Configuring storage

By default, the operator does not specify a storageClass during PVC creation, so the cluster default is used.

IBM RPA requires a storage class that supports ReadWriteMany. If your cluster default does not support it, you must specify a storage class that does.

You can specify the storage class and size that is used for each persistent volume claim that the IBM RPA operator creates. Use the storage section as shown in the following example:

apiVersion: rpa.automation.ibm.com/v1beta1
kind: RoboticProcessAutomation
metadata:
  name: rpa-sample-persistence-overrides
spec:
  license:
    accept: true
  tls: {}
  api:
    replicas: 1
    externalConnection:
      secretName: rpa-db-auth
    firstTenant: 
      groupMappings: 
        adminGroups: rpa-ibm-admins; managers
        superAdminsGroups: rpa-superadmins; bosses
        userGroups: rpa-ibm-users; employees
      name: super-tenant
      owner: 
        email: super-user-email
        name: super-user-name
    smtp: 
      port: 66
      server: 127.0.0.1
      userSecret: 
        secretName: smtp-secret-name
    storage:
      hot:
        size: 7Gi
        class: csi-cephfs
      archive:
        size: 11Gi
        class: csi-cephfs
  ui:
    replicas: 1
  version: 2.2.0
  ocr:
    replicas: 1

You can specify the label selector that is used to select a persistent volume for the persistent volume claim. Use the selector attribute of the hot and archive sections to select the persistent volume. See the Kubernetes label selectors documentation for syntax.

You can specify the storage class that is used for persistent volumes that are created by IBM MQ in the IBM RPA custom resource. Use the systemQueueProvider section as shown in the following code:

apiVersion: rpa.automation.ibm.com/v1beta1
kind: RoboticProcessAutomation
metadata:
  name: rpa-sample-mq-persistence-overrides
spec:
  license:
    accept: true
  tls: {}
  api:
    replicas: 1
    externalConnection:
      secretName: rpa-db-auth
    firstTenant: 
      groupMappings: 
        adminGroups: rpa-ibm-admins; managers
        superAdminsGroups: rpa-superadmins; bosses
        userGroups: rpa-ibm-users; employees
      name: super-tenant
      owner: 
        email: super-user-email
        name: super-user-name
    smtp: 
      port: 66
      server: 127.0.0.1
      userSecret: 
        secretName: smtp-secret-name
  ui:
    replicas: 1
  version: 2.2.0
  ocr:
    replicas: 1
  systemQueueProvider:
    storage:
      class: "csi-cephfs"

You can specify the storage class that is used for persistent volumes that are created by Zen by manually replacing the AutomationUIConfig resource with the desired storage class before you create the IBM RPA instance. Replace the AutomationUIConfig with the following steps:

  1. Delete the existing AutomationUIConfig resource:

     oc delete AutomationUIConfig iaf-system

  2. Create a new resource with the desired storage class (the EOF terminator must start at the beginning of its line):

     cat <<EOF | oc apply -f -
     apiVersion: core.automation.ibm.com/v1beta1
     kind: AutomationUIConfig
     metadata:
       name: iaf-system
     spec:
       license:
         accept: true
       version: 1.3.11
       tls: {}
       storage:
         class: "csi-cephfs"
     EOF

For more details about Zen storage options, see the Zen documentation.

Storage permissions

If your storage configuration requires you to use a particular group or supplemental groups, you can customize it in the storage section of the IBM RPA CR. The following example demonstrates how to use fsGroup and supplementalGroups:

apiVersion: rpa.automation.ibm.com/v1beta1
kind: RoboticProcessAutomation
metadata:
  name: rpa-sample-storage-permissions
spec:
  license:
    accept: true
  tls: {}
  api:
    replicas: 1
    externalConnection:
      secretName: rpa-db-auth
    firstTenant: 
      name: super-tenant
      owner: 
        email: super-user-email
    smtp: 
      port: 66
      server: 127.0.0.1
      userSecret: 
        secretName: smtp-secret-name
    storage:
      fsGroup: 4000
      supplementalGroups:
      - 4001
      - 4002
  ui:
    replicas: 1
  version: 2.2.0
  ocr:
    replicas: 1
  systemQueueProvider:
    supplementalGroups:
    - 4001
    - 4002

The fsGroup and supplementalGroups properties of the storage section are used to set the PodSecurityContext for the API server. You can also configure supplementalGroups to be used by System Queue Provider containers.

Note: If fsGroup or supplementalGroups are required, you might need to provide a SecurityContextConstraint that is configured to support the specified values.

If you install IBM RPA on Red Hat® OpenShift® Kubernetes Service on IBM Cloud (ROKS) or on Red Hat® OpenShift® Service on AWS (ROSA), use the following configuration:

supplementalGroups:
- 65534

Important: For clusters with Red Hat Enterprise Linux™ 7, use 99 instead of 65534.

See the following example of the settings that are required in a SecurityContextConstraint to accommodate these configurations:

fsGroup:
  ranges:
    - max: 3000
      min: 2000
  type: MustRunAs
supplementalGroups:
  type: RunAsAny

Storage on ROSA

IBM RPA requires a storage class that supports ReadWriteMany. Red Hat® OpenShift® Service on AWS (ROSA) does not provide ReadWriteMany storage by default, so you must install a storage provider that supports it.

AWS supports ReadWriteMany storage using Amazon Elastic File System (EFS). See Create your Amazon EFS file system in the AWS documentation for installation instructions.

After you create an EFS storage provider, you need to install the AWS Elastic File Service CSI Driver Operator. See Creating the AWS EFS storage class using the CLI in the AWS documentation for installation instructions.

Once you have created and connected the AWS EFS CSI Driver, you need to create the following storage class for IBM RPA:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
  annotations:
    storageclass.kubernetes.io/is-default-class: 'true'
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap 
  fileSystemId: fs-<file-system-id> 
  directoryPerms: "750" 
  gid: '65534'
  uid: '65534'
  basePath: "/dynamic_provisioning" 

The storage class configuration for IBM RPA differs from the example given in the OpenShift® documentation in the following ways:

  • directoryPerms: 750 sets the required permissions of the root directory of the volume.
  • gid and uid must be fixed values because they must match the supplemental group (65534) provided in the IBM RPA custom resource.
  • storageclass.kubernetes.io/is-default-class has been set to true so that this storage class is used by IBM RPA. If you do not want to make this the cluster default class, specify the storage class in the IBM RPA CR instead.
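The two requirements above and in the storage permissions section (the SCC must admit the fsGroup and supplementalGroups values in the CR, and the EFS storage class's fixed gid must match the CR's supplemental groups) are easy to get out of step, and a pod that is rejected by admission or cannot write to its volume is the usual symptom. The following Python script is an added example, not part of IBM's documentation or of the operator, that runs both checks offline against the relevant fragments of a RoboticProcessAutomation CR, a SecurityContextConstraint and a StorageClass. The sample objects are constructed inline (the EFS file system ID is a placeholder), and the function names (gid_allowed, check_scc, check_efs_class) are my own.

```python
"""Offline pre-flight checks for IBM RPA storage permissions (added example).

check_scc():       does every fsGroup / supplementalGroups value in the RPA CR
                   fit the fsGroup and supplementalGroups strategies of the
                   SecurityContextConstraint that will admit its pods?
check_efs_class(): do the fixed uid/gid of an EFS access-point StorageClass
                   match the supplemental groups in the CR, and is
                   directoryPerms the required 750?
All objects below are constructed samples, not taken from a live cluster.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample: only the storage-relevant parts of an IBM RPA CR.
RPA_CR: Dict[str, Any] = {
    "apiVersion": "rpa.automation.ibm.com/v1beta1",
    "kind": "RoboticProcessAutomation",
    "metadata": {"name": "rpa-preflight-sample"},
    "spec": {
        "api": {"storage": {"fsGroup": 4000, "supplementalGroups": [4001, 65534]}},
        "systemQueueProvider": {"supplementalGroups": [4001, 65534]},
    },
}

# Constructed sample SCC fragments (group strategies only).
SCC_PERMISSIVE: Dict[str, Any] = {
    "fsGroup": {"type": "RunAsAny"},
    "supplementalGroups": {"type": "RunAsAny"},
}
SCC_RANGED: Dict[str, Any] = {
    "fsGroup": {"type": "MustRunAs", "ranges": [{"min": 2000, "max": 3000}]},
    "supplementalGroups": {"type": "MustRunAs", "ranges": [{"min": 4000, "max": 4999}]},
}

# Constructed sample StorageClass in the shape of the EFS class shown above;
# the file system ID is a placeholder, not a real value.
EFS_SC: Dict[str, Any] = {
    "kind": "StorageClass",
    "metadata": {"name": "efs-sc"},
    "provisioner": "efs.csi.aws.com",
    "parameters": {
        "provisioningMode": "efs-ap",
        "fileSystemId": "fs-PLACEHOLDER",
        "directoryPerms": "750",
        "gid": "65534",
        "uid": "65534",
        "basePath": "/dynamic_provisioning",
    },
}


def gid_allowed(gid: int, strategy: Dict[str, Any]) -> bool:
    """Apply one SCC group strategy to one gid.

    RunAsAny admits any value; MustRunAs admits only values inside a listed
    range. A MustRunAs strategy without explicit ranges defers to the project's
    range annotation, which an offline check cannot see, so it fails closed.
    """
    kind = strategy.get("type")
    if kind == "RunAsAny":
        return True
    if kind == "MustRunAs":
        return any(r["min"] <= gid <= r["max"] for r in strategy.get("ranges", []))
    return False  # unknown or missing strategy type: fail closed


def _cr_groups(cr: Dict[str, Any]) -> List[Tuple[str, List[int]]]:
    """Return (path, supplemental gids) for both places the CR can set them."""
    spec = cr.get("spec", {})
    api_storage = spec.get("api", {}).get("storage", {})
    mq = spec.get("systemQueueProvider", {})
    return [
        ("spec.api.storage.supplementalGroups", api_storage.get("supplementalGroups", [])),
        ("spec.systemQueueProvider.supplementalGroups", mq.get("supplementalGroups", [])),
    ]


def check_scc(cr: Dict[str, Any], scc: Dict[str, Any]) -> List[str]:
    """Return problems found; an empty list means the SCC admits every value."""
    problems: List[str] = []
    fs_group = cr.get("spec", {}).get("api", {}).get("storage", {}).get("fsGroup")
    if fs_group is not None and not gid_allowed(fs_group, scc.get("fsGroup", {})):
        problems.append(f"spec.api.storage.fsGroup {fs_group} is not admitted by the SCC fsGroup strategy")
    for path, groups in _cr_groups(cr):
        for gid in groups:
            if not gid_allowed(gid, scc.get("supplementalGroups", {})):
                problems.append(f"{path} {gid} is not admitted by the SCC supplementalGroups strategy")
    return problems


def check_efs_class(cr: Dict[str, Any], sc: Dict[str, Any]) -> List[str]:
    """Return problems with an EFS access-point StorageClass used for IBM RPA."""
    problems: List[str] = []
    if sc.get("provisioner") != "efs.csi.aws.com":
        return problems  # the fixed uid/gid requirement is specific to the EFS CSI driver
    params = sc.get("parameters", {})
    if params.get("provisioningMode") != "efs-ap":
        problems.append("parameters.provisioningMode must be efs-ap")
    if params.get("directoryPerms") != "750":
        problems.append("parameters.directoryPerms must be 750")
    try:
        int(params["uid"])
        gid = int(params["gid"])
    except (KeyError, ValueError):
        return problems + ["parameters.uid and parameters.gid must be fixed numeric values"]
    # The volume root is owned by uid:gid with mode 750, so every pod that
    # writes to it must carry that gid as a supplemental group.
    for path, groups in _cr_groups(cr):
        if gid not in groups:
            problems.append(f"StorageClass gid {gid} is missing from {path} {groups}")
    return problems


if __name__ == "__main__":
    for label, scc in (("permissive", SCC_PERMISSIVE), ("ranged", SCC_RANGED)):
        print(f"SCC {label}:", check_scc(RPA_CR, scc) or "ok")
    print("EFS class:", check_efs_class(RPA_CR, EFS_SC) or "ok")
```

Run it with the fragments of your own CR, SCC and StorageClass substituted for the constructed ones (for example from `oc get scc <name> -o json`); a non-empty list tells you which value to change before you create the IBM RPA instance. The check deliberately fails closed for a MustRunAs strategy without explicit ranges, because the admitted range then comes from the project annotation that this offline script does not read.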

Encryption

You can use passive disk encryption, if it is supported by your chosen storage provider. If you want data at rest to be encrypted, you must provide a storage class that implements encryption.