Configuring IBM Cloud Pak foundational services

The IBM Cloud Pak foundational services operator creates the CommonService custom resource (CR) in the common service operator namespace.

The custom resource has the services, cluster configurations, and hardware profile that you can set before or after you install foundational services.

You can access the CommonService custom resource by using the OpenShift Container Platform console or by using the command-line interface (CLI).

  • To use the console, complete these steps:

    1. From the navigation pane, click Operators > Installed Operators.
    2. From the Project drop-down list, select common service operator namespace.
    3. Click IBM Cloud Pak foundational services .
    4. Select the CommonService tab. You can see the common-service custom resource instance.
    5. Click the common-service resource.
    6. Select the YAML tab to view and edit the common-service CR.
    7. Update the common-service CR. Explore this document to learn about available configuration options.
    8. Click Save

  • To use the CLI, run the following command:

oc edit CommonService common-service -n <your-foundational-services-namespace>
Note: The common-service CR in the common service operator namespace is the only CR that is used for updating and configuring foundational services. There can be other CRs in the operand namespace. However, the other CRs are managed by other services and should not be edited.

For example, by running the following command you get two similar CRs in the response. Only common-service CR oversees IBM Cloud Pak foundational services configuration:

oc get commonservice -A

The response:

NAMESPACE   NAME                AGE
cp4itest    common-service      172d  << Only this CR needs to be edited.
cp4itest    im-common-service   144d

Troubleshooting: If the changes to the common-service CR get reverted by an IBM Cloud Pak's operator, create a new common service CR, for example, CS-custom-IM-resource CR, with the desired change. For more information, see Customization of the CommonService CR is reverted by the IBM Cloud Pak operator.

Parameters in the CommonService CR

The CommonService CR has some parameters that control the placement of the OperandRegistry and OperandConfig in various deployment topologies. For more information about the topologies, see Topologies that need the IBM NamespaceScope Operator.

  • The servicesNamespace parameter determines the namespace in which the OperandRegistry and OperandConfig CRs are to be defined. The default is the same namespace in which the ibm-common-service-operator is deployed. The services that are shared across a tenant, such as the IM service, are also deployed in the servicesNamespace.

  • The operatorNamespace parameter determines where the requested service operators (subscriptions) are to be deployed. The default is the same namespace in which the ibm-common-service-operator is deployed.

  • The catalogName parameter specifies the name of the CatalogSource to be used for other services that are installed by Operand Deployment Lifecycle Manager (ODLM) in foundational services. Service operator subscriptions use this parameter to reference the correct catalog source.

  • The catalogNamespace parameter specifies the namespace in which the CatalogSource is located. This CatalogSource is defined by the catalogName parameter.

Note: The catalogName and catalogNamespace parameters must be set together.

Updating the custom resource

Set the following parameters by adding them to the CommonService custom resource. You can update these parameters before you create an OperandRequest instance or after you install the services. Add or modify the parameters and values in the spec section.

Approval strategy

The approval strategy defines whether the approval is needed to install, or upgrade IBM Cloud Pak foundational services. By default, the approval strategy is set to Automatic, however, you can change this setting during installation. You can also set the approval strategy after the installation by adding or changing the installPlanApproval parameter in the custom resource. If the approval strategy is set to Automatic, the operator is automatically installed or upgraded when a new version is available. If you set the installPlanApproval parameter to Manual, the operator is not automatically installed or upgraded. Instead, you get an an install plan that needs to be manually approved before an upgrade.

Notes:

  • When you set the installPlanApproval for the IBM Cloud Pak foundational services operator, it applies to all foundational services installed with this operator.
  • If you install the IBM Cloud Pak foundational services operator in a namespace where another operator is installed that already has the installPlanApproval: Manual set in its subscription, then the IBM Cloud Pak foundational services operator inherits this setting. The approval plan is set to Manual and IBM Cloud Pak foundational services operator cannot be automatically installed or upgraded.

Changing approval strategy from Automatic to Manual

To change the approval strategy from Automatic to Manual, change the installPlanApproval parameter value to Manual in the spec section of the CommonService CR.

Note: If the installPlanApproval parameter is not in the CR, add the following line to the CR in the spec section: installPlanApproval: Manual.
apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  installPlanApproval: Manual

Changing approval strategy from Manual to Automatic

Note: Before you begin, make sure that the operators that are not a part of IBM Cloud Pak foundational services in the namespace have the installPlanApproval parameter set to Automatic in the subscription. Otherwise, even if you change the approval strategy from Manual to Automatic for the IBM Cloud Pak foundational services operator, this setting might be overwritten.

To change the approval strategy from Manual to Automatic, complete the following steps:

  1. Change the installPlanApproval parameter value to Automatic in the spec section of the CommonService CR.
Note: If the installPlanApproval parameter is not in the CR, add the following line to the CR in the spec section: installPlanApproval: Automatic.
apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  installPlanApproval: Automatic

Bring your own CA Certificate

You can replace the foundational services self-signed certificate authority (CA) certificate with your own CA certificate in either of the following ways:

  • Create an issuer and generate a certificate, or create just the secret. For more information, see Bringing your own CA Certificate.
  • Update the CommonService CR.
Note: Anytime you need to bring back your original certificate, see Bringing back your original CA Certificate.

If you are updating the CommonService CR to bring your own certificate, first update BYOCACertificate: true in the spec section of the CommonService CR.

Note: If BYOCACertificate specification is not in the CR, you can add it in the spec section as shown in the following example:
apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  BYOCACertificate: true

After you update the CommonService CR, complete the following steps to replace the foundational services self-signed CA certificate with your own CA certificate:

  1. Prepare and have your Transport Layer Security (TLS) certificate, TLS private key, and CA certificate ready.

  2. Create a backup of the foundational services self-signed CA certificate. By default, the certificate is created in the <span data-key-file="/home/jenkins/workspace/workspace/dita-converter/git_repo/conrefs.yml" data-conkeyref="conrefs/keyword.cs_ns" data-variable="keyword.cs_ns" class="md-conref">keyword.cs_ns</span> namespace.

    oc get certificate cs-ca-certificate -n <your-foundational-services-namespace> -o yaml > cs-ca-certificate.yaml

  3. Delete the foundational services self-signed CA certificate resource so that the cert-manager service does not re-create the updated secret.

    oc delete certificate cs-ca-certificate -n <your-foundational-services-namespace>

  4. Delete the foundational services self-signed CA certificate secret.

    oc delete secret cs-ca-certificate-secret -n <your-foundational-services-namespace>

  5. Re-create the cs-ca-certificate-secret secret with your CA certificate (ca.crt), TLS certificate (tls.crt), and private key (tls.key).

    oc -n <your-foundational-services-namespace> create secret generic cs-ca-certificate-secret --from-file=ca.crt=<your path>/ca.crt  --from-file=tls.crt=<your path>/tls.crt  --from-file=tls.key=<your path>/tls.key

  6. Refresh the leaf certificates that are created by individual foundational services. For more information and steps to refresh the leaf certificates, see Refreshing cert-manager certificates.

License

Note: To enable IBM Support, you must accept the license. For more information about Licensing acceptance, see License Accept.

Accept the licenses to use the services. To do so, add spec.license.accept: true in the spec section of the CRs. See the following samples:

  • Foundational services license in the common-service CR.
apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  license:
    accept: true
  size: as-is
  • License service license in the instance CR.
apiVersion: operator.ibm.com/v1alpha1
kind: IBMLicensing
metadata:
  name: instance
spec:
  license:
    accept: true
  • Certificate manager service license in the default CR.
apiVersion: operator.ibm.com/v1
kind: CertManagerConfig
metadata:
  name: default
spec:
  license:
    accept: true
  • IBM NamespaceScope Operator license in the NamespaceScope CR, if your topology needs the service.
apiVersion: operator.ibm.com/v1
kind: NamespaceScope
metadata:
  name: common-service
  namespace: <foundational-services-namespace>
spec:
  license:
    accept: true

Hardware profile

Set the hardware requirements profile based on the workloads in your cluster. For more information about the profiles, see Hardware requirements and recommendations for foundational services.

You can use the templates to update the hardware requirements of the services that you are installing. You can also use the templates to set the configuration parameters of the services.

The default profile is starterset (starter). You can change the profile to small, medium, or large (production), if required. If you are upgrading your cluster from a previous release, the default profile setting is as-is, which means that the hardware requirements setting from the previous release is retained.

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  size: as-is

Storage class

Instead of specifying the storage class for each service in the spec.<service-name> section, you can specify a storage class for all services in the spec section. Any service that needs to use a storage class will then use this specified storage class.

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  size: as-is
  storageClass: <storage-class-name>

When you specify a storage class in the spec section, the storage class of a service is updated to reflect this value only if the service is not yet deployed.

  • For example, common-service-db and the Keycloak service both use a storage class. If IBM Cloud Pak A specifies rook-cephfs as the storage class in the spec section and requests only for common-service-db, then common-service-db is deployed with rook-cephfs as the storage class. Though IBM Cloud Pak A did not request for the Keycloak service, internally the storage class for the Keycloak service is set as rook-cephfs. In the same cluster, if IBM Cloud Pak B then specifies rook-ceph-block as the storage class in the spec section and requests for the Keycloak service, then the service is deployed with rook-ceph-block as the storage class. The storage class for common-service-db is not changed and it continues to use rook-cephfs.

For more information about configuring options that are related to storage for PostgreSQL common-service-db services, see Cloud Native PostgreSQL settings.

Services configuration

Add any service-related configuration in the spec.services section. First, add services: under spec:. You need to add services: section only once. You can add all services-related configuration under the same section.

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  services:

Then, add the service configuration. For example, if you are adding a storage class for common-service-db, the configuration would be as shown in the following example:

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  services:
  - name: common-service-db
    spec:
      storage:
        storageClass: <your-storage-class>
      walStorage:
        storageClass: <your-storage-class>
  • This topic covers examples of configuration. However, you can perform additional configuration. For example, if you need to increase the resources for a service pod, find the current setting in the operandConfig, copy the block and paste it into the common-service CR with the required changes.

Example: Modifying the resources for IM service pod

  1. Run the following command you retrieve the operand configuration for the IM service.
    oc get operandconfig common-service -n <common service operand namespace> -oyaml | grep ibm-im-operator -A40 -m

    The response:

    - name: ibm-im-operator
  spec
    authentication:
      authService:
        resources:
          limits:
            cpu: 1000m
            memory: 1090Mi
          requests:
            cpu: 600m
            ephemeral-storage: 256Mi
            memory: 540Mi
  ---
  2. Copy the part of the response with the appropriate section from the operandConfig and add this part to the common-service CR. Run the following command to edit the common-service CR:
    oc edit commonservice common-service -n <common service operator namespace>
  3. Edit the common-service CR by pasting the block from the response into the CR and modify the resource limits and requests for IAM.
Note: If this is the first time when you add a part of the operandConfig yaml into the common-service CR, you need to precede the block with the services section. It is important to keep the columns exactly as copied from the operandConfig to keep the column-sensitive yaml formatting.
spec:
  license:
    accept: true
  operatorNamespace: cp4itest
  size: medium
  services:                             <<<  Add the services section before the block from the operandConfig when you add your first configuration
  - name: ibm-im-operator
    spec:
      authentication:
        authService:
          resources:
            limits:
              cpu: 1000m
              memory: 1090Mi
            requests:
              cpu: 700m
              ephemeral-storage: 256Mi
              memory: 540Mi

Add Labels to foundational services resources

Add labels to all foundational services resources including IM and IDP Config UI

Specify the labels that you want to add to all foundational services resources in the spec section of the CommonService CR. The labels are added to all the resources that are created by the foundational services.

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  labels:
    cpfssupport/addOnId: service-name
    some-other-label-key: some-other-label-value

Add labels to specific foundational services resources including IM and IDP Config UI

Specify the labels that you want to add to specific foundational services resources in the spec.services section of the CommonService CR. The labels are added to the specific resources that are created by the foundational services.

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  services:
  - name: ibm-im-operator
    spec:
      authentication:
        labels:
          cpfssupport/app: im
          some-other-label-key: some-other-label-value
  - name: ibm-idp-config-ui-operator
    spec:
      commonWebUI:
        labels:
          cpfssupport/app: idp-config-ui
          some-other-label-key: some-other-label-value

Add labels to Certificate manager service

Specify the labels that you want to add to the Certificate manager service resources in the spec section of the CertManagerConfig CR. The labels are added to all the resources that are created by the Certificate manager service. See Managing Certificate Manager metadata for more information.

Add labels to License Service

Specify the labels that you want to add to the License service resources in the spec section of the IBMLicensing CR. The labels are added to all the resources that are created by the License service. See Managing License Service metadata for more information.

Add labels to License Service Reporter

Specify the labels that you want to add to the License service reporter resources in the spec section of the IBMLicenseServiceReporter CR. The labels are added to all the resources that are created by the License service reporter. See Managing License Service Reporter metadata for more information.

Federal Information Processing Standard (FIPS)

For information on configuring foundational services to enable FIPS, see Enabling FIPS.

Ephemeral storage setting

  • Products must declare ephemeral storage requests for each product container in the Pod definition so that Kubernetes knows how to schedule your Pod spec.containers[].resources.request.ephemeral-storage
  • Product must declare ephemeral storage limits for each product container in the Pod definition in most scenarios. Use the following guidance to determine if it is required spec.containers[].resources.limits.ephemeral-storage
    • Ephemeral storage limits are not needed if you use the readOnlyRootFilesystem security context
    • If you use emptyDir volumes with readOnlyRootFilesystem, then use emptyDir.sizeLimit instead of setting ephemeral storage limits

Huge pages settings

foundational services supports allocation and consumption of pre-allocated huge pages for a service. To enable huge pages for foundational services, you must configure the huge pages setting in Red Hat OpenShift Container Platform first. For more information, about configuring huge pages on Red Hat OpenShift Container Platform, see What huge pages do and how they are consumed by applications.

You can configure huge pages settings for Identity Management (IM) and its dependency Cloud Native PostgreSQL by modifying the foundational services Custom Resource and specifying huge pages allocation in the spec section.

  • Huge pages can be consumed through container-level resource requirements using the resource name hugepages-<size>, where size is the most compact binary notation using integer values that is supported on a particular node. For example, if a node supports 2048KiB page sizes, this node exposes a schedulable resource hugepages-2Mi.
  • To allocate huge pages of a specific size, specify the amount of memory <allocation> for hugepages-<size>. For example, to allocate 1GiB of 2MiB huge pages, specify hugepages-2Mi: 1Gi.
apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: huge-pages-common-service
spec:
  size: small
  hugepages:           
     enable: true
     hugepages-<size>: <allocation>

To view which services support huge pages and how to enable this setting, see Configuring huge pages for foundational services .

Cloud Native PostgreSQL settings

Storage class and Volume Size (common-service-postgresql)

Specify a storage class name for the persistent volume. If you do not add the storage class configuration, the default storage class that is available in the cluster is used for PostgreSQL Cluster CR.

services:
  - name: common-service-postgresql
    spec: {}
    resources:
      - apiVersion: postgresql.k8s.enterprisedb.io/v1
        kind: Cluster
        name: common-service-db
        data:
          spec:
            storage:
              storageClass: <your-storage-class>
              size: <volume-size>
            walStorage:
              storageClass: <your-storage-class>
              size: <volume-size>

Notes:

  • If you change the storage class settings after foundational services installation, the changes are not applied to the existing PostgreSQL cluster. The changes are applied only to the new PostgreSQL clusters that are created after the storage class settings are updated.

  • If you want to change the volume size settings after the foundational services installation, check if the storage class supports volume expansion. See Volume expansion.

    • If the storage class supports volume expansion, you can update the volume size settings.
    • If the storage class does not support volume expansion, contact IBM Support.

  • If you are installing your IBM Cloud Pak on OpenShift Container Platform cluster with multiple zones, use the storage class with volumeBindingMode: WaitForFirstConsumer. To get the storage class with volumeBindingMode: WaitForFirstConsumer, you can, for example, by running the following command:

    oc get storageclass | grep WaitForFirstConsumer
ibmc-vpcblock-odf-10iops                      vpc.block.csi.ibm.io   Delete          WaitForFirstConsumer   true                   2y59d
ibmc-vpcblock-odf-5iops                       vpc.block.csi.ibm.io   Delete          WaitForFirstConsumer   true                   2y59d
ibmc-vpcblock-odf-custom                      vpc.block.csi.ibm.io   Delete          WaitForFirstConsumer   true                   2y59d
ibmc-vpcblock-odf-general                     vpc.block.csi.ibm.io   Delete          WaitForFirstConsumer   true                   2y59d
ibmc-vpcblock-odf-ret-10iops                  vpc.block.csi.ibm.io   Retain          WaitForFirstConsumer   true                   2y59d
ibmc-vpcblock-odf-ret-5iops                   vpc.block.csi.ibm.io   Retain          WaitForFirstConsumer   true                   2y59d
ibmc-vpcblock-odf-ret-custom                  vpc.block.csi.ibm.io   Retain          WaitForFirstConsumer   true                   2y59d
ibmc-vpcblock-odf-ret-general                 vpc.block.csi.ibm.io   Retain          WaitForFirstConsumer   true                   2y59d

Configuring resources for PostgreSQL cluster (common-service-postgresql)

Specify resource settings. If you do not specify a setting, the default resource settings that are available in the cluster are used for PostgreSQL cluster.

services:
  - name: common-service-postgresql
    spec: {}
    resources:
      - apiVersion: postgresql.k8s.enterprisedb.io/v1
        kind: Cluster
        name: common-service-db
        data:
          spec:
            instances: 3 
            resources:
              limits: 
                cpu: <cpu-limit>
                memory: <memory-limit>
                ephemeralStorage: <ephemeral-storage-limit>
                hugepages-<size>: <allocation>  # enabled only if hugepages is enabled for the cluster
              requests: 
                cpu: <cpu-request>
                memory: <memory-request>
                ephemeralStorage: <ephemeral-storage-request>

Configuring shared buffers for PostgreSQL cluster (common-service-postgresql)

Configure the shared_buffers parameter for your EDB PostgreSQL database.

The shared_buffers parameter allocates the memory for the database server to cache data. You can adjust the value between 20% to 25% of the total spec.resources.requests.memory value. For example, if your spec.resources.requests.memory value is 600 Mi, the recommended value for the shared_buffers parameter is 150 MB.

In the following example, the spec.resources.requests.memory value is set to 600 Mi for a large profile in the common-service-db cluster instance custom resource (CR).

oc get cluster.postgresql.k8s.enterprisedb.io common-service-db -ojsonpath='{.spec.resources.requests.memory}'
600Mi

To adjust the value of the shared_buffers parameter, go to the common-service-postgresql service entry. Find the common-service-db CR, and in the spec.postgresql.parameters section, add the shared_buffers parameter. The following example shows how to set the shared_buffers parameter to 150 MB.

services:
  - name: common-service-postgresql
    spec: {}
    resources:
      - apiVersion: postgresql.k8s.enterprisedb.io/v1
        kind: Cluster
        name: common-service-db
        data:
          spec:
            postgresql:
              parameters:
                shared_buffers: 150MB

After you save the changes, restart EDB. For more information, see Restart Opens in a new tab .

Configuring replicas for PostgreSQL operator (cloud-native-postgresql)

Specify the number of replicas for the PostgreSQL operator. If you do not specify the number of replicas, the default number of replicas for the PostgreSQL operator is 1.

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  operatorConfigs:
    - name: cloud-native-postgresql
      replicas: <number-of-replicas>

Authentication settings

Changing the default cpadmin username

The IBM Cloud Pak foundational services installation creates a default cpadmin user, who is a cluster administrator. You can customize the username by adding the defaultAdminUser parameter.

Note: If you already have a user by the name cpadmin in your cluster, you must set the defaultAdminUser parameter with a custom name that is not admin before you install foundational services. This is to avoid your admin user from being removed if you uninstall foundational services later.
- name: ibm-im-operator
  spec:
    authentication:
      config:
        defaultAdminUser: <custom-username>

Delegating authentication to OpenShift (ibm-im-operator)

Authentication with Red Hat OpenShift is enabled by default. The ibm-im-operator has the following default configuration. If you do not update these parameters, authentication with OpenShift is enabled with no prefix.

- name: ibm-im-operator
  spec:
    authentication:
      config:
        roksEnabled: true
        roksURL: <your-endpoint-URL>
        roksUserPrefix: ""

You can disable the authentication, or update the parameters as required. Following are the parameter descriptions:

  • roksEnabled: Set to false: to disable authentication with Red Hat OpenShift.
  • roksURL: The public service endpoint URL of your public cloud cluster. For more information about how to get the URL, see Updating OpenShift authentication.
  • roksUserPrefix: Prefix to be used with the username. When you access your cluster console or CLI, you use the prefix along with the username to authenticate with OpenShift. If you are using IM with Red Hat OpenShift Kubernetes Service in the IBM Cloud, you must set the prefix to IAM#.
Assigning the cloud pak administrator privileges to an OpenShift user

If you are delegating authentication to OpenShift, you can assign the cloud pak administrator privileges to an existing OpenShift user. The user can be added to the bootstrapUserId parameter.

To add the bootstrapUserId parameter before IM service installation, see the following configuration:

- name: ibm-im-operator
  spec:
    authentication:
      config:
        bootstrapUserId: "<custom-username>"

To add the bootstrapUserId parameter after IM service installation, see Changing the default cluster administrator.

Adding custom OIDC claims

The IM service uses the default scopes and claims that WebSphere® Application Server Liberty provides. Based on your OIDC authentication requirements, you can customize the OIDC claims that are returned by the UserInfo endpoint.

To add the custom claims before you install the IM service, add the following configuration:

- name: ibm-im-operator
  spec:
    authentication:
      config:
        claimsSupported: "<list-of-claims>"
        claimsMap: "<list-of-claims-map>"
        scopeClaim: "profile=<list-of-claims-in-the-profile>"

See the following example:

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  size: medium
  services:
  - name: ibm-im-operator
    spec:
      authentication:
        config:
          claimsSupported: "name,family_name,display_name,given_name,preferred_username"
          claimsMap: "name=\"givenName\" family_name=\"givenName\" given_name=\"givenName\" preferred_username=\"givenName\" display_name=\"displayName\""
          scopeClaim: "profile=\"name,family_name,display_name,given_name,preferred_username\""

Disabling nonce

To improve security, nonce is enabled by default. Nonce associates a client session with an ID token and is used in authentication to ensure that attackers do not use old sessions.

To disable nonce, add the following configuration:

- name: ibm-im-operator
  spec:
    authentication:
      config:
        nonceEnabled: false

Adding description of the login options (ibm-idp-config-ui-operator)

You can configure multiple authentication types in your cluster. For more information, see Authentication types.

The authentication types that you configure in your cluster are displayed on the console login page. You can provide a short description of the authentication types in the ibm-idp-config-ui-operator by configuring these parameters. The description is then displayed on the console login page.

- name: ibm-idp-config-ui-operator
  spec:
    globalUIConfig:
      enterpriseLDAP: <Provide a short description about the enterprise LDAP authentication type.>
      defaultAuth: <Provide a short description about the default authentication type.>
      osAuth: <Provide a short description about the OpenShift authentication type.>
      enterpriseSAML: <Provide a short description about the enterprise SAML authentication type.>

Setting the preferred login options (ibm-im-operator)

If you configured multiple authentication types in your cluster, but you want the console login page to display any one or a selected set of the configured login options, you can set the preferredLogin: parameter. For example, preferredLogin:SAML,LDAP.

Use the following parameter values:

  • For default authentication, use DEFAULT
  • For enterprise LDAP, use LDAP
  • For enterprise SAML, use SAML
  • For OpenShift authentication, use ROKS
  • For enterprise OpenID Connect (OIDC), use OIDC

    • The OIDC option automatically redirects with a single OIDC provider. If more than one OIDC provider is available, you need to select one at the login screen.

    • If you have multiple OIDC providers, and you need to select one at the login screen, setting the preferredLogin value as shown in the following examples is not an option.

      preferredLogin: azure_OIDC
preferredLogin: keycloak_OIDC

- name: ibm-im-operator
  spec:
    authentication:
      config:
        preferredLogin: <option1>,<option2>,<optionN>

Changing the OIDC issuer URL (ibm-im-operator)

Default configuration of OIDC in your product uses <cluster_address>:443 in the authentication endpoints, which are used to authenticate users to Kubernetes. However, in the oidcIssuerURL, local host IP address is used, the default value of which is https://127.0.0.1:443/idauth/oidc/endpoint/OP. If required, you can change the oidcIssuerURL endpoint to use a hostname for Kubernetes authentication. If you want to use the .well-known/openid-configuration endpoint, you must update the oidcIssuerURL with the hostname that you want to use.

- name: ibm-im-operator
  spec:
    authentication:
      config:
        oidcIssuerURL: <https://<hostname>:443/oidc/endpoint/OP>

Changing the provider issuer URL (ibm-im-operator)

If you want to use the .well-known/openid-configuration endpoint, you must update the providerIssuerURL with the hostname that you want to use. You can use the endpoint to get the OIDC configuration information of the provider. The default setting is providerIssuerURL: ''.

- name: ibm-im-operator
  spec:
    authentication:
      config:
        providerIssuerURL: <https://<hostname>:443/idprovider/v1/auth/.well-known/openid-configuration

Changing the cluster name (ibm-im-operator)

The default cluster name is mycluster. You can change the cluster name by using the clusterName parameter. The cluster name is used in Cloud Resource Names (CRNs).

- name: ibm-im-operator
  spec:
    authentication:
      config:
        clusterName: <custom-name>

HA configuration

If you are configuring high availability (HA) in your cluster, add the following configuration for the IM operator:

- name: ibm-im-operator
   spec:
     authentication:
       replicas: 3

Sample ibm-im-operator operator section in the custom resource

Following is a sample configuration of the ibm-im-operator operator in the custom resource. The sample includes the authentication with Red Hat OpenShift and OIDC URL parameters.

- name: ibm-im-operator
    spec:
      authentication:
        config:
          bootStrapUserId: clusteradmin
          roksEnabled: true
          roksURL: 'https://c100-e.eu-de.containers.cloud.ibm.com:32301'
          roksUserPrefix: 'IAM#'
          oidcIssuerURL: 'https://c100-e.eu-de.containers.cloud.ibm.com:443/oidc/endpoint/OP'
          preferredLogin: ROKS

Configuring resources for IM (ibm-im-operator)

Specify resource settings. If you do not specify a setting, the default resource settings that are available in the cluster are used for IM.

  - name: ibm-im-operator
    spec:
      authentication:
        replicas: 1
        authService:
          resources:
            limits:
              cpu:
              memory:
              ephemeral-storage:
              hugepages-<size>:    # enabled only if hugepages is enabled for the cluster
            requests:
              cpu:
              memory:
              ephemeral-storage:
        clientRegistration:
          resources:
            limits:
              cpu:
              memory:
              ephemeral-storage:
              hugepages-<size>:   # enabled only if hugepages is enabled for the cluster
            requests:
              cpu:
              memory:
              ephemeral-storage:
        identityManager:
          resources:
            limits:
              cpu:
              memory:
              ephemeral-storage:
              hugepages-<size>:   # enabled only if hugepages is enabled for the cluster
            requests:
              cpu:
              memory:
              ephemeral-storage:
        identityProvider:
          resources:
            limits:
              cpu:
              memory:
              ephemeral-storage:
              hugepages-<size>:  # enabled only if hugepages is enabled for the cluster
            requests:
              cpu:
              memory:
              ephemeral-storage:

MustGather settings

MustGather configuration settings

Table 1. MustGather configuration settings
Parameter Description Default value Syntax
gatherConfig Set the MustGather configuration parameters such as data modules, namespaces and labels. "" String

Example configuration with default values:

apiVersion: operator.ibm.com/v1alpha1
kind: MustGatherConfig
metadata:
  name: default
spec:
  gatherConfig: |-
    modules="overview,system,failure,ocp,cloudpak"
    namespaces="common-service,ibm-common-services"
    labels=""

MustGather job settings

Table 2. MustGather job settings
Parameter Description Default value Syntax
serviceAccountName Set the name of the service account for the MustGather job. default String
mustgatherConfigName Set the name of the MustGather config. default String

Example configuration with default values:

apiVersion: operator.ibm.com/v1alpha1
kind: MustGatherJob
metadata:
  name: example-mustgatherjob
spec:
  serviceAccountName: default
  mustgatherConfigName: default

MustGather service settings

Table 3. MustGather service settings
Parameter Description Default value Syntax
persistentVolumeClaim.name Set the name of the MustGatherService Persistent Volume Claim. default String
persistentVolumeClaim.storageClassName Set the name of the storage class that will be used to dynamically create a PV. The storage permissions use the OpenShift default UID, GID and supplemental-groups. If you install an IBM Cloud Pak on IBM Cloud, use the ibmc-file-gold-gid storage class. Cluster chooses one storage class in the list. String
mustgather.name Set the name of the MustGather service deployment. default String
mustgather.serviceAccountName Set the service account name for the MustGather service deployment. default String
mustgather. nodeSelector Set the node selector for the MustGather service deployment. none String
mustgather. tolerations Set the MustGather service deployment tolerations. none String
mustgather. securityContext Set the MustGather service deployment securityContext. none String
mustgather. replicas Set the MustGather service deployment replicas. 0 int32

The MustGather support information is used for troubleshooting purposes, and no backup or restore is needed.

Example configuration with default values:

apiVersion: operator.ibm.com/v1alpha1
kind: MustGatherService
metadata:
  name: must-gather-service
spec:
  # Add fields here
  persistentVolumeClaim:
    name: must-gather-pvc
    storageClassName: ""
    resources:
      requests:
        storage: 5Gi
  mustGather:
    name: must-gather-service
    replicas: 1
    serviceAccountName: default
    nodeSelector:
      node-role.kubernetes.io/worker: ""
    tolerations:
    - effect: NoSchedule
      key: dedicated
      operator: Exists
    - key: CriticalAddonsOnly
      operator: Exists
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
    resources:
      requests:
        memory: "64Mi"
        cpu: "50m"
      limits:
        memory: "512Mi"
        cpu: "500m"

Certificate management service settings

Cert Manager configuration is available in the CertManagerConfig CR. See more information in the Configuring IBM Cert Manager.

Common Web UI settings

Table 4. Settings for Common Web UI
Parameter Description Default value Syntax
commonWebUI.resources.limits.cpu Sets the CPU limit for commonWebUI container. 300m Kubernetes CPU units (String)
commonWebUI.resources.limits.memory Sets the memory limit for commonWebUI container. 256Mi Bytes (String)
commonWebUI.resources.requests.cpu Sets the CPU request for commonWebUI container. 300m Kubernetes CPU units (String)
commonWebUI.resources.requests.memory Sets the memory request for commonWebUI container. 256Mi Bytes (String)
replicas (use instead of replicaCount) Sets the number of commonWebUI replicas. 1 Integer

Example configuration with default values:

- name: ibm-idp-config-ui-operator
    spec:
      commonWebUI:
        replicas: 1
        resources:
          requests:
            memory: 256Mi
            cpu: 300m
            ephemeral-storage: 251Mi
          limits:
            memory: 256Mi
            cpu: 300m

Specify resource settings. If you do not specify a setting, the default resource settings that are available in the cluster are used for the common UI service.

- name: ibm-idp-config-ui-operator
  spec:
    commonWebUI:
      replicas: 1
      resources:
        requests:
          memory:
          cpu:
          ephemeral-storage:
        limits:
          memory:
          cpu:
          ephemeral-storage: