Shared configuration
You must set the parameters in the custom resource file to access the Docker images in your environment.
The following tables list the configurable parameters. The parameters are either mandatory <Required> or optional in a custom resource file. If a parameter is absent or has no value, it means that the operator refers to the default value. You can overwrite the default value by entering a new value in your custom resource. Parameters that are mandatory must always be present and you must enter a valid value.
| Parameter | Description | Example value | Required |
|---|---|---|---|
| appVersion | The version of the current release. | 23.0.1 | Yes |
| ibm_license | Must exist to accept the IBM license. The only valid value is "accept". | accept | Yes |
| Parameter | Description | Default/Example value | Required |
|---|---|---|---|
| encryption_key_secret | The name of the shared encryption key secret. The secret is used to store a password that is used to encrypt various encryption keys generated by the product. The secret is generated if it does not exist. | ibm-iaws-shared-key-secret | No |
| external_tls_certificate_secret | This parameter is used to replace the TLS certificates for all routes managed by the CP4BA operator. The certificate can use a wildcard SAN or multiple hostname SANs that can work for all of the routes. If defined, the certificate is used for all external routes. If it is not defined, certificates for all external routes are signed with the certificate in the root_ca_secret parameter. | my-ext-tls-secret | No |
| image_pull_secrets | Shared image pull secrets. | [] | Not present |
| images.dbcompatibility_init_container.repository | Image name for database compatibility init container. | dba-dbcompatibility-initcontainer | No |
| images.dbcompatibility_init_container.tag | Image tag for database compatibility init container. |
23.0.1 |
No |
| images.keytool_job_container.repository | Image name for Transport Layer Security (TLS) job container. | dba-keytool-jobcontainer | No |
| images.keytool_job_container.tag | Image tag for TLS job container |
23.0.1 |
No |
| images.keytool_init_container.repository | Image name for TLS init container. | dba-keytool-initcontainer | No |
| images.keytool_init_container.tag | Image tag for TLS init container. |
23.0.1 |
No |
| images.pull_policy | Pull policy for all containers. | IfNotPresent | No |
| images.umsregistration_initjob.repository | Image name for OpenID Connect (OIDC) registration job container. | dba-umsregistration-initjob | No |
| images.umsregistration_initjob.tag | Image tag for OIDC registration job container. |
23.0.1 |
No |
| root_ca_secret | Root certificate authority (CA) secret name to store the root CA TLS key and certificate. The
default value when it is not set, is icp4a-root-ca. If the secret does not exist,
it is created and a self-signed root CA certificate is generated. To assign an existing secret, it
must be a TLS secret with the CA certificates. For more information, see TLS Secrets. |
icp4a-root-ca | No |
| sc_cpe_limited_storage | When set to "true", the Content Platform Engine (CPE) component is deployed
for Automation Document Processing capability as non-chargeable. |
true, false (default is false) | No |
| sc_deployment_baw_license | Use only when you want to install a deployment license for Business Automation Workflow. The only valid values are user, non-production, and production. If no value is set and the parameter is used, then the default is production. | production |
No Yes, if you want to install Business Automation Workflow. |
| sc_deployment_fncm_license | Use only when you want to install a deployment with a license for FileNet Content Manager. The only valid values are user, non-production, and production. If no value is set and the parameter is used, then the default is production. | production |
No Yes, if you want to install FileNet Content Manager. |
| sc_deployment_hostname_suffix | If you do not want to use a generated routing subdomain, you can customize the suffix used as
the routing subdomain to create your routes. If sc_deployment_platform is
set to "
If you
customize the hostname, you must ensure that the hostname suffix is the same as the default
OpenShift router canonical hostname, otherwise you might get an error when you use IBM Business
Automation Studio.OCP" or "ROKS", routes are created automatically. The
routes are generated in the
form: |
None | No |
| sc_deployment_license | Valid values are non-production and production. | production | Yes |
| sc_deployment_patterns | The patterns or capabilities to be deployed. Names of the patterns must be separated by a comma. | foundation | Yes |
| sc_deployment_platform | Valid options are "OCP" and "ROKS".
|
OCP | Yes |
| sc_deployment_profile_size | For a starter deployment type, the starter profile must be
used. For a production deployment type, the default is |
small | No |
| sc_deployment_type | Digital Business Automation
can be installed for evaluation or production purposes. Set the value to starter for an evaluation deployment, and production for all other deployment types. Note: If you set the value to "starter", Db2® Universal
Container and OpenLDAP instances are created as part of the installation. If the value is set to
"starter", you must also set the sc_dynamic_storage_classname
parameter.
|
None | Yes |
| sc_drivers_url |
Necessary if you want to use your own JDBC drivers and/or need to provide ICCSAP drivers. If you are providing multiple JDBC drivers and ICCSAP drivers, all the files must be compressed in a single file. You must put the compressed file on an accessible web server and enter the URL as the value. For
example, |
None | No |
sc_iam
|
The name of the admin user for the IBM Identity and Management (IM) foundational service. | cpadmin | No |
| sc_image_repository | By default IBM Entitled Registry is used, and the value is set to "cp.icr.io". When a private image registry is used, the value for sc_image_repository must be set to the URL for that location. For example: myimageregistry.com/project_name. For an air gap installation, make sure that the parameter is set to the default value. | cp.icr.io | No |
| sc_image_tag | A tag value that is applied to all container images. Digests are used instead of the image tag, but it is useful to keep the tag up to date with the corresponding version. The list of digests used in each version can be found in the resources.yaml file under the ${CASE_LOCAL_PATH}/ibm-cp-automation/inventory/cp4aOperatorSdk directory of the CASE package. For more information, see Preparing a client to connect to the cluster. |
None | No |
| sc_ingress_enable | For ROKS, set this parameter to true to enable Ingress. The default value is false, which creates routes instead of Ingress. | false |
No Yes on ROKS. |
| sc_ingress_tls_secret_name | Must be set if you enable ingress on ROKS. This secret provides TLS for the ingress
controller. To get the secret when Ingress is enabled with TLS, run the following command. |
None |
No Yes if ingress is enabled. |
| sc_install_automation_base | By default the value is set to true. The default value installs Kafka and
Elasticsearch for Business Automation Insights. If you want to use a pre-installed AutomationBase
instance in the Cloud Pak, then set the value to false to prevent the Cloud Pak
installing a new instance. You can also change the value after an installation if you want to
customize the AutomationBase instance. Setting the value to false after the
installation prevents the Cloud Pak operator from overriding the customized instance with the
default configuration. |
true | No |
| sc_optional_components | The optional components to be installed. | ums, bas, bai | No |
| sc_run_as_user | For Cloud Native Computing Foundation (CNCF) platforms such as Amazon Web Services (AWS), Google Kubernetes Engine (GKE), and so on, a value is required for this parameter. On OCP and ROKS, this parameter is not required. Specify the user to run the security context of the pod. The value is usually a number that corresponds to a user ID. | None | Yes if the deployment platform is set to other. |
| sc_seccomp_profile.type | Specify the type of seccomp profile to be used by the pods. Possible values are:
Unconfined, RuntimeDefault, Localhost. For more
information about seccomp profile, see the Restrict a Container's Syscalls with
seccomp. |
Default value:
Example: |
No |
| sc_seccomp_profile.localhost_profile | Specify the local path of the seccomp profile file. This parameter is required if
sc_seccomp_profile.type is set to Localhost. The value of
sc_seccomp_profile.localhost_profile is ignored if sc_seccomp_profile.type is set to anything other
than Localhost. For more information, see Configuring seccomp profiles. |
Example: profiles/audit.json | Only if sc_seccomp_profile.type is set to Localhost |
| sc_skip_ldap_config |
Set sc_skip_ldap_config to true if your deployment configures direct access to IM from the containers. Set sc_skip_ldap_config to false if you configured the content pattern and the FileNet P8 domain with a directory service provider. Upgrades from systems that are created with a directory service provider for a content pattern, must set this parameter to false. |
true | Yes, if there is an upgrade deployment when the previous deployment has LDAP XML and LDAP configured in ACCE. |
storage_configuration
|
Three storage classes are needed for slow, medium, and fast storage. If one storage class is
defined, then you can use that one storage class for all three parameters. The set block storage
class name is used for the PVCs that are created for MongoDB. The class name is passed to the
Automation foundation |
None | Yes |
| trusted_certificate_list | Trusted certificate secret names. Every component trusts these certificates for secure communication. Enter a comma-delimited list of the secret names in an array. For example, [secret_name1, secret_name2]. | [] | No |