Installing an Enterprise deployment in Operator Hub

Operator lifecycle manager (OLM) helps you to install, update, and manage the lifecycle of all operators and services that are deployed in OpenShift Container Platform (OCP) clusters.

Before you begin

  1. If you created an air gap environment, you must complete the steps in Preparing the operator and log file storage before you install the operator. In other cases, complete the steps in Preparing for an Enterprise deployment.
  2. You must then follow the relevant steps to prepare the patterns that you want to install. For more information, see Preparing capabilities.
  3. Log in to your OCP or ROKS cluster.
  4. In the Installed Operators view, verify that the status of the IBM Cloud Pak for Business Automation operator installation reads succeeded, and verify the deployment by checking that all of the pods are running.

    Operator installation succeeded

About this task

Operator lifecycle manager is part of the Operator Framework, which is an open source toolkit that is designed to manage Kubernetes applications in an effective, automated, and scalable way.

IBM provides operators to OCP in the form of a catalog. The catalog is added to an OCP cluster and appears in the OCP Operator Hub under the IBM Operator Catalog provider type.

Procedure

  1. Use the operator instance to apply a custom resource by clicking CP4BA deployment > Create Instance.
  2. In the Form View of the deployment editor, enter the values for everything that you want to include in your deployment.
    1. Enter a Name, or use the default icp4adeploy.
    2. Enter the appVersion 21.0.x.
    3. Accept the License by setting the value to true.
    4. Open the Shared Configuration section and enter values for the following parameters. For more information about the shared parameters, see Shared configuration parameters.
      Table 1. Shared configuration parameters
      Shared configuration parameter | Value
      Hostname suffix | A routing subdomain is generated by default. For 21.0.1: You must add a valid hostname. For example, <namespace>.myhostname.
      Purchased CP4BA license | Set to production or non-production.
      Platform | Set to OCP or ROKS.
      For 21.0.1: Image repository | The default is cp.icr.io.
      For 21.0.1: Image pull secrets | The default is admin.registrykey.
      root_ca_secret | The default is icp4a-root-ca.
      external_tls_certificate_secret | Set to the name of the secret that is used to store a wildcard certificate (and concatenated signers) to be used by all routes. If the value is empty, all external routes are signed with root_ca_secret.
      Content initialization | Enable or disable ECM (FNCM) and BAN initialization.
      Content verification | Enable or disable the ECM (FNCM) and BAN verification.
      Trusted certificate list | If the root certificate authority (CA) key of the external service is not signed by the operator root CA key, provide the TLS certificate of the external service to the component's truststore. If the secret does not exist, then a self-signed signer certificate is generated. For more information, see Providing the root CA certificate. Important: If you choose to use self-signed certificates, certain features of the product might not work as expected because of modern browser restrictions that are related to self-signed certificates. A browser blocks any redirect to a site that uses a certificate that is not signed by a root CA that is trusted by the browser. This can result in access issues for business applications.
      Purchased FNCM license | If you set IBM FileNet® Content Manager (FNCM) to true, set the value to production, non-production, or user. Otherwise, leave the value empty.
      Purchased BAW license | If you set IBM Business Automation Workflow to true, set the value to production, non-production, or user. Otherwise, leave the value empty.
      Storage configuration | Select the storage classes that are installed in your cluster for each of the three storage class fields: Slow storage for Enterprise, Medium storage for Enterprise, and Fast storage for Enterprise.
      Admin user | The default administrator user for Application/Workflow/Workstreams. After you enter the value once, you can skip the setting for Studio, Applications, and Workflow/Workstreams configuration. Designate an existing LDAP user for the Studio/Playback Application Engine or Application Engine or Workflow/Workstreams admin user.
      Note: To use Application Engine or Playback Application Engine, this user ID must be in the IBM Business Automation Navigator administrator role, as specified in appLoginUsername in the Navigator secret. This user must also belong to the user management service (UMS) Teams admin group or the UMS Teams Administrators team. Otherwise, follow the instructions in Completing post-deployment tasks for Application Engine to add it to the Navigator administrator role and UMS team server admin group.
    5. Set Deployment Type to enterprise.
    6. Select the capabilities that you want to include.
      Tip: If you do not want to include a capability, leave the value as false. For more information about the capabilities and their dependencies, see Capabilities for Enterprise deployments.
      • FileNet Content Manager
      • Business Automation Application
      • Operational Decision Manager
      • Automation Decision Services
      • Automation Document Processing
      • Automation Workflow/Workstream Services
    7. Open the Advanced Configuration section, enter valid values for the LDAP Configuration, Datasource Configuration, Initialization Configuration, Enable Data Persistence, and choose whether to include Business Automation Insights. You must then enter valid values for the parameters of the selected capabilities in the list. For more information about configuring each capability, see Checking and completing your custom resource.
      Restriction: Due to a limitation in the Form View, the repo_service_url parameter in IBM FileNet Content Manager is still visible when Automation Document Processing (ADP) Runtime is set to false. You do not need to set a value for this configuration parameter if you do not want to include ADP.
      Notes:

      You can copy and paste parameters from the custom resource enterprise templates in the YAML View and edit the parameters. Go to the relevant folder in cert-kubernetes/descriptors/patterns to find all of the templates. For more information about downloading cert-kubernetes, see Preparing for an Enterprise deployment. You can edit the CR file in the editor, but it is best if you have the CR complete and verified before you save your changes in the editor. For example, go to http://www.yamllint.com/ to verify the contents of your file.

      For more information about the olm_ configuration parameters, see Business Automation configuration parameters for Operator Hub. You can add and remove parameters in the YAML View. You can switch between the Form View and the YAML View to complete your configuration.

      If you choose the Workflow pattern, the Business Automation Insights configuration is always added, even if you don't select the optional Business Automation Insights component.

  3. When you are ready, click Create.

Results

Check to make sure that the icp4ba cartridge in the IBM Automation Foundation Core is ready. For more information about IBM Automation Foundation, see What is IBM Automation foundation?

To view the status of the icp4ba cartridge in the OCP Admin console, click Operators > Installed Operators > IBM Automation Foundation Core. Click the Cartridge tab, click icp4ba, and then scroll to the Conditions section.

Conditions list

When the deployment is successful, a ConfigMap is created in the CP4BA namespace (project) to provide the cluster-specific details to access the services and applications. The ConfigMap name is prefixed with the deployment name (default is icp4adeploy). You can search for the routes with a filter on "cp4ba-access-info".

The contents of the ConfigMap depend on the components that are included. Each component has one or more URLs, and if needed a username and password.

<component1> URL: <RouteUrlToAccessComponent1>  
<component2> URL: <RouteUrlToAccessComponent2> 
Note: For 21.0.1, if you installed without an interim fix, you must go to the routes panel and open the routes with the corresponding names for Operational Decision Manager. The username and password are odmAdmin/odmAdmin.
  • Decision Server Console: <meta_name>-odm-ds-console-route
  • Decision Runner: <meta_name>-odm-dr-route
  • Decision Center: <meta_name>-odm-dc-route
  • Decision Server Runtime: <meta_name>-odm-ds-runtime-route

What to do next

When all of the containers are running, you can access the services.

Note: If the capabilities that you installed include Business Automation Navigator (BAN) and the User Management Service (UMS), then you need to configure the Single Sign-On (SSO) logout for the Admin desktop. For more information, see Configuring SSO logout between BAN and UMS.

Business Automation Studio leverages the IBM Cloud Pak Platform UI (Zen UI) to provide a role-based user interface for all Cloud Pak capabilities. Capabilities are dynamically available in the UI based on the role of the user that logs in. You can find the URL for the Zen UI by clicking Network > Routes and looking for the name cpd, or by running the following command.

oc get route |grep "^cpd"

Log in to the Admin Hub to configure your LDAP with the Identity and Access Management (IAM) service. You have two authentication types that you can log in with: OpenShift authentication and IBM provided credentials (admin only). Use your kubeadmin username and credentials to log in with OpenShift authentication. On ROKS, you must use IBM provided credentials. The default username for these credentials is "admin". You can get the default username by running the following command:

oc -n ibm-common-services get secret platform-auth-idp-credentials \
   -o jsonpath='{.data.admin_username}' | base64 -d && echo

You get the password by running the following command:

oc -n ibm-common-services get secret platform-auth-idp-credentials \
   -o jsonpath='{.data.admin_password}' | base64 -d

You can change the default password at any time. For more information, see Changing the cluster administrator password.

You must then add users to the Automation Developer role to enable users and user groups to access Business Automation Studio and work with business applications and business automations. For more information, see Completing post-deployment tasks for Business Automation Studio.

To enable logs and monitoring, add the wanted YAML to the CR in the YAML view. For example, the following parameters provide custom settings for the content pattern.

  monitoring_configuration:
    collectd_disable_host_monitoring: false
    collectd_interval: 10
    collectd_plugin_write_graphite_host: localhost
    collectd_plugin_write_graphite_port: 2003
    collectd_plugin_write_prometheus_port: 9103
    mon_enable_plugin_mbean: true
    mon_enable_plugin_pch: true
    mon_metrics_writer_option: 4
  logging_configuration: 
    mon_log_parse: true
    mon_log_shipper_option: "1"
    mon_log_service_endpoint: example.com:9200
    private_logging_enabled: false
    logging_type: default
    mon_log_path: /path_to_extra_log
  ecm_configuration:
    cpe:
      logging_enabled: true
      monitor_enabled: true
    css:
      logging_enabled: true
      monitor_enabled: true
    graphql:
      logging_enabled: true
      monitor_enabled: true
    cmis:
      logging_enabled: true
      monitor_enabled: true
    es:
      logging_enabled: true
      monitor_enabled: true
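
A local pre-check for the ecm_configuration block above, as an added example that is not IBM code: it lists every ECM component whose logging_enabled or monitor_enabled flag is missing or not true, so gaps in log coverage are caught before the CR is saved. The function names and the sample CR are constructed for illustration, and the check assumes the indentation layout shown on this page.

```shell
# Added example (not IBM code). Assumption: components sit directly under
# ecm_configuration and the two flags sit directly under each component,
# as in the YAML shown on this page.
audit_ecm_logging() {   # $1 = path to the CR YAML file
  awk '
    function report() {
      if (comp != "") {
        if (!log_ok) print comp, "logging_enabled"
        if (!mon_ok) print comp, "monitor_enabled"
      }
      comp = ""
    }
    /^[ \t]*(#|$)/ { next }                       # skip comments and blanks
    {
      match($0, /^ */); ind = RLENGTH             # indentation depth
      line = substr($0, ind + 1)
      if (line ~ /^ecm_configuration:/) { in_ecm = 1; ecm_ind = ind; comp_ind = -1; next }
      if (!in_ecm) next
      if (ind <= ecm_ind) { report(); in_ecm = 0; next }   # block ended
      if (comp_ind < 0) comp_ind = ind
      if (ind == comp_ind) {                      # component key such as "cpe:"
        report(); comp = line; sub(/:.*/, "", comp); log_ok = 0; mon_ok = 0; next
      }
      if (line ~ /^logging_enabled:[ \t]*true[ \t]*$/) log_ok = 1
      if (line ~ /^monitor_enabled:[ \t]*true[ \t]*$/) mon_ok = 1
    }
    END { if (in_ecm) report() }
  ' "$1"
}
# Constructed sample: css has monitoring off, graphql has no logging flag.
write_sample_cr() {   # $1 = output path
  cat > "$1" <<'EOF'
spec:
  ecm_configuration:
    cpe:
      logging_enabled: true
      monitor_enabled: true
    css:
      logging_enabled: true
      monitor_enabled: false
    graphql:
      monitor_enabled: true
  logging_configuration:
    logging_type: default
EOF
}
sample=$(mktemp); write_sample_cr "$sample"
audit_ecm_logging "$sample"    # one "<component> <flag>" line per gap
rm -f "$sample"
```

An empty result means every component listed under ecm_configuration has both flags set to true.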

Some capabilities need you to follow post-deployment steps. For more information, see Completing post-deployment tasks.