Issue Resolution Lifecycle operator secret usage

Find out about the secure operation of the Issue Resolution Lifecycle operator.

Secrets owned by the Issue Resolution Lifecycle operator

The Issue Resolution Lifecycle operator's secrets are created automatically when IBM Cloud Pak® for AIOps is installed. Alternatively, you can manually create some or all of these secrets before IBM Cloud Pak for AIOps is installed, with values of your own choosing. If these secrets exist before IBM Cloud Pak for AIOps is installed, then they are not modified (although new properties might be added).

The following table describes the secrets that the Issue Resolution Lifecycle operator owns. These secrets contain credentials, encryption keys, and other secrets. Some values can be changed after installation, which might necessitate restarting pods that have access to these secrets, or require additional steps to run. Details are provided in the table.

Table 1. Secrets that belong to the Issue Resolution Lifecycle operator
| Secret | Property | Type | Purpose | Rotation | Example commands |
|---|---|---|---|---|---|
| aiops-ir-lifecycle-flink-admin-user | password | hex15 | Basic auth for https://aiops-ir-lifecycle-flink-api:9081 | Change the secret. aiops-ir-lifecycle-flink will restart automatically. | oc set data secret aiops-ir-lifecycle-flink-admin-user --from-literal=password=$(openssl rand -hex 15) |
| aiops-ir-lifecycle-flink-admin-user | username | fixed | Basic auth for https://aiops-ir-lifecycle-flink-api:9081 | The user name is flink-admin. It should not be changed and is included for future flexibility. | |
| aiops-ir-lifecycle-flink-internal-keystore | password | hex15 | Password used for key store within pods. | Change the secret. aiops-ir-lifecycle-flink and aiops-ir-lifecycle-flink-taskmanager will restart automatically. | oc set data secret aiops-ir-lifecycle-flink-internal-keystore --from-literal=password=$(openssl rand -hex 15) |
| aiops-ir-lifecycle-flink-internal-truststore | password | hex15 | Password used for trust store within pods. | Change the secret. aiops-ir-lifecycle-flink and aiops-ir-lifecycle-flink-taskmanager will restart automatically. | oc set data secret aiops-ir-lifecycle-flink-internal-truststore --from-literal=password=$(openssl rand -hex 15) |
| aiops-ir-lifecycle-flink-rest-keystore | password | hex15 | Password used for key store within pods. | Change the secret. aiops-ir-lifecycle-flink and aiops-ir-lifecycle-flink-taskmanager will restart automatically. | oc set data secret aiops-ir-lifecycle-flink-rest-keystore --from-literal=password=$(openssl rand -hex 15) |
| aiops-ir-lifecycle-flink-rest-truststore | password | hex15 | Password used for trust store within pods. | Change the secret. aiops-ir-lifecycle-flink and aiops-ir-lifecycle-flink-taskmanager will restart automatically. | oc set data secret aiops-ir-lifecycle-flink-rest-truststore --from-literal=password=$(openssl rand -hex 15) |
| aiops-ir-lifecycle-flink-truststore | password | hex15 | Password used for trust store within pods. | Change the secret. aiops-ir-lifecycle-flink and aiops-ir-lifecycle-flink-taskmanager will restart automatically. | oc set data secret aiops-ir-lifecycle-flink-truststore --from-literal=password=$(openssl rand -hex 15) |
| aiops-ir-lifecycle-policy-registry-svc | password | hex15 | Basic authentication for https://aiops-ir-lifecycle-policy-registry-svc:5601 | Change the secret. Restart cp4waiops-metricsprocessor. aiops-ir-lifecycle-policy-registry-svc restarts automatically. | oc set data secret aiops-ir-lifecycle-policy-registry-svc --from-literal=password=$(openssl rand -hex 15) && oc delete pod -l connector.aiops.ibm.com/name=cp4waiops-metricsprocessor |
| aiops-ir-lifecycle-policy-registry-svc | username | fixed | Basic authentication for https://aiops-ir-lifecycle-policy-registry-svc:5601 | The username is system and must not be changed. It is included for future flexibility. | |

The Type for each secret in the table has one of the following entries:

  • hex15 - 15-byte number encoded in hexadecimal (30 hex digits).
  • fixed - do not change this value. The value is included in a secret for future flexibility.
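
Rotating every hex15 password in Table 1 can be scripted. The following is an added example, not IBM-supplied code: it captures the openssl output first and checks it against the hex15 format, because a failed command substitution inside the oc command line would otherwise hand oc an empty password. The function names and the HEX15_SECRETS variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not IBM-supplied. Rotates the hex15 passwords from Table 1 and
# refuses to call oc unless the new value really is 30 hex digits.

# Secrets from Table 1 whose "password" property has type hex15.
HEX15_SECRETS="aiops-ir-lifecycle-flink-admin-user
aiops-ir-lifecycle-flink-internal-keystore
aiops-ir-lifecycle-flink-internal-truststore
aiops-ir-lifecycle-flink-rest-keystore
aiops-ir-lifecycle-flink-rest-truststore
aiops-ir-lifecycle-flink-truststore
aiops-ir-lifecycle-policy-registry-svc"

# is_hex15 VALUE: succeed only for exactly 30 hexadecimal digits.
is_hex15() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 30 ]
}

# rotate_secret NAME: generate, validate, then apply one new password.
rotate_secret() {
  name=$1
  # Capture first: inside "oc ... $(openssl ...)" a failed openssl is ignored
  # and oc would receive an empty password.
  value=$(openssl rand -hex 15) || value=
  if ! is_hex15 "$value"; then
    echo "not rotating $name: generated value is not hex15" >&2
    return 1
  fi
  oc set data secret "$name" --from-literal=password="$value" || return 1
  # Table 1: this secret also needs cp4waiops-metricsprocessor restarted by hand.
  if [ "$name" = aiops-ir-lifecycle-policy-registry-svc ]; then
    oc delete pod -l connector.aiops.ibm.com/name=cp4waiops-metricsprocessor
  fi
}

# rotate_all: rotate every hex15 secret, stopping at the first failure.
rotate_all() {
  for s in $HEX15_SECRETS; do
    rotate_secret "$s" || return 1
  done
}
```

Source the file in a shell that is already logged in to the cluster, then call rotate_all or rotate_secret with a single secret name.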

Secrets that are used by the Issue Resolution Lifecycle operator

The following table describes secrets that are owned by another operator but that are used by the Issue Resolution Lifecycle operator. The table shows the Issue Resolution Lifecycle components that are automatically restarted if these secrets are rotated; no manual component restarts are required.

Table 2. Secrets that are used by the Issue Resolution Lifecycle operator
| Secret | Owner | Purpose | Automatically restarted |
|---|---|---|---|
| aimanager-ibm-minio-access-secret | AIManager/aimanager | Credentials for Minio S3 storage | aiops-ir-lifecycle-flink, aiops-ir-lifecycle-flink-taskmanager |
| aiops-ir-analytics-ai-datalayer-system-secret | AIOpsAnalyticsOrchestrator | Credentials for AI datalayer | aiops-ir-lifecycle-flink, aiops-ir-lifecycle-flink-taskmanager |
| aiops-topology-asm-credentials | ASM/aiops-topology | Credentials for https://aiops-topology-topology.aiops.svc:8080 | aiops-ir-lifecycle-flink, aiops-ir-lifecycle-flink-taskmanager |
| aiops-topology-cassandra-auth-secret | ASM/aiops-topology | Credentials for Cassandra | aiops-ir-lifecycle-flink-taskmanager, aiops-ir-lifecycle-policy-registry-svc |
| cp4waiops-cartridge-es-auth | Installation | Credentials for Elasticsearch | aiops-ir-lifecycle-flink, aiops-ir-lifecycle-flink-taskmanager |
| iaf-system-elasticsearch-es-ss-cacert-kp | Certificate/iaf-system-elasticsearch-es-ss-ca | CA certificate for Elasticsearch | aiops-ir-lifecycle-flink, aiops-ir-lifecycle-flink-taskmanager |
| <instance>-es-admin-user-connection-secret | Installation | Binding secret for Elasticsearch | aiops-ir-lifecycle-datarouting, aiops-ir-lifecycle-policy-registry-svc |
| <instance>-kafka-secret | Installation | Binding secret for Kafka | aiops-ir-lifecycle-datarouting, aiops-ir-lifecycle-flink, aiops-ir-lifecycle-flink-taskmanager, aiops-ir-lifecycle-policy-registry-svc |
| zen-service-broker-secret | ibm-zen-operator | Token for accessing Zen API | aiops-ir-lifecycle-flink, aiops-ir-lifecycle-flink-taskmanager |

Where <instance> is the name of your IBM Cloud Pak for AIOps instance, for example ibm-cp-aiops.