Custom resources
IBM® Automation foundation uses Kubernetes custom resources (CRs) for configuration. All the CRs are in the API groups that end with automation.ibm.com. These API groups have a version of v1beta1.
The following custom resources are used by IBM Automation foundation:
| Custom resource kind | Purpose |
|---|---|
| AutomationUIConfig | Defines the configuration of the platform user interface |
| AutomationBase | Defines an instance of the IBM Automation foundation |
The custom resource definitions (CRDs) for these kinds are declared in IBM Automation foundation's ClusterServiceVersion.
More custom resources that are used internally are available, which you might encounter for more advanced configuration tasks.
As with any Kubernetes resource, these custom resources contain the following elements:
- a
metadatafield that describes the resource - a specification in a
specfield - a
statusfield
Note the following points:
- In the representations of the following CRDs, the field that is suffixed with
[]indicates an array and the field that is suffixed with{}indicates default configuration. - Where a child element is marked as
requiredfor a parent that isoptional, that child element is required only if the parent element is included. - To deploy multiple instances in a single namespace, create more instances of the CR with different names in that namespace. However, you can have only one
AutomationBaseand oneAutomationUIConfiginstance in a namespace, as this resource is shared by all consumers in the namespace. - To deploy multiple instances across a cluster, the operators must be installed to watch all namespaces.
Configuring TLS certificates and secrets
All IBM Automation foundation resources that configure connections (AutomationBase, AutomationUIConfig, EventProcessor) have the same configuration options for TLS. Inside a tls section within
the custom resource specification.
- Configuring TLS for
AutomationUIConfigconfigures the certificates for Platform UI for cluster external access by pass-through route. - Configuring TLS for
AutomationBaseconfigures the certificates for Kafka, Elasticsearch, and Apicurio, for cluster internal access and cluster external access by pass-through routes. - Configuring TLS for
EventProcessorconfigures the certificates for Flink, for cluster internal access.
TLS certificates and secrets can be configured in two ways.
Note: A third mechanism exists to configure TLS certificates and secrets, which are available only in the AutomationUIConfig CR.
1. Using generated self-signed certificates and secrets
If the tls value in CR is defined as in the following snippet, then the Operator for that CR generates a self-signed CA certificate and the leaf certificates by using the IBM Cert Manager.
apiVersion: core.automation.ibm.com/v1beta1
kind: AutomationUIConfig (AutomationBase, EventProcessor)
metadata:
name: iaf-system
spec:
...
tls: {}
The certificates generated this way is automatically mounted and renewed by IBM Cert Manager without the need for any user interaction.
2. Providing a custom certificate Issuer
You can pre-create (that is after you install Operators but before you create any custom resources) an IBM Cert Manager Issuer and set it in the tls section of the CRs as shown in the following snippet. The Operator for the CR will then use the provided Issuer to generate the leaf certificates instead of creating a self-signed CA certificate.
tls:
issuerRef:
name: <user_created_issuer>
caSecret:
key: ca.crt
secretName: <user_created_ca_secret>
For this configuration to work with applications consuming IBM Automation foundation, the caSecret section must also be completed with a reference to a secret containing the public CA certificate, which trusts the certificate that is
provided in the Issuer. Thus, completing the chain (if the Issuer was configured with a root CA then the two certificates are the same, the same secret that was used to create the Issuer can also be used here, if appropriate).
This value is used to inform them of the public CA certificate they must trust.
Therefore, by using this mechanism an Issuer can be provided, which contains a root or intermediate signing certificate chain and key, which is used to generate leaf certificates for the IBM Automation foundation components, and a separate
secret can be provided in caSecret, which contains only a copy of the root CA public key to inform the consuming application on how to trust IBM Automation foundation components.
The certificates that are generated by this Issuer are automatically mounted and renewed by IBM Cert Manager without any need for user interaction. Management of the provided issuer is left to the user.
3. Providing a custom certificate for Platform UI
You can use your custom certificates (ca.crt, cert.crt, and cert.key) with Platform UI.
ca.crtcontains the CA root certificate and the intermediate certificates.cert.crtcontains the server certificate.cert.keycontains the private key of the server certificate.
You can either use certificates that are obtained from another provider or create them manually by using a tool such as openssl
-
Create a secret with the name
external-tls-secretin the IBM Automation foundation namespace before you create theAutomationUIConfigCR, by using the following command.oc create secret generic external-tls-secret --from-file=cert.crt=./cert.crt --from-file=cert.key=./cert.key --from-file=ca.crt=./ca.crt -
Configure the
AutomationUIConfigCR as follows:tls: certificateSecret: secretName: external-tls-secret caSecret: secretName: external-tls-secret key: ca.crt
This configuration ensures that Platform UI's NGINX pods use the custom certificates that you configured with the external-tls-secret.
Note:
- It is required that you set the name of the secret to
external-tls-secret. - If you are configuring
tlsin theAutomationUIConfigCR by usingcertificateSecret,tls: certificateSecret: secretName: external-tls-secret caSecret: secretName: external-tls-secret key: ca.crt
You need to manually restart the IBM Platform UI ibm-nginx- pods in your project namespace.
Manually restarting the ibm-nginx- pods can be achieved by issuing the following command.
Note: Ensure to replace <iaf-project> in the following command with the namespace or project where you installed IBM Automation foundation.
oc delete pod -l component=ibm-nginx -n <iaf-project>
When you use this configuration the certificates that are placed in the external-tls-secret are managed by the user. Therefore, renewal or replacement is left to the user.
Configuring IBM Automation foundation to have a common CA for all components
By default TLS is specified as tls: {} in IBM Automation foundation, which means that each AutomationBase, AutomationUIConfig, and EventProcessor has a separate and distinct CA and certificate
chain. To configure a common CA for each component, a custom Issuer must be provided. This can be the same Issuer for each component. That Issuer can also be configured
to be self-signed if desired.
AutomationUIConfig
The AutomationUIConfig custom resource is used to override the default configuration for the Platform UI. The default configuration uses the cluster default storage class and self-signed certificates.
Key points about the AutomationUIConfig CR
Note: If you want to override the default configuration, the AutomationUIConfig custom resource must be created before any Cloud Paks or other extensions are created.
-
Use the
AutomationUIConfigCR to set theStorageClassand TLS certificates for the Platform UI dashboard. -
The following code shows a sample
AutomationUIConfigCR:apiVersion: core.automation.ibm.com/v1beta1 kind: AutomationUIConfig metadata: name: iaf-system spec: license: accept: true version: 1.2.0 tls: {} storage: class: "csi-cephfs" -
When a
CartridgeCR is issued without issuing anAutomationUIConfigCR, anAutomationUIConfigCR is created internally uses the cluster's default storage class and self-signed certificates for the Platform UI. - If the Platform UI cannot be created with the configuration for some reason (such as the default storage class not being sufficient), the
ZenServicecustom resource does not achieveCompletedstatus with theStatus.URLset. While the ZenService is in this state, it is possible to edit theAutomationUIConfigto change the storage class to resolve the problem. - Updating the
StorageClassof an existingAutomationUIConfigCR is not allowed when theZenServiceCR is inCompletedstatus, and theStatus.URLis set. Following are the two ways to set a differentStorageClassafterZenServiceis created.- Approach 1: Update the storage class along with
zen: falseand post that update tozen: trueor nothing (as the default behavior iszen: true). - Approach 2: Delete the
AutomationUIConfigCR and create a new one with new storage class.
- Approach 1: Update the storage class along with
- As of IBM Automation foundation v1.1.0, you can install the IBM Automation foundation Core Operator without requiring Zen to be installed by configuring
zen: falsein the AutomationUIConfig CR YAML and then issuing the Cartridge CR.
AutomationUIConfig CustomResourceDefinition
AutomationUIConfig YAML structure
The AutomationUIConfig definition is organized in the following structure:
apiVersion: core.automation.ibm.com/v1beta1
kind: AutomationUIConfig
metadata: ~
spec:
tls:
caSecret:
key: ~
secretName: ~
certificateSecret:
secretName: ~
issuerRef:
group: ~
kind: ~
name: ~
storage:
class: ~
deleteClaim: ~
overrides: ~
selector: ~
size: ~
type: ~
AutomationUIConfig details
The following structure provides the definition for each of the keys and their expected values.
Note: When creating a custom AutomationUIConfig definition, you must specify a valid storage class for Platform UI (Zen).
- AutomationUIConfig
- metadata (required): Refer to the Kubernetes API documentation for the fields of the metadata field
- spec (required): Specification.
- license (required): By installing this component, you accept the license terms.
- accept (required): Value set to
true.
- accept (required): Value set to
- tls (required): To enable
tlswith self-signed certificates, specify{}here.certificateSecret(optional): If you want to use custom certificate with Platform UI, then provideca.crt,cert.crt, andcert.keyin theexternal-tls-secret.secretName(optional): Set this field toexternal-tls-secret.
- issuerRef (optional):
IssuerRefis a reference to the issuer for this certificate. Thenamefield in this stanza is always required.- name (required): Name of the
issuerresource. - kind (optional): If this value is not set or if it is set to
Issuer, anIssuerresource with the given name in the namespace is used. If set toClusterIssuer, aClusterIssuerwith the provided name is used. - group (optional): Specifies the group of the
Issuerresource.
- name (required): Name of the
- caSecret (optional): A reference to the CA's public certificate that is used to verify the provided issuer.
- secretName : Name of the secret.
- key (optional): Key of the public key of the CA within the secret.
- storage (optional): Represents the storage spec for the UI.
- type (optional): Type of storage. Default is
persistent-claim. - size (optional): Maximum amount of storage that is required.
- class (required): Name of the
StorageClassthat is required by the claim. For more information, see Class
.
- overrides (optional): Name of the overrides that Platform UI expects for the
storageClassset. For PortworxStorageClass, it isportworx. For OpenShift container storage, it isocs. For more information, see Storage Considerations. - selector (optional): A label query over volumes to consider for binding. For more information, see Label selectors .
- deleteClaim (optional): Defines whether the operator is to delete the claim when the operand is deleted. Defaults to
false.
- type (optional): Type of storage. Default is
- version (required): Desired version of the operand.
- license (required): By installing this component, you accept the license terms.
Providing Custom Parameters to Zen
This feature enables the user to provide customized parameters to Zen. Following are the list of parameters that are supported and included as in the official Zen documentation. For more information, see Keys and Default Values for ZenService Custom Resource. These parameters need to be added in the AutomationUIConfig CR as shown below:
spec:
zenService:
csNamespace: ibm-common-services
acceptRollback: N/A / true / false
cert_manager_enabled: N/A / true / false
cloudpakfordata: N/A / true / false
generateAdminPassword: N/A / false / true
iamIntegration: false / true
ignoreForMaintenance: N/A / true
scaleConfig: N/A / small / medium / large / xlarge (for x86_64 only)
storageClass: (Primary Storage Class)
zenCoreMetaDbStorageClass: (Secondary Storage Class)
storageVendor: portworx / ocs
version: N/A / 4.4.0 (version in format x.x.x)
zen_vault_enabled: N/A / false / true
userHomeSC: (storage class for userHome)
zenCustomRoute:
route_host: (Customized zen route)
enableTopologyZone: N/A / false / true
enableTopologyRegion: N/A / false / true
customizedTopologyKey: N/A / (String type)
nodeTaints: N/A / (String type)
All the fields given in the spec are optional and the user can specify the required parameters as mentioned in Zen documentation.
Custom route might be enabled using zenCustomRoute field as shown in the preceding spec. The route_host can be specified under it to get the customized Zen route. The certs and secrets for the same would be managed by the
tls field. Hence there is no need to add other fields under zenCustomRoute except the route_host. For customized Zen route, on prem (fyre clusters) it should be in the format <your-custom-route-name>.<apps.domain-name-of-cluster>.
For example, my-zen-route.apps.my-cluster.cp.fyre.ibm.com. For SaaS, it should be of the format <your-custom-route-name>.<Availability-Zone>.<domain-name>. For example, test-zen-ui.us-south.containers.appdomain.cloud.
For more information, see custom certificates for Zen.
Note: Further information regarding Zen Route is available in the Custom CloudPak Platform UI (Zen) Route section.
storageClass: The user can provide the storageClass inside the ZenService field or in the Storage field inside the spec (like it is done currently). Both fields cannot be enabled simultaneously. But while
specifying the ZenService field, it is mandatory to add storageClass inside it, as ZenService takes the precedence and only parameters defined inside it will be considered. Otherwise, ZenService CR will show an error.
Example,
spec:
storage:
class: <Your_managed-nfs-storage>
Few points to be considered regarding zen and zenService field:
- If
zen=trueand zenService is not specified, create the old zenService CR (as in the existing functionality). - If zenService is specified, zenService field takes the precedence and a customized zenService CR is created irrespective of what the zen field is.
- If
zen=false, and no zenService field being specified, zenService would not be created.
AutomationBase
The AutomationBase CR represents an instance of IBM Automation foundation that is installed into a Kubernetes namespace. Cartridges are associated with an instance of this custom resource.
This custom resource contains the instance-wide configuration information, which currently includes the following kinds of information:
- The Kafka cluster
- The Elasticsearch cluster
- The user interface
The IBM Automation foundation operator uses the status of this CR to report its endpoints, status, and conditions, following Kubernetes operator best practices.
AutomationBase CustomResourceDefinition
AutomationBase YAML structure
The AutomationBase definition is organized in the following structure:
apiVersion: base.automation.ibm.com/v1beta1
kind: AutomationBase
metadata: ~
spec:
apicurio:
config: ~
image: ~
imagePullPolicy: ~
resources: ~
elasticsearch:
additionalAllowedAPIs: ~
license:
accept: ~
monitoring:
template:
pod:
spec:
affinity:
nodeAffinity: ~
podAffinity: ~
podAntiAffinity: ~
containers:
image: ~
imagePullPolicy: ~
livenessProbe: ~
name: ~
readinessProbe: ~
resources: ~
tolerations: ~
nodegroupspecs:
config:
key: ~
value: ~
name: ~
nodeSelector: ~
replicas: ~
storage:
class: ~
fsGroup: ~
selector: ~
size: ~
supplementalGroups: ~
volumeClaimTemplate: ~
template:
pod:
spec:
affinity:
nodeAffinity: ~
podAffinity: ~
podAntiAffinity: ~
containers:
image: ~
imagePullPolicy: ~
livenessProbe: ~
name: ~
readinessProbe: ~
resources: ~
tolerations: ~
snapshotStores:
name: ~
storage:
class: ~
fsGroup: ~
selector: ~
size: ~
supplementalGroups: ~
volumeClaimTemplate: ~
tls:
caSecret:
key: ~
secretName: ~
issuerRef: ~
version: ~
kafka: ~
license:
accept: ~
status:
components:
apicurio:
endpoints:
name: ~
scope: ~
type: ~
uri:
caSecret: ~
key: ~
secretName: ~
elasticsearch:
endpoints:
authentication:
secret:
secretName: ~
type: ~
caSecret:
key: ~
secretName: ~
name: ~
scope: ~
type: ~
uri: ~
kafka:
endpoints:
authentication:
secret:
secretName: ~
type: ~
bootstrapServers: ~
caSecret:
key: ~
secretName: ~
name: ~
scope: ~
type: ~
conditions: ~
managedResources: ~
tls:
caSecret:
key: ~
secretName: ~
issuerRef:
group: ~
kind: ~
name: ~
AutomationBase details
- AutomationBase:
- metadata (required): Refer to the Kubernetes API documentation for the fields of the metadata field.
- spec (required): Automation Base instance spec.
- license (required): By installing this component, you accept the license terms.
- accept (required): Value set to
true.
- accept (required): Value set to
- tls (required): To enable
tlswith self-signed certificates, specify{}here. The sametlsconfiguration is used for all the services within the AutomationBase Kafka, Elasticsearch, and more.- issuerRef (optional):
IssuerRefis a reference to the issuer for this certificate. Thenamefield in this stanza is always required.- name (required): Name of the
issuerresource. - kind (optional): If not set, or set to
Issuer, an Issuer resource with the given name in the namespace is used. If set toClusterIssuer, aClusterIssuerwith the provided name is used. - group (optional): Specifies the group of the issuer resource.
- name (required): Name of the
- caSecret (optional): A reference to the certificate authority (CA)'s public certificate that is used to verify the provided issuer.
- secretName: Name of the secret.
- key (optional): Key of the public key of CA within the secret.
- issuerRef (optional):
- elasticsearch (optional): See the following example for the minimum settings for Elasticsearch.
- version (required): Desired version of the operand. The only version that is supported is 1.0.0 and is the default. Specify
v1.0to receive 1.0.0 or later fixes. - license (required): By installing this component, you accept the license terms.
- accept (required): Must be set to
trueto accept the license.
- accept (required): Must be set to
- tls (optional): TLS configuration for Elasticsearch.
- issuerRef (optional): The issuer that the instance uses to generate client-facing certificates.
- caSecret (optional): A reference to the certificate authority public certificate that is used to verify the provided issuer.
- secretName (optional): The name of the secret that contains the value.
- key (optional): The key for the value in the secret.
- snapshotStores (optional): Optional snapshot repository storage. Mounted at
/usr/share/elasticsearch/snapshot-store/{name}on all nodes in all node groups.- name: Name of this storage definition that is up to 10 characters long.
- storage (optional): Storage definition.
- class (optional): Storage class name. If omitted, the default cluster storage class is used.
- size (optional): Size with scale suffix, such as
100Gi. - selector (optional): Label selector for finer-grained PV selection. For more information, see the Kubernetes documentation
- volumeClaimTemplate (optional): Allows more detailed specification of the volume claim template. For more information, see the Kubernetes documentation
- fsGroup (optional): The group ID for the file system. This might have to be set for some storage providers such as NFS.
- supplementalGroups (optional): A supplemental groups array, which provides a list of Linux Group IDs to be set on a container.
- nodegroupspecs[] (required): Specification for node groups. For more information, see Operational data store.
- name (required): Name of the Elasticsearch node group that is up to 10 characters long.
- replicas (required): Number of Elasticsearch nodes to deploy.
- nodeSelector (optional): An optional key and value map of labels that is used to select the nodes on which the pods for this node group are to be scheduled.
- storage (optional): Storage for each Elasticsearch pod.
- class (optional): Storage class name. If omitted, the default cluster storage class is used.
- size (optional): Size with scale suffix, such as
100Gi. - selector (optional): Label selector for finer-grained PV selection. For more information, see the Kubernetes documentation
- volumeClaimTemplate (optional): Allows more detailed specification of the volume claim template. For more information, see the Kubernetes documentation
- fsGroup (optional): The group ID for the file system. This might have to be set for some storage providers such as NFS.
- supplementalGroups (optional): A supplemental groups array, which provides a list of Linux Group IDs to be set on a container.
- config[] (optional): Represents the Elasticsearch configuration.
- key (required):
- value (required):
- template (optional):
Templateis the object that describes the pod overrides that are used when pods are created.- pod (optional):
ElasticsearchPodcontains the pod information.- spec (optional):
ElasticsearchPodSpeccontains the pod container and scheduling information.- containers (optional):
ElasticsearchPodContainercontains the specification for pod container overrides.- name (required):
- image (optional): Container image override.
- imagePullPolicy (optional): ImagePullPolicy override.
- livenessProbe (optional): Configuration for LivenessProbe. For more information, see the Kubernetes documentation.
- readinessProbe (optional): Configuration for ReadinessProbe. For more information, see the Kubernetes documentation.
- resources (optional):
ResourceRequirementsdescribes the compute resource requirements.
- affinity (optional): Affinity information for pod scheduling.
- nodeAffinity (optional): An optional
core/v1/NodeAffinitystruct for finer-grained selection of nodes on which the pods for this node group are to be scheduled. - podAffinity (optional): Describes pod affinity scheduling rules, such as to colocate this pod in the same node or zone as some other pod.
- podAntiAffinity (optional): Describes pod anti-affinity scheduling rules, such as to avoid putting this pod in the same node or zone as some other pod.
- nodeAffinity (optional): An optional
- tolerations (optional): An optional
core/v1/Tolerationsarray to specify toleration for scheduling taints. For more information, see the Kubernetes documentation.
- containers (optional):
- spec (optional):
- pod (optional):
- monitoring (optional): Setting this value enables Prometheus monitoring for Elasticsearch and exports the metrics into OpenShift Monitoring.
- template (optional):
Templateis the object that describes the pod overrides that are used when pods are created. This is for the exporter that extracts and formats metrics from Elasticsearch.- pod (optional):
ElasticsearchPodcontains the pod information.- spec (optional):
ElasticsearchPodSpeccontains the pod container and scheduling information.- containers (optional):
ElasticsearchPodContainercontains the specification for pod container overrides.- name (required):
- image (optional): Container image override.
- imagePullPolicy (optional): ImagePullPolicy override.
- livenessProbe (optional): Configuration for LivenessProbe. For more information, see the Kubernetes documentation.
- readinessProbe (optional): Configuration for ReadinessProbe. For more information, see the Kubernetes documentation.
- resources (optional):
ResourceRequirementsdescribes the compute resource requirements.
- affinity (optional): Affinity information for pod scheduling.
- nodeAffinity (optional): An optional
core/v1/NodeAffinitystruct for finer-grained selection of nodes on which the pods for this node group are to be scheduled. - podAffinity (optional): Describes pod affinity scheduling rules, such as to colocate this pod in the same node or zone as some other pod.
- podAntiAffinity (optional): Describes pod anti-affinity scheduling rules, such as to avoid putting this pod in the same node or zone as some other pod.
- nodeAffinity (optional): An optional
- tolerations (optional): An optional
core/v1/Tolerationsarray to specify toleration for scheduling taints. For more information, see the Kubernetes documentation.
- containers (optional):
- spec (optional):
- pod (optional):
- template (optional):
- additionalAllowedAPIs (optional): An optional supplemental list of allowed APIs. For more information, see here.
- version (required): Desired version of the operand. The only version that is supported is 1.0.0 and is the default. Specify
- apicurio (optional): Apicurio can be enabled with default configuration for the IBM Automation foundation instance by setting the field to
{}. Following are the other options:- image (optional): An optional image name to deploy instead of the default.
- imagePullPolicy (optional): The image pull policy to be used instead of the default.
- resources (optional):
ResourceRequirementsdescribes the compute resource requirements. - config (optional): An optional map of
key: valueconfiguration properties that are passed to the Apicurio application.
- kafka (optional): Kafka can be enabled with default configuration for the IBM Automation foundation instance by setting the field to
{}. The default Kafka configuration that is used is shown in the following example:
- license (required): By installing this component, you accept the license terms.
AutomationBase sample YAML
apiVersion: base.automation.ibm.com/v1beta1
kind: AutomationBase
metadata:
name: sample
namespace: iafdemo
spec:
kafka:
clientsCa:
generateCertificateAuthority: false
clusterCa:
generateCertificateAuthority: false
entityOperator:
template:
pod:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- s390x
metadata:
annotations:
productID: 068a62892a1e4db39641342e592daa25
productMetric: FREE
productName: IBM Cloud Platform Common Services
securityContext:
runAsNonRoot: true
tlsSidecarContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
topicOperatorContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
userOperatorContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
tlsSidecar:
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 500m
memory: 128Mi
topicOperator:
resources:
limits:
cpu: '1'
memory: 1Gi
requests:
cpu: '1'
memory: 1Gi
userOperator:
resources:
limits:
cpu: '1'
memory: 1Gi
requests:
cpu: '1'
memory: 1Gi
kafka:
authorization:
type: simple
config:
offsets.topic.replication.factor: 3
transaction.state.log.min.isr: 2
transaction.state.log.replication.factor: 3
listeners:
- name: plain
port: 9092
tls: false
type: internal
- authentication:
type: scram-sha-512
name: tls
port: 9093
tls: true
type: internal
- authentication:
type: scram-sha-512
name: external
port: 9094
tls: true
type: route
replicas: 3
resources:
limits:
cpu: '2'
memory: 4Gi
requests:
cpu: '2'
memory: 4Gi
storage:
size: 10Gi
type: persistent-claim
class: ibmc-block-gold
template:
kafkaContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
pod:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- s390x
metadata:
annotations:
productID: 068a62892a1e4db39641342e592daa25
productMetric: FREE
productName: IBM Cloud Platform Common Services
securityContext:
runAsNonRoot: true
zookeeper:
replicas: 3
resources:
limits:
cpu: '1'
memory: 2Gi
requests:
cpu: '1'
memory: 2Gi
storage:
size: 10Gi
type: persistent-claim
class: ibmc-block-gold
template:
pod:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- s390x
metadata:
annotations:
productID: 068a62892a1e4db39641342e592daa25
productMetric: FREE
productName: IBM Cloud Platform Common Services
securityContext:
runAsNonRoot: true
zookeeperContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
license:
accept: true
tls: {}
version: "v1.0"
elasticsearch:
license:
accept: true
version: "v1.0"
nodegroupspecs:
- name: master-data
replicas: 3
For the complete Kafka configuration, see Kafka schema reference.
Note: While deleting AutomationBase and CartridgeRequirements, you will have to manually delete the corresponding KafkaComposite too. See Troubleshooting for more details.
- elasticsearch (optional): To enable Elasticsearch with the default configuration for the IBM Automation foundation instance, set the field with braces
{}. The default Elasticsearch configuration that is used is shown in the following example:
elasticsearch:
spec:
license:
accept: true
nodegroupspecs:
- name: master-data
replicas: 3
storage: {}
template:
pod:
spec: {}
tls:
caSecret:
key: ca.crt
secretName: iaf-system-es-clst-cert
issuerRef:
name: iaf-system-es-cls-issuer
version: "v1.0"
- Apicurio is initialized for the IBM Automation foundation instance along with Kafka for IBM Automation foundation v1.0.x only. From IBM Automation foundation v1.1.0 onwards, Apicurio is made optional.
- Apicurio (optional):
- resources: Resource requirements, which are CPU and memory.
- image: Container image, the Apicurio image.
- imagePullPolicy: Image pull policy, which is "Always", "Never" and "IfNotPresent".
- config: - Map of
key: valueproperties that are passed to the image - status: IBM Automation foundation instance status.
- components: The status of the components that satisfy the requirements.
- apicurio (optional): Information that is needed to access the Apicurio registry. Available only when
Eventsis a requirement in theCartridgeRequirementsSpec.- endpoints: List of endpoints that are available to access the Apicurio registry.
- type: The type of endpoint, API.
- name: A name that represents this endpoint information.
- scope:
Internal,External. - uri: URI to access the Apicurio schema registry.
- endpoints: List of endpoints that are available to access the Apicurio registry.
- caSecret (optional): Represents that
tlsis enabled. A reference to the public certificate that the endpoint is protected with.- secretName: Name of the secret.
- key (optional): Key of the public key of CA within the secret.
- kafka: Information that is needed to access the Kafka cluster. Available only when
Eventsis a requirement in theCartridgeRequirementsSpec. - elasticsearch: Information that is needed to access Elasticsearch.
- endpoints: List of endpoints that are available to access Elasticsearch.
- type: The type of endpoint, API.
- name: A name that represents this endpoint information.
- scope:
Internal,External. - uri: Complete endpoint access URL.
- authentication: Authentication details to access the Elasticsearch.
- type: The type of the authentication mechanism. The default is
BasicSecret. - secret: For
type: BasicSecret, this references a basic auth type secret, which contains ausernameand apasswordfield.- secretName: Name of the secret.
- type: The type of the authentication mechanism. The default is
- caSecret (optional): Represents that
tlsis enabled. A reference to the public certificate that the endpoint is protected with.- secretName: Name of the secret.
- key (optional): Key of the public key of CA within the secret.
- endpoints: List of endpoints that are available to access Elasticsearch.
- kafka: Information that is needed to access the Kafka cluster. Available only when
Eventsis a requirement in theCartridgeRequirementsSpec.- endpoints: List of endpoints that are available to access Kafka.
- type: The type of endpoint, Kafka.
- name: The name that represents this endpoint information.
- scope:
Internal,External. - bootstrapServers: Complete endpoint access URL.
- authentication: Authentication details to access the Kafka.
- type: The type of the authentication mechanism. The default is
ScramSha512Secret. - secret: For
type: ScramSha512Secret, this references a secret where its name is the username and it contains apasswordfield.- secretName: Name of the secret.
- type: The type of the authentication mechanism. The default is
- caSecret (optional): Represents that
tlsis enabled. A reference to the public certificate that the endpoint is protected with.- secretName: Name of the secret.
- key (optional): Key of the public key of CA within the secret.
- secretName: Name of the secret.
- key: Key of the public key of CA within the secret.
- managedResources: Inventory resources managed by this custom resource.
- conditions: Defines status of subresources that need to be ready before
AutomationBaseis ready.
- endpoints: List of endpoints that are available to access Kafka.
- resources: Resource requirements, which are CPU and memory.
AutomationBase sample YAML
Here's an example:
apiVersion: base.automation.ibm.com/v1beta1
kind: AutomationBase
metadata:
name: acme-iaf
namespace: acme-iaf
spec:
license:
accept: true
tls: {}
elasticsearch: {}
kafka: {}
AutomationBase status
The returned status section takes the following form:
status:
components:
elasticsearch:
endpoints:
- type: API
name: external-route-https
scope: External
uri: https://iaf-system-es.acme-iaf.acme.com
caSecret:
secretName: iaf-system-es-tls-secret
key: ca.crt
- type: API
scope: Internal
name: internal-service-https
uri: https://iaf-system-es.acme-iaf
caSecret:
secretName: iaf-system-es-tls-secret
key: ca.crt
kafka:
endpoints:
- type: Kafka
name: internal-service-plain
scope: Internal
bootstrapServers: iaf-system-kafka.acme-iaf.svc:9092
- type: Kafka
name: internal-service-tls
scope: External
bootstrapServers: iaf-system-kafka.acme-iaf.svc:9093
caSecret:
secretName: iaf-system-kafka-tls-secret
key: ca.crt
- type: Kafka
name: external-route-tls
scope: External
bootstrapServers: iaf-system-kafka.acme-iaf.acme.com:443
caSecret:
secretName: iaf-system-kafka-tls-secret
key: ca.crt
conditions:
- lastTransitionTime: '2021-03-03T14:31:30Z'
status: 'True'
type: ApicurioReady
- lastTransitionTime: '2021-03-03T14:29:19Z'
status: 'True'
type: BedrockReady
- lastTransitionTime: '2021-03-03T14:29:19Z'
status: 'True'
type: ElasticReady
- lastTransitionTime: '2021-03-03T14:31:28Z'
status: 'True'
type: KafkaReady
- lastTransitionTime: '2021-03-03T14:31:30Z'
message: AutomationBase instance successfully created
reason: InstanceCreated
status: 'True'
type: Ready
The returned status section takes the following form:
status:
conditions:
- lastTransitionTime: '2021-03-03T14:12:08Z'
message: AutomationUIConfig successfully registered
reason: Registered
status: 'True'
type: Ready
Mutual TLS supporting Kafka
If the TLS authentication is provided in the AutomationBase CR, the user would be able to create the KafkaUser and the Kafka endpoint with mutual TLS (mTLS) authentication enabled. Multiple KafkaUsers can be created by giving different authentication types in AutomationBase CR as shown below.
- To create multiple authentication types (including TLS), you will have to add listeners configuration with different authentications. Below is an example :
-
After the successful registration of the CR, the Kafka CR will be created with all the authentication types.
-
Post this, create a CartridgeRequirements CR to get Kafka users.
Note: The number of Kafka users created depends on the number of authentications with their configurations (internal or external) given in the AutomationBase CR.
KafkaUser CR sample YAML
The following example shows the KafkaUser CR structure:
apiVersion: ibmevents.ibm.com/v1beta2
kind: KafkaUser
metadata:
generateName: cartridge-sample-kafka-auth-3-8dw8g-
resourceVersion: '38557725'
name: cartridge-sample-kafka-auth-3
uid: cd896fed-ff1a-4adf-b18b-d24103dd0c72
creationTimestamp: '2021-10-06T12:08:32Z'
generation: 1
managedFields:
- apiVersion: ibmevents.ibm.com/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:metadata':
'f:generateName': {}
'f:labels':
.: {}
'f:crossplane.io/claim-name': {}
'f:crossplane.io/claim-namespace': {}
'f:crossplane.io/composite': {}
'f:ibmevents.ibm.com/cluster': {}
'f:ownerReferences':
.: {}
'k:{"uid":"a7316d1a-7a40-4063-9bd9-54b185e11738"}':
.: {}
'f:apiVersion': {}
'f:controller': {}
'f:kind': {}
'f:name': {}
'f:uid': {}
'f:spec':
.: {}
'f:authentication':
.: {}
'f:type': {}
'f:authorization':
.: {}
'f:acls': {}
'f:type': {}
manager: crossplane
operation: Update
time: '2021-10-06T12:08:32Z'
- apiVersion: ibmevents.ibm.com/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:status':
.: {}
'f:conditions': {}
'f:observedGeneration': {}
'f:secret': {}
'f:username': {}
manager: okhttp
operation: Update
time: '2021-10-06T12:08:34Z'
namespace: acme-iaf1
ownerReferences:
- apiVersion: shim.bedrock.ibm.com/v1alpha1
controller: true
kind: KafkaComposite
name: cartridge-sample-kafka-auth-3-8dw8g
uid: a7316d1a-7a40-4063-9bd9-54b185e11738
labels:
crossplane.io/claim-name: cartridge-sample-kafka-auth-3
crossplane.io/claim-namespace: acme-iaf1
crossplane.io/composite: cartridge-sample-kafka-auth-3-8dw8g
ibmevents.ibm.com/cluster: iaf-system
spec:
authentication:
type: tls
authorization:
acls:
- host: '*'
operation: All
resource:
name: cartridge
patternType: prefix
type: topic
- host: '*'
operation: All
resource:
name: cartridge
patternType: prefix
type: group
- host: '*'
operation: Read
resource:
name: __schema_cartridge
patternType: prefix
type: topic
- host: '*'
operation: Alter
resource:
name: __schema_cartridge
patternType: prefix
type: topic
- host: '*'
operation: Describe
resource:
type: cluster
- host: '*'
operation: Read
resource:
name: __schema_
patternType: prefix
type: topic
type: simple
status:
conditions:
- lastTransitionTime: '2021-10-06T12:08:33.285184329Z'
status: 'True'
type: Ready
observedGeneration: 1
secret: cartridge-sample-kafka-auth-3
username: CN=cartridge-sample-kafka-auth-3
Kafka CR sample YAML
The following example shows the Kafka CR structure:
apiVersion: ibmevents.ibm.com/v1beta2
kind: Kafka
metadata:
generateName: iaf-system-2fn68-
resourceVersion: '38551681'
name: iaf-system
uid: 01c94455-c21a-4752-8a41-7892fbb01ddb
creationTimestamp: '2021-10-06T11:58:52Z'
generation: 1
managedFields:
- apiVersion: ibmevents.ibm.com/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:metadata':
'f:generateName': {}
'f:labels':
.: {}
'f:crossplane.io/claim-name': {}
'f:crossplane.io/claim-namespace': {}
'f:crossplane.io/composite': {}
'f:ownerReferences':
.: {}
'k:{"uid":"a6900af8-ee88-4870-ba50-8c6616e55c56"}':
.: {}
'f:apiVersion': {}
'f:controller': {}
'f:kind': {}
'f:name': {}
'f:uid': {}
'f:spec':
.: {}
'f:clusterCa':
.: {}
'f:generateCertificateAuthority': {}
'f:entityOperator':
.: {}
'f:template':
.: {}
'f:pod':
.: {}
'f:affinity':
.: {}
'f:nodeAffinity':
.: {}
'f:requiredDuringSchedulingIgnoredDuringExecution':
.: {}
'f:nodeSelectorTerms': {}
'f:metadata':
.: {}
'f:annotations':
.: {}
'f:productID': {}
'f:productMetric': {}
'f:productName': {}
'f:securityContext':
.: {}
'f:runAsNonRoot': {}
'f:tlsSidecarContainer':
.: {}
'f:securityContext':
.: {}
'f:allowPrivilegeEscalation': {}
'f:capabilities':
.: {}
'f:drop': {}
'f:privileged': {}
'f:readOnlyRootFilesystem': {}
'f:runAsNonRoot': {}
'f:topicOperatorContainer':
.: {}
'f:securityContext':
.: {}
'f:allowPrivilegeEscalation': {}
'f:capabilities':
.: {}
'f:drop': {}
'f:privileged': {}
'f:readOnlyRootFilesystem': {}
'f:runAsNonRoot': {}
'f:userOperatorContainer':
.: {}
'f:securityContext':
.: {}
'f:allowPrivilegeEscalation': {}
'f:capabilities':
.: {}
'f:drop': {}
'f:privileged': {}
'f:readOnlyRootFilesystem': {}
'f:runAsNonRoot': {}
'f:tlsSidecar':
.: {}
'f:resources':
.: {}
'f:limits':
.: {}
'f:cpu': {}
'f:memory': {}
'f:requests':
.: {}
'f:cpu': {}
'f:memory': {}
'f:topicOperator':
.: {}
'f:resources':
.: {}
'f:limits':
.: {}
'f:cpu': {}
'f:memory': {}
'f:requests':
.: {}
'f:cpu': {}
'f:memory': {}
'f:userOperator':
.: {}
'f:resources':
.: {}
'f:limits':
.: {}
'f:cpu': {}
'f:memory': {}
'f:requests':
.: {}
'f:cpu': {}
'f:memory': {}
'f:kafka':
.: {}
'f:authorization':
.: {}
'f:type': {}
'f:config':
.: {}
'f:offsets.topic.replication.factor': {}
'f:transaction.state.log.min.isr': {}
'f:transaction.state.log.replication.factor': {}
'f:listeners': {}
'f:replicas': {}
'f:resources':
.: {}
'f:limits':
.: {}
'f:cpu': {}
'f:memory': {}
'f:requests':
.: {}
'f:cpu': {}
'f:memory': {}
'f:storage':
.: {}
'f:size': {}
'f:type': {}
'f:template':
.: {}
'f:kafkaContainer':
.: {}
'f:securityContext':
.: {}
'f:allowPrivilegeEscalation': {}
'f:capabilities':
.: {}
'f:drop': {}
'f:privileged': {}
'f:readOnlyRootFilesystem': {}
'f:runAsNonRoot': {}
'f:pod':
.: {}
'f:affinity':
.: {}
'f:nodeAffinity':
.: {}
'f:requiredDuringSchedulingIgnoredDuringExecution':
.: {}
'f:nodeSelectorTerms': {}
'f:metadata':
.: {}
'f:annotations':
.: {}
'f:productID': {}
'f:productMetric': {}
'f:productName': {}
'f:securityContext':
.: {}
'f:runAsNonRoot': {}
'f:zookeeper':
.: {}
'f:replicas': {}
'f:resources':
.: {}
'f:limits':
.: {}
'f:cpu': {}
'f:memory': {}
'f:requests':
.: {}
'f:cpu': {}
'f:memory': {}
'f:storage':
.: {}
'f:size': {}
'f:type': {}
'f:template':
.: {}
'f:pod':
.: {}
'f:affinity':
.: {}
'f:nodeAffinity':
.: {}
'f:requiredDuringSchedulingIgnoredDuringExecution':
.: {}
'f:nodeSelectorTerms': {}
'f:metadata':
.: {}
'f:annotations':
.: {}
'f:productID': {}
'f:productMetric': {}
'f:productName': {}
'f:securityContext':
.: {}
'f:runAsNonRoot': {}
'f:zookeeperContainer':
.: {}
'f:securityContext':
.: {}
'f:allowPrivilegeEscalation': {}
'f:capabilities':
.: {}
'f:drop': {}
'f:privileged': {}
'f:readOnlyRootFilesystem': {}
'f:runAsNonRoot': {}
manager: crossplane
operation: Update
time: '2021-10-06T11:58:52Z'
- apiVersion: ibmevents.ibm.com/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:status':
.: {}
'f:clusterId': {}
'f:conditions': {}
'f:listeners': {}
'f:observedGeneration': {}
manager: okhttp
operation: Update
time: '2021-10-06T12:02:29Z'
namespace: acme-iaf1
ownerReferences:
- apiVersion: shim.bedrock.ibm.com/v1alpha1
controller: true
kind: KafkaComposite
name: iaf-system-2fn68
uid: a6900af8-ee88-4870-ba50-8c6616e55c56
labels:
crossplane.io/claim-name: iaf-system
crossplane.io/claim-namespace: acme-iaf1
crossplane.io/composite: iaf-system-2fn68
spec:
clusterCa:
generateCertificateAuthority: false
entityOperator:
template:
pod:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- s390x
- ppc64le
metadata:
annotations:
productID: 068a62892a1e4db39641342e592daa25
productMetric: FREE
productName: IBM Cloud Platform Common Services
securityContext:
runAsNonRoot: true
tlsSidecarContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
topicOperatorContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
userOperatorContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
tlsSidecar:
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 500m
memory: 128Mi
topicOperator:
resources:
limits:
cpu: '1'
memory: 1Gi
requests:
cpu: '1'
memory: 1Gi
userOperator:
resources:
limits:
cpu: '1'
memory: 1Gi
requests:
cpu: '1'
memory: 1Gi
kafka:
authorization:
type: simple
config:
offsets.topic.replication.factor: 3
transaction.state.log.min.isr: 2
transaction.state.log.replication.factor: 3
listeners:
- authentication:
type: scram-sha-512
name: scram
port: 9093
tls: true
type: internal
- authentication:
type: scram-sha-512
name: scramext
port: 9094
tls: true
type: route
- authentication:
type: tls
name: tls
port: 9095
tls: true
type: internal
- authentication:
type: tls
name: external
port: 9096
tls: true
type: route
replicas: 3
resources:
limits:
cpu: '2'
memory: 4Gi
requests:
cpu: '2'
memory: 4Gi
storage:
size: 10Gi
type: persistent-claim
template:
kafkaContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
pod:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- s390x
- ppc64le
metadata:
annotations:
productID: 068a62892a1e4db39641342e592daa25
productMetric: FREE
productName: IBM Cloud Platform Common Services
securityContext:
runAsNonRoot: true
zookeeper:
replicas: 3
resources:
limits:
cpu: '1'
memory: 2Gi
requests:
cpu: '1'
memory: 2Gi
storage:
size: 10Gi
type: persistent-claim
template:
pod:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- s390x
- ppc64le
metadata:
annotations:
productID: 068a62892a1e4db39641342e592daa25
productMetric: FREE
productName: IBM Cloud Platform Common Services
securityContext:
runAsNonRoot: true
zookeeperContainer:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
status:
clusterId: 5NZNlW74QgCnVO5BWmC3Jw
conditions:
- lastTransitionTime: '2021-10-06T12:02:28.922Z'
status: 'True'
type: Ready
listeners:
- addresses:
- host: iaf-system-kafka-bootstrap.acme-iaf1.svc
port: 9093
bootstrapServers: 'iaf-system-kafka-bootstrap.acme-iaf1.svc:9093'
certificates:
- |
-----BEGIN CERTIFICATE-----
MIIDGzCCAgOgAwIBAgIRAIhYJOETxBquBUtF2wcUnH8wDQYJKoZIhvcNAQELBQAw
JzElMCMGA1UEAxMcSUJNIEF1dG9tYXRpb24gRm91bmRhdGlvbiBDQTAeFw0yMTA5
MjkwODEyMzBaFw0yMTEyMjgwODEyMzBaMCcxJTAjBgNVBAMTHElCTSBBdXRvbWF0
aW9uIEZvdW5kYXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCtYAaoVt6lU/SmRmEou/QxmzGwhzUQDWGBrfF/7cv5TkDhvLL7j5VMSw7g4how
b8az+5xHGffFKyq+z2sPEvxrT0A0nfcUsaCT6b6/oWbaqh5vwkkP8lZnIQAfrauP
yxzdofdjZMf/MBv6wxHZepacrgtDdV4enyQZcbCZWbRMCYmhCnUdbJWxj+jucAYw
egJUf79ZPuPIp/XZnTKuvNUQQ1PQud71j4KEstJNVnpqs3rmNA4ICL1ZpEsk3XrN
Qqviv9zlBpqcIizCdAiQP9XueYZC4V5Bz9vM00xyVzppjhAByw5Meb2F0MbuGLM+
TvUOObci5Dq2jgGLLOuUek+FAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIChDAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQwbYVtkeUFY6NeJLBKd72waDsW7TANBgkq
hkiG9w0BAQsFAAOCAQEAEACxQa/pqTu8CJs8nN/h2UE5+Pxo2tuOMyV26ohuy+i2
/1sMvRFNAqzpeb5qD/7hdAtN9JK3+znbCmArLGASNFebS5E5yASN1R76IyBQgHHA
x3sKIRnquxdw4kjgWZTndHTij7NDTMHotYdTsDJyc4u6/oKgtU0pBNQLuGSL6PNu
bRt+r8mAyZximHNkHYXrb7MFLhLXd0TRAt9TxKPFCW7T280iuP70tXLlU9ysbX0e
fC1bvggwgXR6yXxe500zc68qlPaKdeJQDXOwEl+OxSnocE0iZ21zyEG53EoYw5MB
ktavTFervY6lFyZxLj6mHC7v9fIkj49Tb2ObuoUDsw==
-----END CERTIFICATE-----
type: scram
- addresses:
- host: iaf-system-kafka-bootstrap.acme-iaf1.svc
port: 9095
bootstrapServers: 'iaf-system-kafka-bootstrap.acme-iaf1.svc:9095'
certificates:
- |
-----BEGIN CERTIFICATE-----
MIIDGzCCAgOgAwIBAgIRAIhYJOETxBquBUtF2wcUnH8wDQYJKoZIhvcNAQELBQAw
JzElMCMGA1UEAxMcSUJNIEF1dG9tYXRpb24gRm91bmRhdGlvbiBDQTAeFw0yMTA5
MjkwODEyMzBaFw0yMTEyMjgwODEyMzBaMCcxJTAjBgNVBAMTHElCTSBBdXRvbWF0
aW9uIEZvdW5kYXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCtYAaoVt6lU/SmRmEou/QxmzGwhzUQDWGBrfF/7cv5TkDhvLL7j5VMSw7g4how
b8az+5xHGffFKyq+z2sPEvxrT0A0nfcUsaCT6b6/oWbaqh5vwkkP8lZnIQAfrauP
yxzdofdjZMf/MBv6wxHZepacrgtDdV4enyQZcbCZWbRMCYmhCnUdbJWxj+jucAYw
egJUf79ZPuPIp/XZnTKuvNUQQ1PQud71j4KEstJNVnpqs3rmNA4ICL1ZpEsk3XrN
Qqviv9zlBpqcIizCdAiQP9XueYZC4V5Bz9vM00xyVzppjhAByw5Meb2F0MbuGLM+
TvUOObci5Dq2jgGLLOuUek+FAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIChDAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQwbYVtkeUFY6NeJLBKd72waDsW7TANBgkq
hkiG9w0BAQsFAAOCAQEAEACxQa/pqTu8CJs8nN/h2UE5+Pxo2tuOMyV26ohuy+i2
/1sMvRFNAqzpeb5qD/7hdAtN9JK3+znbCmArLGASNFebS5E5yASN1R76IyBQgHHA
x3sKIRnquxdw4kjgWZTndHTij7NDTMHotYdTsDJyc4u6/oKgtU0pBNQLuGSL6PNu
bRt+r8mAyZximHNkHYXrb7MFLhLXd0TRAt9TxKPFCW7T280iuP70tXLlU9ysbX0e
fC1bvggwgXR6yXxe500zc68qlPaKdeJQDXOwEl+OxSnocE0iZ21zyEG53EoYw5MB
ktavTFervY6lFyZxLj6mHC7v9fIkj49Tb2ObuoUDsw==
-----END CERTIFICATE-----
type: tls
- addresses:
- host: >-
iaf-system-kafka-scramext-bootstrap-acme-iaf1.apps.peehu.cp.fyre.ibm.com
port: 443
bootstrapServers: >-
iaf-system-kafka-scramext-bootstrap-acme-iaf1.apps.peehu.cp.fyre.ibm.com:443
certificates:
- |
-----BEGIN CERTIFICATE-----
MIIDGzCCAgOgAwIBAgIRAIhYJOETxBquBUtF2wcUnH8wDQYJKoZIhvcNAQELBQAw
JzElMCMGA1UEAxMcSUJNIEF1dG9tYXRpb24gRm91bmRhdGlvbiBDQTAeFw0yMTA5
MjkwODEyMzBaFw0yMTEyMjgwODEyMzBaMCcxJTAjBgNVBAMTHElCTSBBdXRvbWF0
aW9uIEZvdW5kYXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCtYAaoVt6lU/SmRmEou/QxmzGwhzUQDWGBrfF/7cv5TkDhvLL7j5VMSw7g4how
b8az+5xHGffFKyq+z2sPEvxrT0A0nfcUsaCT6b6/oWbaqh5vwkkP8lZnIQAfrauP
yxzdofdjZMf/MBv6wxHZepacrgtDdV4enyQZcbCZWbRMCYmhCnUdbJWxj+jucAYw
egJUf79ZPuPIp/XZnTKuvNUQQ1PQud71j4KEstJNVnpqs3rmNA4ICL1ZpEsk3XrN
Qqviv9zlBpqcIizCdAiQP9XueYZC4V5Bz9vM00xyVzppjhAByw5Meb2F0MbuGLM+
TvUOObci5Dq2jgGLLOuUek+FAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIChDAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQwbYVtkeUFY6NeJLBKd72waDsW7TANBgkq
hkiG9w0BAQsFAAOCAQEAEACxQa/pqTu8CJs8nN/h2UE5+Pxo2tuOMyV26ohuy+i2
/1sMvRFNAqzpeb5qD/7hdAtN9JK3+znbCmArLGASNFebS5E5yASN1R76IyBQgHHA
x3sKIRnquxdw4kjgWZTndHTij7NDTMHotYdTsDJyc4u6/oKgtU0pBNQLuGSL6PNu
bRt+r8mAyZximHNkHYXrb7MFLhLXd0TRAt9TxKPFCW7T280iuP70tXLlU9ysbX0e
fC1bvggwgXR6yXxe500zc68qlPaKdeJQDXOwEl+OxSnocE0iZ21zyEG53EoYw5MB
ktavTFervY6lFyZxLj6mHC7v9fIkj49Tb2ObuoUDsw==
-----END CERTIFICATE-----
type: scramext
- addresses:
- host: >-
iaf-system-kafka-external-bootstrap-acme-iaf1.apps.peehu.cp.fyre.ibm.com
port: 443
bootstrapServers: >-
iaf-system-kafka-external-bootstrap-acme-iaf1.apps.peehu.cp.fyre.ibm.com:443
certificates:
- |
-----BEGIN CERTIFICATE-----
MIIDGzCCAgOgAwIBAgIRAIhYJOETxBquBUtF2wcUnH8wDQYJKoZIhvcNAQELBQAw
JzElMCMGA1UEAxMcSUJNIEF1dG9tYXRpb24gRm91bmRhdGlvbiBDQTAeFw0yMTA5
MjkwODEyMzBaFw0yMTEyMjgwODEyMzBaMCcxJTAjBgNVBAMTHElCTSBBdXRvbWF0
aW9uIEZvdW5kYXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCtYAaoVt6lU/SmRmEou/QxmzGwhzUQDWGBrfF/7cv5TkDhvLL7j5VMSw7g4how
b8az+5xHGffFKyq+z2sPEvxrT0A0nfcUsaCT6b6/oWbaqh5vwkkP8lZnIQAfrauP
yxzdofdjZMf/MBv6wxHZepacrgtDdV4enyQZcbCZWbRMCYmhCnUdbJWxj+jucAYw
egJUf79ZPuPIp/XZnTKuvNUQQ1PQud71j4KEstJNVnpqs3rmNA4ICL1ZpEsk3XrN
Qqviv9zlBpqcIizCdAiQP9XueYZC4V5Bz9vM00xyVzppjhAByw5Meb2F0MbuGLM+
TvUOObci5Dq2jgGLLOuUek+FAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIChDAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQwbYVtkeUFY6NeJLBKd72waDsW7TANBgkq
hkiG9w0BAQsFAAOCAQEAEACxQa/pqTu8CJs8nN/h2UE5+Pxo2tuOMyV26ohuy+i2
/1sMvRFNAqzpeb5qD/7hdAtN9JK3+znbCmArLGASNFebS5E5yASN1R76IyBQgHHA
x3sKIRnquxdw4kjgWZTndHTij7NDTMHotYdTsDJyc4u6/oKgtU0pBNQLuGSL6PNu
bRt+r8mAyZximHNkHYXrb7MFLhLXd0TRAt9TxKPFCW7T280iuP70tXLlU9ysbX0e
fC1bvggwgXR6yXxe500zc68qlPaKdeJQDXOwEl+OxSnocE0iZ21zyEG53EoYw5MB
ktavTFervY6lFyZxLj6mHC7v9fIkj49Tb2ObuoUDsw==
-----END CERTIFICATE-----
type: external
observedGeneration: 1