Custom resources for advanced configuration
IBM® Automation foundation uses Kubernetes custom resources (CRs) for configuration. All the CRs are in the API groups that end with automation.ibm.com
. These API groups have a version of v1beta1
.
The following custom resources are used internally by IBM Automation foundation but awareness of them is useful for advanced configuration tasks.
Custom resource kind | Purpose |
---|---|
Cartridge | Describes a cartridge (extension) of IBM Automation foundation |
CartridgeRequirements | Describes the requirements of a cartridge (extension) of IBM Automation foundation |
EventProcessor | Describes an event processor |
The custom resource definitions (CRDs) for these kinds are declared in IBM Automation foundation's ClusterServiceVersion
.
Similar to a Kubernetes resource, these custom resources contain the following elements:
- a
metadata
field that describes the resource - a specification in a
spec
field - a
status
field
Note the following points about a CRD:
- In the representations of the following CRDs, the field that is suffixed with
[]
indicates an array and the field that is suffixed with{}
indicates default configuration. - Where a child element is marked as
mandatory
for a parent that isoptional
, that child element is mandatory only if the parent element is included.
Cartridge
The Cartridge
custom resource represents a cartridge that extends IBM Automation foundation. Complete information on Cartridge registration is found at Registration.
Cartridge CustomResourceDefinition
Cartridge YAML structure
The Cartridge
definition is organized in the following structure.
apiVersion: core.automation.ibm.com/v1beta1
kind: Cartridge
metadata: ~
spec:
description: ~
version: ~
status:
components:
ui:
endpoints:
caSecret:
secretName: ~
key: ~
casecret:
secretname: ~
key: ~
name: ~
scope: ~
type: ~
uri: ~
Cartridge details
- Cartridge:
- metadata (required): Refer to the Kubernetes API documentation for the fields of the metadata field. Make sure that the
name
field follows the naming conventions that are described in Technical naming of cartridges. - spec (required):
_CartridgeSpec_
defines the wanted specifications of the Cartridge.- description (optional): Provides a description of the Cartridge.
- version (mandatory): Desired version of the operand.
- status: IBM Automation foundation instance status.
- components (optional): The status of the components. Returned only when at least one of the components is enabled.
- ui: Information that is needed to access the IBM Automation foundation user interface. Endpoints of types
route
,service
, or both are returned here. The endpoint of typeroute
is configured with thepassthrough
TLS method. You can change the Route configuration.- endpoints: Access details to access the user interface.
- name: A name that represents this endpoint information.
- type: The type of endpoint, UI.
- scope: External.
- uri: The route URL to access the UI.
- caSecret (optional): Represents that
tls
is enabled. A reference to the public certificate that is used to protect the endpoint and verify the provided issuer.- secretName: Name of the secret.
- key: Key of the public key of CA within the secret.
- casecret: Equivalent to the previous field but
deprecated
as it is not consistent with the API used elsewhere. This is filled out along with the previous field for 1.1.x Cartridge Operands.- secretname:
- key:
- endpoints: Access details to access the user interface.
- managedResources: Inventory resources managed by this custom resource.
- conditions: Defines status of subresources that need to be ready before
Cartridge
is ready.
- ui: Information that is needed to access the IBM Automation foundation user interface. Endpoints of types
- components (optional): The status of the components. Returned only when at least one of the components is enabled.
- metadata (required): Refer to the Kubernetes API documentation for the fields of the metadata field. Make sure that the
Cartridge sample YAML
The following example shows a Cartridge
definition:
apiVersion: core.automation.ibm.com/v1beta1
kind: Cartridge
metadata:
name: com.acme.smartdecisions-dashboard
namespace: acme-iaf
spec:
description: "ACME Smart Decisions Dashboard"
version: "v1.0"
license:
accept: true
Cartridge status
The returned status
section takes the following form:
status:
components:
ui:
endpoints:
type: UI
name: external-route-https
scope: External
uri: https://iaf-system-ui.acme-iaf.acme.com
caSecret:
secretName: iaf-system-ui-tls-secret
key: ca.crt
casecret:
secretname: iaf-system-ui-tls-secret
key: ca.crt
conditions:
- lastTransitionTime: '2021-03-03T14:12:00Z'
status: 'True'
type: BedrockReady
- lastTransitionTime: '2021-03-03T14:26:01Z'
message: Cartridge successfully registered
reason: Registered
status: 'True'
type: Ready
CartridgeRequirements
The CartridgeRequirements
CR represents a cartridge that extends IBM Automation foundation. This CR is to be issued after the Cartridge
CR is issued and need not wait until the Cartridge
CR is Ready
.
CartridgeRequirements CustomResourceDefinition
CartridgeRequirements YAML structure
The CartridgeRequirements
definition is organized in the following structure:
apiVersion: base.automation.ibm.com/v1beta1
kind: CartridgeRequirements
metadata:
annotations: ~
spec:
requirements: ~
externalCartridges: ~
status:
components:
apicurio:
endpoints:
name: ~
scope: ~
type: ~
uri: ~
elasticsearch:
endpoints:
authentication:
secret:
secretName: ~
type: ~
caSecret:
key: ~
secretName: ~
name: ~
scope: ~
type: ~
uri: ~
kafka:
endpoints:
authentication:
secret:
secretName: ~
type: ~
bootstrapServers: ~
caSecret:
key: ~
secretName: ~
name: ~
scope: ~
type: ~
conditions: ~
managedResources: ~
CartridgeRequirements details
- CartridgeRequirements:
- metadata (required): Refer to the Kubernetes API documentation for the fields of the metadata field.
- annotations (required):
com.ibm.automation.cartridge
represents the Cartridge name.
- annotations (required):
- spec (required): CartridgeRequirementsSpec.
- requirements [] (optional): List of the IBM Automation foundation capabilities that the Cartridge is to use. Allowed values:
Events
,EventProcessors
(Deprecated),OperationalDataStore
. - externalCartridges [] (optional): List of technical Cartridge names that the Cartridge is to expect shared data from.
- requirements [] (optional): List of the IBM Automation foundation capabilities that the Cartridge is to use. Allowed values:
- status: CartridgeRequirements status.
- components: The status of the components that satisfy the requirements.
- apicurio (optional): Information that is needed to access the Apicurio registry.
- endpoints: List of endpoints that are available to access the Apicurio registry.
- type: The type of endpoint, API.
- name: A name that represents this endpoint information.
- scope:
Internal
,External
. - uri: An endpoint-specific address that is used for connections.
- endpoints: List of endpoints that are available to access the Apicurio registry.
- elasticsearch: Information that is needed to access Elasticsearch.
- endpoints: List of endpoints that are available to access Elasticsearch.
- type: The type of endpoint, API.
- name: A name that represents this endpoint information.
- scope:
Internal
,External
. - uri: Complete endpoint access URL.
- authentication: Authentication details to access the Elasticsearch.
- type: The type of the authentication mechanism. Default is
BasicSecret
. - secret: For
type: BasicSecret
, this references a basic auth type secret, which contains ausername
and apassword
field.- secretName: Name of the secret.
- type: The type of the authentication mechanism. Default is
- caSecret (optional): Represents that
tls
is enabled. A reference to the public certificate that the endpoint is protected with.- secretName: Name of the secret.
- key (optional): Key of the public key of CA within the secret.
- endpoints: List of endpoints that are available to access Elasticsearch.
- kafka (optional): Information that is needed to access the Kafka cluster. Available only when
Events
is a requirement in theCartridgeRequirementsSpec
.- endpoints: List of endpoints that are available to access Kafka.
- type: The type of endpoint, Kafka.
- name: The name that represents this endpoint information.
- scope:
Internal
,External
. - bootstrapServers: Complete endpoint access URL.
- authentication: Authentication details to access the Kafka.
- type: The type of the authentication mechanism. Default is
ScramSha512Secret
. - secret: For
type: ScramSha512Secret
, this references a secret where its name is the username and it contains apassword
field.- secretName: Name of the secret.
- type: The type of the authentication mechanism. Default is
- caSecret (optional): Represents that
tls
is enabled. A reference to the public certificate that the endpoint is protected with.- secretName: Name of the secret.
- key (optional): Key of the public key of CA within the secret.
- endpoints: List of endpoints that are available to access Kafka.
- apicurio (optional): Information that is needed to access the Apicurio registry.
- managedResources: Inventory resources that are managed by this custom resource.
- conditions: Defines status of subresources that need to be ready before
CartridgeRequirements
is ready.
- components: The status of the components that satisfy the requirements.
- Events: Specifying
Events
gets Kafka and Apicurio in status.Events
is mandatory for EventProcessors requirements.
- metadata (required): Refer to the Kubernetes API documentation for the fields of the metadata field.
Note:
- If Kafka is not present in
AutomationBase
CR, then the prerequisite forEvents
is not met and theCartridgeRequirements
CR does not go to theReady
state. It waits for a successfulKafkaReady
condition in theAutomationBase
CR. Similarly, for theEventProcessors
requirement, an instance ofElasticSearch
is required to be created successfully and anElasticReady
status must be present in theAutomationBase
CR for theCartridgeRequirements
CR to reconcile successfully. - Flink does not get installed here, if Flink is required, EventProcessor CR must be issued separately.
- When the operational data store (Elasticsearch) is not provided in the
AutomationBase
CR and aCartridgeRequirements
CR is successfully reconciled, an update to theAutomationBase
CR to include the operational data store does not update this addition in the existingCartridgeRequirements
CR. The workaround is to delete the existingCartridgeRequirements
CR and to create it after the operational data store is successfully created.
Note: While deleting AutomationBase
and CartridgeRequirements
, you will have to manually delete the corresponding KafkaComposite
too. See Troubleshooting for more details.
An alternative that is a temporary workaround is to include a dummy update in the CartridgeRequriements
CR after AutomationBase
CR shows ElasticReady
status. For example, you can add the following field under
the section status > components in the CartridgeRequirments
CR, which triggers the reconcile again for CartridgeRequirements
and all the operational data store details are updated in the CartridgeRequirements
CR with a new Elasticsearch user created.
"elasticsearch: {}"
CartridgeRequirements sample YAML
Following is an example:
apiVersion: base.automation.ibm.com/v1beta1
kind: CartridgeRequirements
metadata:
name: acme-smartdecisions-dashboard
namespace: acme-iaf
annotations:
com.ibm.automation.cartridge: com.acme.smartdecisions-dashboard
spec:
license:
accept: true
version: 1.1.0
requirements:
- Events
- EventProcessors (Deprecated)
- OperationalDataStore
CartridgeRequirements status
The returned status
section takes the following form:
status:
components:
elasticsearch:
endpoints:
- type: API
name: external-route-https
scope: External
uri: https://iaf-system-es.acme-iaf.acme.com
authentication:
type: BasicSecret
secret:
secretName: <cartridge-technical-name>-es-<type>-auth
caSecret:
secretName: iaf-system-es-tls-secret
key: ca.crt
- type: API
name: internal-service-https
scope: Internal
uri: https://iaf-system-es.acme-iaf
authentication:
type: BasicSecret
secret:
secretName: <cartridge-technical-name>-es-<type>-auth
caSecret:
secretName: iaf-system-es-tls-secret
key: ca.crt
kafka:
endpoints:
- type: Kafka
name: internal-service-plain
scope: Internal
bootstrapServers: iaf-system-kafka.acme-iaf.svc:9092
- type: Kafka
name: internal-service-tls
scope: Internal
bootstrapServers: iaf-system-kafka.acme-iaf.svc:9093
authentication:
type: ScramSha512Secret
secret:
secretName: <cartridge-technical-name>-kafka-<type>-auth
caSecret:
secretName: iaf-system-kafka-tls-secret
key: ca.crt
- type: Kafka
name: external-route-tls
scope: External
bootstrapServers: iaf-system-kafka.acme-iaf.acme.com:443
authentication:
type: ScramSha512Secret
secret:
secretName: <cartridge-technical-name>-kafka-<type>-auth
caSecret:
secretName: iaf-system-kafka-tls-secret
key: ca.crt
conditions:
- lastTransitionTime: '2021-03-03T14:32:06Z'
status: 'True'
type: CartridgeReady
- lastTransitionTime: '2021-03-03T14:31:35Z'
status: 'True'
type: ElasticUserReady
- lastTransitionTime: '2021-03-03T14:32:05Z'
status: 'True'
type: KafkaUserReady
- lastTransitionTime: '2021-03-04T05:01:03Z'
message: CartridgeRequirements successfully registered
reason: Registered
status: 'True'
type: Ready
Note:
- If Kafka is not present in
AutomationBase
CR, then the prerequisite forEvents
is not met and theCartridgeRequirements
CR does not go to theReady
state. It waits for a successfulKafkaReady
condition in theAutomationBase
CR. - Flink does not get installed here, if Flink is required, EventProcessor CR must be issued separately.
EventProcessors
in thespec.requirements
is deprecated but its use is supported until it is removed in a future release.EventProcessors
is replaced byOperationalDataStore
fromv1.2
of IBM Automation foundation. For theOperationalDataStore
requirement, an instance ofElasticSearch
is required to be created successfully and anElasticReady
status must be present in theAutomationBase
CR for theCartridgeRequirements
CR to reconcile successfully.
Topic Sharing
The following currently applies to IBM Events only. For EventStreams, the KafkaTopic
read/write permissions would be set manually using IAMs.
The field spec.externalCartridges
can be provided in the CartridgeRequirements
operand. The externalCartridges
is a list of Cartridge
names (Cartridges
that already exist, or the Cartridges
that will exist in the future) that are expected to provide shared
data onto a predefined KafkaTopic
, which would be relevant to the CartridgeRequirements
corresponding to the Cartridge
. Below
is an example :
apiVersion: base.automation.ibm.com/v1beta1
kind: CartridgeRequirements
metadata:
name: cartridge-requirements-a
annotations:
com.ibm.automation.cartridge: cartridge1-name
spec:
license:
accept: true
version: vnext
requirements:
- Events
apiVersion: base.automation.ibm.com/v1beta1
kind: CartridgeRequirements
metadata:
name: cartridge-requirements-b
annotations:
com.ibm.automation.cartridge: cartridge2-name
spec:
license:
accept: true
version: vnext
requirements:
- Events
externalCartridges:
- cartridge1-name
apiVersion: base.automation.ibm.com/v1beta1
kind: CartridgeRequirements
metadata:
name: cartridge-requirements-c
annotations:
com.ibm.automation.cartridge: cartridge3-name
spec:
license:
accept: true
version: vnext
requirements:
- Events
externalCartridges:
- cartridge1-name
- cartridge2-name
The above resources would have the following permissions:
cartridge1-name
would have read/write access forKafkaTopics
prefixed withcartridge1-name
.cartridge2-name
would have read only access forKafkaTopics
prefixed withcartridge1.shared
, as well as read/write access forKafkaTopics
prefixed withcartridge2-name
.cartridge3-name
would have read only access forKafkaTopics
prefixed withcartridge1.shared
orcartridge2.shared
, as well as read/write access forKafkaTopics
prefixed withcartridge3-name
.
Providing an externalCartridge
will only allow read access to the KafkaTopics
prefixed with externalCartridge.shared
. Data would have to be intentionally written to the .shared
KafkaTopics
by the relevant Cartridge
in order for it to be shared.
It should be noted that the .shared
KafkaTopic
is made up of the technical name of the Cartridge
, rather than the full name of the Cartridge
.
Notice that it is cartridge1.shared
rather than cartridge1-name.shared
. It is important to also consider this when adding shared
data to the .shared
KafkaTopic
.
EventProcessor
Deprecation note: Event Processing Operand versions 1.0.0
and 2.0.0
are now deprecated in favour of Event Processing Operand version 3.0.0
. However, you can continue to use these Operand versions
until they are removed in 6 months from the release of IBM Automation foundation v1.2.
EventProcessor CustomResourceDefinition
EventProcessor YAML structure
The EventProcessor
definition is organized in the following structure:
apiVersion: eventprocessing.automation.ibm.com/v1beta1
kind: EventProcessor
metadata:
annotations: ~
spec:
flink:
audit: ~
authentication: ~
env: ~
image: ~
jobManager:
nodeSelector: ~
template:
pod:
metadata:
annotations: ~
spec:
affinity: ~
containers:
image: ~
imagePullPolicy: ~
name: ~
resources: ~
tolerations: ~
logConfig:
log4j-console.properties: ~
logback-console.xml: ~
monitoring: ~
properties: ~
serviceAccountName: ~
storage:
class: ~
fsGroup: ~
selector: ~
size: ~
supplementalGroups: ~
volumeClaimTemplate: ~
taskManager:
nodeSelector: ~
replicas: ~
template:
pod:
metadata:
annotations: ~
spec:
affinity: ~
containers:
image: ~
imagePullPolicy: ~
name: ~
resources: ~
tolerations: ~
tls:
caSecret:
key: ~
secretName: ~
issuerRef:
group: ~
kind: ~
name: ~
volumeMounts: ~
volumes: ~
license: ~
version: ~
status:
conditions: ~
endpoints:
authentication:
secretName: ~
type: ~
caSecret:
key: ~
secretName: ~
name: ~
scope: ~
type: ~
uri: ~
EventProcessor details
EventProcessor
:metadata
(required): Refer to the Kubernetes API documentation for the fields of the metadata field.annotations
(required):com.ibm.automation.cartridge
representing theCartridge
name.
spec
(required): Specification.version
(required): The version of the operand to use.license
(required): Indicates whether you accepted the license or not. You must accept the license, and the value needs to betrue
to use the EventProcessor resource.flink
(required): Specify the use of Flink for thisEventProcessor
with optional configuration.image
(optional): Custom flink image forJobManager
andTaskManager
containers.taskManager
(optional): Configuration for Flink TaskManagers.replicas
(optional): Number ofTaskManager
replicas. Defaults to 1.nodeSelector
(optional): An optional key and value map of labels that are used to select the nodes on which the pods for this node group are to be scheduled.template
(optional):Template
is the object that describes the pod overrides that are used when pods are created.pod
(optional):FlinkPod
contains the pod information.metadata
(optional): UseFlinkPodMetadata
to customize the task manager pods metadata.annotations
(optional): Set or override annotations on the task manager pods.
spec
(optional):FlinkPodSpec
contains the pod container and scheduling information.containers
(optional):FlinkPodContainer
contains the specification for pod container overrides.name
(required): For example,taskmanager
.resources
(optional):ResourceRequirements
describes the compute resource requirements.image
(optional): Container image override.imagePullPolicy
(optional): ImagePullPolicy override.
affinity
(optional): Affinity information for pod scheduling.core/v1/Affinity
.tolerations
(optional): An optionalcore/v1/Tolerations
array to specify toleration for scheduling taints. For more information, see Taints and Tolerations.
jobManager
(optional): Configuration for Flink JobManagers.nodeSelector
(optional): An optional key and value map of labels that are used to select the nodes on which the pods for this node group are to be scheduled.template
(optional):Template
is the object that describes the pod overrides that are used when pods are created.pod
(optional):FlinkPod
contains the pod information.metadata
(optional): UseFlinkPodMetadata
to customize the job manager pods metadata.annotations
(optional): Set or override annotations on the job manager pods.
spec
(optional):FlinkPodSpec
contains the pod container and scheduling information.containers
(optional):FlinkPodContainer
contains the specification for pod container overrides.name
(required): For example,jobmanager
ortls-proxy
.resources
(optional):ResourceRequirements
describes the compute resource requirements.image
(optional): Container image override.imagePullPolicy
(optional): ImagePullPolicy override.
affinity
(optional): Affinity information for pod scheduling.core/v1/Affinity
.tolerations
(optional): An optionalcore/v1/Tolerations
array to specify toleration for scheduling taints. For more information, see Taints and Tolerations.
properties
(optional): Properties for configuring the Flink cluster. Any standard Flink configuration property can be included.logConfig
(optional): The logging configuration, a string-to-string map that becomes the configmap that is mounted at/opt/flink/conf
in started Flink pods. See the following examples for some possible keys to include:log4j-console.properties
: The contents of thelog4j
properties file to use. If not provided, a default that logs only tostdout
is provided.logback-console.xml
: The contents of the logback XML file to use. If not provided, a default that logs to onlystdout
is provided.- Other arbitrary keys are also allowed, and will become part of the ConfigMap.
env []
(optional): Environment variables that are shared by allJobManager
andTaskManager
containers.volumes []
(optional): Volumes that are shared by allJobManager
andTaskManager
pods.volumeMounts []
(optional): Volume mounts that are shared by allJobManager
andTaskManager
pods.serviceAccountName
(optional): Service account to be used by allJobManager
andTaskManager
pods.tls
(required): ConfigureTLS
for the Flink REST API. Specify{}
here to create self-signed certificates.issuerRef
(optional):IssuerRef
is a reference to the issuer for this certificate. Thename
field in this stanza is always required.name
(mandatory if usingissuerRef
): Name of theissuer
resource.kind
(optional): If not set, or set toIssuer
, an issuer resource with the given name in the namespace. If set toClusterIssuer
, aClusterIssuer
with the provided name is used.group
(optional): Specifies the group of the issuer resource.
caSecret
(optional): A reference to the certificate authority (CA) public certificate that is used to verify the provided issuer.secretName
(mandatory if usingcaSecret
): Name of the secret.key
(optional): Key of the public key of CA within the secret.
authentication
(required): EnablesBasic
authentication for the Flink REST API. Specify{}
here to enable this authentication.audit
(optional): Enables audit logging in theJob Manager
tls-proxy
container. Specify{}
here to enable this option.storage
(optional): Represents the storage spec for theEventProcessor
. This value creates a shared RWX PVC for the JM and TM pods, enabling persisted checkpoints and savepoints.size
(optional): Maximum amount of storage that is required. Defaults to 2Gi.class
(optional): Name of theStorageClass
that is required by the claim. Leave blank for the default. For more information, see Class.selector
(optional): A label query over volumes to consider for binding. For more information, see Label selectors.volumeClaimTemplate
(optional): Allows more detailed specification of thePersistentVolumeClaim
.fsGroup
(optional): Sets thefsGroup
on theJobManager
andTaskManager
containers security contexts.supplementalGroups
(optional): Sets thesupplementalGroups
on theJobManager
andTaskManager
containers security contexts.
monitoring
(optional): Setting this value enables prometheus monitoring for the Flink cluster and exports the metrics into OpenShift Monitoring.
status
: Status.endpoints []
: A list of available endpoints for the event processor. Currently, only the Flink REST API is shown. Only one item exists here.name
(required): The name of this endpoint.type
(required): The type of the endpoint,UI
orAPI
.scope
(required): The scope of the endpoint,Internal
orExternal
.uri
(optional): The URI for the endpoint. Required for typeUI
andAPI
.caSecret
(optional): A reference to a CA public key for trusting the endpoint. Only present iftls
is enabled.secretName
(required): Name of the secret.key
(optional): Key of the public key of CA within the secret.
authentication
(optional): Any relevant information to authenticate with the endpoint. Only set ifauthentication
is enabled.type
(required): The type of authentication. Currently, onlyBasicSecret
.secretName
(optional): The name of the Basic Auth type secret. Required for typeBasicSecret
. Basic auth secrets have ausername
andpassword
field.
conditions
: Defines status of subresources, which need to be ready beforeEventProcessor
is ready.
EventProcessor sample YAML
The following example shows an EventProcessor
definition:
apiVersion: eventprocessing.automation.ibm.com/v1beta1
kind: EventProcessor
metadata:
name: acme-smartdecisions-eventprocessor
namespace: acme-cp4a
annotations:
com.ibm.automation.cartridge: com.acme.smartdecisions-dashboard
spec:
version: "v2.0"
license:
accept: true
flink:
tls: {}
authentication: {}
taskManager:
replicas: 2
...
status:
endpoints:
- name: FlinkJobManager
type: API
scope: Internal
uri: https://some-service.namespace.svc:8081
caSecret:
secretName: my-ca-secret
key: ca.crt
authentication:
type: BasicSecret
secretName: my-auth-secret
conditions:
- lastTransitionTime: '2021-03-04T11:04:13Z'
message: Event Processor is ready
reason: Created
status: 'True'
type: Ready
- lastTransitionTime: '2021-03-04T11:04:13Z'
message: Default credentials should be updated for security reasons
reason: RandomlyGeneratedJobManagerCredentials
status: 'True'
type: Warning
For more information about event processors, see Event Processors section.