Configuring Decision Designer
You can customize the Decision Designer sensitive configuration and TLS certificates.
About this task
Procedure
- Optional: Generate a secret for sensitive configuration.
Sensitive configuration settings must not be exposed in the custom resource YAML file. The icp4a-operator generates the secret <instance_name>-ads-designer-secret automatically, but you can decide to create your own secret with your own credentials. Here is an example of <instance_name>-ads-designer-secret:
    apiVersion: v1
    kind: Secret
    metadata:
      name: <instance_name>-ads-designer-secret
    type: Opaque
    stringData:
      encryptionKeys: |
        <ENCRYPTION_KEYS>
      sslKeystorePassword: <SSL_KEYSTORE_PASSWORD>
The parameters of the secret are explained in the following table.
Table 1. <instance_name>-ads-designer-secret configuration parameters

Parameter: encryptionKeys
Description: A data structure that encapsulates the secret to generate an Advanced Encryption Standard (AES) symmetric key for ciphering/deciphering the secrets. The data structure must be:
    {"activeKey":"key1","secretKeyList":[{"secretKeyId":"key1", "value":"123344566745435"},{"secretKeyId":"key2", "value":"987766544365675"}]}
where activeKey must exist in the secretKeyList and designates the secret to use for symmetric key derivation. If the activeKey value does not exist, Decision Designer won't start.
Mandatory: Yes

Parameter: sslKeystorePassword
Description: A password used to generate SSL keystores.
Mandatory: Yes

If you need more information about the Decision Designer secret, see the admin_secret_name parameter in Decision Designer parameters. For more information about customizing Decision Designer in the custom resources, see Configuring Automation Decision Services.
Important: encryptionKeys is used to encrypt and decrypt some sensitive values in the database. The active key is used to encrypt new values. If the active key has been compromised or needs to be replaced, an administrator can define another one and reference it as the active key. Secrets that have been encrypted by older keys continue to be decrypted provided that the key ID is preserved. But it is recommended to re-encrypt them from Decision Designer, and then remove the old keys from encryptionKeys.
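As an added illustration (not IBM's code and not part of this page), the following POSIX shell script shows the rules above in practice: it generates random key values, assembles the encryptionKeys JSON, refuses an activeKey that is absent from secretKeyList (the misconfiguration that prevents Decision Designer from starting), performs a rotation by adding key2 as the new active key while keeping key1 so that older values still decrypt, and renders the Secret manifest in the layout shown earlier. The instance name ads-demo, the key IDs and the use of /dev/urandom for random values are assumptions of this example; pipe the output to kubectl apply -f - to create the secret.

```shell
#!/bin/sh
# Added example, not IBM's code: build <instance_name>-ads-designer-secret
# from generated values. Instance name "ads-demo" and key IDs are assumptions.

# 32 random bytes as 64 hex characters, using only /dev/urandom and od
# (no dependency on openssl). Used for key values and the keystore password.
random_hex() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# make_encryption_keys ACTIVE_ID ID=VALUE [ID=VALUE ...]
# Prints the encryptionKeys JSON. Returns 1 without printing when ACTIVE_ID
# is not one of the listed IDs, because Decision Designer will not start
# with an activeKey that is missing from secretKeyList.
make_encryption_keys() {
  active="$1"; shift
  list=""; found=0
  for pair in "$@"; do
    id="${pair%%=*}"
    value="${pair#*=}"
    [ "$id" = "$active" ] && found=1
    entry="{\"secretKeyId\":\"$id\",\"value\":\"$value\"}"
    if [ -z "$list" ]; then list="$entry"; else list="$list,$entry"; fi
  done
  if [ "$found" -ne 1 ]; then
    echo "activeKey '$active' is not in secretKeyList" >&2
    return 1
  fi
  printf '{"activeKey":"%s","secretKeyList":[%s]}\n' "$active" "$list"
}

# make_secret_manifest NAME ENCRYPTION_KEYS_JSON KEYSTORE_PASSWORD
# Prints the Secret in the layout the page shows. stringData lets the values
# be written in clear text; the API server stores them base64-encoded.
make_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
stringData:
  encryptionKeys: |
    $2
  sslKeystorePassword: $3
EOF
}

# Initial configuration: a single key, which is also the active key.
KEY1=$(random_hex)
KEYS_JSON=$(make_encryption_keys key1 "key1=$KEY1")

# Rotation: add key2 and make it active. key1 stays in the list so that
# values encrypted under it still decrypt; drop it only after re-encrypting
# those values from Decision Designer.
KEY2=$(random_hex)
KEYS_JSON=$(make_encryption_keys key2 "key1=$KEY1" "key2=$KEY2")

# Render the manifest on stdout. To create the secret:  ... | kubectl apply -f -
make_secret_manifest ads-demo-ads-designer-secret "$KEYS_JSON" "$(random_hex)"
```

The script writes the manifest to stdout instead of applying it, so the generated values can be recorded in your secrets management tooling before the Secret exists in the cluster. Once every stored value has been re-encrypted under key2, rerun make_encryption_keys with only the key2 pair to retire key1.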
- Optional: Take care of untrusted TLS certificates.
If Decision Designer is supposed to interact with servers like Git, machine learning (ML), MongoDB, or other servers whose TLS certificates are not signed by an official Certificate Authority (CA), you must gather these certificates and configure Decision Designer to establish trust with these servers.
If you use the operator lifecycle manager (OLM) to install Automation Decision Services, then follow the documentation Importing the certificate of an external service to add untrusted certificates.
If you use the deployment script to install Automation Decision Services, then execute the following steps to add untrusted certificates.
- Get the TLS certificate of a running service.
    openssl s_client -connect <hostname>:<port> -servername <hostname> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
- Create a ConfigMap to hold the TLS certificates of the Git servers.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: <instance_name>-ads-designer-git-certificates
    data:
      my_git_server1.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      my_git_server2.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
You will set this ConfigMap to the decision_designer.git_servers_certs parameter of the custom resource file at a later stage in the installation.
- Create a ConfigMap to hold the TLS certificates of the ML providers.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: <instance_name>-ads-designer-ml-providers-certificates
    data:
      my_ml_provider1.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      my_ml_provider2.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
You will set this ConfigMap to the decision_designer.ml_providers_certs parameter of the custom resource file at a later stage in the installation.
- Create a ConfigMap to hold the TLS certificates of the external MongoDB or any other server.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: <instance_name>-ads-designer-mongo-other-certificates
    data:
      mongo_certificate.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      another_certificate.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
You will set this ConfigMap to the decision_designer.other_trusted_certs parameter of the custom resource file at a later stage in the installation.
For more information about Decision Designer configuration parameters, see Decision Designer parameters.
For more information about customizing the custom resources, see Configuring Automation Decision Services.
Note: The key for each certificate entry must be a valid filename with a .crt extension.
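As an added illustration (not IBM's code and not part of this page), the following POSIX shell script automates the ConfigMap steps above for any of the three server groups: it fetches the certificates of each host:port endpoint with the s_client and sed pipeline from the first sub-step, names each file after the host name with the .crt extension the note requires (replacing characters that are not allowed in a ConfigMap key), checks that the file actually contains a PEM certificate block, and renders the ConfigMap with kubectl create configmap --from-file, which turns each file name into a data key exactly as in the manifests above. The endpoint list, the script name gather-certs.sh, the ConfigMap name ads-demo-ads-designer-git-certificates and the -showcerts flag are additions of this example: -showcerts makes s_client print the whole chain the server presents, so the issuing CA certificate of a private-CA-signed server is captured together with the leaf certificate (for a self-signed server the two are the same).

```shell
#!/bin/sh
# Added example, not IBM's code. Gathers server certificates into a directory
# and builds the ConfigMap referenced by decision_designer.git_servers_certs
# (or the ML / other-servers variants). Endpoints, script name and ConfigMap
# name are assumptions.

# cert_filename_for HOST:PORT
# Prints the ConfigMap key for the endpoint, e.g. git.example.internal.crt.
# ConfigMap keys may only contain letters, digits, '-', '_' and '.', so any
# other character in the host name is replaced by '_'.
cert_filename_for() {
  host="${1%%:*}"
  printf '%s.crt\n' "$(printf '%s' "$host" | sed 's/[^A-Za-z0-9._-]/_/g')"
}

# is_pem_certificate FILE
# Succeeds when FILE holds at least one PEM certificate block.
is_pem_certificate() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && grep -q -e '-----END CERTIFICATE-----' "$1"
}

# fetch_certificate HOST:PORT DIR
# Saves the chain the server presents (leaf first) as DIR/<host>.crt and
# removes the file again if nothing usable came back.
fetch_certificate() {
  endpoint="$1"; dir="$2"
  host="${endpoint%%:*}"
  out="$dir/$(cert_filename_for "$endpoint")"
  openssl s_client -connect "$endpoint" -servername "$host" -showcerts < /dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out"
  if ! is_pem_certificate "$out"; then
    echo "no certificate received from $endpoint" >&2
    rm -f "$out"
    return 1
  fi
}

# render_configmap NAME DIR
# Every file in DIR becomes one data entry keyed by its file name.
render_configmap() {
  kubectl create configmap "$1" --from-file="$2" --dry-run=client -o yaml
}

# Usage: sh gather-certs.sh <configmap-name> <host:port> [<host:port> ...]
# Example: sh gather-certs.sh ads-demo-ads-designer-git-certificates git.example.internal:443
if [ "$#" -ge 2 ]; then
  name="$1"; shift
  dir=$(mktemp -d)
  for ep in "$@"; do
    fetch_certificate "$ep" "$dir"
  done
  render_configmap "$name" "$dir"
fi
```

Pipe the rendered manifest to kubectl apply -f - once you have reviewed the collected files: the script records whatever the endpoint presented at fetch time, so confirm each certificate out of band (for example by comparing its fingerprint with the one the server's administrator publishes) before the ConfigMap is applied.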