Configuring the decision runtime

You can customize the decision runtime secret and persistent volume.

About this task

The customization steps described here are optional as the installation applies the default configuration. However, if you change any parameter value inside the secret, you must update the secret.

For more information about configuration parameters for the decision runtime, see Configuration parameters.

Procedure

  1. Generate a runtime secret for sensitive configuration.

    Sensitive configuration settings must not be exposed in the custom resource YAML file.

    The ibm-ads-operator generates some of the settings automatically but you might want to define your own configuration.

    For example, you can create the following ibm-dba-ads-runtime-secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ibm-dba-ads-runtime-secret
    type: Opaque
    stringData:
      decisionServiceUsername: "drs"
      decisionServicePassword: "drsPassword"
      decisionServiceManagerUsername: "drsManager"
      decisionServiceManagerPassword: "drsManagerPassword"
      decisionRuntimeMonitorUsername: "drsMonitor"
      decisionRuntimeMonitorPassword: "drsMonitorPassword"
      deploymentSpaceManagerUsername: "depManager"
      deploymentSpaceManagerPassword: "depManagerPassword"
      encryptionKeys: |
        <ENCRYPTION_KEYS>
      sslKeystorePassword: "ssl-keystore-password"
    
    The parameters of the secret are explained in the following table.
    Important: Every username key must be unique.
    Table 1. ibm-dba-ads-runtime-secret configuration parameters
    Parameter Description Mandatory
    decisionServiceUsername The user name to authenticate with the decision runtime server for executing decision services. Yes
    decisionServicePassword The user password to authenticate with the decision runtime server for executing decision services. Yes
    decisionServiceManagerUsername The user name to authenticate with the decision runtime server for managing the decision archives. Not affected by decision_runtime.authentication_mode. Yes
    decisionServiceManagerPassword The user password to authenticate with the decision runtime server for managing the decision archives. Not affected by decision_runtime.authentication_mode. Yes
    decisionRuntimeMonitorUsername The user name to authenticate with the decision runtime server for monitoring the runtime server. Not affected by decision_runtime.authentication_mode. Yes
    decisionRuntimeMonitorPassword The user password to authenticate with the decision runtime server for monitoring the runtime server. Not affected by decision_runtime.authentication_mode. Yes
    deploymentSpaceManagerUsername The user name to authenticate with the decision runtime server for managing the deployment spaces. Not affected by decision_runtime.authentication_mode. Yes
    deploymentSpaceManagerPassword The user password to authenticate with the decision runtime server for managing the deployment spaces. Not affected by decision_runtime.authentication_mode. Yes
    encryptionKeys A data structure that encapsulates the secret to generate an Advanced Encryption Standard (AES) symmetric key for ciphering/deciphering the secrets. The data structure must be:
    {"activeKey":"key1","secretKeyList":[{"secretKeyId":"key1",
          "value":"123344566745435"},{"secretKeyId":"key2",
          "value":"987766544365675"}]}
    Where activeKey must exist in the secretKeyList and designates the secret to use for symmetric key derivation. If the activeKey value does not exist, the decision runtime won't start.
    Yes
    sslKeystorePassword A password used to generate SSL keystores. Yes
  2. Take care of untrusted TLS certificates.
    1. Get the TLS certificate of a running service.
      openssl s_client -connect <hostname>:<port> -servername <hostname> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    2. Create a ConfigMap that holds the TLS certificates of the services that are accessed by the decision runtime, namely the optional machine learning servers. (You will set this ConfigMap to the decision_runtime_service.tls.certs_config_map_name parameter of the custom resource file, at a later stage in the installation.)
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: runtime-tls-config
        labels:
          webapp: runtime
      data:
        decision_storage.crt: |
          -----BEGIN CERTIFICATE-----
               ...
          -----END CERTIFICATE-----
      
      Note: The key for each certificate entry must be a valid filename with a .crt extension.

    For more information about the decision runtime configuration parameters, see Configuration parameters.

  3. Add a parameter to configure allowed origins for the decision runtime and support the REST API to be called from a web application by using Cross-Origin Resource Sharing (CORS).
    See the sample configuration:
    decision_runtime:
      allowed_origins: http://localhost,https://localhost
  4. Add a parameter to configure the event emitter Kafka producers count for the decision runtime.
    See the sample configuration:
    decision_runtime:
      event_emitter:
        kafka_producers_count: 1
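
The rules stated in steps 1 and 2 (mandatory keys, unique user names, activeKey present in secretKeyList, ConfigMap keys ending in .crt) can be checked before the manifests are applied. The following is an added example, not part of the product or its documentation; the function names are hypothetical and the inputs are the stringData and data mappings as Python dictionaries.

```python
import json
import re

# Mandatory keys, taken from Table 1 on this page.
ROLES = ["decisionService", "decisionServiceManager",
         "decisionRuntimeMonitor", "deploymentSpaceManager"]
MANDATORY = ([r + s for r in ROLES for s in ("Username", "Password")]
             + ["encryptionKeys", "sslKeystorePassword"])

def check_runtime_secret(string_data):
    """Return a list of problems in the Secret's stringData mapping."""
    problems = [f"missing mandatory key: {k}"
                for k in MANDATORY if not string_data.get(k)]
    # "Every username key must be unique": group the *Username keys by value.
    by_name = {}
    for key, value in string_data.items():
        if key.endswith("Username"):
            by_name.setdefault(value, []).append(key)
    for value, keys in by_name.items():
        if len(keys) > 1:
            problems.append(f"user name {value!r} reused by {sorted(keys)}")
    # activeKey must name an entry of secretKeyList, or the runtime won't start.
    raw = string_data.get("encryptionKeys")
    if raw:
        try:
            doc = json.loads(raw)
            ids = [entry["secretKeyId"] for entry in doc["secretKeyList"]]
            if doc["activeKey"] not in ids:
                problems.append(f"activeKey {doc['activeKey']!r} not in secretKeyList")
        except (ValueError, KeyError, TypeError) as exc:
            problems.append(f"encryptionKeys has the wrong structure: {exc!r}")
    return problems

def check_cert_config_map(data):
    """Return a list of problems in the TLS ConfigMap's data mapping."""
    problems = []
    for key, pem in data.items():
        # Kubernetes allows only alphanumerics, '-', '_' and '.' in data keys.
        if not re.fullmatch(r"[A-Za-z0-9._-]+\.crt", key):
            problems.append(f"key {key!r} is not a file name ending in .crt")
        if not re.search(r"-----BEGIN CERTIFICATE-----.+-----END CERTIFICATE-----",
                         pem, re.S):
            problems.append(f"key {key!r} holds no PEM certificate block")
    return problems

if __name__ == "__main__":  # constructed sample: activeKey names a missing entry
    sample = {k: "example-" + k for k in MANDATORY}
    sample["encryptionKeys"] = '{"activeKey":"key3","secretKeyList":[{"secretKeyId":"key1","value":"x"}]}'
    print(check_runtime_secret(sample))
```

An empty list from both functions means the manifests satisfy the rules stated on this page; it does not assess password or key strength.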