IBM Support

Readme for Cloud Pak for Business Automation 21.0.1 IF001

Fix Readme


Abstract

The following document is the documentation for IBM Cloud Pak for Business Automation 21.0.1 IF001.
Including download and installation information and the list of APARs that are resolved in this interim fix.

Content

Readme file for: IBM Cloud Pak® Automation
Product Release: 21.0.1
Update Name: 21.0.1 IF001
Fix ID: 21.0.1-WS-CP4BA-IF001
Publication Date: 24 Apr 2021
Last modified date: 30 Apr 2021

Contents

Download location

Download 21.0.1-WS-CP4BA-IF001 from Fix Central here or access the container images in cp.icr.io with your IBMid (see below).

Prerequisites

Components impacted

Prior to installation

If you installed any of the Cloud Pak components on a Kubernetes cluster, you can update them with the 21.0.1 IF001 by using the updated operator and the relevant container interim fixes. Details like the image: tag of the interim fix image can be found in the pattern templates of the Container Application Software for Enterprises (CASE) package.
To deploy this interim fix as an update to a 21.0.1 deployment, follow the instructions in the Installing section. If you want to use the interim fix as a part of a new deployment or you want to upgrade a release prior to 21.0.1, refer to IBM Knowledge Center. For more information, see IBM Cloud Pak for Business Automation 21.0.x.

Installing

Step 1: Get access to the interim fix container images
You can access the container images in the IBM image registry with your IBMid (Option 1), or you can download the images from Fix Central (Option 2).
 
Option 1: Create a pull secret for the IBM Cloud Entitled Registry
  1. Log in to MyIBM Container Software Library with the IBMid and password that is associated with the entitled software.
  2. In the Container software library tile, click "View library" and then click "Copy key" to copy the entitlement key to the clipboard.
  3. Log in to your Kubernetes cluster and set the context to the project/namespace for your existing deployment.
  4. Create a pull secret by running a kubectl create secret command.
    $ kubectl create secret docker-registry admin.registrykey --docker-server=cp.icr.io --docker-username=cp --docker-password="<API_KEY_GENERATED>" --docker-email=<USER_EMAIL>
    Note: The "cp.icr.io" value for the docker-server parameter is the only registry domain name that contains the images. Use "cp" for the docker-username. The docker-email must be a valid email address (associated to your IBM ID). Make sure you are copying the Entitlement Key in the docker-password field within double quotation marks.
  5. Take a note of the secret and the server values so that you can set them to the "pullSecrets" and "repository" parameters when you update the operator for your containers.
Option 2: Download the packages from Fix Central  here
Note: If you connect remotely to the cluster from a Linux host/VM, then you must have Docker or Podman and the OpenShift command line interface (CLI) installed on OCP. If you have access to the master node on the OCP cluster, they are already installed. You can install Podman by running the following command.
$ yum -y install podman
For more information about the client-side tools you might need, see Preparing to install enterprise containers.
  1. Download the images per the instructions in the Download location section, and make a note of the file names.
  2. Log in to your Kubernetes cluster and set the context to the project/namespace for your existing deployment.
    $ oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>
    $ oc project <existing deployment namespace>
  3. When you have all of the files for the images that you want to install, run the following commands to get your access token and to make sure you can use Kubectl.
    $ oc whoami -t
    $ kubectl cluster-info
  4. Check that you can run a  Podman command.
    $ podman ps -a
  5. Get the registry route.
    $ oc registry info --public
    If the command has no output or the output is an internal service URL, it means that the route is not enabled. To enable the registry route on the cluster run the following command.
    $ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
    For more information about exposing routes on OCP 4.6, see Exposing the registry. Use the OCP version menu to find your specific version in the OpenShift documentation.
  6. Log in to the image registry by using the registry route that returns from the "oc registry info --public" command.
    $ podman login $(oc registry info --public) -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false
    Note: If you are logged in to the cluster as "kubeadmin", the "oc whoami" command returns "kube:admin", which does not work. You must use "kubeadmin" as the login user.
    $ podman login $(oc registry info --public) -u kubeadmin -p $(oc whoami -t) --tls-verify=false
  7. Change the permissions of the scripts/loadimages.sh script so that you can run it.
    $ cd scripts
    $ chmod +x loadimages.sh
  8. Run the loadimages.sh script to load the images into your image registry. The following example shows the input values in the command line.
    $ ./loadimages.sh -p <ARCHIVE> -r $(oc registry info --public)/<project-name>
    Where:
    -p  The archive files location or archive file name
    -r  Target image registry and namespace
    Note: The <project-name> variable is the name of your existing deployment. Take a note of the image registry route so that you can enter it in the upgrade script. If you want to load the images into another project that can be referenced across namespaces, then you must allow pods to reference images from that project. For example, to allow any service account in a project that is named cp4a-project to reference images in another project named cp4a-images-project, use the oc policy add-role-to-group parameter. 
    $ oc policy add-role-to-group \
   system:image-puller system:serviceaccounts:cp4a-project \
   --namespace=cp4a-images-project
For more information, see Allowing pods to reference images across projects.
  9. Check that the images are pushed correctly to the registry.
    $ oc get is
  10. If you want to use an external registry, create a registry secret:
    $ oc create secret docker-registry admin.registrykey --docker-server=<registry_url> --docker-username=<your_account> --docker-password=<your_password> --docker-email=<your_email>
    Take a note of the secret and the server values so that you can set them to the "pullSecrets" and "repository" parameters when you update the operator for your containers.
Step 2: Update the installed operator
  1. Log in to your Kubernetes cluster and set the context to the project for your existing deployment.
    $ oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR>
    $ oc project <project_name>
  2. Optional: If you have static storage on OCP, provide group write permission to the persistent volume (PV) of the operator according to the PV hostPath.path definition (/root/operator).
    $ chmod -R g=u /root/operator
    $ chmod g+rw /root/operator
    Note: If you are using dynamic provisioning, this step is not needed as the PV is created automatically as per the Storage Class definition.
    Remove the .OPERATOR_TYPE file in case it exists from a previous deployment.
    $ rm -f /<hostPath>/.OPERATOR_TYPE
    where hostPath is the value in your PV (root/operator).
  3. Starting from 21.0.1-IF001, you can no longer get the cert-kubernetes files from GitHub. To download the files, go to the Container Application Software for Enterprises (CASE) package URL, extract the package, and then extract the contents from the .tar file in the ibm-cp-automation/inventory/cp4aOperatorSDK/files/deploy/crs folder. Use the tar -xvzf command to extract the archives.
    $ cd cert-kubernetes
    Upgrade the operator in your project by running the following command.
    $ ./scripts/upgradeOperator.sh -i <registry_url>/icp4a-operator:21.0.1-IF001 -p '<my_secret_name>' -a accept
    Where registry_url is the value for your internal registry or cp.icr.io/cp/cp4a for the IBM Cloud Entitled Registry. The my_secret_name is the secret that is created to access the registry, and accept means that you accept the license.
    Note: If you installed the operator via Operator Lifecycle Manager then the command should take the following form:
    $ ./scripts/upgradeOperator.sh -n <project_name> -a accept
    Note: If you plan to use a non-admin user to install the operator, you must add the user to the "ibm-cp4a-operator" role.
    $ oc adm policy add-role-to-user ibm-cp4a-operator <user_name>
  4. Monitor the pod until it shows a STATUS of Running:
    $ oc get pods -w
    Note: When started, you can monitor the operator logs with the following command:
    $ oc logs -f deployment/ibm-cp4a-operator -c operator
Step 3: Update the custom resource YAML file for your deployment
Get the custom resource YAML file that you previously deployed (for example, scripts/generated-cr/ibm_cp4a_cr_final.yaml) and update the appVersion to "21.0.1.1".  The operator will pull the corresponding 21.0.1.1 container images based on the value of appVersion.
Note: If you are using a new CR from the "cert-kubernetes" GitHub repository that you download from the prerequisites step above, then the appVersion is already set to "21.0.1.1".
Tip: If you use image tags in your CR in your current deployment, then the correct values of the tags can be found in the fully customizable (FC) CR pattern templates provided with the interim fix under ../cert-kubernetes/descriptors/patterns (for example, ibm_cp4a_cr_enterprise_FC_content.yaml has the corresponding image tags for the iFix along with all the parameters that can be customized for the deployment).  Verify that the secret named in the CR YAML file as the imagePullSecrets is valid. Note that the secret might be expired, in which case you must re-create the secret.
Step 4: Update the custom resource YAML file for your deployment
If Business Automation Insights 21.0.1 is deployed, and only in this case, prune the Business Automation Insights deployment and jobs before you apply the updated custom resource YAML file.
  $ oc delete Deployment,Job -l 'app.kubernetes.io/name=ibm-business-automation-insights'
Tip: For Flink event processing to resume from its previous state, make sure that savepoints are created before the upgrade and specified in the updated CR. For more information see, https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/21.0.x?topic=tolerance-restarting-from-checkpoint-savepoint#task_bht_l5r_52b

Step 5: Apply the updated custom resource YAML file
  1. Check that all the components that you want to upgrade are configured with interim fix image tag values.
    $ cat scripts/generated-cr/ibm_cp4a_cr_final.yaml
  2. Update the configured components by applying the custom resource.
    $ kubectl apply -f scripts/generated-cr/ibm_cp4a_cr_final.yaml
Step 6: Verify the updated automation containers
The operator reconciliation loop might take several minutes. When all of the pods are Running, you can access the status of your containers by running the following commands:
$ oc status
$ oc get pods -w
$ oc logs <operatorPodName> -f -c operator

Performing the necessary tasks after installation

Uninstalling

List of Fixes

APARs are listed in tables, columns are defined as follow: 
Colunm title Column description
APAR The defect number
Title A short description of the defect
Sec. A mark indicates a defect related to security
Cont. A mark indicates a defect specific to the cloud pak integration of the component
B.I. A mark indicates the fix has a business impact. Details is found in the title column or the APAR document
General
APAR Title Sec. Cont. B.I.
N/A

Back to top

Cloud Pak for Automation Operator
APAR Title Sec. Cont. B.I.
JR63548 BUSINESS AUTOMATION INSIGHTS AND IBM AUTOMATION FOUNDATION BASE FAILED TO INSTALL WITH NO DEFAULT STORAGE CLASS X
JR63548 CP4BA 21.0.1 FAILED TO INSTALL WITH IBM AUTOMATION FOUNDATION 1.0.1 X

Back to top

APAR Title Sec. Cont. B.I.

N/A

Back to top

Automation Decision Services
APAR Title Sec. Cont. B.I.

JR63543

A dcomp project cannot be compiled
B.I.: Error during build of projects imported from Decision composer or Decision Center

 X X

JR63544

 WHILE UPGRADING, OPERATOR STUCK IN 20.0.3 RECONCILE ON ADS TASKS
B.I.: ADS is causing a transient operator error while upgrading from 20.0.3.2		 X X

Back to top

Automation Document Processing
APAR Title Sec. Cont. B.I.
N/A

Back to top

Business Automation Insights
APAR Title Sec. Cont. B.I.
JR63575

BAI installs using OLM Operator require privileged mode.

 X X
JR63577

Default RSA key and certificate remained in container 
JR63578

BAI Dashboard and Monitoring Source, missing when installed via Form UI

 X
JR63579

Permissions on monitoring sources with multiple fields do not work

 X

JR63580

 Business Automation Insights crashes displaying heatmaps when the source id contains a dot X
JR63581

When you pick a monitoring source with a certain id, displaying an heat map produces an error

 X
JR63582 BAI may not be able to handle events X

JR63583

 Airgapped BAI install doesn't install when shared_configuration.image_pull_secrets is absent from the CR X
JR63584 After upgrade from 20.0.3-IF002, BAI 21.0.1 do not work on ROKS X
JR63585 Could someone please advise if there is any workaround available or manual steps for customers to perform once 21.0.1-IF001 is installed? X

Back to top

Business Automation Navigator
APAR Title Sec. Cont. B.I.
N/A

Back to top

Business Automation Studio
APAR Title Sec. Cont. B.I.
JR63429

THE BREADCRUMB LINK DOESN'T WORK IN THE WORKFLOW DESIGNER WHEN YOU USE THE SAFARI BROWSER ON A MAC OS

 X

Back to top

Business Automation Workflow including Automation Workstream Services
APAR Title Sec. Cont. B.I.
JR63410

INVOKING EXTERNAL AUTOMATION SERVICES FROM WORKFLOW BUSINESS AUTOMATIONS FAILS

 X
JR63425 YOU NOTICE THAT THE MEMORY USE CONSTANTLY INCREASES 
JR63497 SPECIAL CHARACTERS IN OIDCCLIENTPASSWORD OR RESOURCE REGISTRY READER PASSWORD CAN CAUSE ISSUES X

Back to top

Enterprise Records
APAR Title Sec. Cont. B.I.
N/A

Back to top

FileNet Content Manager
APAR Title Sec. Cont. B.I.
See Cloud Pak for Automation Operator X

Back to top

Operational Decision Management
APAR Title Sec. Cont. B.I.
JR63540

DB2 / Kafka Secrets are randomly unreadable
B.I.: Secrets generated by the ODM role are sometimes unreadable by DB2 or BAI - start another deployment.

 X

JR63541

Cannot login Decision Server Console when UMS is also deployed for enterprise deployment
B.I.: Cannot login into Decision Center with customized webSecurity.xml

 X X

JR63542

Need configMaps with CP4BA URLs and credentials for OLM deployment
B.I.: After deploying CP4BA 21.0.1, customers will need to read the KC documentation to figure out what are URLs and credentials to use for ODM.

 X

Back to top

User Management Service
APAR Title Sec. Cont. B.I.
See Cloud Pak for Business Automation Operator X

Back to top

Known Limitations

For additional information, see the support page Cloud Pak for Business Automation Known Limitations

Document change history

  • 24 Apr 2021: Initial publish.
  • 29 Apr 2021:
                (1) Updated Fix central link
                (2) Added "Step 4: Update the custom resource YAML file for your deployment..." under Installing section; (2) Changed the Fix Central download link to point to the fix under IBM Cloud Pak for Business Automation category
  • 30 Apr 2021: remove cancelled APAR
    •

    [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS2JQC","label":"IBM Cloud Pak for Automation"},"ARM Category":[{"code":"a8m0z0000001gWWAAY","label":"CloudPak4Automation Platform"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"21.0.1"}]

    Document Information

    Modified date:
    30 April 2021

    UID

    ibm16440319

    Page Feedback