Configuration Management

The DataPower Operator deploys and manages configuration defined by the DataPowerService Custom Resource spec.

Reconciliation

The DataPower Operator will reconcile any DataPowerService Custom Resource instance created or updated in the namespace(s) it watches. This means that when you create a new DataPowerService instance, the DataPower Operator will see that new instance and begin to reconcile the requested configuration.

Each DataPowerService will be translated to a StatefulSet, which is created in the cluster in the same namespace the DataPowerService resides in. This StatefulSet will deploy the actual DataPower Pods. When updates are made to the DataPowerService, those changes are propagated to the StatefulSet automatically. When the StatefulSet is updated, it performs a rolling update to propagate any changes out to the DataPower Pods.

This reconciliation behavior allows you to create a DataPowerService instance which specifies (for example) a couple of users and domains, and then update the backing resources (Secrets, ConfigMaps, etc.) directly in the cluster. When those resources are updated in the cluster, the DataPower Operator will automatically pick those changes up and propagate them to the StatefulSet.

Domains

Each DataPower domain specified in the domains property can be managed independently of the others. You can add, remove, or update any domain in the domains array by modifying the DataPowerService instance in the cluster. For an in-depth look at what goes into configuring the domains property, see the Domain Configuration guide.

While the domain structures can be updated in the domains property (such as defining new ConfigMaps, or adding entirely new domains), the resources which back the domains can also be updated directly in the cluster.

For example, if the Secret resource referenced by a domain's certs spec is updated to include new crypto material (such as new certs or keys), this will trigger a reconciliation of that domain to serialize the changes to the StatefulSet and DataPower Pods.

Similarly, any ConfigMap referenced by the domain's dpApp spec can be updated in-place, and this will cause the new configuration / files to be deployed to the StatefulSet.

Annotations

Annotations are added to the StatefulSet PodTemplate (and thus the Pods themselves). Each annotation provides a hash of the configuration, which is used to detect changes.

datapower.ibm.com/domains.default.reconciled: fd1a685cd12d5eeffd0d6c40209483ab80d8e87c216a026b209f089f13a821fb
datapower.ibm.com/domains.test-domain.reconciled: 2fcc805fec16d4f041c7eef5ca86eabc8598ef122926455c064f1d0691b1411d

In the above example, you can see there are two configured domains, default and test-domain, with their respective reconciled hashes.

Users

As with domains, each user specified in the users property can be managed independently of the others. You can add, remove, or update any user in the users array by modifying the DataPowerService instance in the cluster.

While the user structures can be updated in the users property (such as changing the accessLevel or group), the Secret specified by the passwordSecret can also be updated directly in the cluster.

For example, if the Secret specified by a user's passwordSecret is updated in the cluster, the DataPower Operator will reconcile this change to the StatefulSet, deploying the updated user configuration.

user-commands ConfigMap

The accessLevel and group properties for each user are added to a user-commands ConfigMap, which is mounted to each DataPower Pod in the StatefulSet. The name of this ConfigMap is built by appending -user-commands to the name of the DataPowerService instance.

Thus, if the accessLevel or group of an existing user is updated, or any users are added or removed from the users spec, this ConfigMap will also be updated.

Annotations

Annotations are added to the StatefulSet PodTemplate (and thus the Pods themselves) which provide a hash of the user configuration. There will be a single annotation for each user, by name, and then another annotation for the user-commands ConfigMap.

datapower.ibm.com/user.admin.reconciled: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
datapower.ibm.com/username.commands.reconciled: e78f4ededdbc0dbbf3534b82ec7346cc3beddadf0e788e90c27d23e32c51d935
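
After rotating a certs Secret or a passwordSecret, the reconciled annotations described in both Annotations sections can be used to confirm that every Pod has picked up the new configuration. The following is an added example, not code from the DataPower Operator: it compares the hashes on the StatefulSet PodTemplate with those on each Pod and lists the Pods the rolling update has not yet replaced. The sample JSON, Pod names and hash values are constructed, and the check assumes a Pod keeps the annotations it was created with until it is replaced.

```python
import json

PREFIX, SUFFIX = "datapower.ibm.com/", ".reconciled"

def reconciled(annotations):
    """Keep only the operator's per-domain / per-user reconciled-hash annotations."""
    return {k: v for k, v in (annotations or {}).items()
            if k.startswith(PREFIX) and k.endswith(SUFFIX)}

def stale_pods(statefulset, pod_list):
    """Return {pod name: [annotation keys whose hash differs from the PodTemplate]}."""
    want = reconciled(statefulset["spec"]["template"]["metadata"].get("annotations"))
    report = {}
    for pod in pod_list["items"]:
        have = reconciled(pod["metadata"].get("annotations"))
        diff = sorted(k for k in want.keys() | have.keys() if want.get(k) != have.get(k))
        if diff:
            report[pod["metadata"]["name"]] = diff
    return report

# Constructed sample input (hash values are short placeholders, not real hashes).
SAMPLE_STS = json.loads("""
{"spec": {"template": {"metadata": {"annotations": {
  "datapower.ibm.com/domains.default.reconciled": "hash-default-v2",
  "datapower.ibm.com/domains.test-domain.reconciled": "hash-test-v1",
  "datapower.ibm.com/user.admin.reconciled": "hash-admin-v2",
  "example.com/unrelated": "ignored"}}}}}
""")
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "example-0", "annotations": {
    "datapower.ibm.com/domains.default.reconciled": "hash-default-v1",
    "datapower.ibm.com/domains.test-domain.reconciled": "hash-test-v1",
    "datapower.ibm.com/user.admin.reconciled": "hash-admin-v1"}}},
  {"metadata": {"name": "example-1", "annotations": {
    "datapower.ibm.com/domains.default.reconciled": "hash-default-v2",
    "datapower.ibm.com/domains.test-domain.reconciled": "hash-test-v1",
    "datapower.ibm.com/user.admin.reconciled": "hash-admin-v2"}}}
]}
""")

if __name__ == "__main__":
    for name, keys in stale_pods(SAMPLE_STS, SAMPLE_PODS).items():
        print(f"{name}: still on old configuration for {', '.join(keys)}")
```

The two arguments have the shape of kubectl get statefulset -o json and kubectl get pods -o json output, so the same function can be fed live data. An empty result means no Pod is still running with a pre-rotation hash.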