Configuring an assembly

An assembly is an instance type that you can use to deploy multiple instances of other IBM Cloud Pak® for Integration instances and components from the same YAML file. This feature simplifies ease of instance creation and management, in part by supplying default configurations for complex elements, such as certificates and high availability. Learn how to customize and configure the resources managed by an assembly.

For information on deploying an assembly, see Using the assembly canvas.

Important: Managed instances created with an assembly can be edited or deleted only in the assembly Kubernetes resource, as shown in the following examples.

High availability

To provision an assembly instance in high availability (HA) mode, set the value of spec.availability.type to HA. This setting ensures that all components managed by this assembly instance are deployed in HA mode.

Note the following:

If the spec.availability.type field in undefined, it defaults to SingleInstance.
This field is immutable, so the value can't be changed later.

Example configuration file:

spec:
  availability:
    type: HA

Queue Manager managed instance

By default, for each managed instance of kind: QueueManager, a ConfigMap named qm-<.metadata.name>-default is created. The queue manager instance contains a default mqsc/ini and an issuer and certificate that is created with a self-signed certificate (signed by the Certificate Authority for the assembly). The instance is configured to use the ConfigMap and certificate.

This results in the following default configuration for the queue manager instance:

The QueueManager license is accepted, when accepted for the assembly.
The QueueManager license use is set to Production or NonProduction, depending on the assembly license.use value.
Persistent storage is enabled for the QueueManager with 2Gi, using the readWriteOnce storage class from the assembly.
A channel named MTLS.SVRCONN is created. The channel has TLS enabled, but access to the channel is blocked by default. For examples of how to enable access (advanced configuration), see Configuring an assembly.
The web interface is enabled.

Event Streams managed instance

By default, for each managed instance of kind EventStreams, the following default configuration is used:

The Event Streams license is accepted, when accepted for the assembly.
The Event Streams license use is set to the same setting configured for the assembly.
Persistent storage is enabled for Kafka with 10Gi, using the readWriteOnce storage class from the assembly.
Persistent storage is enabled for ZooKeeper with 2Gi, using the readWriteOnce storage class from the assembly.
The Kafka resources are set to 8Gi and 4 CPUs for both the requests and limits.

Integration runtime managed integration

By default, for each managed integration of kind IntegrationRuntime, the following default configuration is used:

License - The integration runtime license is accepted, when accepted for the assembly.
Pod replicas - The integration runtime has 1 or 3 pod replicas, depending on the availability type of the assembly.
The field logFormat is set to basic.
Version and release number - The integration runtime version is set to the latest runtime version that is part of the Cloud Pak for Integration release associated with this assembly. The Cloud Pak for Integration release number is referenced in the assembly spec.version.
Routes - The default configuration prevents the automatic creation of HTTP and HTTPS OpenShift routes with the setting spec.routes.disabled: true. If you want to enable automatic creation, set spec.routes.disabled: false.

API managed integration

There is no default configuration for managed integrations of kind API. Add the full definition of the API that you want this assembly to manage as per the API object in Using the API Kubernetes resource.

Product managed integration

There is no default configuration for managed integrations of kind Product. Add the full definition of the Product that you want this assembly to manage as per the API object in Using the API Product Kubernetes resource.

Assembly advanced settings

This advanced configuration option changes the behavior of an assembly.

Disable dry webhook check

Before an instance of an assembly is created, a dry run validation of the managed instances is done to ensure that the configuration is valid. This validation can be disabled by adding the "operator.ibm.com/ia-managed-instances-dry-run": "false" annotation to the metadata section of an assembly. For example:

metadata:
  annotations:
    "operator.ibm.com/ia-managed-instances-dry-run": "false"

Queue manager advanced settings

The following examples contain advanced configuration options that you can apply to a queue manager managed instance in an assembly. For information about default settings, see the section, "Queue manager managed instance" in Deploying an assembly by using the CLI.

Disable the web interface

The web interface can be disabled if the UI is not needed. To disable the web interface, add the following to the queue manager managed instance:

managedInstances:
  list:
  - kind: QueueManager
    metadata:
      name: qm1
    spec:
      web:
        enabled: false

Change the queue manager name

By default, the queue manager name is based on the .metadata.name value specified for kind: QueueManager. However, the name is automatically modified to remove characters such as -. To override the default, specify a name as follows:

managedInstances:
  list:
  - kind: QueueManager
    metadata:
      name: qm1
    spec:
      queueManager:
        name: queuemanager1

Add a queue and set up permissions

Access to the channel is disabled by default. The following procedure updates the default configuration to do the following:

Create a queue named APPQ.
Allow access to the queue by the app1 user.
Map from a client certificate's CN/OU to the app1 user.
Allow access to the channel by the app1 user.

Create a ConfigMap containing the additional MQSC commands needed to perform the actions:

apiVersion: v1
kind: ConfigMap
metadata:
  name: qm-qm1-queues
data:
  myqm.mqsc: |
    DEFINE QLOCAL('APPQ') REPLACE
    SET AUTHREC PROFILE('APPQ') PRINCIPAL('app1') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
    SET CHLAUTH('MTLS.SVRCONN') TYPE(SSLPEERMAP) SSLPEER('CN=app1,OU=my-team') USERSRC(MAP) MCAUSER('app1') ACTION(REPLACE)
    SET AUTHREC PRINCIPAL('app1') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
    REFRESH SECURITY

Update the mqsc section in the Config map and list the default generated Config map (named qm-<.metadata.name>-default) and new Config map created in step 1 (in this example, qm-qm1-queues):

managedInstances:
  list:
  - kind: QueueManager
    metadata:
      name: qm1
    spec:
      queueManager:
        mqsc:
          - configMap:
              name: qm-qm1-default
              items:
                - myqm.mqsc
          - configMap:
              name: qm-qm1-queues
              items:
                - myqm.mqsc

For more information on MQSC commands, see Configuration reference.

Create a client TLS certificate

To connect to a queue manager instance with the default TLS configuration, the client needs to use a certificate signed by the same certificate authority used by that queue manager. If SSLPEER is being used to map from a common name/organizational unit (CN/OU) to a user (as in the data.myqm.mqsc example in step 1), the certificate needs to have the matching CN/OU set.

The Issuer created by the assembly can be used to create the certificate, as in the following example:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: qm1-client
spec:
  commonName: app1
  subject:
    organizationalUnits:
    - my-team
  secretName: qm1-client
  issuerRef:
    name: qm-qm1-issuer
    kind: Issuer
    group: cert-manager.io

Configure these values according to your deployment:

.spec.commonName - the CN; needs to match that used in the SSLPEER in the MQSC.
.spec.subject.organizationalUnits - the OU; needs to match that used in the SSLPEER in the MQSC.
.spec.issuerRef.name - needs to match the name of the Issuer created by the IntegrationAssembly of qm-<QueueManager name>-issuer
.spec.secretName - where your certificate is created.

Rotate the TLS certificate

TLS certificates are set up with a default renewal period of 60 days, after which the certificate manager regenerates the secrets. This procedure manually initiates generation of a new secret.

Delete both of the default secrets:
- The certificate authority secret named ia-<IntegrationAssembly name>-ca in the same namespace as the assembly. If the queue manager is in a different namespace, when this secret gets regenerated by the certificate manager, it is automatically copied to the same namespace as the queue manager.
- The server secret named qm-<QueueManager name>-server
Delete any secrets created for client certificates, for example, those created in the previous section ("Create a client TLS certificate").
When the certificate secrets are regenerated:
- Restart the QueueManager pods.
- Restart any clients.

Event Streams advanced settings

The following examples contain advanced configuration options that you can apply to an Event Streams managed instance in an assembly. For information about default settings, see "Event Streams managed instance" in Deploying an assembly by using the CLI.

Increase the Kafka storage, replicas, and resources

The following configuration example increases these components:

Kafka storage, from the default of 10Gi to 20Gi.
Kafka replicas, from the default of 1 to 3.
Kafka resources, from the default of 8Gi/4 CPUs to 12Gi/6 CPUs.

This example keeps the default storage class:

managedInstances:
  list:
  - kind: EventStreams
    metadata:
      name: es1
    spec:
      strimziOverrides:
        kafka:
          storage:
            size: 20Gi
          replicas: 3
          resources:
            requests:
              memory: 12Gi
              cpu: 6000m
            limits:
              memory: 12Gi
              cpu: 6000m

Override the default storage classes

The following is an example of how to override the default storage classes used for Kafka and ZooKeeper:

managedInstances:
  list:
  - kind: EventStreams
    metadata:
      name: es1
    spec:
      strimziOverrides:
        kafka:
          storage:
            class: a-read-write-once-class-for-kafka
        zookeeper:
          storage:
            class: a-read-write-once-class-for-zookeeper

Integration runtime advanced settings

The following examples contain advanced configuration options that you can apply to a managed integration runtime in an assembly. For information about default settings, see "Integration runtime managed instance" in Deploying an assembly by using the CLI.

Apply BAR URLs and configurations

This is an example of how to add BAR files and configurations to integration runtimes:

managedIntegrations:
  list:
  - kind: IntegrationRuntime
    metadata:
      name: ir1
    spec:
      barURL:
        - <barURL>
      configurations:
        - <Configurations1>
        - <Configurations2>

For more information, see Configuration Reference and BarAuth type.

Routes

The default configuration prevents the automatic creation of HTTP and HTTPS OpenShift routes with the setting spec.routes.disabled: true. If you want to enable automatic creation, set spec.routes.disabled: false:

managedIntegrations:
  list:
  - kind: IntegrationRuntime
    metadata:
      name: ir1
    spec:
      routes:
        disabled: false

Uninstalling

For more information, see Uninstalling instances.