Shared configuration
The following tables list the configurable parameters. The parameters are either mandatory <Required> or optional in a custom resource file. If a parameter is absent or has no value, it means that the operator refers to the default value. You can overwrite the default value by entering a new value in your custom resource. Parameters that are mandatory must always be present and you must enter a valid value.
| Parameter | Description | Example value | Required |
|---|---|---|---|
| appVersion | The version of the current release. | 23.0.2 | Yes |
| ibm_license | Must exist to accept the IBM license. The only valid value is "accept". | accept | Yes |
| Parameter | Description | Default/Example value | Required |
|---|---|---|---|
| enable_fips | Enable/disable FIPS mode for the deployment. | false | No |
| encryption_key_secret | The name of the shared encryption key secret. The secret is used to store a password that is
used to encrypt various encryption keys generated by the product. The secret is generated if it does
not exist. The encryption_key_secret parameter is shared by IBM Business
Automation Workflow, IBM Business
Automation Studio, Application
Engine, and IBM Process Federation Server.If your installation
includes Business Automation Studio and
Application
Engine and you want to
compress and export an application project to Business Automation Studio or import an application
project in Application
Engine, you can
specify the encryption key ( |
ibm-iaws-shared-key-secret | No |
| external_tls_certificate_secret | This parameter is used to replace the TLS certificates for all routes managed by the CP4BA operator. The certificate can use a wildcard SAN or multiple hostname SANs that can work for all of the routes. If defined, the certificate is used for all external routes. If it is not defined, certificates for all external routes are signed with the certificate in the root_ca_secret parameter. | my-ext-tls-secret | No |
| image_pull_secrets | Shared image pull secrets. | [] | Not present |
| images.dbcompatibility_init_container.repository | Image name for database compatibility init container. | dba-dbcompatibility-initcontainer | No |
| images.dbcompatibility_init_container.tag | Image tag for database compatibility init container. |
23.0.2 |
No |
| images.keytool_job_container.repository | Image name for Transport Layer Security (TLS) job container. | dba-keytool-jobcontainer | No |
| images.keytool_job_container.tag | Image tag for TLS job container |
23.0.2 |
No |
| images.keytool_init_container.repository | Image name for TLS init container. | dba-keytool-initcontainer | No |
| images.keytool_init_container.tag | Image tag for TLS init container. |
23.0.2 |
No |
| images.pull_policy | Pull policy for all containers. | IfNotPresent | No |
| images.umsregistration_initjob.repository | Image name for OpenID Connect (OIDC) registration job container. | dba-umsregistration-initjob | No |
| images.umsregistration_initjob.tag | Image tag for OIDC registration job container. |
23.0.2 |
No |
| root_ca_secret | Root certificate authority (CA) secret name to store the root CA TLS key and certificate. The
default value when it is not set, is icp4a-root-ca. If the secret does not exist,
it is created and a self-signed root CA certificate is generated. To assign an existing secret, it
must be a TLS secret with the CA certificates. For more information, see TLS Secrets. |
icp4a-root-ca | No |
| sc_cpe_limited_storage | When set to "true", the Content Platform Engine (CPE) component is deployed
for Automation Document Processing capability as non-chargeable. |
true, false (default is false) | No |
| sc_deployment_baw_license | Use only when you want to install a deployment license for Business Automation Workflow. The only valid values are user, non-production, and production. If no value is set and the parameter is used, then the default is production. | production |
No Yes, if you want to install Business Automation Workflow. |
| sc_deployment_fncm_license | Use only when you want to install a deployment with a license for FileNet Content Manager. The only valid values are user, non-production, and production. If no value is set and the parameter is used, then the default is production. | production |
No Yes, if you want to install FileNet Content Manager. |
| sc_deployment_hostname_suffix | If you do not want to use a generated routing subdomain, you can customize the suffix that is
used as the routing subdomain to create your routes. If
sc_deployment_platform is set to "
If you
customize the hostname, you must ensure that the hostname suffix is the same as the default
OpenShift router canonical hostname, otherwise you might get an error when you use Business Automation Studio.OCP" or
"ROKS", routes are created automatically. The routes are generated in the
form: |
None | No |
| sc_deployment_license | Valid values are non-production and production. | production | Yes |
| sc_deployment_patterns | The patterns or capabilities to be deployed. Names of the patterns are separated by a comma. | foundation | Yes |
| sc_deployment_platform | Valid options are "OCP" and "ROKS".
|
OCP | Yes |
| sc_deployment_profile_size | For a starter deployment type, the starter profile must be
used. For a production deployment type, the default is |
small | No |
| sc_deployment_type | Digital Business Automation
can be installed for evaluation or production purposes. Set the value to starter for an evaluation deployment, and production for all other deployment types. Note: If you set the value to "starter", Db2® Universal
Container and OpenLDAP instances are created as part of the installation. If the value is set to
"starter", you must also set the sc_dynamic_storage_classname
parameter.
|
None | Yes |
| sc_drivers_url |
Necessary if you want to use your own JDBC drivers and/or need to provide ICCSAP drivers. If you are providing multiple JDBC drivers and ICCSAP drivers, all the files must be compressed in a single file. You must put the compressed file on an accessible web server and enter the URL as the value. For
example, |
None | No |
sc_egress_configuration
|
To enable or disable egress access to external systems. The default is to restrict access to external systems. Set the value of If set to Important: When the value of
sc_restricted_internet_access is set to
true, none of the CP4BA capabilities (excluding Operational Decision Manager) can access external systems
other than the known addresses for databases, LDAPs, and federated systems. For more information,
see Configuring cluster security. |
|
No |
sc_iam
|
The name of the admin user for the IBM Identity Management (IM) foundational service. | cpadmin | No |
| sc_image_repository | By default the IBM Entitled Registry is used, and the value is set to "cp.icr.io". When a private image registry is used, the value for sc_image_repository must be set to the URL for that location. For example: myimageregistry.com/project_name. For an air gap installation, make sure that the parameter is set to the default value. | cp.icr.io | No |
| sc_image_tag | A tag value that is applied to all container images. Digests are used instead of the image tag, but it is useful to keep the tag up to date with the corresponding version. The list of digests that are used in each version can be found in the resources.yaml file under the ${CASE_LOCAL_PATH}/ibm-cp-automation/inventory/cp4aOperatorSdk directory of the CASE package. For more information, see Preparing a client to connect to the cluster. |
None | No |
| sc_ingress_enable | For ROKS, set this parameter to true to enable Ingress. The default value is false, which creates routes instead of Ingress. | false |
No Yes on ROKS. |
| sc_ingress_tls_secret_name | Must be set if you enable ingress on ROKS. This secret provides TLS for the ingress
controller. To get the secret when Ingress is enabled with TLS, run the following command. |
None |
No Yes if ingress is enabled. |
| sc_install_automation_base | By default the value is set to true. The default value installs Kafka and
Elasticsearch for Business Automation Insights. If you want to use a pre-installed AutomationBase
instance in the Cloud Pak, then set the value to false to prevent the Cloud Pak
installing a new instance. You can also change the value after an installation if you want to
customize the AutomationBase instance. Setting the value to false after the
installation prevents the Cloud Pak operator from overriding the customized instance with the
default configuration. |
true | No |
| sc_optional_components | The optional components to be installed. | The optional components are:
|
No |
| sc_run_as_user | For Cloud Native Computing Foundation (CNCF) platforms such as Amazon Web Services (AWS), Google Kubernetes Engine (GKE), and so on, a value is required for this parameter. On OCP and ROKS, this parameter is not required. Specify the user to run the security context of the pod. The value is usually a number that corresponds to a user ID. | None | Yes if the deployment platform is set to other. |
| sc_seccomp_profile.type | Specify the type of seccomp profile to be used by the pods. Possible values are:
Unconfined, RuntimeDefault, Localhost. For more
information about seccomp profile, see the Restrict a Container's Syscalls with
seccomp. |
Default value:
Example: |
No |
| sc_seccomp_profile.localhost_profile | Specify the local path of the seccomp profile file. This parameter is required if
sc_seccomp_profile.type is set to Localhost. The value of
sc_seccomp_profile.localhost_profile is ignored if sc_seccomp_profile.type is set to anything other
than Localhost. For more information, see Configuring seccomp profiles. |
Example: profiles/audit.json | Only if sc_seccomp_profile.type is set to Localhost |
| sc_skip_ldap_config |
Controls whether the operator configures the Content Platform Engine to use an LDAP directory configuration or a SCIM directory configuration to authorize users and groups. Set to true (default) for the operator to configure a Content Platform Engine SCIM directory configuration to retrieve authorization information such as the groups to which a user belongs from IM. Set to false for the operator to configure a Content Platform Engine LDAP directory configuration to retrieve authorization information such as the groups to which a user belongs from an LDAP server. |
true | Yes, if false must be specified to retain a non-default configuration of the Content Platform Engine. Examples include upgrading from a previous deployment where an LDAP directory was configured to perform user and group authorization, or moving from a traditional deployment that utilized an LDAP directory to containerized. |
storage_configuration
|
Three storage classes are needed for slow, medium, and fast storage. If one storage class is
defined, then you can use that one storage class for all three parameters. The set block storage class name is used for the PVCs that are created for MongoDB. |
None | Yes |
| trusted_certificate_list | Trusted certificate secret names. Every component trusts these certificates for secure communication. Enter a comma-delimited list of the secret names in an array. For example, [secret_name1, secret_name2]. | [] | No |