Installing a production deployment in the OpenShift console

Edit online

Operator lifecycle manager (OLM) helps you to install, update, and manage the lifecycle of all operators and services that are deployed in OpenShift clusters.

Before you begin

  1. If you created an air gap environment, you must complete the steps in Preparing an air gap environment before you install the operator. In other cases, complete the steps in Preparing for a production deployment.
  2. You must then follow the relevant steps to prepare the patterns that you want to install. For more information, see Preparing capabilities.
  3. Log in to your OCP or ROKS cluster.
  4. If you used the All namespaces option to install the Cloud Pak operator, switch to the project that you created for your CP4BA deployment. For example, cp4ba-project.
  5. In the Installed Operators view, verify the status of the IBM Cloud Pak for Business Automation operator installation reads succeeded, and verify the deployment by checking all of the pods are running.
Warning: If your target cluster is ROKS classic and the worker nodes rebooted, then you must synchronize the time on each of the worker nodes before you deploy the CP4BA custom resource. To synchronize the times on the worker nodes, run the following command from a connected client:
oc get no -l node-role.kubernetes.io/worker --no-headers -o name | xargs -I {} --  oc debug {} -- chroot /host sh -c 'systemctl restart chronyd'

About this task

Operator lifecycle manager is part of the Operator Framework, which is an open source toolkit that is designed to manage Kubernetes applications in an effective, automated, and scalable way.

IBM provides operators to OpenShift in the form of a catalog. The catalog is added to an OpenShift cluster and appears in the OpenShift Operator Hub under the IBM Operator Catalog provider type.

Procedure

  1. Use the operator instance to apply a custom resource by clicking CP4BA deployment > Create Instance.
  2. In the Form View of the deployment editor, enter the values for everything that you want to include in your deployment.
    1. Enter a Name, or use the default icp4adeploy.
    2. Enter the appVersion 21.0.3.
    3. Accept the License by setting the value to true.
    4. Set Deployment Type to production.
    5. Open the Shared Configuration section and enter values for the following parameters. For more information about the shared parameters, see Shared configuration parameters.
      Table 1. Shared configuration parameters
      Shared configuration parameter Value
      Purchased CP4BA license Set to production or non-production.
      Platform Set to OCP or ROKS.
      root_ca_secret The default is icp4a-root-ca.
      external_tls_certificate_secret Set to the name of the secret that is used to store a wildcard certificate (and concatenated signers) to be used by all routes. If the value is empty, all external routes are signed with root_ca_secret.
      Content initialization Enable or disable ECM (FNCM) and BAN initialization.
      Content verification Enable or disable the ECM (FNCM) and BAN verification.
      Trusted certificate list If the root certificate authority (CA) key of the external service is not signed by the operator root CA key, provide the TLS certificate of the external service to the component's truststore.

      If the secret does not exist, then a self-signed signer certificate is generated. For more information, see Providing the root CA certificate.

      Important: If you choose to use self-signed certificates, certain features of the product might not work as expected because of modern browser restrictions that are related to self-signed certificates. A browser blocks any redirect to a site that uses a certificate that is not signed by a root CA that is trusted by the browser. This can result in access issues for business applications.
      Profile Size Set the profile that you want to use for your deployment. The default is small.

      For a small sized deployment, the size of the Cloud Pak foundational services instance is set to starterset.

      For a deployment profile size set to medium or large, the size of the Cloud Pak foundational services instance is set to small.

      To determine the real size needed for Cloud Pak foundational services, do proper performance testing with your intended workload and modify the CommonService CR to the correct size.
      Purchased FNCM license If you set IBM FileNet® Content Manager (FNCM) to true, set the value to production, non-production, or user. Otherwise, leave the value empty.
      Purchased BAW license If you set IBM Business Automation Workflow to true, set the value to production, non-production, or user. Otherwise, leave the value empty.
      Storage configuration Select a file-based dynamic storage class and a block storage class from the list installed in your cluster for each of the storage class fields: Slow storage for production, Medium storage for production, Fast storage for production, and Block storage.
      Admin user The default administrator user for Application/Workflow/Workstreams. After you enter the value once, you can skip the setting for Studio, Applications, and Workflow/Workstreams configuration. Designate an existing LDAP user for the Studio/Playback Application Engine or Application Engine or Workflow/Workstreams admin user.
      Note: To use Application Engine or Playback Application Engine, this user ID must be in the IBM Business Automation Navigator administrator role, as specified in appLoginUsername in the Navigator secret. This user must also belong to the Business Teams admin group or the Business Teams Administrators team. Otherwise, follow the instructions in Completing post-deployment tasks for Application Engine to add it to the Navigator administrator role and Teams server admin group.
    6. Select the capabilities that you want to include.
      Tip: If you do not want to include a capability, leave the value as false. For more information about the capabilities and their dependencies, see Capabilities for production deployments.
      • FileNet Content Manager
      • Operational Decision Manager
      • Automation Decision Services
      • Business Automation Application
      • Business Automation Workflow (a) Workflow Authoring (b) Workflow Runtime

        Select (b) Workflow Runtime to install Automation Workstream Services with Business Automation Workflow or Workstreams only.

      • Automation Workstream Services
      • Automation Document Processing (a) Development Environment (b) Runtime Environment

        Automation Document Processing does not support a cluster with a Linux on Z (s390x) architecture.

      Restriction: On OCP 4.6, the Optional Components section is not in the correct location in the Form View. However, you can still open the section to enable and disable components for the selected capabilities.
    7. Open the Advanced Configuration section, enter valid values for the LDAP Configuration, Datasource Configuration, Initialization Configuration, Enable Data Persistence, and choose whether to include Business Automation Insights. You must then enter valid values for the parameters of the selected capabilities in the list. For more information about configuring each capability in the YAML View, see Checking and completing your custom resource.
      Restriction: Due to a limitation in the Form View, the repo_service_url parameter in IBM FileNet® Content Manager is still visible when Automation Document Processing (ADP) Runtime is set to false. You do not need to set a value for this configuration parameter if you do not want to include ADP.

      If you selected Automation Document Processing (ADP) and your cluster is FIPS-enabled, then you must change the ca_configuration.global.enable_fips parameter to true in the YAML view. The default value is false. 

      ca_configuration:
    global:
      db_secret: aca-basedb
      enable_fips: true
      Note: You can copy and paste parameters from the custom resource templates in the YAML View and edit the parameters. Go to the relevant folder in cert-kubernetes/descriptors/patterns to find all of the templates. For more information about downloading cert-kubernetes, see Preparing a client to connect to the cluster. You can edit the CR file in the editor, but it is best if you have the CR complete and verified before you save your changes in the editor. For example, go to http://www.yamllint.com/ to verify the contents of your file.

      If you want to use a local image registry, add the sc_image_repository parameter to point to the URL of the local registry. 

      shared_configuration:
   sc_image_repository: myimageregistry.com/project_name
   ...
   storage_configuration:

      For more information about the olm_ configuration parameters, see Business Automation configuration parameters for Operator Hub. You can add and remove parameters in the YAML View. You can switch between the Form View and the YAML View to complete your configuration.

      If you choose the Workflow pattern, the Business Automation Insights configuration is always added, even if you don't select the optional Business Automation Insights component.

  3. When you are ready, click Create.

    The page switches to the CP4BA deployment tab, where you can watch the Status.

    Deployment status
  4. You can click the deployment name (icp4adeploy), and go to the Conditions section at the bottom of the page to see the status updates and any messages.

    You can also click the YAML tab to monitor the state of the selected capabilities.

What to do next

Check to make sure that the icp4ba cartridge in the IBM Automation Foundation Core is ready. For more information about IBM Automation Foundation, see What is IBM Automation foundation?

To view the status of the icp4ba cartridge in the OCP Admin console, click Operators > Installed Operators > IBM Automation Foundation Core. Click the Cartridge tab, click icp4ba, and then scroll to the Conditions section.

IAf core conditions

How to access the capability services

A ConfigMap is created in the namespace to provide the cluster-specific details to access the services and applications. Components that are successfully deployed have URLs in the ConfigMap. If any components failed, the URLs are not included. The ConfigMap name is prefixed with the deployment name (default is icp4adeploy). You can find the ConfigMap containing the routes information by clicking Workloads > ConfigMaps and then searching for the string "cp4ba-access-info".

ConfigMaps

The contents of the ConfigMap depends on the components that are included. Each component has one or more URLs.

<component1> URL: <RouteUrlToAccessComponent1>  
<component2> URL: <RouteUrlToAccessComponent2>

When all of the containers are running, you can access the services.

Tip: If you want or need to update values in a deployment that you made in the Form View, you must edit the deployment in the YAML View. You can edit true or false values in the Form View, but the other parameters need to be done in the YAML View. You can access the custom resource from the YAML tab, or by clicking Actions > Edit ICP4ACluster.

YAML view

Business Automation Studio leverages the IBM Cloud Pak Platform UI (Zen UI) to provide a role-based user interface for all Cloud Pak capabilities. Capabilities are dynamically available in the UI based on the role of the user that logs in. You can find the URL for the Zen UI by clicking Networking > Routes and looking for the name cpd, or by running the following command.

oc get route |grep "^cpd"

Log in to the Admin Hub to configure your LDAP with the Identity and Access Management (IAM) service. You have two authentication types that you can log in with: OpenShift authentication and IBM provided credentials (admin only). Use your kubeadmin username and credentials to log in with OpenShift authentication. On ROKS, you must use IBM provided credentials. The default username for these credentials is "admin". You can get the default username by running the following command:

oc -n ibm-common-services get secret platform-auth-idp-credentials \
   -o jsonpath='{.data.admin_username}' | base64 -d && echo

You get the password by running the following command: 

oc -n ibm-common-services get secret platform-auth-idp-credentials \
   -o jsonpath='{.data.admin_password}' | base64 -d

You can change the default password at any time. For more information, see Changing the cluster administrator password.

After you created a CP4BA deployment, the operator automatically connects your LDAP to IAM. The users and groups you defined in your LDAP are now available via IAM.

At this point, you must associate your users and groups to Zen roles to be able to use them in all of the CP4BA applications. IBM Automation has four roles defined: Automation Administrator, Automation Analyst, Automation Developer, and Automation Operator. For more information, see Roles and permissions.

Log in to the Common Web UI to get the IBM Cloud Pak console route and admin's password. Use the Platform UI (Zen) to create a group for your CP4BA Developers, and add your LDAP users and groups to this group. You then need to assign the Zen group with the Automation Developer role.

For more information about adding users, see Completing post-deployment tasks for Business Automation Studio.

Note: If you included multiple capabilities from FileNet Content Manager (FNCM), Automation Document Processing (ADP), and Business Automation Application (BAA) in your CP4BA deployment, then use the Navigator for CP4BA heading in the cp4ba-access-info ConfigMap and the custom resource status fields to find the route URL for Business Automation Navigator.

If you included FileNet Content Manager (FNCM) without the other capabilities, then use the Navigator for FNCM heading in the cp4ba-access-info ConfigMap and the custom resource status fields to find the route URL for Business Automation Navigator.

To enable logs and monitoring add the wanted YAML to the CR in the YAML view. For example, the following parameters provide custom setting for the content pattern.

monitoring_configuration:
    collectd_disable_host_monitoring: false
    collectd_interval: 10
    collectd_plugin_write_graphite_host: localhost
    collectd_plugin_write_graphite_port: 2003
    collectd_plugin_write_prometheus_port: 9103
    mon_enable_plugin_mbean: true
    mon_enable_plugin_pch: true
    mon_metrics_writer_option: 4
  logging_configuration: 
    mon_log_parse: true
    mon_log_shipper_option: "1"
    mon_log_service_endpoint: example.com:9200
    private_logging_enabled: false
    logging_type: default
    mon_log_path: /path_to_extra_log
  ecm_configuration:
    cpe:
      logging_enabled: true
      monitor_enabled: true
    css:
      logging_enabled: true
      monitor_enabled: true
    graphql:
      logging_enabled: true
      monitor_enabled: true
    cmis:
      logging_enabled: true
      monitor_enabled: true
    es:
      logging_enabled: true
      monitor_enabled: true

Some capabilities need you to follow post-deployment steps. For more information, see Completing post-installation tasks.