Application Engine parameters

Provide the details that are relevant to your Application Engine environment and your decisions for the deployment of the container.

The following tables list the configurable parameters and their default values. All properties are mandatory, unless they have a default value or are explicitly optional. Although Application Engine might seem to install correctly when some parameters are omitted, this kind of configuration is not supported.

The application_engine_configuration parameter is a list. You can deploy multiple instances of Application Engine. You can assign different configurations for each instance by following these rules.
  • Assign a different name to each instance by giving application_engine_configuration[*].name a different value.
  • Assign a different hostname to each instance by giving application_engine_configuration[*].hostname a different value to make it accessible.
The following tables list the parameters for configuring Application Engine.

Application Engine parameters

The following table lists the parameters for configuring Application Engine. The Required column shows the parameters that are required.

Table 1. Application Engine parameters: spec.application_engine_configuration
Parameter name Description Example value Required
name Name of the Application Engine instance. The name for each item in the array must be different. The name can consist of lowercase alphanumeric characters or '-', and must start and end with an alphanumeric character. Keep the instance name short.   No
hostname aae-ae-service route hostname. If the hostname is not set, a default hostname with the following format is used.
ae-<AE instance name>-<shared_configuration.sc_deployment_hostname_suffix>
This parameter is used only by stand-alone Business Automation Workflow on containers.		   No
port Application Engine port (only when using NodePort service). The default value is 443. 443 No
admin_user Designate an LDAP user for the Application Engine admin user. This user must have IBM Business Automation Navigator administrator rights. For more information, see Completing post-deployment tasks for Application Engine.   Yes
admin_secret_name Existing Application Engine administrative secret for sensitive configuration data. The default value is <CR name>-<AE name>-aae-app-engine-admin-secret for Application Engine. The default value is <CR name>-pbk-app-engine-admin-secret for Business Automation Studio playback server. <CR name>-<AE name>-aae-app-engine-admin-secret OR <CR name>-pbk-app-engine-admin-secret No
external_tls_secret This parameter is used only by stand-alone Business Automation Workflow on containers. For the aae-ae-service route, the name of the secret that contains the certificates and Transport Layer Security (TLS) private key to be used for the route. If you set this parameter, the setting overrides the default generated certificate and the shared setting for route certificates. If you need to customize the route's certificate, create a secret using the following command and set the secret name to the property.
kubectl create secret generic ext-tls-crt-secret --from-file=tls.crt=<path to crt file> --from-file=tls.key=<path to key file>
The crt file must contain the route certificate followed by any intermediate CA signer certificates and the root CA signer certificate in an unencrypted PEM format. The key file must also be in unencrypted PEM format.		   No
replica_size Number of Application Engine deployment replicas. The default value is 1. 1 No
data_persistence.enable To enable the data persistence feature on Application Engine, set this to true. The default value is false. false No
data_persistence.object_store_name The object store name used for data persistence. If application data persistence is enabled, input one CPE object store name. The default value is AEOS. AEOS No
use_custom_jdbc_drivers Whether to use a custom JDBC driver for Db2® database instead of the embedded one. If you don't want to use a custom driver, keep the default. The default value is false.

If you use an Oracle, a PostgreSQL, or a Microsoft SQL Server database, make sure that the value is set to true.

 false No
service_type Application Engine service type. The default value is Route. Route No
external_connection_timeout Number of seconds after which the Route connection times out. The default value is 90s. 90s No
autoscaling.enabled Whether to enable the Horizontal Pod Autoscaler for Application Engine. The default value is false. false No
autoscaling.min_replicas Minimum number of pods for Application Engine when autoscaling is enabled. The default value is 2. 2 No
autoscaling.max_replicas Maximum number of pods for Application Engine when autoscaling is enabled. The default value is 5. 5 No
autoscaling.target_average_utilization Target average CPU utilization over all the pods for the Application Engine init container when autoscaling is enabled. The default value is 80. 80 No
max_request_body_size Maximum size of request body (KB). The default value is 2000. 2000 No
database.dc_use_postgres

CP4BA has the capability to automatically provision an EDB Postgres instance.

If you want EDB Postgres to be created for a Business Automation Studio database, set this parameter to true.

 dc_use_postgres: true No
database.host (Only for Db2, PostgreSQL, or SQL Server) Application Engine database host. It must be an accessible address, such as an IP, hostname, or Kubernetes service name.   Yes
database.name (Only for Db2, PostgreSQL, or SQL Server) Application Engine database name.   Yes
database.port (Only for Db2, PostgreSQL, or SQL Server) Application Engine database port.   Yes
database.alternative_host (Only for Db2, PostgreSQL, or SQL Server) Application Engine database alternative host for database automatic client reroute (ACR) with high availability disaster recovery (HADR). If you want to enable the database ACR and HADR, configure both alternative_host and alternative_port. You must have Db2 servers whose hostnames can be resolved to IP addresses correctly in App Engine containers.   No
database.alternative_port (Only for Db2, PostgreSQL, or SQL Server) Application Engine database alternative host for database automatic client reroute (ACR) with high availability disaster recovery (HADR). If you want to enable the database ACR and HADR, configure both alternative_host and alternative_port.   No
database.type Application Engine database type. Db2, Oracle, PostgreSQL, and SQL Server are supported. The default value is db2. db2 No
database.enable_ssl Whether to enable Secure Sockets Layer (SSL) support for the database connection. The default value is false. false No
database.db_cert_secret_name Secret name for storing the database TLS certificate when an SSL connection is enabled.   Yes
database.oracle_url_without_wallet_directory If you use an Oracle database, enter the Oracle connection URL. The format is (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<your-oracle-database-hostname>)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=<your-oracle-database-service-name>)))).   No
database.oracle_url_with_wallet_directory Required when you enable SSL for Oracle database, you must enter the Oracle connection URL with the wallet path. The format is (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<your-oracle-database-hostname>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=<your-oracle-database-service-name>))(SECURITY=(SSL_SERVER_DN_MATCH=FALSE)(MY_WALLET_DIRECTORY=/shared/resources/oracle/wallet))).   No
database.current_schema Application Engine database schema.

If it is set to empty, the default schema name is DBASB for Db2 and PostgreSQL database types, and the default value of admin_secret_name is AE_DATABASE_USER for Oracle and SQL Server database types. Customization of database schema names are supported only for Db2 and PostgreSQL. For Db2, the schema name is case-sensitive, and must be specified in uppercase characters. For more information, see IBM Data Server Driver for JDBC and SQLJ configuration properties.

 DBASB No
database.oracle_sso_wallet_secret_name Secret name for storing wallet SSO binary file when an SSL connection is enabled and Oracle database is selected.   No
database.initial_pool_size Initial pool size of the Application Engine database. The default value is 1. 1 No
database.max_pool_size Maximum pool size of the Application Engine database. The default value is 100. 100 No
database.max_lru_cache_size Maximum Least Recently Used (LRU) cache size of the Application Engine database. The default value is 1000. 1000 No
database.max_lru_cache_age Maximum LRU cache age of the Application Engine database. The default value is 600000. 600000 No
database.dbcompatibility_max_retries Maximum number of times to retry checking database compatibility. The default value is 30. 30 No
database.dbcompatibility_retry_interval Retry interval for checking database compatibility. The default value is 10. 10 No
log_level.node Log level for output from the Application Engine server. The default value is audit. info No
log_level.browser Log level for output from the web browser. The default value is 2. 2 No
content_security_policy.enable Whether to enable the content security policy for Application Engine. The default value is false. false No
content_security_policy.allowlist Configuration of the Application Engine content security policy allowlist.   No
content_security_policy.frame_ancestor Configuration of the Application Engine content security policy frame_ancestor.   No
env.max_size_lru_cache_rr Maximum size of the cache for the Resource Registry. The default value is 1000. 1000 No
env.server_env_type Application Engine deployment type. The default value is development. development No
env.purge_stale_apps_interval (Application Engine playback server only) Interval for the purging job to run to purge stale apps. The default value is 86400000. 86400000 No
env.apps_threshold (Application Engine playback server only) Minimum number of existing apps for purging job to start purging stale apps. The default value is 100. 100 No
env.stale_threshold (Application Engine playback server only) Age of the apps to be considered as stale. The default value is 172800000. 172800000 No
env.service_threshold (Application Engine playback server only) Minimum number of preview-only automation services in the server for purging job to start purging stale preview-only automation services. The default value is 100. 100 No
env.service_stale_threshold (Application Engine playback server only) Age, in milliseconds, of preview-only automation service since publish to be considered as stale. The default value is 172800000. 172800000 No
env.uv_thread_pool_size UV thread pool size of the Application Engine NodeJS server. Increase this number if your Application Engine must support a high volume of traffic. The default value is 40. 40 No
env.connection_timeout Service socket connection timeout in milliseconds. The default value is 120000. 120000 No
env.custom_environment_variables Set the custom variables for your environment. For example, to set the timezone for the pod, you might enter:
  • -key: TZ
  • value: Europe/Warsaw
   No
env.public_app_context The context root used to expose the public applications. public-app No
images.db_job.repository Image name for the Application Engine database job container. By default, the path points to the URL and location in the IBM Entitled Registry. The default value is <path>/solution-server-helmjob-db where <path> is cp.icr.io/cp/cp4a/aae/. If sc_image_repository has a value, the path is that value. <path>/solution-server-helmjob-db No
images.db_job.tag Image tag for the Application Engine database job container. If you want to use a specific image version, you can override the default tag or digest. 24.0.0 No
images.solution_server.repository Image name for the Application Engine container. By default, the path points to the URL and location in the IBM Entitled Registry. The default value is <path>/solution-server where <path> is cp.icr.io/cp/cp4a/aae/. If sc_image_repository has a value, the path is that value. <path>/solution-server No
images.solution_server.tag Image tag for the Application Engine container. If you want to use a specific image version, you can override the default tag or digest. 24.0.0 No
max_age.auth_cookie Maximum age of an authentication cookie. The default value is 900000. 900000 No
max_age.csrf_cookie Maximum age of a Cross-Site Request Forgery (CSRF) cookie. The default value is 3600000. 3600000 No
max_age.static_asset Maximum age of a static asset cache. The default value is 2592000. 2592000 No
max_age.hsts_header The HTTP Strict-Transport-Security response header (often abbreviated as HSTS). The default value is 2592000. 2592000 No
probe.liveness.failure_threshold When a pod starts and the probe fails, Kubernetes tries this number of times before giving up. Minimum value is 1. The default value is 5. 5 No
probe.liveness.initial_delay_seconds Number of seconds after the container starts before the liveness probe is initiated. The default value is 60. 60 No
probe.liveness.period_seconds How often to do the liveness probe (in seconds). The default value is 10. 10 No
probe.liveness.timeout_seconds Number of seconds after which the probe times out. The default value is 180. 180 No
probe.liveness.success_threshold Minimum consecutive successes for the probe to be considered successful after failing. Minimum value is 1. The default value is 1. 1 No
probe.readiness.failure_threshold When a pod starts and the probe fails, Kubernetes tries this number of times before giving up. Minimum value is 1. The default value is 5. 5 No
probe.readiness.initial_delay_seconds Number of seconds after the container starts before the readiness probe is initiated. The default value is 10. 10 No
probe.readiness.period_seconds How often to do the readiness probe (in seconds). The default value is 10. 10 No
probe.readiness.timeout_seconds Number of seconds after which the probe times out. The default value is 180. 180 No
probe.readiness.success_threshold Minimum consecutive successes for the probe to be considered successful after failing. Minimum value is 1. The default value is 1. 1 No
redis.host Hostname of the Remote Dictionary Server (Redis) database that is used by Application Engine   No
redis.port Port number of the Redis database that is used by Application Engine   No
redis.ttl Time To Live for the session in the Redis database. The default value is 1800. 1800 No
redis.tls_enabled Whether to enable TLS connection for Redis.

If yes, set it to true, and put your redis server CA certificate in tls_trust_list or trusted_certificate_list of your custom resource. The default value is false.

 false No
redis.username Redis username. If you are using Redis V6 or later, fill in this field. Otherwise, leave this field empty.   No
resource_ae.limits.cpu Maximum amount of CPU that is required for the Application Engine container. The default value is 500m. 500m No
resource_ae.limits.memory Maximum amount of memory that is required for the Application Engine container. The default value is 1Gi. 1Gi No
resource_ae.limits.ephemeral_storage Maximum amount of ephemeral storage that is required for the Application Engine container. The default value is 2Gi. 2Gi No
resource_ae.requests.cpu Minimum amount of CPU that is required for the Application Engine container. The default value is 300m. 300m No
resource_ae.requests.memory Minimum amount of memory that is required for the Application Engine container. The default value is 256Mi. 256Mi No
resource_ae.requests.ephemeral_storage Minimum amount of ephemeral storage that is required for the Application Engine container. The default value is 512Mi. 512Mi No
resource_init.limits.cpu Maximum amount of CPU that is required for the Application Engine init container. The default value is 500m. 500m No
resource_init.limits.memory Maximum amount of memory that is required for the Application Engine init container. The default value is 256Mi. 256Mi No
resource_init.limits.ephemeral_storage Maximum amount of ephemeral storage that is required for the Application Engine init container. The default value is 2Gi. 2Gi No
resource_init.requests.cpu Minimum amount of CPU that is required for the Application Engine init container. The default value is 100m. 100m No
resource_init.requests.memory Minimum amount of memory that is required for the Application Engine init container. The default value is 128Mi. 128Mi No
resource_init.requests.ephemeral_storage Minimum amount of ephemeral storage that is required for the Application Engine init container. The default value is 512Mi. 512Mi No
session.check_period (For non-external session store) Interval to purge expired sessions from the session store. The default value is 3600000. 3600000 No
session.duration (For non-external session store) Time to live for the session. The default value is 1800000. 1800000 No
session.max (For non-external session store) Maximum number of sessions stored. The default value is 10000. 10000 No
session.resave Whether to enable session resaving. The default value is false. false No
session.rolling Whether to enable session rolling. The default value is true. true No
session.save_uninitialized Whether to save uninitialized sessions. The default value is false. false No
session.use_external_store Use an external store for storing sessions. The default value is false. false No
share_storage.enabled Shared storage to share the file upload cache among servers for Application Engine. The default value is true. true No
share_storage.pvc_name PVC for the Application Engine shared storage   No
share_storage.auto_provision.enabled Dynamic provisioner to provision the PVs and PVCs. The default value is true. true No
share_storage.auto_provision.storage_class The dynamic storage classname for provisioning the PVs and PVCs   No
share_storage.auto_provision.size Storage size for the PVs for Application Engine. The default value is 20Gi. 20Gi No
tls.tls_trust_list Trusted certificate secret names. Application Engine trusts those certificates for communication. The default value is []. [] No
log_storage.enabled Log storage to store the logs for Application Engine. The default value is true. true No
log_storage.pvc_name The name of the persistent volume claim (PVC) for log storage. The default value is cp4a-shared-log-pvc. cp4a-shared-log-pvc No
log_storage.log_file_size Storage size for the PVs for log storage. The default value is 20M. 20M No
log_storage.log_rotate_size Save up to the maximum files. The default value is 5. 5 No
log_storage.auto_provision.enabled Dynamic provisioner to provision the PVs and PVCs for log storage. The default value is true. true No
log_storage.auto_provision.storage_class The dynamic storage classname for provisioning the PVs and PVCs for log storage   No
log_storage.auto_provision.size Storage size for the PVs for log storage. The default value is 5Gi. 5Gi No
node_affinity.deploy_arch Values in this field are used as kubernetes.io/arch selector values. The valid values are amd64, s390x, and ppc64le.   No
node_affinity.custom_node_selector_match_expression Added in node selector match expressions. It accepts array list inputs. You can assign multiple selector match expressions except (kubernetes.io/arch). 
- key: kubernetes.io/hostname
  operator: In
  values:
    - worker0
    - worker1
    - worker3
 No
custom_annotations Values in this field are used as annotations in all generated pods. They must be valid annotation key-value pairs. customAnnotationKey: customAnnotationValue No
custom_labels Values in this field are used as labels in all generated pods. They must be valid label key-value pairs. customLabelKey: customLabelValue No
seccomp_profile Setting for secure computing mode (seccomp) profile in CP4A containers. You can also define the seccomp profile globally at shared_configuration.sc_seccomp_profile. Supported values are: Unconfined, RuntimeDefault, and Localhost. The default value is RuntimeDefault on OpenShift® Container Platform 4.11 (Kubernetes 1.24) and later. Seccomp profile is not created on OpenShift Container Platform 4.10 (Kubernetes 1.23) or earlier. For more information about seccomp profile, see Restrict a Container's Syscalls with seccomp and Restrict seccomp profiles.
Note: Defining a custom, Localhost seccomp profile that is stricter than the default RuntimeDefault profile may cause the pods to fail to start.
 RuntimeDefault No
localhost_profile The local path of the seccomp profile file. This parameter is required if sc_seccomp_profile is set to Localhost. The custom profile must be accessible by the pod. /profiles/fine-grained.json if seccomp_profile is Localhost No
zen_performance.keepalive Number of idle keepalive connections to an upstream server that remain open for each worker process. This parameter is optional. The default value is 512. 512 No
zen_performance.keepalive_timeout How long an idle keepalive connection remains open. This parameter is optional. The default value is 30s. 30s No
zen_performance.keepalive_requests Number of requests a client can make over a single keepalive connection. This parameter is optional. The default value is 500. 500 No
zen_performance.proxy_buffer_size Size of the buffer used to read the first part of the response received from the proxied server. This parameter is optional. The default value is 256k. 256k No
zen_performance.proxy_buffers Number and size of the buffers used for reading a response from the proxied server, for a single connection. This parameter is optional. The default value is 8 512k. 8 512k No
zen_performance.proxy_busy_buffers_size When buffering of responses from the proxied server is enabled, this parameter limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read. This parameter is optional. The default value is 512k. 512k No
zen_performance.proxy_connect_timeout Timeout for establishing a connection with a proxied server. This parameter is optional. The default value is 300s. 300s No
zen_performance.proxy_send_timeout Timeout for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. This parameter is optional. The default value is 300s. 300s No
zen_performance.proxy_read_timeout Timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. This parameter is optional. The default value is 300s. 300s No

Resource Registry parameters

The following table lists the parameters for configuring Resource Registry. All parameters are optional.

Table 2. Resource Registry parameters: spec.resource_registry_configuration
Parameter name Description Example values
admin_secret_name Existing Resource Registry administrative secret for sensitive configuration data. The default value is <CR name>-rr-admin-secret. <CR name>-rr-admin-secret
hostname rr-route hostname. If the hostname is not set, a default hostname with the following format is used.
rr-<shared_configuration.sc_deployment_hostname_suffix>
This parameter is used only by stand-alone Business Automation Workflow on containers.		  
port Resource Registry port for using the NodePort service. The default value is 443. 443
replica_size Number of etcd nodes in the cluster. Always set it to an odd number, as explained in the etcd FAQ. The default value is 1. 1
images.resource_registry.repository Repository and name of the Resource Registry image. By default, the path points to the URL and location in the IBM Entitled Registry. The default value is <path>/dba-etcd where <path> is cp.icr.io/cp/cp4a/aae/. If sc_image_repository has a value, the path is that value. <path>/dba-etcd
images.resource_registry.tag Tag name of the Resource Registry image. .If you want to use a specific image version, you can override the default tag or digest. 24.0.0
tls.tls_secret Existing TLS secret that contains tls.key and tls.crt  
probe.liveness.initial_delay_seconds Number of seconds after the container starts before the liveness probe is initiated. The default value is 60. 60
probe.liveness.period_seconds How often (in seconds) to perform the probe. The default value is 10. 10
probe.liveness.timeout_seconds Number of seconds after which the probe times out. The default value is 5. 5
probe.liveness.success_threshold Minimum consecutive successes for the probe to be considered successful after failing. Minimum value is 1. The default value is 1. 1
probe.liveness.failure_threshold When a pod starts and the probe fails, Kubernetes tries this number of times before giving up. Minimum value is 1. The default value is 3. 3
probe.readiness.initial_delay_seconds Number of seconds after the container starts before the readiness probe is initiated. The default value is 10. 10
probe.readiness.period_seconds How often (in seconds) to perform the probe. The default value is 10. 10
probe.readiness.timeout_seconds Number of seconds after which the probe times out. The default value is 5. 5
probe.readiness.success_threshold Minimum consecutive successes for the probe to be considered successful after failing. Minimum value is 1. The default value is 1. 1
probe.readiness.failure_threshold When a pod starts and the probe fails, Kubernetes tries this number of times before giving up. Minimum value is 1. The default value is 3. 3
resources.limits.cpu CPU limit for Resource Registry configuration. The default value is 500m. 500m
resources.limits.memory Memory limit for Resource Registry configuration. The default value is 512Mi. 512Mi
resources.limits.ephemeral_storage Ephemeral storage limit for Resource Registry configuration. The default value is 2Gi. 2Gi
resources.requests.cpu Requested CPU for Resource Registry configuration. The default value is 100m. 100m
resources.requests.memory Requested memory for Resource Registry configuration. The default value is 256Mi. 256Mi
resources.requests.ephemeral_storage Requested ephemeral storage for Resource Registry configuration. The default value is 128Mi. 128Mi
auto_backup.enable Whether to enable automatic backup for Resource Registry. If you enable automatic backup, you must create a persistent volume (PV). See Optional: Implementing storage. The default value is true. true
auto_backup.minimal_time_interval Minimal time interval for automatic backup. The default value is 300. 300
auto_backup.pvc_name The name of the persistent volume claim (PVC) for automatic backup. The default value is <name>-dba-rr-pvc. <name>-dba-rr-pvc
auto_backup.log_pvc_name The name of the persistent volume claim (PVC) for log storage for automatic backup. The default value is cp4a-shared-log-pvc. cp4a-shared-log-pvc
auto_backup.dynamic_provision.enable Whether to enable dynamic provisioning to provision the PVs and PVCs. The default value is true. true
auto_backup.dynamic_provision.size Storage size for PVs. The default value is 3Gi. 3Gi
auto_backup.dynamic_provision.size_for_logstore Storage size for PVs of log store  
auto_backup.dynamic_provision.storage_class Dynamic storage class name to provision the PVs and PVCs. The default value is {{ shared_configuration.storage_configuration.sc_fast_file_storage_classname }}. {{ shared_configuration.storage_configuration.sc_fast_file_storage_classname }}
node_affinity.deploy_arch Values in this field are used as kubernetes.io/arch selector values. The valid values are amd64, s390x, and ppc64le.  
node_affinity.custom_node_selector_match_expression Added in node selector match expressions. It accepts array list inputs. You can assign multiple selector match expressions except (kubernetes.io/arch). 
- key: kubernetes.io/hostname
  operator: In
  values:
    - worker0
    - worker1
    - worker3
custom_annotations Values in this field are used as annotations in all generated pods. They must be valid annotation key-value pairs. customAnnotationKey: customAnnotationValue
custom_labels Values in this field are used as labels in all generated pods. They must be valid label key-value pairs. customLabelKey: customLabelValue
seccomp_profile Setting for secure computing mode (seccomp) profile in CP4A containers. You can also define the seccomp profile globally at shared_configuration.sc_seccomp_profile. Supported values are: Unconfined, RuntimeDefault, and Localhost. The default value is RuntimeDefault on OpenShift Container Platform 4.11 (Kubernetes 1.24) and later. Seccomp profile is not created on OpenShift Container Platform 4.10 (Kubernetes 1.23) or earlier. For more information about seccomp profile, see Restrict a Container's Syscalls with seccomp and Restrict seccomp profiles.
Note: Defining a custom, Localhost seccomp profile that is stricter than the default RuntimeDefault profile may cause the pods to fail to start.
 RuntimeDefault
localhost_profile The local path of the seccomp profile file. This parameter is required if sc_seccomp_profile is set to Localhost. The custom profile must be accessible by the pod. /profiles/fine-grained.json if seccomp_profile is Localhost