Changing default values for Cloud Pak foundational services

Each instance of Business Automation Insights that you install includes Cloud Pak foundational services, or locates an already installed instance. The foundational services can be configured post-installation to better integrate with Business Automation Insights.

About this task

The foundational services help you manage and administer IBM® software on your cluster. For example, the Cloud Pak foundational services include services such as the Platform UI (Zen) Service, the License Service, and the Identity Management (IM) Service. From the Platform UI (Zen), you can view key metrics for components of IBM Cloud® Paks and Cloud Pak foundational services that are installed on the cluster.

You might want to configure the foundational services in the following ways.

Cluster administrator password

The cluster administrator password is stored in a Kubernetes secret. You can change the auto-generated password and restart the services that use the password by running a cloudctl command.

cloudctl pm update-secret kube-system platform-auth-idp-credentials -d admin_password

The password must follow the defined password rules. To list the password rules, run the following command:

cloudctl pm password-rules <namespace>

Platform UI (Zen) customization

The Zen Service is a reverse proxy that provides a common external URL to access Business Automation Insights. For more information, see Platform UI. Zen uses specific roles to define who can access a particular interface. For more information about managing the roles and user permissions, see Managing users.

Note: Each Cloud Pak has its own documentation on the roles that apply to its interfaces. For some APIs and UIs, you might need extra authorization in addition to the Platform UI roles. Therefore, it is best to review the documentation of a particular API or UI before you use it.

The ibm-zen-operator manages the Zen Service, and the Business Automation Insights operator does not manage the Zen settings after the initial creation. Customization of the Zen Service must be made directly in the Zen custom resource (CR).

You can review the settings and health of the Zen Service by running the following command, where <namespace> is usually the Business Automation Insights namespace.

kubectl get zenservice -o yaml -n <namespace> 

The route that is associated with Zen is called cpd and it uses secure TLS communications. If you need the root CA for an external truststore, see Exporting the Zen CA and common services CA. When you access the cpd route, login requests are redirected to the IM service and the cp-console route. You can customize the hostname and certificates for these routes. For more information, see Customizing the Cloud Pak Identity Management (IM) service.

All the TLS certificates for Cloud Pak foundational services are created during installation, but you can replace the certificate and the route hostname for the foundational services entry point. The entry point is the endpoint that is used to access the console from outside the cluster. For more information, see Customizing the Cloud Pak entry point.

License Service custom certificates

To avoid certificate issues and untrusted certificates when you access the UIs and REST APIs, you can configure a custom certificate for License Service communication.

  1. Change the certificate name to tls.crt.
  2. Change the name of the key to tls.key.
  3. Run the following command to change the directory to where the certificate and the key are stored:
    cd <certificate_directory>
  4. Create a secret by using the following command:
    licensingNamespace=$(kubectl get pods --all-namespaces | grep "ibm-licensing-service-" | awk '{print $1}')
    kubectl create secret tls ibm-licensing-certs --key tls.key --cert tls.crt -n "${licensingNamespace}"
  5. Edit the IBMLicensing custom resource to enable the https connection.
    apiVersion: operator.ibm.com/v1alpha1
    kind: IBMLicensing
    metadata:
      name: instance
    spec:
      httpsEnable: true

    To access the IBM Licensing Operator:

    1. From the navigation menu, click Operators > Installed Operators > IBM Licensing Operator.
    2. Click the IBM License Service tab.
    3. Click the IBMLicensings instance, and then click the YAML tab.
  6. To apply the custom certificate that you created, add the httpsCertsSource parameter:
    apiVersion: operator.ibm.com/v1alpha1
    kind: IBMLicensing
    metadata:
      name: instance
    spec:
      httpsEnable: true
      httpsCertsSource: ibm-licensing-certs
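
Before you create the secret in step 4, it is worth confirming that tls.crt and tls.key belong together, that the key loads without a passphrase, and that the certificate is not about to expire. The following script is an added example, not part of the IBM procedure; check_tls_pair is a hypothetical helper name, the 30-day default threshold is an assumption, and the openssl CLI is assumed to be installed on the workstation.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for tls.crt and tls.key before running
# `kubectl create secret tls ibm-licensing-certs ...` (step 4).
# check_tls_pair is a hypothetical helper name; it needs only the openssl CLI.
#
# Return codes: 0 ok, 2 unreadable file, 3 unparsable certificate or key,
#               4 certificate/key mismatch, 5 certificate expires too soon.

check_tls_pair() {
  local cert=$1 key=$2 min_days=${3:-30} cert_pub key_pub

  [ -r "$cert" ] && [ -r "$key" ] ||
    { echo "cannot read $cert or $key" >&2; return 2; }

  # Public key embedded in the certificate (also proves it parses as X.509).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "$cert is not a PEM X.509 certificate" >&2; return 3; }

  # Public key derived from the private key. The empty passphrase makes
  # openssl fail instead of prompting when the key is encrypted.
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
    { echo "$key is not an unencrypted PEM private key" >&2; return 3; }

  # Both values are PEM SubjectPublicKeyInfo; they must be identical.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "certificate and key do not belong together" >&2; return 4; }

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "certificate expires within $min_days days" >&2; return 5; }

  echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Stand-alone use: ./check_tls_pair.sh tls.crt tls.key [min_days]
if [ "$#" -ge 2 ]; then
  check_tls_pair "$@"
fi
```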

Default storage class

The storage class that you used for the InsightsEngine instance is used for MongoDB. You can change the storage class name by adding the storageClass parameter with a storage class of your choice in the OperandConfig instance in the foundational services namespace.

Note: If you used a namespace-scoped foundational services instance, then the namespace is defined in the common-service-maps configMap for the BAI deployment. If you used a cluster-scoped instance, then the namespace is ibm-common-services.

- name: ibm-mongodb-operator
  spec:
    mongoDB:
      storageClass: <storage_class_name>

You can access the common-service instance by using the kubectl command-line interface (CLI) and running this command:

kubectl edit OperandConfig common-service -n <namespace>