Configuring Decision Designer
You can customize the Decision Designer sensitive configuration and TLS certificates.
About this task
Procedure
- Optional: Generate a secret for sensitive configuration.
Sensitive configuration settings must not be exposed in the custom resource YAML file. The ibm-ads-operator generates the secret <instance_name>-ads-designer-secret automatically, but you can decide to create your own secret with your own credentials.
Here is an example of <instance_name>-ads-designer-secret.

    apiVersion: v1
    kind: Secret
    metadata:
      name: <instance_name>-ads-designer-secret
    type: Opaque
    stringData:
      encryptionKeys: |
        <ENCRYPTION_KEYS>
      sslKeystorePassword: <SSL_KEYSTORE_PASSWORD>

The parameters of the secret are explained in the following table.
Table 1. <instance_name>-ads-designer-secret configuration parameters

| Parameter | Description | Mandatory |
| --- | --- | --- |
| encryptionKeys | A data structure that encapsulates the secret to generate an Advanced Encryption Standard (AES) symmetric key for ciphering/deciphering the secrets. The data structure must be: {"activeKey":"key1","secretKeyList":[{"secretKeyId":"key1", "value":"123344566745435"},{"secretKeyId":"key2", "value":"987766544365675"}]} Where activeKey must exist in the secretKeyList and designates the secret to use for symmetric key derivation. If the activeKey value does not exist, Decision Designer does not start. | Yes |
| sslKeystorePassword | A password used to generate SSL keystores. | Yes |

If you need more information about the Decision Designer secret, see the admin_secret_name parameter in Decision Designer parameters. For more information about customizing Decision Designer in the custom resources, see Configuring Decision Intelligence Client Managed Software.
Important: encryptionKeys is used to encrypt and decrypt some sensitive values in the database. The active key is used to encrypt new values. If the active key has been compromised or needs to be replaced, an administrator can define another one and reference it as the active key. Secrets that have been encrypted by older keys continue to be decrypted provided that the key ID is preserved. However, it is recommended to re-encrypt them from Decision Designer, and then remove the old keys from encryptionKeys.
- Optional: Take care of untrusted TLS certificates.
If Decision Designer is supposed to interact with servers like Git, machine learning (ML), or other servers whose TLS certificates are not signed by an official Certificate Authority (CA), you must gather these certificates and configure Decision Designer to establish trust with these servers.
- Get the TLS certificate of a running service.

    openssl s_client -connect <hostname>:<port> -servername <hostname> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

- Create a ConfigMap to hold the TLS certificates of the Git servers.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: <instance_name>-ads-designer-git-certificates
    data:
      my_git_server1.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      my_git_server2.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

You will set this ConfigMap to the decision_designer.git_servers_certs parameter of the custom resource file at a later stage in the installation.
- Create a ConfigMap to hold the TLS certificates of the ML providers.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: <instance_name>-ads-designer-ml-providers-certificates
    data:
      my_ml_provider1.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      my_ml_provider2.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

You will set this ConfigMap to the decision_designer.ml_providers_certs parameter of the custom resource file at a later stage in the installation.
- Create a ConfigMap to hold the TLS certificates of any other server.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: <instance_name>-ads-designer-other-certificates
    data:
      another_certificate.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

You will set this ConfigMap to the decision_designer.other_trusted_certs parameter of the custom resource file at a later stage in the installation.
For more information about Decision Designer configuration parameters, see Decision Designer parameters.
For more information about customizing the custom resources, see Configuring Decision Intelligence Client Managed Software.
Note: The key for each certificate entry must be a valid filename with a .crt extension.
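
A pre-flight check for the encryptionKeys value described in the first step, given here as an added example and not IBM's own tooling: it rejects a document whose activeKey is missing from secretKeyList, and it rotates to a new active key while keeping the older keys and their IDs. The function names, the uniqueness check on secretKeyId, and the key3 entry with its placeholder value are assumptions of this example.

```python
import json

# Sample value copied from the table in the first step of the page.
SAMPLE = ('{"activeKey":"key1","secretKeyList":['
          '{"secretKeyId":"key1", "value":"123344566745435"},'
          '{"secretKeyId":"key2", "value":"987766544365675"}]}')


class EncryptionKeysError(ValueError):
    """The encryptionKeys document breaks a rule stated on the page."""


def validate_encryption_keys(raw):
    """Parse encryptionKeys and return it as a dict, or raise EncryptionKeysError."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise EncryptionKeysError(f"not valid JSON: {exc}") from exc
    entries = doc.get("secretKeyList") if isinstance(doc, dict) else None
    if not isinstance(entries, list) or not entries:
        raise EncryptionKeysError("secretKeyList must be a non-empty list")
    ids = []
    for entry in entries:
        key_id = entry.get("secretKeyId") if isinstance(entry, dict) else None
        if not isinstance(key_id, str) or not key_id or not entry.get("value"):
            raise EncryptionKeysError("each entry needs a secretKeyId and a value")
        ids.append(key_id)
    if len(ids) != len(set(ids)):  # assumption: key IDs must be unique
        raise EncryptionKeysError("duplicate secretKeyId")
    if doc.get("activeKey") not in ids:
        # The page states Decision Designer does not start in this case.
        raise EncryptionKeysError("activeKey is not present in secretKeyList")
    return doc


def rotate_active_key(raw, new_id, new_value):
    """Add a new key and make it active, keeping older keys and their IDs."""
    doc = validate_encryption_keys(raw)
    if any(e["secretKeyId"] == new_id for e in doc["secretKeyList"]):
        raise EncryptionKeysError(f"secretKeyId {new_id!r} is already in use")
    doc["secretKeyList"].append({"secretKeyId": new_id, "value": new_value})
    doc["activeKey"] = new_id
    return json.dumps(doc)


if __name__ == "__main__":
    # "key3" and the placeholder value are constructed for this example.
    print(rotate_active_key(SAMPLE, "key3", "<NEW_SECRET_VALUE>"))
```

Run the validation on the exact string that goes under stringData.encryptionKeys before applying the secret, and supply the new key value from your own secret generation process.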