Readme for Cloud Pak for Automation 20.0.3 IF012

Fix Readme

Abstract

The following document is the documentation for IBM Cloud Pak for Automation 20.0.3 IF012.
Including download and installation information and the list of APARs that are resolved in this interim fix.

Content

Readme file for:	IBM Cloud Pak® Automation
Product Release:	20.0.3
Update Name:	20.0.3 IF012
Fix ID:	20.0.3-WS-CP4A-IF012
Publication Date:	13 January 2022
Last modified date:	20 January 2022

Prerequisites
Components impacted
Prior to installation
Installing
Performing the necessary tasks after installation
Uninstalling
List of fixes
Known Limitations
Document change history

Prerequisites

Download the installation script resources https://github.com/icp4a/cert-kubernetes/archive/20.0.3.2.tar.gz and extract the files to your local machine.
Change directory to the "cert-kubernetes" folder.

Components impacted

General

Prior to installation

If you installed any of the Cloud Pak components on a Kubernetes cluster, you can update them with 20.0.3 IF012 by using the updated operator and the relevant container interim fixes. Updated images are

cp.icr.io/cp/cp4a/icp4a-operator:20.0.3-IF012

cp.icr.io/cp/cp4a/ads/ads-runtime:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-admin:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-bawadv:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-bpmn:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-content:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-event-forwarder:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-elasticsearch:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-flink:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-flink-taskmanager:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-flink-zookeeper:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-icm:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-ingestion:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-init:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-kibana:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-management:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-monitoring-app:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-odm:20.0.3-IF012
cp.icr.io/cp/cp4a/bai/bai-setup:20.0.3-IF012
cp.icr.io/cp/cp4a/baw/pfs-elasticsearch-prod:20.0.3-IF012

Previous interim fixes will have included fixes which may also be addressed with this interim fix. Consult the Related links section for readmes of previous interim fixes, at the bottom of this document. Some images shipped with those previous interim fixes have not been updated with this interim fix. Depending on what components and capabilities you have installed and configured, additional fix information may apply to you, and in which case it is recommended that these images are updated to the latest available:

cp.icr.io/cp/cp4a/ban/navigator:ga-309-icn-la009
cp.icr.io/cp/cp4a/ban/navigator-sso:ga-309-icn-la009
cp.icr.io/cp/cp4a/bas/bastudio:20.0.3-IF011
cp.icr.io/cp/cp4a/bas/workflow-authoring:20.0.3-IF011
cp.icr.io/cp/cp4a/baw/workflow-server:20.0.3-IF011
cp.icr.io/cp/cp4a/baw/workflow-server-dbhandling:20.0.3-IF011
cp.icr.io/cp/cp4a/baw/pfs-prod:20.0.3-IF011
cp.icr.io/cp/cp4a/fncm/taskmgr:ga-309-tm-la009
cp.icr.io/cp/cp4a/baw/workflow-server-case-initialization:20.0.3-IF009
cp.icr.io/cp/cp4a/fncm/cpe:ga-556-p8cpe-la006
cp.icr.io/cp/cp4a/ums/ums:20.0.3-IF003

To deploy this interim fix as an update to a 20.0.3 deployment, follow the instructions in the Installing section. If you want to use the interim fix as a part of a new deployment or you want to upgrade a release prior to 20.0.3, refer to IBM Documentation. For more information, see IBM Cloud Pak for Automation 20.0.x.

Installing

Step 1: Get access to the interim fix container images
You can access the container images in the IBM image registry with your IBMid.

Create a pull secret for the IBM Cloud Entitled Registry

Log in to MyIBM Container Software Library with the IBMid and password that is associated with the entitled software.
In the Container software library tile, click "View library" and then click "Copy key" to copy the entitlement key to the clipboard.
Log in to your Kubernetes cluster and set the context to the project/namespace for your existing deployment.
Create a pull secret by running a kubectl create secret command.
$ kubectl create secret docker-registry admin.registrykey --docker-server=cp.icr.io --docker-username=cp --docker-password="<API_KEY_GENERATED>" --docker-email=<USER_EMAIL>
Note: The "cp.icr.io" value for the docker-server parameter is the only registry domain name that contains the images. Use "cp" for the docker-username. The docker-email must be a valid email address (associated to your IBM ID). Make sure you are copying the Entitlement Key in the docker-password field within double quotation marks.
Take a note of the secret and the server values so that you can set them to the "pullSecrets" and "repository" parameters when you update the operator for your containers.

Step 2: Update the installed operator

Log in to your Kubernetes cluster and set the context to the project for your existing deployment.
$ oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR> -p <PASSWORD>
If the persistent volume (PV) for the operator is defined by a hostPath, provide group write permission according to the PV hostPath.path definition (/root/operator).
$ chmod -R g=u /root/operator
$ chmod g+rw /root/operator
Note: If you are using dynamic provisioning, this step is not needed as the PV is created automatically as per the Storage Class definition.
Remove the .OPERATOR_TYPE file in case it exists from a previous deployment.
$ rm -f /<hostPath>/.OPERATOR_TYPE
Where hostPath is the value in your PV (root/operator).
If Business Automation Insights is deployed, prune the Business Automation Insights deployment and jobs before you apply the updated custom resource YAML file.
```
$ oc delete Deployment,Job -l \
> 'app.kubernetes.io/name=ibm-business-automation-insights'
```
Tip: For Flink event processing to resume from its previous state, make sure that savepoints are created before the upgrade and specified in the updated CR. For more information see, https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/20.0.x?topic=tolerance-restarting-from-checkpoint-savepoint
Go to the downloaded cert-kubernetes folder for the IF012 interim fix.
Upgrade the operator in your project by running the following command.
$ ./scripts/upgradeOperator.sh -i <registry_url>/icp4a-operator:20.0.3-IF012 -p '<my_secret_name>' -a accept

Where registry_url is the value for your internal registry or cp.icr.io/cp/cp4a for the IBM Cloud Entitled Registry. The my_secret_name is the secret that is created to access the registry, and accept means that you accept the license.

Note: If you plan to use a non-admin user to install the operator, you must add the user to the "ibm-cp4a-operator" role.
$ oc adm policy add-role-to-user ibm-cp4a-operator <user_name>
Monitor the pod until it shows a STATUS of Running:
$ oc get pods -w
Note: When started, you can monitor the operator logs with the following command:
$ oc logs -f deployment/ibm-cp4a-operator -c operator

Step 3: Update the custom resource YAML file for your deployment

Get the custom resource YAML file that you previously deployed (for example, scripts/generated-cr/ibm_cp4a_cr_final.yaml) and update the appVersion to "20.0.3.2". The operator pulls the corresponding 20.0.3.2 container images based on the value of appVersion.

Note: If you are using a new CR from the "cert-kubernetes" GitHub repository that you download from the prerequisites step above, then the appVersion is already set to "20.0.3.2". To ensure you use the 20.0.3-IF012 images, make sure to refer to these updated images in your CR. See list of images and tags in the Prior to installation section, above. Remember to remove these references to specific images when you upgrade to future versions.

If you are deploying Workflow Authoring pattern, make sure to update the image tag

  workflow_authoring_configuration:
    images:
      repository: "cp.icr.io/cp/cp4a/bas/workflow-authoring"
      tag: "20.0.3-IF012"

If you are using multiple instances of Business Automation Workflow, make sure to update all following the pattern below.

baw_configuration:
- name: bawins1
  image:
    repository: "cp.icr.io/cp/cp4a/baw/workflow-server"
    tag: "20.0.3-IF012"

Tip: If you use image tags in your CR in your current deployment, then the correct values of the tags can be found in the fully customizable (FC) CR pattern templates provided with the interim fix under ../cert-kubernetes/descriptors/patterns (for example, ibm_cp4a_cr_enterprise_FC_content.yaml has the corresponding image tags for the iFix along with all the parameters that can be customized for the deployment). Verify that the secret named in the CR YAML file as the imagePullSecrets is valid. Note the secret might be expired, in which case you must re-create the secret.

Step 4: Apply the updated custom resource YAML file

Check that all the components that you want to upgrade are configured with interim fix image tag values.
$ cat scripts/generated-cr/ibm_cp4a_cr_final.yaml
Update the configured components by applying the custom resource.

$ kubectl apply -f scripts/generated-cr/ibm_cp4a_cr_final.yaml

Step 5: Verify the updated automation containers

The operator reconciliation loop might take several minutes. When all of the pods are Running, you can access the status of your containers by running the following commands:

$ oc status
$ oc get pods -w
$ oc logs <operatorPodName> -f -c operator

Performing the necessary tasks after installation

For more information, see IBM Cloud Pak for Automation 20.0.x.

Uninstalling

For more information, see IBM Cloud Pak for Automation 20.0.x.

List of Fixes

APARs are listed in tables and table columns are defined as follows:

Colunm title	Column description
APAR	The defect number
Title	A short description of the defect
Sec.	A mark indicates a defect related to security
Cont.	A mark indicates a defect specific to the Cloud Pak integration of the component
B.I.	A mark indicates the fix has a business impact. Details are found in the title column or the APAR document

General

General

APAR	Title	Sec.	Cont.	B.I.
N/A	Cloud Pak for Business Automation delivers container images that include operating system level and other open source libraries. Vulnerabilities (CVEs) for these libraries are published regularly. This interim fix includes fixes for these libraries to address: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Previous interim fixes may have included fixes which are also addressed with this interim fix. Consult the Related links section for readmes of previous interim fixes, at the bottom of this document.	X	X

Known Limitations

For more information, see the support page Cloud Pak for Automation Known Limitations

Document change history

13 January 2022: Initial publish.

20 January 2022: Update related links

Related Information

Readme for Cloud Pak for Automation 20.0.3 IF011

Readme for Cloud Pak for Automation 20.0.3 IF010

Readme for Cloud Pak for Automation 20.0.3 IF009

Readme for Cloud Pak for Automation 20.0.3 IF008

Readme for Cloud Pak for Automation 20.0.3 IF007

Readme for Cloud Pak for Automation 20.0.3 IF006

Readme for Cloud Pak for Automation 20.0.3 IF005

Readme for Cloud Pak for Automation 20.0.3 IF004

Readme for Cloud Pak for Automation 20.0.3 IF003

Readme for Cloud Pak for Automation 20.0.3 IF002

Readme for Cloud Pak for Automation 20.0.3 IF001

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS2JQC","label":"IBM Cloud Pak for Automation"},"ARM Category":[{"code":"a8m0z0000001gWWAAY","label":"Other-\u003ECloudPak4Automation Platform"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"20.0.3"}]

Tips