Checking the cluster configuration

You must check and edit the shared sections of the compiled custom resource file before you apply it to the operator.

About this task

In all cases, check the <Required> values for the image_pull_secrets and images parameters in the shared_configuration section. For more information, see Shared configuration parameters.

Table 1. Checking <Required> parameters for selected images

Parameter                        Description
dbcompatibility_init_container   Repository from which to pull the Application Engine init_container, and the corresponding tag.
image_pull_secrets               Secrets in your target namespace that are used to pull images from the specified repository.

Procedure

  1. Locate the shared_configuration section in the custom resource (CR) file in the OCP console YAML View or the file that you created by using the deployment script, then check and correct the deployment parameters.
    The custom resource templates can include the following parameters:
    License parameters
    • sc_deployment_license, which can be non-production or production.
    • sc_deployment_fncm_license, which can be: user, non-production, or production.
    • sc_deployment_baw_license, which can be: user, non-production, or production.
    Note: You can ignore the fncm and baw parameters if they do not appear in your custom resource.
    Platform parameters
    • sc_deployment_platform, which can be "OCP" or "ROKS".
    • sc_ingress_enable must be set to true to create an ingress on ROKS.
    Sizing parameters
    sc_deployment_profile_size, which determines the profile of your deployment. The default is small, but you can change the profile to medium or large.
    Huge pages
    sc_hugepages enables the allocation of huge pages that are configured in the cluster to your CP4BA deployment. By default, huge pages allocation is not enabled. If you want your CP4BA deployment to use the huge pages that you enabled on the cluster, set sc_hugepages.enabled to true. For more information, see Shared configuration.
    Storage parameters
    These parameters are mandatory.
    • sc_slow_file_storage_classname
    • sc_medium_file_storage_classname
    • sc_fast_file_storage_classname
    • sc_block_storage_classname
    Content pattern parameters
    The following content pattern parameters can be true or false.
    • sc_content_initialization
    • sc_content_verification
    Note: You can ignore these parameters if you are not installing the content pattern.
  2. Optional: Configure the root secret, external SSL/TLS certificate secret, and the trusted certificate list.

    The custom YAML file includes the root_ca_secret, external_tls_certificate_secret, and trusted_certificate_list parameters. The root_ca_secret parameter is the name of the secret that contains the root CA signer certificate for the Cloud Pak. If the secret does not exist, then a self-signed signer certificate is generated. For more information, see Changing the default root CA signer certificate.

    For production environments, it is likely that you want to use your own certificates that are trusted by your clients. The external_tls_certificate_secret parameter is used to store a wildcard certificate, which can be more convenient than a certificate for each subdomain. A multi-domain wildcard certificate can also be used to secure multiple domains and their subdomain names. For more information, see Creating secure endpoints for external services.

    Important: If you choose to use self-signed certificates, certain features of the product might not work as expected because of modern browser restrictions that are related to self-signed certificates. A browser blocks any redirect to a site that uses a certificate that is not signed by a root CA that is trusted by the browser. This can result in access issues for business applications.

    The trusted_certificate_list parameter can be used to trust root CA certificates for external services. For more information, see Connecting endpoints to external services over TLS.

  3. Check the resource_registry_configuration section.

    Automatic backup for the Resource Registry is recommended. For more information, see Enabling Resource Registry disaster recovery.

  4. Check the values for the image_pull_secrets parameter, the sc_image_repository parameter, and for the Application Engine repositories.

    All components use the same Docker image repository. By default, the IBM Entitlement Registry (cp.icr.io) is used.

    shared_configuration:
      sc_image_repository: cp.icr.io
      image_pull_secrets:
      - ibm-entitlement-key

    For an air-gap installation, make sure that the sc_image_repository parameter is set to the default value. The images section is needed only if your environment is offline (air-gapped deployment).

    shared_configuration:
      sc_image_repository: cp.icr.io
      image_pull_secrets:
      - ibm-entitlement-key
      images:
        dbcompatibility_init_container:
          repository: <registry_url>:5000/<namespace>/dba-dbcompatibility-initcontainer
          tag: <version>
        pull_policy: IfNotPresent

    The <version> number is 24.0.0.

    If you loaded the images to a local registry, enter your values in the sc_image_repository parameter, and edit the ibm-entitlement-key secret with the local "Registry Server Address" (for example mycorp-docker-local.mycorp.com) and the user credentials to pull the images from your registry.

    sc_image_repository: <registry_domain_name>/<project-name>
    Note: If your custom resource does not include BAA, you do not see these lines in your custom resource file.
  5. If required: If you did not run the cp4a-prerequisites.sh script and selected an LDAP in your deployment, then enter the appropriate parameter values for your LDAP instance in the ldap_configuration section.

    Authorization does not work in the cluster if the LDAP parameter values do not match what your LDAP design requires. LDAP designs vary significantly, so the default values are not always correct. For improved performance, limit access to the minimum number of users and groups. Make sure that the pagination, base DN, and SCIM attribute mapping parameters are set correctly. For more information, see LDAP configuration.

    If you need to create a secret for the lc_bind_secret parameter to store the bind dn and bind password, then go ahead and create it.

    oc create secret generic my-ldap-tds-secret --from-literal=ldapUsername="cn=root" --from-literal=ldapPassword="XXXXXXXX"

    Verify that the LDAP bind secret is set properly in the OCP console or by running the following command, and then set the value in the custom resource file.

    oc extract secret/my-ldap-tds-secret --to=-
    Important: When the LDAP password expires or changes, you must remember to update this secret with the new password, and then restart any pods that got stuck or failed as a result of the LDAP being inaccessible.

    If you want to use SSL-enabled LDAP in your container environment, you must create the SSL secret with the certificate of the LDAP server.

    1. Get the root CA certificate that was used to sign your LDAP server certificate and save it to a file, for example ldap-server-cert.crt. See OpenSSL for instructions to export the root CA of your external service.
    2. To create the secret, run the following command.
      oc create secret generic secretName --from-file=tls.crt=your_cert_path/ldap-server-cert.crt

      Substitute your values for secretName and your_cert_path/ldap-server-cert.crt. The certificate and key files must be in Privacy Enhanced Mail (PEM) format.

    3. After you obtain the certificate and create the secret, enable SSL and provide the secret name in the ldap_configuration section of the custom resource YAML file.
      ldap_configuration:
        …
          lc_ldap_ssl_enabled: true
          lc_ldap_ssl_secret_name: "<secretName>"

      Set lc_ldap_ssl_enabled to true and set lc_ldap_ssl_secret_name to the name of your own secret.

    If you want to use ROKS Virtual Private Cloud (VPC) infrastructure, make sure that you adjust your configuration in the following ways.

    • Your LDAP server must be in the same VPC as the ROKS VPC.
    • The custom resource parameter lc_ldap_server must be set to the internal IP or internal DNS, for example:
      lc_ldap_server: 10.240.0.16
    Note: If you used the OCP console, SCIM parameters are not available in the Form view or the YAML view. To add parameters for a SCIM configuration, for example under scim_configuration_iam, edit the CR outside of the console.
  6. If required: If you did not run the cp4a-prerequisites.sh script and you did not select EDB Postgres as the only database type, then enter the parameter values for your data source instance in the datasource_configuration section.

    Your deployment might need several databases. Follow the configuring instructions for each component to complete this section.

  7. Optional: If you selected EDB Postgres as a database type for any of the capabilities, check the database parameters under the datasource_configuration section, because they are used whenever they are present in the custom resource.

    The value of the database_name is used to create the database for that component. The database_ssl_secret_name is set to the secret that is created for the {{ meta.name }}-pg-client-cert-secret parameter.

    The following database names are used for each component if these parameters are not specified in the custom resource.

    Table 2. Component database default names

    Component                                               Default database name
    dc_gcd_datasource                                       gcddb
    dc_os_datasources                                       os + (index) + db
    dc_cpe_datasources                                      chos + (index)
    dc_icn_datasource                                       icndb
    dc_odm_datasource                                       odmdb
    dc_ca_datasource                                        adpbase
    bastudio_configuration                                  basdb
    bastudio_configuration.playback_server.database.name    appdb
    baw_configuration                                       bawdb + (index)
      • document object store database                      bawdocs
      • design object store database                        bawdos
      • target object store database                        bawtos
    application_engine_configuration                        aaedb + (index)
  8. Optional: Modify the default value (cpadmin) of the sc_iam.default_admin_username parameter for the Identity Management (IM) foundational service.

    The IM admin username cannot be the same as a user in your LDAP. If your LDAP has a user with the name cpadmin, then set a different default admin username for IM.

  9. Optional: Modify the network configuration for your deployment by adding your custom values to the shared_configuration.sc_egress_configuration section.

    By default, all CP4BA pods have restricted network access to external systems. Set sc_restricted_internet_access to false to allow all CP4BA pods access to external systems. You can customize the OpenShift DNS and API Server namespaces and ports, or use the defaults. For more information, see Shared configuration parameters.

    For more information about customizing your network security, see Configuring cluster security.
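As an added example (not IBM's code and not part of this page), the following Python checker applies the rules from steps 1, 4 and 5 to a custom resource that has already been parsed into a dict, for example by yaml.safe_load: it flags unreplaced <Required>-style placeholders, invalid license and platform values, missing mandatory storage and image parameters, and an SSL-enabled LDAP section without a secret name. The sample CR, its storage class names and the secret names are constructed for the example.

```python
import re
PLACEHOLDER = re.compile(r"<[A-Za-z_][A-Za-z0-9_ ]*>")  # unreplaced tokens such as <Required> or <version>
LICENSE = {"non-production", "production"}
FNCM_BAW_LICENSE = LICENSE | {"user"}  # the fncm and baw licence parameters also accept "user"
REQUIRED_KEYS = ("sc_slow_file_storage_classname", "sc_medium_file_storage_classname",
                 "sc_fast_file_storage_classname", "sc_block_storage_classname",
                 "sc_image_repository", "image_pull_secrets")

def find_placeholders(node, path=""):
    """Walk the parsed CR; return the paths of string values that still contain a <token>."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_placeholders(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_placeholders(value, f"{path}[{i}]")
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        hits.append(path)
    return hits

def check_cr(cr):
    """Return the problems found in a CR already parsed into a dict (e.g. by yaml.safe_load)."""
    problems = [f"unreplaced placeholder at {p}" for p in find_placeholders(cr)]
    sc = cr.get("spec", {}).get("shared_configuration", {})
    if sc.get("sc_deployment_license") not in LICENSE:
        problems.append("sc_deployment_license must be non-production or production")
    for key in ("sc_deployment_fncm_license", "sc_deployment_baw_license"):
        if key in sc and sc[key] not in FNCM_BAW_LICENSE:  # ignored when absent from the CR
            problems.append(f"{key} must be user, non-production or production")
    platform = sc.get("sc_deployment_platform")
    if platform not in ("OCP", "ROKS"):
        problems.append("sc_deployment_platform must be OCP or ROKS")
    elif platform == "ROKS" and sc.get("sc_ingress_enable") is not True:
        problems.append("sc_ingress_enable must be true on ROKS")
    problems += [f"{key} is mandatory" for key in REQUIRED_KEYS if not sc.get(key)]
    ldap = cr.get("spec", {}).get("ldap_configuration", {})
    if ldap.get("lc_ldap_ssl_enabled") and not ldap.get("lc_ldap_ssl_secret_name"):
        problems.append("lc_ldap_ssl_enabled is true but lc_ldap_ssl_secret_name is unset")
    return problems

# Constructed sample CR (not from the page): ROKS, air-gapped, with two mistakes left in.
SAMPLE_CR = {"spec": {
    "shared_configuration": {
        "sc_deployment_license": "production", "sc_deployment_platform": "ROKS", "sc_ingress_enable": False,
        "sc_image_repository": "cp.icr.io", "image_pull_secrets": ["ibm-entitlement-key"],
        **{key: "ibmc-gold" for key in REQUIRED_KEYS[:4]},  # the four mandatory storage classes
        "images": {"dbcompatibility_init_container": {
            "repository": "<registry_url>:5000/cp4ba/dba-dbcompatibility-initcontainer", "tag": "24.0.0"}}},
    "ldap_configuration": {"lc_ldap_ssl_enabled": True, "lc_ldap_ssl_secret_name": "ldap-ssl-secret"}}}
```

Running check_cr(SAMPLE_CR) reports the placeholder left in the init container repository and the missing ingress on ROKS; an empty CR reports every mandatory parameter.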