Configuring Decision Designer

You can customize the Decision Designer sensitive configuration and TLS certificates.

About this task

The customizations described here are optional; default values are used if you do nothing. The steps in the Procedure section do not need to be done in order.

Procedure

  1. Optional: Generate a secret for sensitive configuration.

    Sensitive configuration settings must not be exposed in the custom resource YAML file. The icp4a-operator generates the secret <instance_name>-ads-designer-secret automatically, but you can decide to create your own secret with your own credentials.

    Here is an example of <instance_name>-ads-designer-secret.

    apiVersion: v1
    kind: Secret
    metadata:
      name: <instance_name>-ads-designer-secret
    type: Opaque
    stringData:
      encryptionKeys: |
        <ENCRYPTION_KEYS>
      sslKeystorePassword: <SSL_KEYSTORE_PASSWORD>

    The parameters of the secret are explained in the following table.

    Table 1. <instance_name>-ads-designer-secret configuration parameters
    Parameter: encryptionKeys
    Mandatory: Yes
    Description: A data structure that encapsulates the secret used to generate an Advanced Encryption Standard (AES) symmetric key for ciphering/deciphering the secrets. The data structure must be:
      {"activeKey":"key1","secretKeyList":[{"secretKeyId":"key1",
          "value":"123344566745435"},{"secretKeyId":"key2",
          "value":"987766544365675"}]}
      Where activeKey must exist in the secretKeyList and designates the secret to use for symmetric key derivation. If the activeKey value does not exist, Decision Designer won't start.

    Parameter: sslKeystorePassword
    Mandatory: Yes
    Description: A password used to generate SSL keystores.

    If you need more information about the Decision Designer secret, see the admin_secret_name parameter in Decision Designer parameters. For more information about customizing Decision Designer in the custom resources, see Configuring Automation Decision Services.

    Important: encryptionKeys is used to encrypt and decrypt some sensitive values in the database. The active key is used to encrypt new values. If the active key has been compromised or needs to be replaced, an administrator can define another one and reference it as the active key. Secrets that were encrypted with older keys continue to be decrypted, provided that the key ID is preserved. However, it is recommended to re-encrypt them from Decision Designer, and then remove the old keys from encryptionKeys.
  2. Optional: Take care of untrusted TLS certificates.

    If Decision Designer is supposed to interact with servers like Git, machine learning (ML), MongoDB, or other servers whose TLS certificates are not signed by an official Certificate Authority (CA), you must gather these certificates and configure Decision Designer to establish trust with these servers.

    If you use the operator lifecycle manager (OLM) to install Automation Decision Services, then follow the documentation Importing the certificate of an external service to add untrusted certificates.

    If you use the deployment script to install Automation Decision Services, then execute the following steps to add untrusted certificates.

    1. Get the TLS certificate of a running service.
      openssl s_client -connect <hostname>:<port> -servername <hostname> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    2. Create a ConfigMap to hold the TLS certificates of the Git servers.
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: <instance_name>-ads-designer-git-certificates
      data:
        my_git_server1.crt: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        my_git_server2.crt: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----

      You will set this ConfigMap to the decision_designer.git_servers_certs parameter of the custom resource file at a later stage in the installation.

    3. Create a ConfigMap to hold the TLS certificates of the ML providers.
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: <instance_name>-ads-designer-ml-providers-certificates
      data:
        my_ml_provider1.crt: |
          -----BEGIN CERTIFICATE-----
               ...
          -----END CERTIFICATE-----
        my_ml_provider2.crt: |
          -----BEGIN CERTIFICATE-----
               ...
          -----END CERTIFICATE-----

      You will set this ConfigMap to the decision_designer.ml_providers_certs parameter of the custom resource file at a later stage in the installation.

    4. Create a ConfigMap to hold the TLS certificates of the external MongoDB or any other server.
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: <instance_name>-ads-designer-mongo-other-certificates
      data:
        mongo_certificate.crt: |
          -----BEGIN CERTIFICATE-----
               ...
          -----END CERTIFICATE-----
        another_certificate.crt: |
          -----BEGIN CERTIFICATE-----
               ...
          -----END CERTIFICATE-----

      You will set this ConfigMap to the decision_designer.other_trusted_certs parameter of the custom resource file at a later stage in the installation.

    For more information about Decision Designer configuration parameters, see Decision Designer parameters.

    For more information about customizing the custom resources, see Configuring Automation Decision Services.

    Note: The key for each certificate entry must be a valid filename with a .crt extension.
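
For step 1, a pre-flight check of the encryptionKeys value and the key rotation described in the Important note, as an added example (not IBM code). The function names are hypothetical, the sample value is the one shown in Table 1, and the duplicate-ID and empty-value checks are assumptions beyond what the page states.

```python
import json

# Sample structure as shown in Table 1 of this page.
SAMPLE = ('{"activeKey":"key1","secretKeyList":[{"secretKeyId":"key1",'
          '"value":"123344566745435"},{"secretKeyId":"key2",'
          '"value":"987766544365675"}]}')

def validate_encryption_keys(raw):
    """Return a list of problems in an encryptionKeys value; empty means OK."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    keys = doc.get("secretKeyList") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["secretKeyList must be a non-empty list"]
    problems, ids = [], []
    for i, entry in enumerate(keys):
        key_id = entry.get("secretKeyId") if isinstance(entry, dict) else None
        value = entry.get("value") if isinstance(entry, dict) else None
        # Assumed sanity checks (not stated on the page): IDs unique, values set.
        if not isinstance(key_id, str) or not key_id:
            problems.append(f"secretKeyList[{i}]: missing secretKeyId")
        elif key_id in ids:
            problems.append(f"secretKeyList[{i}]: duplicate secretKeyId {key_id!r}")
        else:
            ids.append(key_id)
        if not isinstance(value, str) or not value:
            problems.append(f"secretKeyList[{i}]: missing value")
    # Stated on the page: Decision Designer won't start without this.
    if doc.get("activeKey") not in ids:
        problems.append(f"activeKey {doc.get('activeKey')!r} is not in secretKeyList")
    return problems

def rotate_active_key(raw, new_id, new_value):
    """Add a key and make it active; old keys stay so existing data decrypts."""
    problems = validate_encryption_keys(raw)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(raw)
    if any(k["secretKeyId"] == new_id for k in doc["secretKeyList"]):
        raise ValueError(f"secretKeyId {new_id!r} already exists; do not reuse IDs")
    doc["secretKeyList"].append({"secretKeyId": new_id, "value": new_value})
    doc["activeKey"] = new_id
    return json.dumps(doc)

if __name__ == "__main__":
    print(validate_encryption_keys(SAMPLE))
    print(rotate_active_key(SAMPLE, "key3", "<NEW_SECRET_VALUE>"))
```

Remove an old entry from secretKeyList only after the values it protects have been re-encrypted from Decision Designer.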
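
For step 2, a check of the ConfigMap data entries before they are applied, as an added example (not IBM code): it enforces the .crt key rule from the Note, rejects bodies that still hold the ... placeholder, and returns SHA-256 fingerprints to compare out of band with the server owner, because a certificate fetched with openssl s_client is only what the network presented at that moment. Function names and sample entries are constructed, and the check covers PEM framing and base64 only, not X.509 validity.

```python
import hashlib
import re
import ssl

# ConfigMap keys allow alphanumerics, '-', '_' and '.'; this page adds ".crt".
KEY_RE = re.compile(r"[A-Za-z0-9._-]+\.crt")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprint(pem_block):
    """SHA-256 over the DER bytes, colon-separated as openssl x509 prints it."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    if not der:
        raise ValueError("certificate body is empty (placeholder left in?)")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_entries(data):
    """Return (fingerprints per key, problems) for a ConfigMap 'data' mapping."""
    fingerprints, problems = {}, []
    for key, value in data.items():
        if not KEY_RE.fullmatch(key):
            problems.append(f"{key}: key must be a filename ending in .crt")
        blocks = PEM_RE.findall(value)
        if not blocks:
            problems.append(f"{key}: no PEM certificate block found")
            continue
        try:
            fingerprints[key] = [fingerprint(block) for block in blocks]
        except ValueError as exc:  # also covers malformed base64
            problems.append(f"{key}: {exc}")
    return fingerprints, problems

# Constructed sample: placeholder bytes wrapped in PEM framing, not a real cert.
DER = b"constructed bytes, not a real certificate"
SAMPLE = {
    "my_git_server1.crt": ssl.DER_cert_to_PEM_cert(DER),
    "my git server.pem": ssl.DER_cert_to_PEM_cert(DER),
    "my_git_server2.crt":
        "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    found, issues = check_entries(SAMPLE)
    for name, prints in found.items():
        print(name, prints)
    for issue in issues:
        print("PROBLEM:", issue)
```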

What to do next

If you install Decision Designer, you must also install Business Automation Studio and Application Engine. Follow the preparing to install steps for each of these capabilities. For more information, see Preparing your chosen capabilities.