Configuring the decision runtime

You can customize the decision runtime secret and persistent volume.

About this task

The customization steps described here are optional because the installation applies the default configuration. However, if you change any parameter value inside the secret, you must update the secret.

For more information about decision runtime configuration parameters, see Automation Decision Services parameters.

Procedure

  1. Generate a runtime secret for sensitive configuration.

    Sensitive configuration settings must not be exposed in the custom resource YAML file. The icp4a-operator generates some of the settings automatically, but you might want to define your own configuration.

    For example, you can create the following ibm-dba-ads-runtime-secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ibm-dba-ads-runtime-secret
    type: Opaque
    stringData:
      asraManagerUsername: "asraManager"
      asraManagerPassword: "asraManagerPassword"
      decisionServiceUsername: "drs"
      decisionServicePassword: "drsPassword"
      decisionServiceManagerUsername: "drsManager"
      decisionServiceManagerPassword: "drsManagerPassword"
      decisionRuntimeMonitorUsername: "drsMonitor"
      decisionRuntimeMonitorPassword: "drsMonitorPassword"
      deploymentSpaceManagerUsername: "depManager"
      deploymentSpaceManagerPassword: "depManagerPassword"
      encryptionKeys: |
        <ENCRYPTION_KEYS>
      sslKeystorePassword: <SSL_KEYSTORE_PASSWORD>
    
    The parameters of the secret are explained in the following table.
    Important: Every username key must be unique.

    Table 1. ibm-dba-ads-runtime-secret configuration parameters

    Parameter | Description | Mandatory
    asraManagerUsername | The user name to authenticate with the automation service registration API server for managing automation services. Not affected by decision_runtime.authentication_mode. | Yes
    asraManagerPassword | The user password to authenticate with the automation service registration API server for managing automation services. Not affected by decision_runtime.authentication_mode. | Yes
    decisionServiceUsername | The user name to authenticate with the decision runtime server for executing decision services. | Yes
    decisionServicePassword | The user password to authenticate with the decision runtime server for executing decision services. | Yes
    decisionServiceManagerUsername | The user name to authenticate with the decision runtime server for managing the decision archives. Not affected by decision_runtime.authentication_mode. | Yes
    decisionServiceManagerPassword | The user password to authenticate with the decision runtime server for managing the decision archives. Not affected by decision_runtime.authentication_mode. | Yes
    decisionRuntimeMonitorUsername | The user name to authenticate with the decision runtime server for monitoring the runtime server. Not affected by decision_runtime.authentication_mode. | Yes
    decisionRuntimeMonitorPassword | The user password to authenticate with the decision runtime server for monitoring the runtime server. Not affected by decision_runtime.authentication_mode. | Yes
    deploymentSpaceManagerUsername | The user name to authenticate with the decision runtime server for managing the deployment spaces. Not affected by decision_runtime.authentication_mode. | Yes
    deploymentSpaceManagerPassword | The user password to authenticate with the decision runtime server for managing the deployment spaces. Not affected by decision_runtime.authentication_mode. | Yes
    encryptionKeys | A data structure that encapsulates the secret used to generate an Advanced Encryption Standard (AES) symmetric key for ciphering and deciphering the secrets. The data structure must be:
    {"activeKey":"key1","secretKeyList":[{"secretKeyId":"key1","value":"123344566745435"},{"secretKeyId":"key2","value":"987766544365675"}]}
    where activeKey must exist in the secretKeyList and designates the secret to use for symmetric key derivation. If the activeKey value does not exist in the secretKeyList, the decision runtime does not start. | Yes
    sslKeystorePassword | A password used to generate SSL keystores. | Yes
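    A pre-apply check for the secret above, written as an added example (it is not part of the IBM documentation or the icp4a-operator): it verifies that every username key holds a distinct user name, that no template placeholder such as <ENCRYPTION_KEYS> is left in place, and that the encryptionKeys JSON names an activeKey that exists in secretKeyList, the condition under which the decision runtime refuses to start. The sample stringData map is constructed from the page's example values; decode_secret_data is an assumed helper for secrets fetched with kubectl in JSON form.

```python
import base64
import json

# Constructed sample: the stringData map of an ibm-dba-ads-runtime-secret
# with the encryptionKeys placeholder already replaced (values are made up).
SAMPLE_STRING_DATA = {
    "asraManagerUsername": "asraManager",
    "asraManagerPassword": "asraManagerPassword",
    "decisionServiceUsername": "drs",
    "decisionServicePassword": "drsPassword",
    "decisionServiceManagerUsername": "drsManager",
    "decisionServiceManagerPassword": "drsManagerPassword",
    "decisionRuntimeMonitorUsername": "drsMonitor",
    "decisionRuntimeMonitorPassword": "drsMonitorPassword",
    "deploymentSpaceManagerUsername": "depManager",
    "deploymentSpaceManagerPassword": "depManagerPassword",
    "encryptionKeys": '{"activeKey":"key1","secretKeyList":[{"secretKeyId":"key1",'
                      '"value":"123344566745435"},{"secretKeyId":"key2","value":"987766544365675"}]}',
    "sslKeystorePassword": "keystorePassword",
}

def decode_secret_data(secret):
    """Turn the base64 'data' map of a Secret fetched with `kubectl get secret -o json` into strings."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}

def validate_runtime_secret(string_data):
    """Return the problems that would stop the decision runtime or weaken the secret (empty = OK)."""
    problems = []
    owners = {}
    for key, value in string_data.items():
        # Every username key must hold a distinct user name.
        if key.endswith("Username"):
            if value in owners:
                problems.append(f"{key} reuses user name {value!r} already used by {owners[value]}")
            owners.setdefault(value, key)
        # Template placeholders such as <ENCRYPTION_KEYS> must be replaced before applying.
        if value.strip().startswith("<") and value.strip().endswith(">"):
            problems.append(f"{key} still holds the placeholder {value.strip()}")
    # encryptionKeys must be JSON whose activeKey exists in secretKeyList.
    try:
        keys = json.loads(string_data.get("encryptionKeys"))
        ids = [entry["secretKeyId"] for entry in keys["secretKeyList"]]
        if keys["activeKey"] not in ids:
            problems.append(f"activeKey {keys['activeKey']!r} is not in secretKeyList {ids}")
        if len(ids) != len(set(ids)):
            problems.append("secretKeyList contains duplicate secretKeyId values")
    except (TypeError, ValueError, KeyError) as exc:
        problems.append(f"encryptionKeys is not the expected structure: {exc!r}")
    return problems
```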
  2. Configure the runtime service persistent volume.

    By default, dynamic provisioning is applied.

    Option 1: Using dynamic provisioning
    With decision_runtime_service.persistence.use_dynamic_provisioning set to true, you must specify a decision_runtime_service.persistence.storage_class_name according to storage classes guidelines. Use a ReadWriteMany (RWX) class. Setting storage_class_name to null means using the default storage class.
    Warning: The decision_runtime_service.persistence.storage_class_name parameter cannot be changed after installation.
    Option 2: Creating a persistent volume
    If you decide to set decision_runtime_service.persistence.use_dynamic_provisioning to false in the custom resource file (at a later stage in the installation), you must provide a matching persistent volume.
    Make sure you grant permissions to the root group 0 because the user that runs the runtime service pods belongs to this group.

    The persistent volume must deliver a minimum performance of 300 IOPS. On ROKS (IBM Cloud®), this level of performance is achieved by a 30Gi volume from the ibmc-file-gold-gid storage class, or by a 150Gi volume from the ibmc-file-bronze-gid storage class. For details, see Storage class reference.

    The persistent volume must support read and write access for a non-root user. The *-gid storage classes on IBM Cloud typically provide this support.

  3. Take care of untrusted TLS certificates.

    If you use the operator lifecycle manager (OLM) to install Automation Decision Services, then follow the documentation Importing the certificate of an external service to add untrusted certificates.

    If you use the deployment script to install Automation Decision Services, then execute the following steps to add untrusted certificates.

    1. Get the TLS certificate of a running service.
      openssl s_client -connect <hostname>:<port> -servername <hostname> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    2. Create a ConfigMap that holds the TLS certificates of the services that are accessed by the decision runtime, namely the MongoDB instance and the optional ML servers. (You will set this ConfigMap to the decision_runtime_service.tls.certs_config_map_name parameter of the custom resource file, at a later stage in the installation.)
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: runtime-tls-config
        labels:
          webapp: runtime
      data:
        decision_storage.crt: |
          -----BEGIN CERTIFICATE-----
               ...
          -----END CERTIFICATE-----
      
      Note: The key for each certificate entry must be a valid filename with a .crt extension.
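    The two steps above carried out in code, as an added example that is not part of the IBM documentation: extract_certs keeps the same PEM range that the sed expression does from captured `openssl s_client` output, and build_tls_config_map assembles the ConfigMap while enforcing that every key is a valid filename with a .crt extension. The s_client output is a constructed sample whose certificate body is not a real certificate; decision_storage is the file stem from the page's example.

```python
import json
import re

# One PEM block, the range the page's sed expression keeps from `openssl s_client` output.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.S)
# ConfigMap keys must be valid filenames with a .crt extension.
CRT_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.crt")

# Constructed sample of `openssl s_client` output; the certificate body is made up.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = mongodb.example.internal
verify error:num=18:self signed certificate
-----BEGIN CERTIFICATE-----
MIIBconstructedCertificateBodyNotARealCertificate0123456789ABCDEF
-----END CERTIFICATE-----
---
No client certificate CA names sent
"""

def extract_certs(s_client_output):
    """Return every PEM block, like `sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'`."""
    return PEM_BLOCK.findall(s_client_output)

def build_tls_config_map(certs_by_service, name="runtime-tls-config"):
    """Assemble the ConfigMap named by decision_runtime_service.tls.certs_config_map_name.

    certs_by_service maps a service name (used as the file stem) to its list of PEM blocks.
    """
    data = {}
    for service, blocks in certs_by_service.items():
        key = f"{service}.crt"
        if not CRT_KEY.fullmatch(key):
            raise ValueError(f"{key!r} is not a valid .crt filename for a ConfigMap key")
        if not blocks or any(not PEM_BLOCK.fullmatch(b) for b in blocks):
            raise ValueError(f"{service}: every entry must be exactly one PEM certificate block")
        data[key] = "\n".join(blocks) + "\n"
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "labels": {"webapp": "runtime"}},
        "data": data,
    }

if __name__ == "__main__":
    # Pipe this JSON into `kubectl apply -f -` once the real certificates are collected.
    certs = extract_certs(SAMPLE_S_CLIENT_OUTPUT)
    print(json.dumps(build_tls_config_map({"decision_storage": certs}), indent=2))
```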
  4. Add parameters to configure the allowed origins for the decision runtime so that its REST API can be called from a web application by using Cross-Origin Resource Sharing (CORS).
    See the sample configuration:
    ads_configuration:
      decision_runtime:
        allowed_origins: http://localhost,https://localhost
        asra:
          allowed_origins: http://localhost,https://localhost
  5. Add a parameter to configure the event emitter Kafka producers count for the decision runtime.
    See the sample configuration:
    ads_configuration:
      decision_runtime:
        event_emitter:
          kafka_producers_count: 1