What's new in the foundational services
Get a quick overview of what is added, changed, or improved, in the IBM Cloud Pak® foundational services.
What's new in foundational services installer version 3.23
Installer
- IBM Catalog Management Plug-in (ibm-pak plugin): In `ibm-pak plugin` version 1.7.0 (LTSR 3.19.12), the following enhancements are introduced:
  - Support for verifying the integrity of downloaded CASEs. For more information, see `command-help.md`.
  - The CatalogSource which supports only a single architecture is created with appropriate `kubernetes.io/arch` labels to support the new OpenShift Container Platform multi-architecture compute.
  - Improved logging for prerequisite checks when you use the plug-in for non-mirroring activities using the launch command (`oc ibm-pak launch`) such as installing catalogs.
- OpenShift Container Platform 4.12: Support for OpenShift Container Platform 4.12 is added. For more information, see Supported OpenShift versions and platforms.
- Custom configurations are not overwritten: The `ibm-common-service-operator` and `operand-deployment-lifecycle-manager` operators no longer overwrite custom configurations that you make in the `.spec.config` section of any foundational services operator subscription.
- Numeric namespace: You can now install foundational services in a namespace that has a numeric name. For example, a namespace with the name `123`.
Identity and Access Management (IAM)
- IBM Cloud Pak SCIM Azure AD integration: Cloud Pak can use the Azure-IAM integration by using SCIM to manage the users and groups at the Cloud Pak end. The Azure-IAM integration will also help in managing the authentication and authorization for the resources. For more information, see IBM Cloud Pak SCIM Azure AD integration.
- Recursive method to enable LDAP nested search: IAM supports a recursive method to enable nested search for Tivoli Directory Server (TDS) and Security Directory Server (SDS) by using SCIM APIs. For more information, see Recursive approach to enable nested search.
- Supporting all special characters for Group filter and User filter while configuring LDAP: From foundational services version 3.23 and later, when you configure an LDAP connection, IAM supports all special characters for Group filter and User filter. For the validated and tested special characters for Group filter and User filter, see LDAP filters.
Common Web UI
- In Common Web UI service version 1.21.0, there is a new option to disable auto complete on the login page. For more information, see Disabling auto complete on the login page.
User Data Services
The following enhancements are provided in User Data Services version 2.0.10:
- OpenShift Container Platform 4.12 support: From foundational services version 3.23.2 onwards, User Data Services is supported on OpenShift Container Platform 4.12.
The following enhancements are provided in User Data Services version 2.0.9:
- OpenShift Container Platform 4.11 support: From foundational services version 3.23.0 onwards, User Data Services is supported on OpenShift Container Platform 4.11.
- Hyperscaler properties support: From foundational services version 3.23.0 onwards, User Data Services supports the newly added Hyperscaler properties of the `Account Contractual Usage` data standard for the `/consumption` endpoint.
What's new in prior releases of foundational services
- What's new in foundational services installer version 3.22
- What's new in foundational services installer version 3.21
- What's new in foundational services installer version 3.20
- What's new in foundational services installer version 3.19
- What's new in foundational services installer version 3.18
- What's new in foundational services installer version 3.17
- What's new in foundational services installer version 3.16
- What's new in foundational services installer version 3.15
- What's new in foundational services installer version 3.14
- What's new in foundational services installer version 3.13
- What's new in foundational services installer version 3.12
- What's new in foundational services installer version 3.11
- What's new in foundational services installer version 3.10
- What's new in foundational services installer version 3.9
- What's new in foundational services installer version 3.8
- What's new in foundational services installer version 3.7
- What's new in foundational services installer version 3.6
What's new in foundational services installer version 3.22
Installer
- IBM Catalog Management Plug-in (ibm-pak plugin):
  - The ibm-pak plug-in now generates a `component-set-config.yaml` file per CASE retrieval that can be used to pin a specific version downloaded. The `component-set-config.yaml` can be specified as input on future CASE retrievals to ensure a repeatable install.
  - The list command now shows you the Application Version in addition to the CASE version for both available CASEs, including the one you have already downloaded.
  - Colored plug-in console output can be enabled by running the command, `oc ibm-pak config color --enable true`, to highlight success or error messages.
- cloudctl case command deprecation: In foundational services version 3.22, the `cloudctl case` command is deprecated and replaced with ibm-pak plug-in. Support for the `cloudctl case` command will be removed in a future release. For more information, see `cloudctl case` and corresponding ibm-pak commands.
- Foundational services backup and restore (technology preview): Back up and restore foundational services by using the OADP (OpenShift API for Data Protection) operator. For more information, see IBM Cloud Pak foundational services backup and restore.
- IBM Namespace Scope Operator permissions: Cluster permissions of the IBM Namespace Scope Operator are reduced. For more information, see IBM Namespace Scope Operator.
- Back up and restore MongoDB during conversion to a multiple-namespaces installation (technology preview): Before you convert your single-instance cluster to a multiple-instances cluster, you can back up MongoDB. For more information, see Back up and restore MongoDB during conversion to a multiple-namespaces installation.
- IBM Crossplane operators: If you want to uninstall the IBM Crossplane operators, you can add the `crossplaneProviderRemoval: true` configuration to the `CommonService` CR. For more information, see Crossplane service.
IAM
- Okta-IAM SCIM integration: CloudPak can leverage the OKTA-IAM integration by using SCIM to manage the users and groups at the CloudPak end. For more information, see IBM CloudPak SCIM Okta integration.
- Nested search support for Tivoli Directory Server and Security Directory Server: IAM supports nested search for the Tivoli Directory Server (TDS) and Security Directory Server (SDS). For more information, see Enabling LDAP Nested Search.
- Custom search base support for LDAP user entity: Custom search base for LDAP user entity is supported through the SCIM APIs. For more information, see Custom search base support for LDAP group and user entity in SCIM group and user APIs.
- LDAP group filter support for SCIM user API: The LDAP Group filter value is supported when you query for a group of a SCIM user. For more information, see Custom Group filter support in SCIM User API.
License Service
- Cluster threshold management and visualization feature: In OpenShift Container Platform, the User Workload monitoring enabled License Service will display the current core-based licensing data in Prometheus, under the `ibm_licensing_usage_daily_high_watermark` name. For more information, see Cluster threshold management and visualization.
- FIPS compliant: License Service and License Service Reporter are FIPS compliant now.
Certificate manager
- ibm-cert-manager-operator: The ibm-cert-manager-operator can now automatically detect if another CNCF cert-manager is running on a cluster and will delegate certificate management to it.
- Leaf certificate refresh enhancement: Foundational services can now refresh leaf certificates where the Certificate chain started from a Kubernetes secret. See Refreshing leaf certificates.
Platform UI
- Prometheus and Grafana UI deprecation: In Platform UI version 1.8.x (foundational services version 3.21), Prometheus and Grafana UI are deprecated in OpenShift Container Platform version 4.10 and removed in OpenShift Container Platform version 4.11. When you click on the OpenShift Container Platform Grafana link from the Administration panel, you will now be redirected to the OpenShift Container Platform Observability Dashboard. For more information, see OpenShift Container Platform 4.10 release notes.
What's new in foundational services installer version 3.21
Installer
- Convert a single-namespace foundational services installation to a multiple-namespaces installation: If you installed IBM Cloud Pak foundational services in a single namespace in your cluster, and you now want to install foundational services in multiple namespaces, you can run a script to do so. For more information, see Converting a single-namespace installation to a multiple-namespaces installation.
- Catalog sources available only in `icr.io`: Catalog sources of all foundational services operators are now available only in `icr.io`. The images and catalog sources in `quay.io` and `docker.io` are no longer used.
- IBM Catalog Management Plug-in (`ibm-pak plugin`): The following enhancements are introduced:
  - Support for PowerPC 64-bit, little-endian, and IBM Z architecture.
  - Enhanced describe command to view the top-level namespaces where images will be mirrored.
License Service
- Audit snapshot has the information about the IBM Cloud Pak for Data services: Audit snapshot contains the information about the usage of Cloud Pak for Data services that are grouped under bundled products. The audit snapshot has 2 new `csv` files: `services` and `services_daily`. Cloud Pak for Data services files will be visible in audit snapshots only when you use the relevant Cloud Pak for Data offerings. For more information, see Audit snapshot.
- Audit snapshot is extended with the following new metadata file: The audit snapshot includes the new metadata file `data_condition.json`. For more information, see Audit snapshot.
- `unrecognized-apps` file in audit snapshot: From License Service Reporter version 1.18.0, a new file, `unrecognized-apps`, is seen when you generate the audit snapshot in the License Service Reporter. Earlier, the `unrecognized-apps` file was only seen in the audit snapshot that was generated in License Service. For more information, see Audit snapshot.
- Importing audit snapshots from offline environments into License Service Reporter: When you generate an audit snapshot with License Service from offline environments, you can upload it into License Service Reporter with a dedicated API. Thanks to the upload, the additional measurements are included in the collective license usage statistics on Licensing dashboard and in License Service Reporter reports. For more information, see Uploading audit snapshots from offline environments into License Service Reporter.
- Data source configured for sending data to License Service Reporter is visible in the UI: Data source configured for sending data to License Service Reporter is visible in the UI, even if there is no IBM product deployed and available for reporting yet.
Identity and Access Management (IAM)
- Server-side pagination support for LDAP through SCIM APIs: From foundational services version 3.21 and newer, the server-side pagination is supported for the LDAP. For more information, see SCIM pagination support for LDAP server.
- Custom search base for LDAP group entity in SCIM group APIs: From foundational services version 3.21 and newer, you can use custom search base for LDAP group in SCIM APIs. For more information, see Custom search base support for LDAP group and user entity in SCIM group and user APIs.
- Improved resiliency of `iam-onboarding` job: The resiliency of the `iam-onboarding` job has been improved from foundational services version 3.21 and newer. For more information, see iam-onboarding job is in progress state for longer time.
What's new in foundational services installer version 3.20
Installer
- Installing IBM Cloud Pak foundational services in multiple namespaces: In IBM Cloud Pak foundational services version 3.20, multiple foundational services instances capability is now generally available. For more information, see Installing IBM Cloud Pak foundational services in multiple namespaces.
- IBM Catalog Management Plug-in (`ibm-pak plugin`): The following enhancements are introduced:
  - You can download CASEs from cp.icr.io, an OCI compliant registry that stores CASEs as OCI artifacts.
  - You can list all available CASEs to download, as well as list the versions and the latest versions available for CASEs that you already downloaded.
  - You can get command outputs in json or yaml.
- OpenShift Container Platform 4.11: Support for OpenShift Container Platform 4.11 is added. For more information, see Supported OpenShift versions and platforms.
Certificate manager
- Bring your own Cloud Native Computing Foundation (CNCF) cert-manager: IBM Cloud Pak foundational services can now delegate certificate management functionalities to CNCF cert-manager that is already installed on the cluster. For more information, see Control installation of Certificate manager operands.
Identity and Access Management (IAM)
- Enabling Nested search for Microsoft Active Directory server type: You can enable Nested search for Microsoft Active Directory using the console. For more information, see Enabling LDAP Nested Search.
- Configuring single sign-on by using SAML from your product UI: From IBM Cloud Pak foundational services version 3.20 and later, you can configure single sign-on by using SAML from your product UI. For more information, see Configuring single sign-on using your product UI.
- Registering the SAML provider by using the Identity Provider (IdP) V3 API: From IBM Cloud Pak foundational services version 3.20 and later, you can register the SAML clients by using the IdP V3 API. For more information, see Registering the SAML clients using IdP V3.
- Enhanced SCIM users search API performance: From foundational services version 3.20 and later, IAM has introduced the configuration parameters `SCIM_AUTH_CACHE_MAX_SIZE` and `SCIM_AUTH_CACHE_TTL_VALUE` to improve the performance of the SCIM users search API. For more information, see Enhancing SCIM user API performance.
What's new in foundational services installer version 3.19
Installer
- Long Term Service Release (LTSR) and release cycle changes: IBM Cloud Pak foundational services 3.19 release is a Continuous Delivery (CD) release and a Long Term Service Release (LTSR). The 3.19 release delivers new features as well as security vulnerability and critical fixes. For more information about a CD and LTSR release, see Release types.
  - Starting from 3.19, the `v3` channel becomes the LTSR channel. The fixes and patches for LTSR will be delivered through this channel. LTSR version will remain as 3.19.x.
  - The upcoming CD releases will be delivered through multiple OLM channels. To make sure that you continuously deliver new foundational services versions that contain newly delivered features and fixes, make sure your upgrade procedures get updated when the next version of foundational services releases. The version of CD release will continue to move forward. The next versions will be 3.20, 3.21 and higher.
  - The 3.19.9 LTSR release has been updated with the same features and fixes as IBM Cloud Pak® foundational services versions 3.20, 3.21, 3.22, and 3.23.
- IBM Catalog Management Plug-in (`ibm-pak plugin`): In foundational services version 3.19, IBM Catalog Management Plug-in for IBM Cloud Paks is now generally available. For more information, see IBM Catalog Management Plug-in.
Certificate manager
- Configmap watcher removed from cert-manager: In version 3.19 of foundational services, configmap-watcher is removed from cert-manager.
Platform UI
- Dynamic membership type: When creating a new user group from Access control, you can now select the Dynamic membership type for attribute-based access control (ABAC) over the new user group that you are creating.
IBM API Catalog
- Removed service: In foundational services version 3.19 and newer, IBM API Catalog service is no longer available as an optional installable component. IBM API Catalog service still exists in foundational services version 3.18 or older.
License Service
- Retrieving contribution of services: For the products that have three-layer reporting structure that includes services that are grouped under bundled products, and are enabled for reporting, such as IBM Cloud Pak for Data, you can view the contribution of these services with License Service. Use the `/services` API to see how services contribute to the usage of the bundled products. For more information, see Retrieving contribution of services.
- Tracking license usage on AWS ECS Fargate: You can track the license usage of IBM Software that is deployed on AWS ECS Fargate. For more information, see License usage on AWS ECS Fargate.
Identity and Access Management (IAM)
- Export SAML metadata using the `samlmetadata` API: From foundational services version 3.19.0 and later, you can export the SAML metadata by using the `samlmetadata` API. For more information, see Export metadata.
- Registering OpenID Connect (OIDC) provider by using the Identity Provider (IdP) V3: You can register an OIDC provider by using the IdP V3 API. For more information, see IdP V3 APIs.
- Configuring single sign-on using OIDC: Using OIDC, you can configure single sign-on (SSO) between your product and supported providers. For more information, see Configuring single sign-on using OpenID Connect (OIDC).
- Multi-value support for the `Group filter` and `Group member ID map` LDAP filters: From foundational services version 3.19 and later, the `Group filter` and `Group member ID map` filters support one or more values. For more information, see Default LDAP filters by LDAP type.
- Enhanced LDAP search: From foundational services version 3.19 and later, the LDAP search is enhanced. By default, foundational services now supports an LDAP query filter size limit of up to 5000. With the LDAP query filter size enhancement, the group API performance has also improved because the bulk of group members can be searched in a single LDAP search. For more information, see Enhanced SCIM group API performance.
User Data Services
The following enhancements are provided in User Data Services version 2.0.8:
- Linux® on Power® (ppc64le) support: From foundational services version 3.19.0 onwards, you can install User Data Services on Linux on Power (ppc64le).
- Bring your own EnterpriseDB (EDB): From foundational services version 3.19.0 onwards, you can bring your own EDB Postgres instance to configure User Data Services. For more information, see Bring your own EDB.
What's new in foundational services installer version 3.18
Installer
- Multiple foundational services instances (technology preview): You can install multiple foundational services instances in your cluster. For more information, see Installing IBM Cloud Pak foundational services in multiple namespaces.
- License parameter: A `spec.license` parameter is added to the `CommonService` custom resource. For more information, see License.
Business Teams Service
- Enhanced backup and restore capabilities: Business Teams Service now supports enhanced backup and restore capabilities. For more information, see Backup and Restore.
Certificate manager
- Controlling installation of Certificate manager operands: A capability to control installation of Certificate manager operands during installation of foundational services is added. For more information, see Control installation of Certificate manager operands.
- Bug fix: A bug where converted v1 Certificates are not updated when you are updating the corresponding `spec` for `v1alpha1` Certificates is fixed.
License Service
- Reporting metrics from Prometheus queries: License Service is enabled to report product metrics that come from Prometheus queries.
Image registry
- Images at a new location: From version 3.18 onwards, the foundational services images are available in the IBM Container Registry. The operator and catalog images are available at `icr.io/cpopen/` and all other foundational services images are available at `icr.io/cpopen/cpfs/`. In foundational services version 3.18, the images are also available at the old location, which is `quay.io`. However, in a subsequent release, publishing of new foundational services images to `quay.io` might be stopped.
What's new in foundational services installer version 3.17
Installer
- `ibm-pak` plug-in technology preview: The `ibm-pak` plug-in simplifies the delivery of air-gapped function with a single `oc` plug-in. For more information, see ibm-pak plug-in technology preview.
Business Teams Service
- Support for deployment profiles and deployment profile sizes: Business Teams Service now supports deployment profiles (Starter, Production) and deployment profile sizes (small, medium and large). For more information, see Post-installation.
Certificate manager
- Certificate manager update: IBM Certificate manager operator is updated to deploy Jetstack cert-manager v1.7.1.
MustGather diagnostics
- Passing the namespace to the command for custom script: Users who gather diagnostics by using the custom scripts option of MustGather can use the namespace from the `must-gather` command in their scripts. For more information, see Using custom script to collect MustGather diagnostics that are not provided by default.
What's new in foundational services installer version 3.16
Installer
- OpenShift Container Platform version: IBM Cloud Pak foundational services 3.16.0 supports OpenShift Container Platform 4.10. For more information, see Supported OpenShift versions and platforms.
- Deployment scenarios: Information about supported deployment scenarios is added. For more information, see Supported cloud providers.
- Deprecated versions: Installer versions 1.1.0, 3.4.x, and 3.5.x are deprecated. You cannot upgrade to these versions.
- Bring your own certificate: You can now use the `CommonService` custom resource to add your own certificate authority (CA) certificate. For more information, see Bring your own CA Certificate.
Identity and Access Management (IAM)
- System for cross-domain identity management (SCIM): You can configure SCIM by using your product UI. You can select the attributes (User and Group attributes) to map the Identity provider attributes to the SCIM attributes. For more information, see SCIM configuration by using your product UI.
What's new in foundational services installer version 3.15
Installer
- Previewing install command outputs and files to be mirrored: The air-gapped install scripts have been updated so that you can preview the output of the install commands and list of files to be mirrored, to a file, before the commands are run.
- Setting up proxy environment variables: If your bastion host, portable compute device, or portable storage device must connect to the internet via a proxy, you must set environment variables on the machine that accesses the internet via the proxy server. Note that the proxy environment variables are supported only on cloudctl version 3.12.1 and higher.
- Redis and Analytics Engine powered by Apache Spark are no longer supported: You can no longer install Redis (`ibm-cloud-databases-redis-operator`) or Analytics Engine powered by Apache Spark (`ibm-cpd-ae-operator`) during foundational services installation. These operators are not supported from foundational services installer version 3.15 onwards.
- Importing and installing network policies: You can import and install foundational services network policies if you have a `deny-all` policy in place. For more information, see Installing network policies for foundational services.
- Support of Network File System (NFS) for production: NFS is supported for production environments. For more information, see NFS support and configuration in IBM Cloud Pak foundational services.
Removed services
- Audit logging: The `journald` support in `AuditLogging` CR, and audit sidecar (`icp-audit-service`) are removed with IBM Cloud Pak foundational services audit logging version 3.17.0. These services were deprecated in audit logging version 3.7.0. You can use Rsyslog Sidecar or HTTPS to forward audit logs to IBM Cloud Pak foundational services audit logging service.
- Monitoring: IBM Cloud Pak foundational services Prometheus as a data source of Grafana is removed from foundational services version 3.8.x and later.
License Service
- Automatic integration with IBM Software Central and Red Hat Marketplace: License Service automatically integrates with IBM Software Central and Red Hat Marketplace when both License Service and Red Hat Marketplace operator are on the cluster. Thanks to the seamless integration you can track your license usage directly in IBM Software Central and Red Hat Marketplace. For more information, see Integration with IBM Software Central and Red Hat Marketplace.
- Reporting license usage breakdown by services: License Service is enabled to report the breakdown of the license usage of an IBM Cloud Pak by services. The information about the breakdown will be reported by License Service only when the IBM Cloud Pak implements the proper mechanism for reporting services.
- Advanced API authorization method: License Service supports an advanced and customizable authorization method that is based on a service account token, which is provided by the request header field. Service account token authentication provides a flexible and customizable way to manage access to License Service APIs, based on role-based access control (RBAC). For more information, see Service account token.
What's new in foundational services installer version 3.14
Installer
The following enhancements are provided in the foundational services installer version 3.14:
- Setting up a repeatable air-gap process: Once you complete a `CASE` save, you can mirror the `CASE` as many times as you want to. This approach allows you to air gap a specific version of the Cloud Pak into development, test, and production stages. You can now save the `CASE` to multiple registries (per environment) once and be able to run the `CASE` in the future without repeating the `CASE` save process. For more information, see Installing IBM Cloud Pak foundational services in an air-gapped environment.
IBM API Catalog service
- The following enhancements are provided in the IBM API Catalog service version 1.1.0:
  - Async API 2.0 and 2.1 document support: API Catalog now supports Async API 2.0 and 2.1 documents, both by using the RESTful API interface and the API custom resources (CRs) with the API Discovery operator.
  - API Discovery Operator Support for YAML Documents: The API Discovery Operator can now be used to publish API documents in YAML format, in addition to the existing JSON format.
  - API metadata: When you publish API documents, you can provide key-value metadata properties by using the RESTful API interface or the API CRs with the API Discovery operator. These metadata properties can also be used to filter published API documents that are retrieved when you list API documents by using the RESTful interface.
  - Alternative API key: When you publish API Documents, you can provide a unique, custom alternative key as an alternative means of identifying, retrieving, and operating on a published API. This support is in addition to the existing support for API ID, and API name, and version. The key is supplied as a metadata property.
  - User Experience: General user experience improvements for the API Catalog UI.
  - Database: The IBM API Catalog service now uses `ibm-cloud-native-postgresql` version 1.10 and PostgreSQL version 12.9.
- Information about upgrade and rollback to a previous version of the service is added.
Identity and Access Management (IAM)
Auto-onboarding of users to the Platform UI is enhanced. You can add SAML users by using the Platform UI, but the user data is loaded only when the user logs in to IAM. In IBM Cloud Pak foundational services version 3.13 and earlier, SAML users with Platform UI administrator permission have the viewer role set in IAM. Now, SAML users display the roles that are set for them in the Platform UI.
IBM User Data Services (UDS)
The following enhancements are provided in the IBM User Data Services version 2.0.4:
- A new CR `AnalyticsProxyWithSubmodule`.
- Only block storage support with ReadWriteOnce access mode.
- OpenShift Form View support enabled.
- Reduced number of user inputs for CR.
What's new in foundational services installer version 3.13
IBM Cloud Pak® foundational services 3.13.0 introduces the following new features and enhancements:
Certificate manager
You can automatically refresh the CA signed certificates by adding the `ibm-cert-manager-operator/refresh-ca-chain: "true"` label to the certificate's YAML. For more information, see Enabling automatic refresh of CA signed certificates.
Business Teams Service
Business Teams Service (BTS) is introduced to IBM Cloud Pak foundational services. BTS is a microservice that allows you to administer and manage global teams across business applications.
For more information, see Business Teams Service.
What's new in foundational services installer version 3.12
Installer
- IBM Cloud Pak foundational services 3.12.0 supports OpenShift 4.9.
- IBM Cloud Pak foundational services introduces support for POWER10® with OpenShift Container Platform 4.8 and 4.9.
To learn more, see Supported OpenShift versions and platforms.
IBM API Catalog service
You can use the IBM API Catalog service to discover and understand the common set of APIs across all the IBM Cloud Paks® that you install in your cluster. For more information about installing the service, see IBM Cloud Pak foundational services Installer service.
For more information about the service, see IBM API Catalog service.
Platform UI
- The Platform UI can be used with an optional installation of Cloud Pak Platform common landing page and Services catalog.
Thanks to these two additional components, you can effortlessly view your current IBM software products and discover new products that might bring additional value to your organization.
Cloud Pak Platform common landing page provides good visibility over all IBM Cloud Paks that you purchased. You are directed to the landing page upon login. You can view each of the Cloud Pak instances to which you have access, as well as information about new IBM software products that you might find valuable.
Services catalog provides the user interface for browsing additional IBM software products that can help you solve the business needs that are not yet met.
The new components are free of charge, however, they require additional OpenShift resources that must be purchased in the form of OpenShift entitlements.
For more information on Cloud Pak Platform, see Cloud Pak Platform and Installing Cloud Pak Platform operator.
- Administration Hub is renamed to Administration panel.
IAM
- Identity Provider (IdP) APIs are introduced to register IdP configuration and their connection.
- IBM Security Verify (ISV) is integrated with the IdP to configure single sign-on (SSO) through SAML.
- You can onboard the ISV users and the groups by integrating ISV with the SCIM.
For more information, see Identity Provider APIs.
Certificate manager
- New v1 APIs are introduced for the following Certificate manager resources:
v1alpha1 API | v1 API |
---|---|
certificaterequests.v1alpha1.certmanager.k8s.io | certificaterequests.v1.cert-manager.io |
certificates.v1alpha1.certmanager.k8s.io | certificates.v1.cert-manager.io |
challenges.v1alpha1.certmanager.k8s.io | challenges.acme.v1.cert-manager.io |
clusterissuers.v1alpha1.certmanager.k8s.io | clusterissuers.v1.cert-manager.io |
issuers.v1alpha1.certmanager.k8s.io | issuers.v1.cert-manager.io |
orders.v1alpha1.certmanager.k8s.io | orders.acme.v1.cert-manager.io |
The v1alpha1 Issuers and Certificates are still supported, and when you create them, they are converted to v1 automatically.
The resources default to the v1 API. For example, when you run the oc get issuers command, the output returns a list of v1 Issuers. To see the list of v1alpha1 Issuers, run the following command:
oc get issuers.v1alpha1.certmanager.k8s.io
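To take stock of stored manifests that still declare the v1alpha1 API, the following added example (not part of the IBM documentation) scans multi-document YAML text and reports, for each hit, the v1 API version from the table above. The function name, the sample manifest, and the resource names in it are constructed for illustration.

```python
import re

# Old API version and the v1 API version per kind, taken from the table above.
OLD_API_VERSION = "certmanager.k8s.io/v1alpha1"
V1_API_VERSION = {
    "CertificateRequest": "cert-manager.io/v1",
    "Certificate": "cert-manager.io/v1",
    "ClusterIssuer": "cert-manager.io/v1",
    "Issuer": "cert-manager.io/v1",
    "Challenge": "acme.cert-manager.io/v1",
    "Order": "acme.cert-manager.io/v1",
}

# Only column-0 keys are matched, so a nested "kind:" (for example under
# spec.issuerRef) is never mistaken for the resource's own kind.
_TOP_LEVEL = re.compile(r"^(apiVersion|kind):\s*['\"]?([^'\"#\s]+)", re.M)
# First indented "name:" under metadata; assumes name is not preceded by a
# nested map that carries its own "name" key.
_NAME = re.compile(
    r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:\s*['\"]?([^'\"#\s]+)", re.M
)


def find_v1alpha1_resources(manifest_text):
    """Return one finding per YAML document that still uses the v1alpha1 API."""
    findings = []
    documents = re.split(r"^---[ \t]*$", manifest_text, flags=re.M)
    for index, doc in enumerate(documents):
        fields = dict(_TOP_LEVEL.findall(doc))
        if fields.get("apiVersion") != OLD_API_VERSION:
            continue
        kind = fields.get("kind", "")
        name = _NAME.search(doc)
        findings.append({
            "document": index,
            "kind": kind,
            "name": name.group(1) if name else None,
            # None means the kind is not one of the six resources in the table.
            "v1_api_version": V1_API_VERSION.get(kind),
        })
    return findings


# Constructed sample: two v1alpha1 resources and one that is already on v1.
SAMPLE = """\
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: demo-ca-issuer
spec:
  ca:
    secretName: demo-ca-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-cert
spec:
  secretName: demo-cert-tls
  issuerRef:
    name: demo-ca-issuer
    kind: Issuer
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Order
metadata:
  name: demo-order
"""

if __name__ == "__main__":
    for finding in find_v1alpha1_resources(SAMPLE):
        print(finding)
```

The report is an inventory only; it does not rewrite the manifests.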
About Certificate manager
Certificate manager can automatically refresh leaf certificates created from a CA issuer. For more information, see IBM Cloud Pak foundational services Certificate management.
License Service
- The Percent of threshold column is added to the Licensing dashboard. Thanks to the new column, you can quickly estimate how your actual license usage compares to the set threshold. For more information, see Viewing license usage on the Licensing dashboard.
- You can integrate License Service with Red Hat Marketplace to get a single pane of glass license usage reporting directly in Red Hat Marketplace. For more information, see Integration with Red Hat Marketplace.
MongoDB
You can view troubleshooting steps for resolving issues with MongoDB. For more information, see Troubleshooting MongoDB.
User Data Services
User Data Services (UDS) is introduced to IBM Cloud Pak foundational services. UDS collects, transforms, and transmits product usage data, user behavior and feature interaction data. For more information about the service, see User Data Services.
What's new in foundational services installer version 3.11
Installer
- The default size profile for installation is the starterset profile (previous default size profile was small). For more information, see Hardware requirements and recommendations for foundational services.
- You need to create the entitled registry secret if you are installing Cloud Native PostgreSQL in your cluster. For more information, see Creating the entitled registry secret.
IAM
- You can change the custom hostname and certificates for the cp-console route from the foundational services by using a job. For more information, see Updating custom hostname and TLS secret.
- LDAP configuration is not necessary for SAML integration for IBM Cloud Pak foundational services version 3.11.0 and later. For more information, see IAM for your product platform users.
- To support the SCIM APIs for a configured LDAP connection in the IBM Cloud Pak foundational services, you can update SCIM_LDAP_ATTRIBUTES_MAPPING data with the attributemapping API. For more information, see Updating SCIM LDAP attributes mapping.
License Service
- The audit snapshot that can be generated for multiple clusters from License Service Reporter is reconfigured and now comes in a form that is a valid audit proof. By generating the audit snapshot from Licensing dashboard or by using License Service Reporter API, you get a package that contains a collection of audit snapshots. For more information, see Audit snapshot in a multicluster environment.
- License Service supports hyperthreading on worker nodes, also referred to as Simultaneous multithreading (SMT) or Hyperthreading (HT). If your IBM software is deployed on a cluster that has SMT or HT enabled, hyperthreading might have a great impact on your licensing costs. For more information, see Hyperthreading and Enabling hyperthreading.
MustGather diagnostics
- The following parameters of the gather command are introduced to collect the additional data for MustGather diagnostics:
  - -c: Use the -c parameter with a component name, together with the -n parameter with namespaces, to collect logs for the specific component within the namespace scope.
  - -s ex: You might want to collect MustGather diagnostics that are not provided by default. Use the -s ex option to collect MustGather diagnostics by allowing the components to create their own custom scripts as a docker image.
- You can collect logs for a component for the resources with the label serviceability-addon=<component-name>.
- You can use a custom script to collect MustGather diagnostics that are not provided by default.
For more information, see Collecting support information about the cluster.
What's new in foundational services installer version 3.10
License Service
License Service can report open source products that are managed and supported by IBM, for example, WebSphere Liberty that is managed through IBM Cloud Foundry Migration Runtime (CFMR).
Nginx ingress (ibm-ingress-nginx-operator)
Nginx ingress is deprecated with installer version 3.10.0 and might be removed in a future release.
What's new in foundational services installer version 3.9
Installer
- IBM Cloud Pak foundational services 3.9.0 supports OpenShift 4.8.
- Following the OpenShift lifecycle policy, support for OpenShift version 4.5 is removed. For more information, see Supported OpenShift versions and platforms.
What's new in foundational services installer version 3.8
Installer
- You can now set the approval strategy to either manual or automatic during or post installation. The approval strategy defines if the approval is needed to install or upgrade IBM Cloud Pak foundational services to the newest version. For more information, see Approval strategy.
- The CatalogSource opencloud-operators is deprecated in IBM Cloud Pak foundational services version 3.8.0. For more information, see Installing IBM Cloud Pak foundational services by using the OpenShift console.
- The air-gapped installation documentation has been updated to include installation procedures for Bastion compute device, portable compute device, and portable storage device in a single page. Scenario diagrams and clickable charts have also been added for easy navigation. For more information, see Installing IBM Cloud Pak foundational services in an air-gapped environment.
Common Web UI
The Administration panel user interface is updated. The System Overview section is removed and the Monitoring trends summary card is renamed to CPU monitoring trends.
Platform UI
The Platform UI provides the following updates for user management and platform customizations:
- The navigation is updated. Under Administration, User management is renamed to Access control, and Platform customization to Customizations.
- The flow for creating a user and a role on the Access control page is updated.
- You can customize extra elements, such as the browser icon, home page and login image to improve the console branding.
IAM
- Support for the new OAuth client authentication flow for application to service authentication and authorization. For more information, see Getting access token by using cpclient_credentials.
Monitoring
- IBM Cloud Pak foundational services monitoring mode is removed. Monitoring version 1.12.x installs only Grafana and uses Red Hat® OpenShift® Container Platform monitoring to configure Prometheus as a Grafana datasource.
License Service
- For products that contribute to the license usage of an IBM Cloud Pak but are licensed with a metric other than that of the IBM Cloud Pak, License Service Reporter displays information about the contribution that is expressed in both the IBM Cloud Pak metric and the original metric of the product.
- The License Service Reporter user interface is updated to improve user experience. The names of columns are updated, and information about the original recorded metric of the contributing services is displayed. For more information, see Viewing license usage on the Licensing dashboard.
- The bundled_products file in the audit snapshot and the /bundled_products API additionally include information about the license metric unit of an IBM Cloud Pak to which the bundled product contributes.
MustGather diagnostics
You can use the MustGather tool to collect additional information about cluster upgrade scenarios. To view the support information about the cluster upgrade, go to Overview > Clusterupgrade in the downloaded directory.
What's new in foundational services installer version 3.7
Installer
- IBM Cloud Paks® can install IBM Cloud Pak foundational services in a namespace of their choice. For more information, see Installing IBM Cloud Pak foundational services in a custom namespace.
- IBM Cloud Paks® can use a template to configure hardware requirements and other parameters of foundational services. For more information, see Configuration templates.
Common Web UI
- The Common header is replaced by a new header for shared use across IBM Cloud Paks.
  With this header, the available toolbar options are streamlined to include only the main Menu, the User menu, and a Cloud Pak switcher (9-dot icon) menu to switch between installed IBM Cloud Paks and the Administration panel. In addition, a link is included, which can open either the Administration panel or the Home page for the IBM Cloud Pak that is currently being accessed. Menu options for accessing the Visual Web Terminal, configuring the client, setting the Home page, and opening the IBM documentation are removed from the header.
- The Administration panel page is updated to simplify the layout.
- Data from the Welcome widget and Workload distribution widget are moved to individual summary cards within the Overview section. These summary cards can now be rearranged on the page similar to other cards.
- New Cloud Pak deployment and Monitoring trends summary cards are added. The Cloud Pak deployment card displays the instances of IBM Cloud Paks that are deployed in the cluster, with an option to view more details. The Monitoring trends card shows the current load usage trend, the load average over the past 24 hours, and the pod that is responsible for the largest increase in load usage over that period. From this card, you can also open the Grafana dashboard to view additional monitoring data.
- A quick navigation section is now added to include general links to key sites, such as the IBM documentation for the Administration panel.
- The theme toggle is now removed. The dark theme is now the theme for the Administration panel.
Platform UI
The Platform UI service is now available as a part of IBM Cloud Pak foundational services. This service is available when you install the ibm-zen-operator. This operator is available with IBM Cloud Pak foundational services Installer version 3.7.x.
Note: The ibm-zen-operator is not supported on Linux® on Power® (ppc64le) and Linux® on IBM® Z and LinuxONE platforms.
The Platform UI provides new features within the console for managing users and managing user profile settings. For more information, see Platform UI.
IAM
- The Default authentication type for logging into the console is renamed to be IBM Provided credentials (admin only).
- The Cloud Pak Administrator role has been added. The Cloud Pak Administrator role has admin access to the namespaces that the namespace operator is watching. It has all the permissions that the account administrator has; in addition, it can configure IdPs, SAML, and directory connections. For more information, see Platform roles and actions.
  The default administration user (default name is kubeadmin) now gets this Cloud Pak Administrator role by default when you install, instead of the Cluster Administrator role. If you are upgrading to 3.7.x, the default administration user retains the Cluster Administrator role and is not assigned the Cloud Pak Administrator role.
- The IAM APIs for authentication have been updated. Support for the JWK endpoint is added, and client_credentials and signature changes to the /userInfo and /introspect endpoints were added. For more information, see OIDC Registration APIs.
- With the addition of the Platform UI service for managing users and roles, users should use the Platform UI user management when both IAM and Platform UI are installed. The capabilities for creating and managing Teams still remain within IAM tools when both services are installed. You can continue to use Teams to grant user access to other namespaces.
  In addition, you continue to use the IAM service to connect to identity providers, such as LDAP. You can continue to use cloudctl commands to import LDAP users and groups, create teams, assign user roles, and add users to teams. However, you will need to add the users and groups again with the Platform UI user management before the users can access the console.
- New user and group management support with SCIM 2.0. For more information, see Updating SCIM LDAP attributes mapping.
License Service
- The Licensing dashboard is improved and extended. On the main view, you can now set a license usage threshold for each product to see how it compares with your actual license usage. Threshold is a means of control that helps you better understand your actual license needs. For more information, see Setting the license usage threshold.
- You can retrieve the status page that contains the most important information about your deployments and their license usage for analysis and troubleshooting. For more information, see Obtaining a status page to view the license usage details.
- The /products API is extended to enable retrieving information about the products that are deployed in namespaces that belong to user-defined groups. Thanks to grouping, you can see how the internal organizations or business divisions in your company contribute to the overall license usage. This information can help you with establishing the potential chargeback. For more information, see Chargeback - Filtering the license usage data by user-defined groups.
- The documentation is extended with a list of the core and non-core metrics that are collected by License Service and their aggregation rules. For more information, see Reported metrics.
Logging Service
The deprecated Logging service is removed in IBM Cloud Pak® foundational services version 3.7.x.
You might want to consider the logging offering that is included with Red Hat OpenShift Container Platform. For more information, see OCP cluster logging.
Metering Service
The deprecated Metering service is removed in IBM Cloud Pak® foundational services version 3.7.x.
You might want to consider the metering offering that is included with Red Hat OpenShift Container Platform. For more information, see About Metering.
MustGather diagnostics
MustGather diagnostics is extended to collect support information for IBM Automation Foundation.
What's new in foundational services installer version 3.6
Installer
- You can use the IBM NamespaceScope Operator to manage permissions to namespaces in your cluster. For more information, see Authorizing foundational services to perform operations on workloads in a namespace.
- The cluster permissions that the foundational service operators and operands have are available for reference. For more information, see IBM Cloud Pak foundational services cluster permissions.
- Information to install a specific version of foundational services is provided. See the following topics:
- During offline installation, you can now specify the deployment profile. For more information, see the following topics:
- The Operand Deployment Lifecycle Manager is now installed in the ibm-common-services namespace.
- Display names of some operators are changed.
Old name | New name |
---|---|
IBM Common Service Operator | IBM Cloud Pak foundational services |
IBM Cert-manager Operator | IBM Cert Manager |
IBM Common UI Operator | IBM Common UI |
IBM Metering Operator | IBM Metering |
IBM Monitoring Prometheus Ext Operator | IBM Monitoring Prometheus Extension |
IBM Monitoring Exporters Operator | IBM Monitoring Exporters |
IBM Platform API Operator | IBM Platform API |
IBM Elastic Stack Operator | IBM Elastic Stack |
IAM
- You can add users to teams by providing user information instead of the team payload. For more information, see Assign users to a team by providing the user information.
- You can remove a user from a team by providing the user ID. For more information, see Assign users to a team by providing the user information.
Monitoring
- Monitoring technology preview that was announced in version 3.5.x is moved to general availability. You now have the option to install only Grafana and use Red Hat® OpenShift® Container Platform monitoring to configure Prometheus as a Grafana datasource. For more information, see IBM Cloud Platform Monitoring service.
- You can use the nodeSelector parameter to schedule the monitoring service on specific nodes. For more information, see Monitoring (operator).
License Service
- The Licensing dashboard, which is the License Service Reporter user interface, is extended with the deep dive view. Thanks to the deep dive, you can view and understand the contribution of individual bundled products and clusters to the overall license usage of your products. For more information, see Viewing license usage on the Licensing dashboard.
- The enhanced time range selector on the Licensing dashboard allows the flexible reporting period selection. The new selector is optimized for customizing your reports to view the previous or current calendar months, quarters, and years, as well as the custom time range. For more information, see Viewing license usage on the Licensing dashboard.
- License Service Reporter configuration is simplified. When you deploy the tool in the cluster, the License Service instance for this cluster is automatically configured to feed data into License Service Reporter. For more information, see Configuring data sources.
Events service
An Events service is introduced to provide a foundational event streaming platform for IBM Cloud Paks. This Events service is installed through the Events Operator (ibm-events-operator) when you install IBM Cloud Pak foundational services.
If an IBM Cloud Pak requires any additional configurations of the Kafka instance for the service, see the documentation for that IBM Cloud Pak.
This service is based on the open source Apache Kafka project. This service also uses and extends the open source Strimzi Operator to provide extra capabilities.
Extended Update Support (EUS) for IBM Cloud Pak foundational services components
For information about additional maintenance and support offerings, see Extended Update Support (EUS) for IBM Cloud Pak foundational services components.
Security Context Constraints
Administrators can use security context constraints (SCC) to control permissions for pods on their Red Hat OpenShift cluster. For more information, see Security context constraints.
FIPS
From installer version 3.6.3 onwards, FIPS compliance can be enabled for the management ingress and nginx ingress services. For more information, see Federal Information Processing Standard (FIPS).