Home

Install WebSphere Liberty Operator Development driver (for testing and demo purposes only)

Note: This driver is for testing and demo purposes only. Use the instructions at https://ibm.biz/wlo-docs for installing production-ready versions of WebSphere Liberty Operator that are available from the IBM Operators Catalog.

1. Update your OpenShift cluster with a global pull secret for the cp.stg.icr.io entitled registry:

• Get an entitlement key to the IBM Entitled Container Fulfillment Registry. Log in to MyIBM Container Software Library with the IBMid and password that are associated with the entitled software. Click on 'Container software library' on the left and expand the listed item. It should show that you have entitlement for 'all' IBM software. If you are not able to access the library or you don't have entitlement to 'all' IBM software then follow the process under Obtaining a staging entitlement key .
• In the Entitlement keys section, pick an existing key or generate a new key. Select Copy key to copy the entitlement key to the clipboard.
• Use the OpenShift cluster UI to configure the global pull secret with entitled registry (cp.stg.icr.io) credentials.
• In the OpenShift cluster UI, click Workloads > Secrets and select the openshift-config namespace.
• Find the existing pull-secret secret.
• Select Edit Secret.
• Click Add Credentials to add an entry for the entitled registry. Specify cp.stg.icr.io as the registry server address, cp as the username, and the entitlement key that you obtained in the previous step as the password.

2. Install the Operator by using the following steps. If you want to use the kubectl or kustomize-based install options then skip steps 2.* and proceed to step 3:

2.1. Create ImageContentSourcePolicy for mirroring (this is needed because Operator artifacts are built with production registry reference, but until we GA the images would only be in the staging registry. The entry with icr.io/appcafe is not needed for WLO, but it's needed for OLO and RCO, hence included here as well.):

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
   name: mirror-config
spec:
   repositoryDigestMirrors:
   - mirrors:
     - cp.stg.icr.io/cp
     source: cp.icr.io/cp
   - mirrors:
     - cp.stg.icr.io/cp
     source: icr.io/cpopen
   - mirrors:
     - cp.stg.icr.io/cp
     source: icr.io/appcafe

(To apply the resources, create a file and then copy and paste the contents above on your oc enabled system and run oc apply -f <fileName>)

2.2. Add the CatalogSource for WebSphere Liberty Operator:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: wlo-catalog
  namespace: openshift-marketplace
spec:
  displayName: WebSphere Liberty Catalog 1.5.2-rc.1-sps
  image: 'icr.io/cpopen/websphere-liberty-operator-catalog@sha256:04021adc0c29c18e64cf70013db861dde7c5e18db7705cf53d15eaa9b6dad3a4'
  sourceType: grpc

2.3. Install or Upgrade the WebSphere Liberty Operator via OperatorHub:

2.3.1. To Install the WebSphere Liberty Operator:

• From the OpenShift UI, click on Operators and then OperatorHub
• In the search box type websphere liberty. Sometimes it takes a few minutes for the CatalogSource to be loaded by OCP. The operator won't show up until the CatalogSource is loaded.
• Select the WebSphere Liberty operator and click Install
• Complete the install with the default options

2.3.2. To Upgrade the WebSphere Liberty Operator:

• Uninstall the WLO Operator
• Go to Administration > CustomResourceDefinitions
• Find CatalogSource
• Click on Instances and find wlo-catalog
• Either update image SHA value from wiki or delete wlo-catalog instance and recreate from the wiki page with the latest sha value
• Complete the install with the default options

3. Alternative install options:

• To install the Operator using kubectl, use the artifacts in https://github.com/WASdev/websphere-liberty-operator/tree/deploy-1.5.2/internal/deploy/kubectl
• To install the Operator using kustomize, use the artifacts in https://github.com/WASdev/websphere-liberty-operator/tree/deploy-1.5.2/internal/deploy/kustomize/daily

4. Create custom resources (CRs) to deploy applications and to gather trace, dump and performance data:

• Sample CRs are available from the OpenShift UI as well as in this folder
• Configuration options within the CRs are the same as Open Liberty Operator.

Follow the documentation at https://www.ibm.com/docs/en/was-liberty/base?topic=operator-using-websphere-liberty

New features in 1.5.2

File-based Health Checks

Enable file-based probes, instead of using HTTPS endpoint, using the new configuration in CR:

enableFileBased: Inspects the container filesystem to return health checks based upon files generated by the Liberty runtime. Only supported on Liberty version 25.0.0.6 or higher.

spec:
  probes:
    liveness: {}
    readiness: {}
    startup: {}
    enableFileBased: true

Optional configurations:

• checkInterval:The interval at which the Liberty runtime queries to update the file-based health check files. The value is a number followed by an optional time unit of ms for milliseconds or s for seconds. Only used when .spec.probes.enableFiledBased is set to true. Defaults to 5s.

• startupCheckInterval: The interval at which the Liberty runtime will query until an UP status is resolved and the health check file is created. The value is a number followed by an optional time unit of ms for milliseconds or s for seconds. If no time unit is specified for a value, the value is in milliseconds by default. Only used when .spec.probes.enableFiledBased is set to true. Defaults to 100ms.

• fileDirectory:The Liberty container directory used to track file-based health checks for the 'live', 'ready', and 'started' files. Only used when .spec.probes.enableFiledBased is set to true. Defaults to /output/health.

spec:
  probes:
    liveness: {}
    readiness: {}
    startup: {}
    enableFileBased: true
    checkInterval: 6s
    startupCheckInterval: 120ms
    fileDirectory: /liberty/defaultServer/health

File-based probes are also setup with the same default values below, as HTTPS probes, but can be overridden by users.

Startup:

  timeoutSeconds: 2
  periodSeconds: 10
  failureThreshold: 20

Liveness:

  initialDelaySeconds: 60
  timeoutSeconds: 2
  periodSeconds: 10
  failureThreshold: 3

Readiness:

  initialDelaySeconds: 10
  timeoutSeconds: 2
  periodSeconds: 10
  failureThreshold: 10

References from Liberty runtime:

• Doc: https://openliberty.io/docs/latest/health-check-microservices.html#_microprofile_health_v4_0
• Blog: https://openliberty.io/blog/2025/06/17/25.0.0.6.html#backport (updated) (edited)

LTPA Key and Password Encryption

• Switched to the AES-256 encryption by default. Existing LTPA keys and password encryption that were already generated with AES-128 will not change and should continue to work.