaded but all excels are empty,
Bundle and products reports return [].

Is there something missing? Did we need to activate specific feature ?

What should be in unrecognized-apps? It's linked to IBM resources or to list others apps, deployment without IBM products?
This file is empty too.

Thanks in advance.

Regards,
