Configuring custom resources

Learn how to configure custom resources for IBM Robotic Process Automation on Red Hat® OpenShift® Container Platform.

Before you begin

You need to create four secrets before you create the IBM RPA custom resource:

If you skip this step, the operator generates default credentials, but you get a warning message to change the Redis password. You must reinstall the IBM RPA operator with a new Redis secret to effectively change the password and remove the warning message.

For more information about configuring secrets, see Secrets 🡥.

Creating a database secret

Use the following command to create the secret:

oc create secret generic <NAME> -n <NAMESPACE> --from-literal=AddressContext='<ADDRESS_CONTEXT_CONNECTION_STRING>' --from-literal=AutomationContext='<AUTOMATION_CONTEXT_CONNECTION_STRING>' --from-literal=KnowledgeBase='<KNOWLEDGEBASE_CONTEXT_CONNECTION_STRING>' --from-literal=WordnetContext='<WORDNET_CONTEXT_CONNECTION_STRING>' --from-literal=AuditContext='<AUDIT_CONTEXT_CONNECTION_STRING>'

Replacing the following values:

  • NAME
    The name of your secret. It must match the name that you specify in the externalConnection section of the CR.

  • NAMESPACE
    The namespace that you want the secret to be created in. It can be the same namespace that you create your IBM RPA instance in.

  • ADDRESS_CONTEXT_CONNECTION_STRING
    The connection string to the address database.

  • AUTOMATION_CONTEXT_CONNECTION_STRING
    The connection string to the automation database.

  • KNOWLEDGEBASE_CONTEXT_CONNECTION_STRING
    The connection string to the knowledgebase database.

  • WORDNET_CONTEXT_CONNECTION_STRING
    The connection string to the wordnet database.

  • AUDIT_CONTEXT_CONNECTION_STRING
    The connection string to the audit database.

These connection strings must correspond to the Microsoft SQL Server databases you created as described in the Create the connection strings topic.

Example of connection string:

Data Source=dbserver.example.com\SQLEXPRESS,1433;Initial Catalog=automation;User ID=dbuser;Password=dbpass;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;ApplicationIntent=ReadWrite;MultiSubnetFailover=False

Creating an SMTP secret

Use the following command to create the secret:

oc create secret generic <NAME> -n <NAMESPACE> --from-literal=username=<USERNAME> --from-literal=password=<PASSWORD>

Replace the following values:

  • NAME
    The name of your secret. It must match the name that you specify in the userSecret property in the smtp section of the CR.

  • NAMESPACE
    The namespace that you want the secret to be created in. It needs to be the same namespace that you create your IBM RPA instance in.

  • USERNAME
    The username for the SMTP server.

  • PASSWORD
    The password for the SMTP server.

Creating the first tenant owner secret

Use the following command to create the secret:

oc create secret generic <NAME> -n <NAMESPACE> --from-literal=name=<USERNAME> --from-literal=email=<EMAIL>

Replace the following values:

  • NAME
    The name of your secret. It must match the name that you specify in the ownerSecret property in the firstTenant section of the CR.

  • NAMESPACE
    The namespace that you want the secret to be created in. It must be the same namespace that you create your RPA instance in.

  • USERNAME
    The username of the tenant admin.

  • EMAIL
    The email address of the tenant admin user.

Creating a Redis password secret

  1. Create a YAML secret locally with a specified password:

    apiVersion: v1
kind: Secret
metadata:
  name: <RPA-INSTANCE-NAME>-redis-rpa
  namespace: <NAMESPACE>
  labels:
    app.kubernetes.io/component: rpa
    app.kubernetes.io/instance: <RPA-INSTANCE-NAME>
    app.kubernetes.io/managed-by: ibm-rpa-operator
    app.kubernetes.io/name: redis
    rpa.automation.ibm.com/cr-name: <RPA-INSTANCE-NAME>
data:
  ADMIN_PASSWORD: <PASSWORD>
type: Opaque

    Replace the following values:

    • RPA-INSTANCE-NAME
      The name of your IBM RPA instance, which is specified in the name property of your Robotic Process Automation CR.

    • NAMESPACE
      The namespace that you want the secret to be created in. It needs to be the same namespace that you create your IBM RPA instance in.

    • PASSWORD
      The base64-encoded password for Redis.

  2. Apply the file:

    oc apply -f <FILENAME>.yaml

    Replace FILENAME with the path to the YAML file.

Important:
  • You cannot change the password after installing the operator.
  • If you don't create a password secret, the operator generates a default password and you get warning messages advising you to change the password.
  • To remove the warning message and change the password, you must create a new Redis password secret and reinstall the IBM RPA operator.
- To remove the warning message and change the password, you must create a new Redis password secret and reinstall the IBM RPA operator.

Basic setup

The following example shows a minimal IBM RPA custom resource that contains all the required sections and properties:

apiVersion: rpa.automation.ibm.com/v1beta1
kind: RoboticProcessAutomation
metadata:
  name: rpa-sample
spec:
  license:
    accept: true
  version: 1.12.0
  tls: {}
  api:
    externalConnection:
      secretName: rpa-db
    firstTenant:
      name: ibm
      owner:
        ownersecret:
          secretName: rpa-owner
    replicas: 1
    smtp:
      port: 587
      server: smtp.example.com
      userSecret:
        secretName: rpa-smtp
    storage: {}
  ui:
    replicas: 1
  ocr:
    replicas: 1

Understanding required CR sections

  • license
    Accept the license. Refer to IBM RPA license 🡥 for license details.
  • version
    Specify the version of the IBM RPA operand. Refer Versioning reference for available options.
  • tls
    Specify an empty TLS section in order for the operator to create self-signed certificates.
  • externalConnection
    Specify the name of a secret that contains the database connection strings.
  • api
    • firstTenant
      Specify the authentication configuration for the first tenant.
      • name
        Name of the first tenant
      • owner
        • ownerSecret
          Name of the secret that contains the username and email for the first tenant owner.
    • replicas
      Number of replicas of the IBM RPA's API server pod.
    • smtp
      Configure the SMTP server that IBM RPA uses to send email notifications.
      • port
        The port number used to connect to the SMTP server by using TLS.
      • server
        The hostname of the SMTP server
      • userSecret
        Name of the secret that contains the username and password for the SMTP server.
    • storage
      By specifying an empty storage section, the operator creates persistent volume claims using the cluster default storage class.
  • ui
    • replicas
      The number of replicas of the UI server pod.
  • ocr
    • replicas
      The number of replicas of the ABBYY™ Optical Character Recognition (OCR) pod. If you specify 0, no OCR pods are created.

Optional configurations

There are several sections that you get by default, but do not need to specify in the CR. You can include them if you want to customize their values and change the default behavior:

  • antiVirus
    Configures the antiVirus component of IBM RPA. This section is optional. If you do not specify it, the default number of replicas is 1.
    • replicas
      The number of replicas of the antivirus pod. If you specify 0, no antivirus pods are created.
  • nlp
    Configures the NLP provider component of IBM RPA. This section is optional. If you do not specify it, the default number of replicas is 1.
    • replicas
      The number of replicas of the NLP pod. If you specify 0, no NLP pods are created.
Important:If you are on a cluster or IBM RPA tenant with FIPS enabled, define the number of nlp replicas to 0.

  • webDriverUpdates
    Configures whether the server should look for web browser driver updates.

  • systemQueueProvider
    Configures the system queue provider for IBM RPA.

    • highAvailability
      If you do not specify highAvailability in the CR, the default value is false and deploys a single instance of IBM MQ as the system queue provider. If true, it deploys a high-availability configuration of IBM MQ.

    • supplementalGroups
      Provides a list of Linux™ Group IDs to be set on a container. This may be required when using NFS storage, for example:

      supplementalGroups:
- 4001
- 4002

      If you install IBM RPA on Red Hat® OpenShift® Kubernetes Service on IBM Cloud (ROKS) or on Red Hat® OpenShift® Service on AWS (ROSA), use the following configuration:

      supplementalGroups:
- 65534
      Important:For clusters with Red Hat Enterprise Linux™ 7, use 99 instead of 65534.

      To learn more, see Configuring storage. See IBM MQ in containers and IBM Cloud Pak for Integration for additional settings.

  • createRoutes
    Configures whether the IBM RPA operator creates Red Hat® OpenShift® Container Platform routes for IBM RPA.

false means that the IBM RPA does not create its own routes and true means that IBM RPA creates is own routes. If you do not specify createRoutes, the default value is false.

Example:

apiVersion: rpa.automation.ibm.com/v1beta1
kind: RoboticProcessAutomation
metadata:
  name: rpa-sample
spec:
  license:
    accept: true
  version: 1.12.0
  tls: {}
  api:
    externalConnection:
      secretName: rpa-db
    firstTenant:
      name: ibm
      owner:
        ownersecret:
          secretName: rpa-owner
    replicas: 1
    smtp:
      port: 587
      server: smtp.example.com
      userSecret:
        secretName: rpa-smtp
    storage: {}
    webDriverUpdates:
      enabled: true
    systemQueueProvider:
      storage:
        class: my-storage-class
  ui:
    replicas: 1
  ocr:
    replicas: 1

Note: In basic configuration, you get one replica by default but you do not need to specify in the CR.

Template

You can also create a template for your container by using the following fields:

  • template (optional)
    The object that describes the pod overrides that are used when pods are created.
    • pod (optional)
      Contains the pod information.
      • metadata (optional)
        Customize the task manager pods metadata.
        • annotations
          Set or override annotations on the task manager pods.
      • spec (optional)
        Contains the pod container and scheduling information.
        • containers (optional)
          Contains the specification for pod container overrides.
          • name (required): For example, taskmanager.
          • resources
            Describes the compute resource requirements.
          • image
            Override the container image.
          • imagePullPolicy
            Override imagePullPolicy.
        • affinity (optional)
          Affinity information for pod scheduling. For more information, see the Kubernetes documentation 🡥.
          • nodeAffinity (optional)
            Use it to select which nodes are selected by the scheduler.
          • podAffinity (optional)
            Use it to influence where your pods are deployed based on already deployed pods.
          • podAntiAffinity (optional)
            Describes the pod anti-affinity scheduling rules, such as to avoid putting this pod in the same node or zone as some other pod.
        • tolerations
          An optional core/v1/Tolerations array to specify toleration for scheduling taints. For more information, see the Kubernetes documentation 🡥.

An example of a template includes:

spec:
  template:
    pod:
      spec:
        containers:
        - name: svc
          resources:
            requests:
              cpu: 8
              memory: 64Gi
            limits:
              cpu: 10
              memory: 128Gi
        - name: sidecar
          resources:
            requests:
              cpu: 1
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: kubernetes.io/arch
                  operator: In
                  values:
                  - amd64
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/component: rpa
                    app.kubernetes.io/instance: test-instance
                    app.kubernetes.io/managed-by: ibm-rpa-operator
                    app.kubernetes.io/name: apiserver
                    rpa.automation.ibm.com/cr-name: test-instance
                topologyKey: kubernetes.io/hostname
              weight: 80

Labels and annotations

Labels and annotations that are defined on a CR can be merged with the labels and annotations that are defined by the operator. Based on priority, the order of these labels and annotations is:

  • Template form labels and annotation (highest priority)
  • Short form label and annotation
  • Default from operator (lowest priority)

The labels and annotations can be applied to pods.

If the CR has only one main deployment, or if the deployments do not need to be configured independently, then you can configure the labels and annotations by using the labels and annotations keys:

spec:
  labels:
    my.custom/label: "foo"
  annotations:
    my.custom/annotation: "bar"

If the CR has multiple components that need to be configured independently, the keys can be included in component subsections:

spec:
  ui:
    labels:
      my.custom/label: "foo"
    annotations:
      my.custom/annotation: "bar"
  api:
    labels:
      my.custom/label: "fizz"
    annotations:
      my.custom/annotation: "buzz"

Or alternatively, the block can be split by component:

spec:
  labels:
    ui:
      my.custom/label: "foo"
    api:
      my.custom/label: "fizz"
  annotations:
    ui:
      my.custom/annotation: "bar"
    api:
      my.custom/annotation: "buzz"

Workload placement with node selectors

The schema must mark nodeSelector fields with the selector spec descriptor.

If there is only one main deployment for the CR, or the deployments do not need to be configured independently, then the node selectors are configured using the nodeSelector key:

spec:
  nodeSelector:
    disktype: ssd

If there are multiple components that need to be configured independently, the key can be included in component subsections:

spec:
  ui:
    nodeSelector:
      type: edge
  api:
    nodeSelector:
      disktype: ssd

Or alternatively, the block can be split by component:

spec:
  nodeSelector:
    ui:
      type: edge
    api:
      disktype: ssd

Customization for Redis

This is an optional Redis resource override that applies a uniform memory and CPU limit change to all the Redis resources, namely ProxyLog, DB, Proxy, and Mgmt.

The CR override is a top-level CR attribute sharedCache, as follows:

sharedCache:
  memoryLimit: 250Mi
  cpuLimit: 0.8

By default, the value of memoryLimit is 100Mi and cpuLimit is set to 0.4.

Compute resource limits

You can customize compute resource limits, in terms of CPU and memory. It uses the field name resources.

This is specified as follows:

Field Description
requests (object) Requests describe the minimum amount of compute resources that are required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value.
requests.cpu (Quantity) The CPU request.
requests.memory (Quantity) The memory request.
limits (object) Limits describe the maximum amount of compute resources that are allowed.
limits.cpu (Quantity) The CPU limit.
limits.memory (Quantity) The memory limit.

Here's an example:

resources:
  requests:
    cpu: "8"
    memory: 64Gi
  limits:
    cpu: "12"
    memory: 128Gi

This may also be used in the template form as an override to be merged onto a container. This should only be used where a container is unlikely to have its resource limits changed by a user:

spec:
  template:
    pod:
      containers:
      - name: helper-pod
        resources:
          requests:
            cpu: 0.5
            memory: 128Mi
          limits:
            cpu: 1
            memory: 128Mi