Shared configuration

You must set the parameters in the custom resource file to access the Docker images in your environment.

The following tables list the configurable parameters. A parameter is either mandatory (Required) or optional in a custom resource file. If a parameter is absent or has no value, the operator uses the default value. You can override the default value by entering a new value in your custom resource. Mandatory parameters must always be present, and you must enter a valid value for them.

Table 1. Shared configuration parameters: spec
Parameter Description Example value Required
appVersion The version of the current release. 26.0.0 Yes
ibm_license Must exist to accept the IBM license. The only valid value is "accept". accept Yes
Table 2. Shared configuration parameters: spec.shared_configuration
Parameter Description Default/Example value Required
enable_fips Enable/disable FIPS mode for the deployment. false No
encryption_key_secret
The name of the shared encryption key secret. The secret stores a password that is used to encrypt the various encryption keys that the product generates. The secret is generated if it does not exist. The encryption_key_secret parameter is shared by IBM Business Automation Workflow, IBM Business Automation Studio, Application Engine, and IBM Process Federation Server.

If your installation includes Business Automation Studio and Application Engine and you want to compress and export an application project to Business Automation Studio or import an application project in Application Engine, you can specify the encryption key (aeEncryptionKey) and the encryption salt value (aeEncryptionSalt) in this secret. These values are used to encrypt sensitive information in the exported file. This is an optional step.

Default/Example value: ibm-iaws-shared-key-secret. Required: No.
external_tls_certificate_secret This parameter is used to replace the TLS certificates for all routes managed by the CP4BA operator. The certificate can use a wildcard SAN or multiple hostname SANs that can work for all of the routes. If defined, the certificate is used for all external routes. If it is not defined, certificates for all external routes are signed with the certificate in the root_ca_secret parameter. my-ext-tls-secret No
image_pull_secrets Shared image pull secrets. [] Not present
images.dbcompatibility_init_container.repository Image name for database compatibility init container. dba-dbcompatibility-initcontainer No
images.dbcompatibility_init_container.tag Image tag for database compatibility init container. 26.0.0 No
images.keytool_job_container.repository Image name for Transport Layer Security (TLS) job container. dba-keytool-jobcontainer No
images.keytool_job_container.tag Image tag for TLS job container. 26.0.0 No
images.keytool_init_container.repository Image name for TLS init container. dba-keytool-initcontainer No
images.keytool_init_container.tag Image tag for TLS init container. 26.0.0 No
images.pull_policy Pull policy for all containers. IfNotPresent No
images.umsregistration_initjob.repository Image name for OpenID Connect (OIDC) registration job container. dba-umsregistration-initjob No
images.umsregistration_initjob.tag Image tag for OIDC registration job container. 26.0.0 No
opensearch_configuration.route_host Customizes the public hostname for the OpenSearch Route. If it is not specified, a default hostname is generated in the form opensearch-<hostname_suffix>. None No
root_ca_secret Root certificate authority (CA) secret name that stores the root CA TLS key and certificate. The default value, when it is not set, is icp4a-root-ca. If the secret does not exist, it is created and a self-signed root CA certificate is generated. To assign an existing secret, it must be a TLS secret that contains the CA certificates. For more information, see TLS Secrets. icp4a-root-ca No
sc_common_service.operator_namespace The namespace for the operators of the cluster-scoped Cloud Pak foundational services. "openshift-operators" No
sc_common_service.services_namespace The namespace for the services of the cluster-scoped Cloud Pak foundational services. "ibm-common-services"  
sc_deployment_hostname_suffix
If you do not want to use a generated routing subdomain, you can customize the suffix that is used as the routing subdomain to create your routes.
If sc_deployment_platform is set to "OCP" or "ROKS", routes are created automatically. The routes are generated in the form:
<route-name>[-<namespace>].<hostname_suffix>
If you customize the hostname, you must ensure that the hostname suffix is the same as the default OpenShift router canonical hostname; otherwise you might get an error when you use Business Automation Studio.
Default/Example value: None. Required: No.
sc_deployment_license Valid values are non-production and production. production Yes
sc_deployment_platform
Valid options are "OCP", "ROKS", and "Other".
  • Use "OCP" for Red Hat OpenShift Container Platform.
  • Use "ROKS" for Red Hat OpenShift on IBM Cloud®.
  • Use "Other" for Rancher, Tanzu, or GKE platforms.
Default/Example value: OCP. Required: Yes.
sc_enable_instana_metric_collection Enables integration with Instana to collect application and infrastructure metrics for enhanced observability. If the parameter is not defined, then the default value is false. If you want to enable Instana monitoring for your BAI deployment, set the value to true. false, if not defined. No
sc_enable_pdb
Enables or disables a Pod Disruption Budget (PDB) for the BAI component. The parameter overrides the shared_configuration.sc_enable_pdb parameter value.

When PDB is set to true and the replica count for BAI management is greater than 1, a PDB is created with `minAvailable` set to 1. If the replica count is 1, the PDB has `minAvailable` set to 0.
sc_enable_usage_metering
Enables the upload of usage metrics to IBM Software Central.
Default/Example value: true. Required: Yes.
sc_generate_sample_network_policies
Use this parameter to generate network policy templates that you can install for a BAI deployment. By default, no network policies that restrict access to external systems are generated.

Set sc_generate_sample_network_policies to true in your custom resource to generate sample network policies for the BAI capabilities. The templates restrict access from all pods to external systems. You can customize the network policies, or use specific policies with matchLabels to set exceptions.

Default/Example value: false, if not defined. Required: No.
sc_hugepages
  • enabled
  • type
  • value
By default, huge pages support is not enabled. If you want your BAI deployment to use the huge pages that you enabled on the cluster, set enabled to true.

The type parameter identifies the type of the huge pages in the cluster. The default is "hugepages-2Mi".

The value parameter sets the size of the huge pages to allocate in the OpenShift cluster, specified in bytes with an optional scale suffix [kKmMgG].

Default/Example values:
  • enabled: false
  • type: hugepages-2Mi
  • value: 2M
Required: No.
sc_iam.default_admin_username The name of the admin user for the IBM Identity Management (IM) foundational service. cpadmin No
sc_image_repository By default, the IBM Entitled Registry is used and the value is set to "cp.icr.io". When a private image registry is used, the value of sc_image_repository must be set to the URL of that registry, for example myimageregistry.com/project_name. For an air-gap installation, make sure that the parameter is set to the default value. cp.icr.io No
sc_image_tag
A tag value that is applied to all container images.

Digests are used instead of the image tag, but it is useful to keep the tag up to date with the corresponding version. The list of digests that are used in each version can be found in the resources.yaml file under the ${CASE_LOCAL_PATH}/ibm-ba-insights/inventory/cp4aOperatorSdk directory of the CASE package. For more information, see Preparing a client to connect to the cluster.

Default/Example value: None. Required: No.
sc_ingress_enable
For ROKS, set this parameter to true to enable Ingress. The default value is false, which creates routes instead of Ingress.
Default/Example value: false. Required: No (Yes on ROKS).
sc_ingress_tls_secret_name
Must be set if you enable Ingress on ROKS. This secret provides TLS for the Ingress controller.

To get the secret when Ingress is enabled with TLS, run the following command:

ibmcloud kubectl cluster get --cluster <clusterID> | grep Ingress

Default/Example value: None. Required: No (Yes if Ingress is enabled).
sc_install_automation_base By default, the value is set to true. The default value installs Kafka and Elasticsearch for Business Automation Insights. If you want to use a pre-installed AutomationBase instance in the Cloud Pak, set the value to false to prevent the Cloud Pak from installing a new instance. You can also change the value after an installation if you want to customize the AutomationBase instance. Setting the value to false after the installation prevents the Cloud Pak operator from overriding the customized instance with the default configuration. true No
sc_optional_components
The optional components to be installed. None by default.
Default/Example value: None by default; an example of an optional component is bai. Required: No.
sc_run_as_user For Cloud Native Computing Foundation (CNCF) platforms such as Amazon Web Services (AWS), Google Kubernetes Engine (GKE), and so on, a value is required for this parameter. On OCP and ROKS, this parameter is not required. Specify the user that the pod security context runs as. The value is usually a number that corresponds to a user ID. None Yes if the deployment platform is set to "Other".
sc_seccomp_profile.type
Specify the type of seccomp profile to be used by the pods. Possible values are Unconfined, RuntimeDefault, and Localhost. For more information about seccomp profiles, see Restrict a Container's Syscalls with seccomp.
Default value:
  • RuntimeDefault on OCP 4.11 and later.
  • Empty on OCP 4.10.
Example value: Localhost. Required: No.
sc_seccomp_profile.localhost_profile Specify the local path of the seccomp profile file. This parameter is required if sc_seccomp_profile.type is set to Localhost. The value of sc_seccomp_profile.localhost_profile is ignored if sc_seccomp_profile.type is set to anything other than Localhost. For more information, see Configuring seccomp profiles. Example: profiles/audit.json Only if sc_seccomp_profile.type is set to Localhost
sc_service_ip_families
The sc_service_ip_families parameter defines a list of values that corresponds to the ipFamilies property of the Kubernetes Service object. If you have a dual-stack enabled cluster that supports both IPv6 and IPv4, add a list with IPv6 and IPv4. The default is to use the cluster-level settings.

Warning: Setting a value that is not supported in your cluster, for example IPv6 when the cluster supports only IPv4, causes the BAI deployment to fail.

For more information, see Service.

You can set sc_service_ip_families to one of the following values:
  • Dual stack, IPv4 listed first: IPv4, IPv6
  • Dual stack, IPv6 listed first: IPv6, IPv4

Example value:

```yaml
shared_configuration:
  sc_service_ip_families:
  - IPv6
  - IPv4
  sc_service_ip_family_policy: PreferDualStack
```

Required: No.
sc_service_ip_family_policy
The sc_service_ip_family_policy parameter defines a value that corresponds to the ipFamilyPolicy property of the Kubernetes Service object. If you have a dual-stack enabled cluster that supports both IPv6 and IPv4, add the string PreferDualStack or RequireDualStack. The default is to use the cluster-level settings.

Warning: Setting a value that is not supported in your cluster, for example RequireDualStack when the cluster supports only one IP family, causes the BAI deployment to fail.

For more information, see Service.

You can set the sc_service_ip_family_policy parameter to one of the following values:
  • PreferDualStack: The control plane assigns both IPv4 and IPv6 cluster IP addresses to the service on clusters that have dual-stack configured.
  • RequireDualStack: On clusters that have dual-stack configured, the behavior is the same as PreferDualStack: the control plane allocates cluster IP addresses from both the IPv4 and IPv6 address ranges. If this option is used on a cluster that does not have dual-stack networking enabled, service creation fails.

Example value:

```yaml
shared_configuration:
  sc_service_ip_families:
  - IPv4
  - IPv6
  sc_service_ip_family_policy: PreferDualStack
```

Required: No.
sc_skip_ldap_config
Controls whether the operator configures the Content Platform Engine to use an LDAP directory configuration or a SCIM directory configuration to authorize users and groups.

Set to true (default) for the operator to configure a Content Platform Engine SCIM directory configuration that retrieves authorization information, such as the groups to which a user belongs, from IM.

Set to false for the operator to configure a Content Platform Engine LDAP directory configuration that retrieves authorization information, such as the groups to which a user belongs, from an LDAP server.

Default/Example value: true. Required: No. However, false must be specified to retain a non-default configuration of the Content Platform Engine, for example when you upgrade from a previous deployment where an LDAP directory configured user and group authorization, or when you move a traditional deployment that used an LDAP directory.
storage_configuration
  • sc_slow_file_storage_classname
  • sc_medium_file_storage_classname
  • sc_fast_file_storage_classname
  • sc_block_storage_classname
Three file storage classes are needed for slow, medium, and fast storage. If only one storage class is defined, you can use that storage class for all three parameters.

The block storage class name is used for the PVCs that are created for MongoDB.

Default/Example value: None. Required: Yes.
trusted_certificate_list Trusted certificate secret names. Every component trusts these certificates for secure communication. Enter a comma-delimited list of the secret names in an array. For example, [secret_name1, secret_name2]. [] No
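Several rules in these tables only surface as failures at deployment time: a parameter that is valid only from a closed set of values, a parameter that becomes mandatory because of another parameter (sc_run_as_user on "Other", sc_ingress_tls_secret_name with Ingress on ROKS, sc_seccomp_profile.localhost_profile with type Localhost), the four storage class names, and an external_tls_certificate_secret whose certificate must cover every route of the form <route-name>[-<namespace>].<hostname_suffix>. The following Python pre-flight lint is an added example, not IBM's or the operator's code: it checks a custom resource that has been loaded as a dict against those rules, derives the route hostnames from the suffix, and verifies that the SANs of the external certificate cover each route (a wildcard SAN matching exactly one DNS label, as TLS clients apply it). SAMPLE_CR, the route names, the namespace, the hostname suffix and the SAN list are all constructed for illustration.

```python
# Added example (not IBM's operator code): pre-flight lint for the
# shared_configuration rules in the tables above, plus a check that the
# external TLS certificate's SANs cover every generated route hostname.

VALID_PLATFORMS = {"OCP", "ROKS", "Other"}
VALID_LICENSES = {"non-production", "production"}
VALID_SECCOMP_TYPES = {"Unconfined", "RuntimeDefault", "Localhost"}
VALID_IP_POLICIES = {"PreferDualStack", "RequireDualStack"}
VALID_IP_FAMILIES = {"IPv4", "IPv6"}
STORAGE_KEYS = ("sc_slow_file_storage_classname", "sc_medium_file_storage_classname",
                "sc_fast_file_storage_classname", "sc_block_storage_classname")


def validate_cr(cr):
    """Return a list of problems; an empty list means the CR passes these checks."""
    problems = []
    spec = cr.get("spec", {})
    sc = spec.get("shared_configuration", {})

    # Table 1: both spec-level parameters are mandatory.
    if not spec.get("appVersion"):
        problems.append("spec.appVersion is required")
    if spec.get("ibm_license") != "accept":
        problems.append("spec.ibm_license must be 'accept'")

    # Closed sets of valid values, and the always-mandatory metering flag.
    platform = sc.get("sc_deployment_platform")
    if platform not in VALID_PLATFORMS:
        problems.append("sc_deployment_platform must be OCP, ROKS or Other")
    if sc.get("sc_deployment_license") not in VALID_LICENSES:
        problems.append("sc_deployment_license must be non-production or production")
    if sc.get("sc_enable_usage_metering") is None:
        problems.append("sc_enable_usage_metering is required")

    # Parameters that become mandatory because of another parameter's value.
    if platform == "Other" and sc.get("sc_run_as_user") is None:
        problems.append("sc_run_as_user is required when sc_deployment_platform is Other")
    if platform == "ROKS" and sc.get("sc_ingress_enable") and not sc.get("sc_ingress_tls_secret_name"):
        problems.append("sc_ingress_tls_secret_name is required when Ingress is enabled on ROKS")
    seccomp = sc.get("sc_seccomp_profile", {})
    seccomp_type = seccomp.get("type")
    if seccomp_type is not None and seccomp_type not in VALID_SECCOMP_TYPES:
        problems.append("sc_seccomp_profile.type must be Unconfined, RuntimeDefault or Localhost")
    if seccomp_type == "Localhost" and not seccomp.get("localhost_profile"):
        problems.append("sc_seccomp_profile.localhost_profile is required when type is Localhost")

    # Unsupported dual-stack values fail the deployment later; reject at least
    # names that are not IP families or policies at all, and duplicate families.
    policy = sc.get("sc_service_ip_family_policy")
    if policy is not None and policy not in VALID_IP_POLICIES:
        problems.append("sc_service_ip_family_policy must be PreferDualStack or RequireDualStack")
    families = sc.get("sc_service_ip_families") or []
    if not set(families) <= VALID_IP_FAMILIES or len(set(families)) != len(families):
        problems.append("sc_service_ip_families must list IPv4 and/or IPv6 once each")

    # All four storage class names are mandatory; one class may serve the three file tiers.
    storage = sc.get("storage_configuration", {})
    problems += [f"storage_configuration.{k} is required" for k in STORAGE_KEYS if not storage.get(k)]
    return problems


def route_hostnames(route_names, hostname_suffix, namespace=None):
    """Hostnames in the documented form <route-name>[-<namespace>].<hostname_suffix>."""
    infix = f"-{namespace}" if namespace else ""
    return [f"{name}{infix}.{hostname_suffix}" for name in route_names]


def san_matches(san, hostname):
    """Match the way TLS clients do: a leading '*' covers exactly one DNS label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        label, dot, parent = hostname.partition(".")
        return bool(label) and dot == "." and parent == san[2:]
    return san == hostname


def uncovered_routes(sans, hostnames):
    """Route hostnames that none of the certificate's SANs cover; should be empty."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed sample CR: ROKS with Ingress but no TLS secret, a Localhost seccomp
# profile without a path, and no block storage class. Load a real CR with yaml.safe_load().
SAMPLE_CR = {"spec": {
    "appVersion": "26.0.0",
    "ibm_license": "accept",
    "shared_configuration": {
        "sc_deployment_platform": "ROKS",
        "sc_deployment_license": "production",
        "sc_deployment_hostname_suffix": "apps.example.test",
        "sc_ingress_enable": True,
        "sc_enable_usage_metering": True,
        "sc_seccomp_profile": {"type": "Localhost"},
        "sc_service_ip_family_policy": "PreferDualStack",
        "sc_service_ip_families": ["IPv6", "IPv4"],
        "storage_configuration": {
            "sc_slow_file_storage_classname": "example-file-sc",
            "sc_medium_file_storage_classname": "example-file-sc",
            "sc_fast_file_storage_classname": "example-file-sc",
        },
    },
}}
# Constructed route names, namespace and certificate SAN; take the real ones from your cluster.
SAMPLE_ROUTES = route_hostnames(["opensearch", "bai-console"], "apps.example.test", namespace="bai")
SAMPLE_SANS = ["*.apps.example.test"]

if __name__ == "__main__":
    print("problems:", validate_cr(SAMPLE_CR))
    print("routes not covered by the certificate:", uncovered_routes(SAMPLE_SANS, SAMPLE_ROUTES))
```

Running the block reports three problems for the constructed CR (the missing Ingress TLS secret, the missing seccomp profile path, and the missing block storage class) and no uncovered routes, because the wildcard SAN covers one label under the suffix; a SAN such as `*.example.test` would not cover `opensearch-bai.apps.example.test`, which is why the hostname suffix and the certificate's SANs have to be planned together.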