Configuring a single-container deployment of ibm-itx-rs
A deployment of the ITX Runtime Server as a single container is configured with a YAML file which provides overrides to the default Runtime Server configuration file. This file must be provided at /data/config/config.yaml. It is recommended to separately add this override file to the volume which is used for the /data directory in the container. This file must be readable by the Runtime Server user which is used inside of the container (UID 1001, itxuser). The directory /data/config should be writable by this user. This mechanism is not used with Helm installations of the Runtime Server.
The override file follows the format of the ITX product configuration file config.yaml. Only the properties for which overrides are desired need to be in the override file. Several configuration parameters which are specific to the Runtime Server may be placed in the override file. These are described below.
The environment variables which were used for configuration in previous releases are not supported with one exception. The environment variable ITX_RS_LICENSE_ACCEPT must be set with value true to accept the license and use the container image. For example, the Docker command line option -e ITX_RS_LICENSE_ACCEPT=true could be used.
The following config.yaml properties are only used with the Runtime Server:
| config.yaml property | Description |
|---|---|
| Logging | |
| rest.logging.addWebServerConsoleLogging |
A boolean property which, when true, causes the REST server to send logging information to the container stderr stream. The default value is false. This property is analogous to the formerly supported environment variables ITX_RS_LOG_SERVICE_LOG_STD_ERR and ITX_RS_LOG_EXEC_LOG_STD_ERR. |
| rest.logging.disableWebServerAccessLogging |
A boolean property which, when true, disables the Runtime Server access log file. The default value is false (access log enabled). This property is analogous to the formerly supported environment variable ITX_RS_LOG_ACCESS_LOG_LEVEL. |
| rest.logging.useHostname |
A boolean property which, when true, causes the hostname to be added to Runtime Server log files. The default value is false for the single-container deployment. This property is analogous to the formerly supported environment variable ITX_RS_LOG_INCLUDE_HOST_IN_LOG_NAME. |
| SSL/TLS | |
| rest.inbound.mutualTls |
A boolean property which, when true, causes the Runtime Server to authenticate clients. A CA certificate file must be provided in this case. The default value is false. This property is analogous to the formerly supported environment variable ITX_RS_SSL_CLIENT_AUTH. |
| Redis TLS [valid for single-container deployments only when an external Redis server is used (redis.deploy is false)] | |
| redis.port | A value of 0 should be used when the external server uses TLS. The value must be non-zero when the external Redis server does not use TLS. |
| redis.tlsPort | The listening port for TLS connections of the external Redis server. The value must be zero if redis.port is non-zero. By default, TLS is not used. |
| redis.client.ssl.enabled | A boolean value which, when true, indicates that TLS should be used when connections are made to the Redis server. TLS parameters are ignored if this value is false. The default value is false. |
| redis.client.ssl.ca | The absolute path in the container of a PEM trust store file which is used to authenticate the Redis server. The default value is empty. |
| redis.client.ssl.cert | The absolute path in the container of a PEM certificate chain file which will be provided to the Redis server when it performs client authentication. The default value is empty. |
| redis.client.ssl.key | The absolute path in the container of a PEM private key file which will be used by the client when the Redis server performs client authentication. The default value is empty. |
| redis.client.ssl.sni | A hostname string which will be used by the client for the TLS SNI extension when the Redis server requires use of this extension. The default value is empty. |
Other configuration is provided through the regular ITX configuration options.
For the Runtime Server, HTTP and HTTPS are enabled or disabled with the rest.inbound.ports mapping. A value of 0 disables the scheme. A non-zero value provides the listening port for the scheme. By default, HTTP uses port 8080, and HTTPS is disabled. The tomcat.inbound.ports mapping is not used.
TLS is enabled for the Runtime Server by providing a non-zero value for the rest.inbound.ports.https property as mentioned above. The server certificate is provided as a PEM file at /opt/server/ssl/cert.pem in the container. The server private key is provided as a PEM file at /opt/server/ssl/key.pem in the container. If mutual authentication is used by setting rest.inbound.mutualTls to true, then a CA trust store is provided as a PEM file at /opt/server/ssl/ca.pem in the container. These files must be readable by the Runtime Server user (UID 1001, itxuser).
Authentication is provided in a single-container deployment of the Runtime Server through mutual TLS. The property rest.inbound.authentication.enabled is false for the Runtime Server.
By default, a single-container deployment of the Runtime Server is unfenced (rest.mode). If fenced mode is used, a Redis server will be created within the container by default. An external Redis server is not needed in this case. The default directory in the container for the Redis server database file redis.rdb is /data/catalog.
If an external Redis server is used for a single-container deployment, then communication with the Redis server over TLS is supported. An external Redis server is used if redis.deploy is false. By default, as mentioned above, an internal Redis server is used. Redis TLS parameters are provided in the table above. By default, TLS is not used when an external Redis server is used. The files must be readable by the Runtime Server user. The parameter for the non-TLS port, redis.port, must be 0 when TLS is used. The TLS port of the Redis server is given by redis.tlsPort.
Logging is configured through the properties of the rest.logging mapping such as rest.logging.level and rest.logging.rotation.fileAge. Also, the rest.executor.trace property can be used to send flow executor logging to stdout or stderr instead of being sent to a file.