Cloud Pak for Business Automation Production deployment manual installation ✍️

For version 24.0.0 IF002 https://www.ibm.com/support/pages/node/7163631

Installs BAW and FNCM environment.

• Disclaimer ✋
• Preparing your cluster
• Preparing a client to connect to the cluster
  • Creating an install client directly in OCP
  • Command line preparation in install Pod
• Prerequisite software
  • OpenLDAP
    • Access info after deployment
  • PostgreSQL
    • Access info after deployment
• Cloud Pak for Business Automation Development Environment (Authoring)
  • Preparing a client to connect to the cluster
  • Setting up the cluster by running a script
  • Prepare property files
  • Generate, update and apply SQL and Secret files
  • Validate connectivity
  • Generating the custom resource with the deployment script
  • Checking and completing your custom resource
  • Deploying the custom resource you created with the deployment script
  • Access info after deployment
  • Completing post-installation tasks
  • Validating your production deployment
  • Next steps
• Cloud Pak for Business Automation Test Environment (Runtime)
  • Preparing a client to connect to the cluster
  • Setting up the cluster by running a script
  • Prepare property files
  • Generate, update and apply SQL and Secret files
  • Validate connectivity
  • Generating the custom resource with the deployment script
  • Checking and completing your custom resource
  • Deploying the custom resource you created with the deployment script
  • Access info after deployment
  • Completing post-installation tasks
  • Validating your production deployment
  • Next steps
    • Connect to Authoring
• Contacts
• Notice

Disclaimer ✋

This is not an official IBM documentation.
Absolutely no warranties, no support, no responsibility for anything.
Use it on your own risk and always follow the official IBM documentations.
It is always your responsibility to make sure you are license compliant when using this repository to install IBM Cloud Pak for Business Automation.
Used OpenLDAP and PostgreSQL cannot run on Restricted OCP from CP4BA.

Please do not hesitate to create an issue here if needed. Your feedback is appreciated.

Not for production use. Suitable for Demo and PoC environments - but with Production deployment.

Preparing your cluster

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-preparing-your-cluster and
https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-getting-access-images-from-public-entitled-registry

• Empty OpenShift cluster of a supported version
• With direct internet connection
• File RWX StorageClass - in this case ocs-storagecluster-cephfs is used, feel free to find and replace
• Block RWO StorageClass - in this case ocs-storagecluster-ceph-rbd is used, feel free to find and replace. File Based RWX is also usable but is not supported.
• Cluster admin user
• IBM entitlement key from https://myibm.ibm.com/products-services/containerlibrary

Preparing a client to connect to the cluster

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-preparing-client-connect-cluster and additional utilities for script execution

Requested tooling provided in the install Pod.

• kubectl
• oc
• podman
• IBM Semeru JDK 17
• yq
• jq
• git

Creating an install client directly in OCP

In your OCP cluster create Project cp4ba-install using OpenShift console.

kind: Project
apiVersion: project.openshift.io/v1
metadata:
  name: cp4ba-install
  labels:
    app: cp4ba-install

Create PVC where all files used for installation would be kept if you would need to re-instantiate the install Pod.

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: install
  namespace: cp4ba-install
  labels:
    app: cp4ba-install
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: ocs-storagecluster-cephfs
  volumeMode: Filesystem

Assign cluster admin permissions to cp4ba-install default ServiceAccount under which the installation is performed by applying the following yaml.

This requires the logged in OpenShift user to be cluster admin.

The ServiceAccount needs to have cluster admin to be able to create all resources needed to deploy the platform.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admin-cp4ba-install
  labels:
    app: cp4ba-install
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: "system:serviceaccount:cp4ba-install:default"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

Create a pod from which the install will be performed with the following definition.
It is ready when the message Install pod - Ready is in its Log.

kind: Pod
apiVersion: v1
metadata:
  name: install
  namespace: cp4ba-install
  labels:
    app: cp4ba-install
spec:
  containers:
    - name: install
      securityContext:
        privileged: true
      image: ubi9/ubi:9.4
      command: ["/bin/bash"]
      args:
        ["-c","cd /usr;
          yum install podman -y;
          yum install ncurses -y;
          yum install jq -y;
          yum install git -y;
          curl -LO https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.9%2B9_openj9-0.41.0/ibm-semeru-open-jdk_x64_linux_17.0.9_9_openj9-0.41.0.tar.gz;
          tar -xvf ibm-semeru-open-jdk_x64_linux_17.0.9_9_openj9-0.41.0.tar.gz;
          ln -fs /usr/jdk-17.0.9+9/bin/java /usr/bin/java;
          ln -fs /usr/jdk-17.0.9+9/bin/keytool /usr/bin/keytool;
          curl -k https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz --output oc.tar;
          tar -xvf oc.tar oc;
          chmod u+x oc;
          ln -fs /usr/oc /usr/bin/oc;
          curl -LO https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl;
          chmod u+x kubectl;
          ln -fs /usr/kubectl /usr/bin/kubectl;
          curl -LO https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64.tar.gz;
          tar -xzvf yq_linux_amd64.tar.gz;
          ln -fs /usr/yq_linux_amd64 /usr/bin/yq;
          podman -v;
          java -version;
          keytool;
          oc version;
          kubectl version;
          yq --version;
          jq --version;
          git --version;
          while true;
          do echo 'Install pod - Ready - Enter it via Terminal and \"bash\"';
          sleep 300; done"]
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - name: install
          mountPath: /usr/install
  volumes:
    - name: install
      persistentVolumeClaim:
        claimName: install

Command line preparation in install Pod

This needs to be repeated if you don't perform this in one go and you come back to resume.

Open Terminal window of the install pod.

Enter bash.

bash

Prerequisite software

CP4BA needs at least LDAP and Database. In this deployment OpenLDAP and PostgreSQL are used.

You would normally use your own production ready instances.

Please note that OpenLDAP is working but is not officially supported by CP4BA.

OpenLDAP

Deployment of rootless bitnami OpenLDAP

Create cp4ba-openldap Project

echo "
kind: Project
apiVersion: project.openshift.io/v1
metadata:
  name: cp4ba-openldap
  labels:
    app: cp4ba-openldap
" | oc apply -f -

Create ConfigMap for env

echo "
kind: ConfigMap
apiVersion: v1
metadata:
  name: openldap-env
  namespace: cp4ba-openldap
  labels:
    app: cp4ba-openldap
data:
  BITNAMI_DEBUG: 'true'
  LDAP_ORGANISATION: cp.internal
  LDAP_ROOT: 'dc=cp,dc=internal'
  LDAP_DOMAIN: cp.internal
" | oc apply -f -

Create ConfigMap for users and groups

echo "
kind: ConfigMap
apiVersion: v1
metadata:
  name: openldap-customldif
  namespace: cp4ba-openldap
  labels:
    app: cp4ba-openldap
data:
  01-default-users.ldif: |-
    # cp.internal
    dn: dc=cp,dc=internal
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: cp.internal
    dc: cp

    # Units
    dn: ou=Users,dc=cp,dc=internal
    objectClass: organizationalUnit
    ou: Users

    dn: ou=Groups,dc=cp,dc=internal
    objectClass: organizationalUnit
    ou: Groups

    # Users
    dn: uid=cpadmin,ou=Users,dc=cp,dc=internal
    objectClass: inetOrgPerson
    objectClass: top
    cn: cpadmin
    sn: cpadmin
    uid: cpadmin
    mail: [email protected]
    userpassword: Password
    employeeType: admin

    dn: uid=cpuser,ou=Users,dc=cp,dc=internal
    objectClass: inetOrgPerson
    objectClass: top
    cn: cpuser
    sn: cpuser
    uid: cpuser
    mail: [email protected]
    userpassword: Password

    # Groups
    dn: cn=cpadmins,ou=Groups,dc=cp,dc=internal
    objectClass: groupOfNames
    objectClass: top
    cn: cpadmins
    member: uid=cpadmin,ou=Users,dc=cp,dc=internal

    dn: cn=cpusers,ou=Groups,dc=cp,dc=internal
    objectClass: groupOfNames
    objectClass: top
    cn: cpusers
    member: uid=cpadmin,ou=Users,dc=cp,dc=internal
    member: uid=cpuser,ou=Users,dc=cp,dc=internal
" | oc apply -f -

Create Secret for password

echo "
kind: Secret
apiVersion: v1
metadata:
  name: openldap
  namespace: cp4ba-openldap
  labels:
    app: cp4ba-openldap
stringData:
  LDAP_ADMIN_PASSWORD: Password
" | oc apply -f -

Create PVC for data

echo "
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: openldap-data
  namespace: cp4ba-openldap
  labels:
    app: cp4ba-openldap
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: ocs-storagecluster-cephfs
  volumeMode: Filesystem
" | oc apply -f -

Create Deployment

echo "
kind: Deployment
apiVersion: apps/v1
metadata:
  name: openldap
  namespace: cp4ba-openldap
  labels:
    app: cp4ba-openldap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cp4ba-openldap
  template:
    metadata:
      labels:
        app: cp4ba-openldap
    spec:
      containers:
        - name: openldap
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          startupProbe:
            tcpSocket:
              port: ldap-port
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 30
          readinessProbe:
            tcpSocket:
              port: ldap-port
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 10
          livenessProbe:
            tcpSocket:
              port: ldap-port
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 10
          terminationMessagePath: /dev/termination-log
          ports:
            - name: ldap-port
              containerPort: 1389
              protocol: TCP
          image: 'bitnami/openldap:2.6.8'
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: data
              mountPath: /bitnami/openldap/
            - name: custom-ldif-files
              mountPath: /ldifs/
          terminationMessagePolicy: File
          envFrom:
            - configMapRef:
                name: openldap-env
            - secretRef:
                name: openldap
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            privileged: false
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: openldap-data
        - name: custom-ldif-files
          configMap:
            name: openldap-customldif
            defaultMode: 420
" | oc apply -f -

Create Service

echo "
kind: Service
apiVersion: v1
metadata:
  name: openldap
  namespace: cp4ba-openldap
  labels:
    app: cp4ba-openldap
spec:
  ports:
    - name: ldap-port
      protocol: TCP
      port: 389
      targetPort: ldap-port
  type: NodePort
  selector:
    app: cp4ba-openldap
" | oc apply -f -

Wait for pod in cp4ba-openldap Project to become Ready 1/1.

oc get pod -n cp4ba-openldap -w

Access info after deployment

OpenLDAP

• See Project cp4ba-openldap, Service openldap for assigned NodePort
• cn=admin,dc=cp,dc=internal / Password
• In OpenLDAP Pod terminal for regular attributes ldapsearch -x -b "dc=cp,dc=internal" -H ldap://localhost:1389 -D 'cn=admin,dc=cp,dc=internal' -w Password "objectclass=*"
• In OpenLDAP Pod terminal for hidden attributes ldapsearch -x -b "dc=cp,dc=internal" -H ldap://localhost:1389 -D 'cn=admin,dc=cp,dc=internal' -w Password "objectclass=*" '+'

PostgreSQL

Deployment of rootless bitnami PostgreSQL

Create cp4ba-postgresql Project

echo "
kind: Project
apiVersion: project.openshift.io/v1
metadata:
  name: cp4ba-postgresql
  labels:
    app: cp4ba-postgresql
" | oc apply -f -

Create Secret for passwords

echo "
kind: Secret
apiVersion: v1
metadata:
  name: postgresql-secret
  namespace: cp4ba-postgresql
stringData:
  postgres-password: Password
type: Opaque
" | oc apply -f -

Create ConfigMap for postgresql.conf extension

echo "
kind: ConfigMap
apiVersion: v1
metadata:
  name: postgresql-extended-config
  namespace: cp4ba-postgresql
data:
  override.conf: |
    max_connections=500
    max_prepared_transactions=500
" | oc apply -f -

Create StatefulSet - divided into two parts as it is too long to be handled via single copy paste into OCP Pod terminal

cat >/usr/install/postgresql.yaml <<EOF
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: postgresql
  namespace: cp4ba-postgresql
spec:
  serviceName: postgresql
  replicas: 1
  selector:
    matchLabels:
      app: cp4ba-postgresql
  template:
    metadata:
      labels:
        app: cp4ba-postgresql
    spec:
      terminationGracePeriodSeconds: 30
      containers:
        - name: postgresql
          resources:
            limits:
              cpu: 4000m
              memory: 4Gi
            requests:
              cpu: 200m
              memory: 4Gi
          startupProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - -e
                - >
                  exec pg_isready

                  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f
                  /bitnami/postgresql/.initialized ]
            failureThreshold: 18
            periodSeconds: 10
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready
            timeoutSeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 6
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready
            timeoutSeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 6
          env:
            - name: BITNAMI_DEBUG
              value: 'false'
            - name: POSTGRESQL_PORT_NUMBER
              value: '5432'
            - name: POSTGRESQL_VOLUME_DIR
              value: /bitnami/postgresql
            - name: PGDATA
              value: /bitnami/postgresql/data
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgresql-secret
                  key: postgres-password
            - name: POSTGRESQL_ENABLE_LDAP
              value: 'no'
            - name: POSTGRESQL_ENABLE_TLS
              value: 'no'
            - name: POSTGRESQL_LOG_HOSTNAME
              value: 'false'
            - name: POSTGRESQL_LOG_CONNECTIONS
              value: 'false'
            - name: POSTGRESQL_LOG_DISCONNECTIONS
              value: 'false'
            - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
              value: 'off'
            - name: POSTGRESQL_CLIENT_MIN_MESSAGES
              value: error
            - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
              value: pgaudit
EOF

cat >>/usr/install/postgresql.yaml <<EOF
          securityContext:
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          ports:
            - name: tcp-postgresql
              containerPort: 5432
              protocol: TCP
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/postgresql/conf
              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /opt/bitnami/postgresql/tmp
              subPath: app-tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/postgresql/logs
              subPath: app-logs-dir
            - name: data
              mountPath: /bitnami/postgresql
            - name: postgresql-extended-config
              mountPath: /bitnami/postgresql/conf/conf.d/
          terminationMessagePolicy: File
          image: 'docker.io/bitnami/postgresql:14.13.0-debian-12-r13'
      volumes:
        - name: empty-dir
          emptyDir: {}
        - name: postgresql-extended-config
          configMap:
            name: postgresql-extended-config
            defaultMode: 420
  volumeClaimTemplates:
    - kind: PersistentVolumeClaim
      apiVersion: v1
      metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: ocs-storagecluster-cephfs
        resources:
          requests:
            storage: 5Gi
        volumeMode: Filesystem
EOF

oc apply -f /usr/install/postgresql.yaml

Create Service

echo "
kind: Service
apiVersion: v1
metadata:
  name: postgresql
  namespace: cp4ba-postgresql    
  labels:
    app: cp4ba-postgresql
spec:
  type: NodePort
  ports:
    - port: 5432
  selector:
    app: cp4ba-postgresql
" | oc apply -f -

Wait for pod in cp4ba-postgresql Project to become Ready 1/1.

oc get pod -n cp4ba-postgresql -w

Create folder for tablespaces

oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces;'

Access info after deployment

PostgreSQL

• See Project cp4ba-postgresql, Service postgresql for assigned NodePort
• postgres / Password
• In PostgreSQL Pod terminal psql postgresql://postgres@localhost:5432

Cloud Pak for Business Automation Development Environment (Authoring)

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployments-installing-cp4ba-multi-pattern-production-deployment

Preparing a client to connect to the cluster

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-preparing-client-connect-cluster

# Create directory for cp4ba-dev
mkdir /usr/install/cp4ba-dev

# Download the package
git clone -b 24.0.0-IF002 https://github.com/icp4a/cert-kubernetes.git \
/usr/install/cp4ba-dev/cert-kubernetes

Setting up the cluster by running a script

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=cluster-recommended-setting-up-by-running-script

Prepare variables for silent setup

export CP4BA_AUTO_PLATFORM="OCP"
export CP4BA_AUTO_DEPLOYMENT_TYPE="production"
export CP4BA_AUTO_FIPS_CHECK="No" 
export CP4BA_AUTO_PRIVATE_CATALOG="Yes" 
export CP4BA_AUTO_NAMESPACE="cp4ba-dev"
export CP4BA_AUTO_CLUSTER_USER="kubeadmin"
export CP4BA_AUTO_ENTITLEMENT_KEY="PLACE_YOUR_ICR_KEY_HERE"
export CP4BA_AUTO_SEPARATE_OPERATOR="No"
export CP4BA_AUTO_AIRGAP_MODE="No"

Run cluster admin setup

/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-clusteradmin-setup.sh

... ending with the following
[INFO] Waiting for CP4BA Content operator pod initialization

CP4BA Content operator is running...
ibm-content-operator-5dd4b9f946-5kl7g


Label the default namespace to allow network policies to open traffic to the ingress controller using a namespaceSelector...namespace/default labeled
Done

Storage classes are needed to run the deployment script. For the Starter deployment scenario, you may use one (1) storage class.  For an Production deployment, the deployment script will ask for three (3) storage classes to meet the slow, medium, and fast storage for the configuration of CP4BA components.  If you don't have three (3) storage classes, you can use the same one for slow, medium, or fast.  Note that you can get the existing storage class(es) in the environment by running the following command: oc get storageclass. Take note of the storage classes that you want to use for deployment. 
...omitted list of storage classes

Wait until the script finishes. You can rerun the command if it times out like "Timeout waiting for CP4BA operator to start".

Wait until all Operators in Project cp4ba-dev are in Succeeded state. The script should have already takne care of this.

oc get csv -n cp4ba-dev -w

Prepare property files

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script

Generate properties for components that you would like to deploy.

/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-prerequisites.sh -m property -n cp4ba-dev

Answer as follows.

Tips:Press [ENTER] to accept the default (None of the patterns is selected)
Enter a valid option [1 to 4, 5a, 5b, 6, 7a, 7b, 8]: 5a

Tips:Press [ENTER] to accept the default (None of the patterns is selected)
Enter a valid option [1 to 4, 5a, 5b, 6, 7a, 7b, 8]: 1

Hit Enter to continue.

Pattern "FileNet Content Manager": Select optional components: 
1) Content Search Services 
2) Content Management Interoperability Services 
3) IBM Enterprise Records 
4) IBM Content Collector for SAP 
5) Business Automation Insights 
6) Task Manager 

ATTENTION: IBM Content Collector for SAP (5) does NOT support a cluster running a Linux on Power architecture.

Tips: Press [ENTER] if you do not want any optional components or when you are finished selecting your optional components
Enter a valid option [1 to 6 or ENTER]: 

Hit Enter to continue.

Pattern "(a) Workflow Authoring": Select optional components: 
1) Business Automation Insights
2) Data Collector and Data Indexer
3) Exposed Kafka Services 

Tips: Press [ENTER] to accept the default (None of the components is selected)
Enter a valid option [1 to 3 or ENTER]:

Hit Enter to continue.

What is the LDAP type that is used for this deployment? 
1) Microsoft Active Directory
2) IBM Tivoli Directory Server / Security Directory Server
Enter a valid option [1 to 2]: 2
[*] You can change the parameter "LDAP_SSL_ENABLED" in the property file "/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_LDAP.property" later. "LDAP_SSL_ENABLED" is "TRUE" by default.


To provision the persistent volumes and volume claims
please enter the file storage classname for slow storage(RWX): ocs-storagecluster-cephfs
please enter the file storage classname for medium storage(RWX): ocs-storagecluster-cephfs
please enter the file storage classname for fast storage(RWX): ocs-storagecluster-cephfs
please enter the block storage classname for Zen(RWO): ocs-storagecluster-ceph-rbd

Please select the deployment profile (default: small).  Refer to the documentation in CP4BA Knowledge Center for details on profile.
1) small
2) medium
3) large
Enter a valid option [1 to 3]: 1

What is the Database type that is used for this deployment? 
1) IBM Db2 Database
2) Oracle
3) Microsoft SQL Server
4) PostgreSQL
5) PostgreSQL EDB (deployed by CP4BA Operator)
Enter a valid option [1 to 5]: 4

[*] You can change the parameter "DATABASE_SSL_ENABLE" in the property file "/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_db_server.property" later. "DATABASE_SSL_ENABLE" is "TRUE" by default.
[*] You can change the parameter "POSTGRESQL_SSL_CLIENT_SERVER" in the property file "/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_db_server.property" later. "POSTGRESQL_SSL_CLIENT_SERVER" is "TRUE" by default
[*] - POSTGRESQL_SSL_CLIENT_SERVER="True": For a PostgreSQL database with both server and client authentication
[*] - POSTGRESQL_SSL_CLIENT_SERVER="False": For a PostgreSQL database with server-only authentication

Enter the alias name(s) for the database server(s)/instance(s) to be used by the CP4BA deployment.
(NOTE: NOT the host name of the database server, and CANNOT include a dot[.] character)
(NOTE: This key supports comma-separated lists (for example: dbserver1,dbserver2,dbserver3)
The alias name(s): postgresql

Do you want to restrict network egress to unknown external destination for this CP4BA deployment? (Notes: CP4BA 24.0.0 prevents all network egress to unknown destinations by default. You can either (1) enable all egress or (2) accept the new default and create network policies to allow your specific communication targets as documented in the knowledge center.) (Yes/No, default: Yes): Yes

Do you want to use an external Postgres DB [YOU NEED TO CREATE THIS POSTGRESQL DB BY YOURSELF FIRST BEFORE APPLY CP4BA CUSTOM RESOURCE. PLEASE REFER THE KNOWLEDGE CENTER: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.6?topic=im-setting-up-external-postgresql-database-server#dbcreate] as IM metastore DB for this CP4BA deployment? (Notes: IM service can use an external Postgres DB to store IM data. If select "Yes", IM service uses an external Postgres DB as IM metastore DB. If select "No", IM service uses an embedded cloud native postgresql DB as IM metastore DB.) (Yes/No, default: No): No

Do you want to use an external Postgres DB [YOU NEED TO CREATE THIS POSTGRESQL DB BY YOURSELF FIRST BEFORE APPLY CP4BA CUSTOM RESOURCE. PLEASE REFER THE KNOWLEDGE CENTER: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.6?topic=im-setting-up-external-postgresql-database-server#dbcreate] as Zen metastore DB for this CP4BA deployment? (Notes: Zen stores all metadata such as users, groups, service instances, vault integration, secret references in metastore DB. If select "Yes", Zen service uses an external Postgres DB as Zen metastore DB. If select "No", Zen service uses an embedded cloud native postgresql DB as Zen metastore DB ) (Yes/No, default: No): No

Do you want to use an external Postgres DB [YOU NEED TO CREATE THIS POSTGRESQL DB BY YOURSELF FIRST BEFORE APPLY CP4BA CUSTOM RESOURCE, PLEASE REFER THE KNOWLEDGE CENTER: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.6?topic=service-external-database#configuring-an-external-database-with-the-bts-custom-resource] as BTS metastore DB for this CP4BA deployment? (Notes: BTS service can use an external Postgres DB to store meta data. If select "Yes", BTS service uses an external Postgres DB as BTS metastore DB. If select "No", BTS service uses an embedded cloud native postgresql DB as BTS metastore DB ) (Yes/No, default: No): No

Do you want to use an external certificate (root CA) for this Opensearch/Kafka deployment? (Notes: Opensearch/Kafka operator can consume external tls certificate. If select "No", CP4BA operator will create leaf certificates based CP4BA's root CA ) (Yes/No, default: No): No

How many object stores will be deployed for the content pattern? 1


============== Creating database and LDAP property files for CP4BA ==============
Creating DB Server property file for CP4BA
[✔] Created the DB Server property file for CP4BA

Creating LDAP Server property file for CP4BA
[✔] Created the LDAP Server property file for CP4BA


============== Creating property file for database name and user required by CP4BA ==============
Creating Property file for IBM FileNet Content Manager GCD
[✔] Created Property file for IBM FileNet Content Manager GCD

Creating Property file for IBM FileNet Content Manager Object Store required by BAW authoring or BAW Runtime
[✔] Created Property file for IBM FileNet Content Manager Object Store required by BAW authoring or BAW Runtime

Creating Property file for IBM Business Automation Navigator
[✔] Created Property file for IBM Business Automation Navigator

Creating Property file for IBM Business Automation Studio
[✔] Created Property file for IBM Business Automation Studio


============== Created all property files for CP4BA ==============
[NEXT ACTIONS]
Enter the <Required> values in the property files under /usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile
[*] The key name in the property file is created by the cp4a-prerequisites.sh and is NOT EDITABLE.
[*] The value in the property file must be within double quotes.
[*] The value for User/Password in [cp4ba_db_name_user.property] [cp4ba_user_profile.property] file should NOT include special characters: single quotation "'"
[*] The value in [cp4ba_LDAP.property] or [cp4ba_External_LDAP.property] [cp4ba_user_profile.property] file should NOT include special character '"'
* [cp4ba_db_server.property]:
  - Properties for database server used by CP4BA deployment, such as DATABASE_SERVERNAME/DATABASE_PORT/DATABASE_SSL_ENABLE.

  - The value of "<DB_SERVER_LIST>" is an alias for the database servers. The key supports comma-separated lists.

* [cp4ba_db_name_user.property]:
  - Properties for database name and user name required by each component of the CP4BA deployment, such as GCD_DB_NAME/GCD_DB_USER_NAME/GCD_DB_USER_PASSWORD.

  - Change the prefix "<DB_SERVER_NAME>" to assign which database is used by the component.

  - The value of "<DB_SERVER_NAME>" must match the value of <DB_SERVER_LIST> that is defined in "<DB_SERVER_LIST>" of "cp4ba_db_server.property".

* [cp4ba_LDAP.property]:
  - Properties for the LDAP server that is used by the CP4BA deployment, such as LDAP_SERVER/LDAP_PORT/LDAP_BASE_DN/LDAP_BIND_DN/LDAP_BIND_DN_PASSWORD.

* [cp4ba_user_profile.property]:
  - Properties for the global value used by the CP4BA deployment, such as "sc_deployment_license".

  - properties for the value used by each component of CP4BA, such as <APPLOGIN_USER>/<APPLOGIN_PASSWORD>

Update values for cp4ba_db_server.property

# Backup generated file
cp /usr/install/cp4ba-dev/cert-kubernetes/scripts/\
\cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_db_server.property \
/usr/install/cp4ba-dev/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_db_server.property.bak

# Update generated file with real values
sed -i \
-e 's/postgresql.DATABASE_SERVERNAME="<Required>"/'\
'postgresql.DATABASE_SERVERNAME="postgresql.cp4ba-postgresql.svc.cluster.local"/g' \
-e 's/postgresql.DATABASE_PORT="<Required>"/'\
'postgresql.DATABASE_PORT="5432"/g' \
-e 's/postgresql.DATABASE_SSL_ENABLE="True"/'\
'postgresql.DATABASE_SSL_ENABLE="False"/g' \
-e 's/postgresql.POSTGRESQL_SSL_CLIENT_SERVER="True"/'\
'postgresql.POSTGRESQL_SSL_CLIENT_SERVER="False"/g' \
/usr/install/cp4ba-dev/cert-kubernetes/\
scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_db_server.property

Prepare BASE64 representation of password

export PASSWORD_BASE64=`echo -n 'Password' | base64 -w 0`

Update values for cp4ba_db_name_user.property

# Backup generated file
cp /usr/install/cp4ba-dev/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_db_name_user.property \
/usr/install/cp4ba-dev/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_db_name_user.property.bak

# Update generated file with real values
sed -i \
-e 's/postgresql.GCD_DB_NAME="gcddb"/'\
'postgresql.GCD_DB_NAME="devgcd"/g' \
-e 's/postgresql.GCD_DB_USER_NAME="<youruser1>"/'\
'postgresql.GCD_DB_USER_NAME="devgcd"/g' \
-e 's/postgresql.GCD_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.GCD_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.OS1_DB_NAME="os1db"/'\
'postgresql.OS1_DB_NAME="devos1"/g' \
-e 's/postgresql.OS1_DB_USER_NAME="<youruser1>"/'\
'postgresql.OS1_DB_USER_NAME="devos1"/g' \
-e 's/postgresql.OS1_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.OS1_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.BAWDOCS_DB_NAME="bawdocs"/'\
'postgresql.BAWDOCS_DB_NAME="devbawdocs"/g' \
-e 's/postgresql.BAWDOCS_DB_USER_NAME="<youruser1>"/'\
'postgresql.BAWDOCS_DB_USER_NAME="devbawdocs"/g' \
-e 's/postgresql.BAWDOCS_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.BAWDOCS_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.BAWDOS_DB_NAME="bawdos"/'\
'postgresql.BAWDOS_DB_NAME="devbawdos"/g' \
-e 's/postgresql.BAWDOS_DB_USER_NAME="<youruser1>"/'\
'postgresql.BAWDOS_DB_USER_NAME="devbawdos"/g' \
-e 's/postgresql.BAWDOS_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.BAWDOS_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.BAWTOS_DB_NAME="bawtos"/'\
'postgresql.BAWTOS_DB_NAME="devbawtos"/g' \
-e 's/postgresql.BAWTOS_DB_USER_NAME="<youruser1>"/'\
'postgresql.BAWTOS_DB_USER_NAME="devbawtos"/g' \
-e 's/postgresql.BAWTOS_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.BAWTOS_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.CHOS_DB_NAME="chos"/'\
'postgresql.CHOS_DB_NAME="devchos"/g' \
-e 's/postgresql.CHOS_DB_USER_NAME="<youruser1>"/'\
'postgresql.CHOS_DB_USER_NAME="devchos"/g' \
-e 's/postgresql.CHOS_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.CHOS_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.ICN_DB_NAME="icndb"/'\
'postgresql.ICN_DB_NAME="devicn"/g' \
-e 's/postgresql.ICN_DB_USER_NAME="<youruser1>"/'\
'postgresql.ICN_DB_USER_NAME="devicn"/g' \
-e 's/postgresql.ICN_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.ICN_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.STUDIO_DB_NAME="basdb"/'\
'postgresql.STUDIO_DB_NAME="devbas"/g' \
-e 's/postgresql.STUDIO_DB_USER_NAME="<youruser1>"/'\
'postgresql.STUDIO_DB_USER_NAME="devbas"/g' \
-e 's/postgresql.STUDIO_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.STUDIO_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
/usr/install/cp4ba-dev/\
cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_db_name_user.property

Update values for cp4ba_LDAP.property

# Backup generated file
cp /usr/install/cp4ba-dev/cert-kubernetes/\
scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_LDAP.property \
/usr/install/cp4ba-dev/cert-kubernetes/\
scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_LDAP.property.bak

# Update generated file with real values
sed -i \
-e 's/LDAP_TYPE="IBM Security Directory Server"/'\
'LDAP_TYPE="Custom"/g' \
-e 's/LDAP_SERVER="<Required>"/'\
'LDAP_SERVER="openldap.cp4ba-openldap.svc.cluster.local"/g' \
-e 's/LDAP_PORT="<Required>"/'\
'LDAP_PORT="389"/g' \
-e 's/LDAP_BASE_DN="<Required>"/'\
'LDAP_BASE_DN="dc=cp,dc=internal"/g' \
-e 's/LDAP_BIND_DN="<Required>"/'\
'LDAP_BIND_DN="cn=admin,dc=cp,dc=internal"/g' \
-e 's/LDAP_BIND_DN_PASSWORD="{Base64}<Required>"/'\
'LDAP_BIND_DN_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/LDAP_SSL_ENABLED="True"/'\
'LDAP_SSL_ENABLED="False"/g' \
-e 's/LDAP_GROUP_BASE_DN="<Required>"/'\
'LDAP_GROUP_BASE_DN="ou=Groups,dc=cp,dc=internal"/g' \
-e 's/LC_USER_FILTER="(\&(cn=%v)(objectclass=person))"/'\
'LC_USER_FILTER="(\&(uid=%v)(objectclass=inetOrgPerson))"/g' \
/usr/install/cp4ba-dev/cert-kubernetes/\
scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_LDAP.property

Update values for cp4ba_user_profile.property

# Backup generated file
cp /usr/install/cp4ba-dev/cert-kubernetes/\
scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_user_profile.property \
/usr/install/cp4ba-dev/cert-kubernetes/\
scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_user_profile.property.bak

# Update generated file with real values
sed -i \
-e 's/CP4BA.CP4BA_LICENSE="<Required>"/'\
'CP4BA.CP4BA_LICENSE="non-production"/g' \
-e 's/CP4BA.FNCM_LICENSE="<Required>"/'\
'CP4BA.FNCM_LICENSE="non-production"/g' \
-e 's/CP4BA.BAW_LICENSE="<Required>"/'\
'CP4BA.BAW_LICENSE="non-production"/g' \
-e 's/CONTENT.APPLOGIN_USER="<Required>"/'\
'CONTENT.APPLOGIN_USER="cpadmin"/g' \
-e 's/CONTENT.APPLOGIN_PASSWORD="{Base64}<Required>"/'\
'CONTENT.APPLOGIN_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/CONTENT.LTPA_PASSWORD="{Base64}<Required>"/'\
'CONTENT.LTPA_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/CONTENT.KEYSTORE_PASSWORD="{Base64}<Required>"/'\
'CONTENT.KEYSTORE_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/CONTENT_INITIALIZATION.LDAP_ADMIN_USER_NAME="<Required>"/'\
'CONTENT_INITIALIZATION.LDAP_ADMIN_USER_NAME="cpadmin"/g' \
-e 's/CONTENT_INITIALIZATION.LDAP_ADMINS_GROUPS_NAME="<Required>"/'\
'CONTENT_INITIALIZATION.LDAP_ADMINS_GROUPS_NAME="cpadmins"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_ADMIN_USER_GROUPS="<Required>"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_ADMIN_USER_GROUPS="cpadmin,cpadmins"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_DATA_TBL_SPACE="bawtos_tbs"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_DATA_TBL_SPACE="devbawtos_tbs"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_ADMIN_GROUP="<Required>"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_ADMIN_GROUP="cpadmins"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_CONFIG_GROUP="<Required>"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_CONFIG_GROUP="cpadmins"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_PE_CONN_POINT_NAME="<Required>"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_PE_CONN_POINT_NAME="pe_conn_bawtos"/g' \
-e 's/BAN.APPLOGIN_USER="<Required>"/'\
'BAN.APPLOGIN_USER="cpadmin"/g' \
-e 's/BAN.APPLOGIN_PASSWORD="{Base64}<Required>"/'\
'BAN.APPLOGIN_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/BAN.LTPA_PASSWORD="{Base64}<Required>"/'\
'BAN.LTPA_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/BAN.KEYSTORE_PASSWORD="{Base64}<Required>"/'\
'BAN.KEYSTORE_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/BASTUDIO.ADMIN_USER="<Required>"/'\
'BASTUDIO.ADMIN_USER="cpadmin"/g' \
/usr/install/cp4ba-dev/cert-kubernetes/\
scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_user_profile.property

sed -i \
-e 's/SCIM.USER_UNIQUE_ID_ATTRIBUTE="ibm-entryuuid"/'\
'SCIM.USER_UNIQUE_ID_ATTRIBUTE="entryUUID"/g' \
-e 's/SCIM.USER_OBJECT_CLASS_ATTRIBUTE="person"/'\
'SCIM.USER_OBJECT_CLASS_ATTRIBUTE="inetOrgPerson"/g' \
-e 's/SCIM.GROUP_UNIQUE_ID_ATTRIBUTE="ibm-entryuuid"/'\
'SCIM.GROUP_UNIQUE_ID_ATTRIBUTE="entryUUID"/g' \
-e 's/SCIM.GROUP_OBJECT_CLASS_ATTRIBUTE="groupOfUniqueNames"/'\
'SCIM.GROUP_OBJECT_CLASS_ATTRIBUTE="groupOfNames"/g' \
-e 's/SCIM.GROUP_MEMBERS_ATTRIBUTE="uniqueMember"/'\
'SCIM.GROUP_MEMBERS_ATTRIBUTE="member"/g' \
/usr/install/cp4ba-dev/cert-kubernetes/\
scripts/cp4ba-prerequisites/project/cp4ba-dev/propertyfile/cp4ba_user_profile.property

Generate, update and apply SQL and Secret files

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script

Generate SQL and Secrets

/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-prerequisites.sh -m generate -n cp4ba-dev

Look for all green checkmarks in the output.

Update tablespace path

find /usr/install/cp4ba-dev/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-dev/dbscript -name '*.sql' \
| xargs sed -i 's|/pgsqldata|/bitnami/postgresql/tablespaces|g'

Copy create scripts to PostgreSQL instance

oc cp /usr/install/cp4ba-dev/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-dev/dbscript \
cp4ba-postgresql/\
$(oc get pods --namespace cp4ba-postgresql -o name | cut -d"/" -f2):/tmp/dbscript-dev

Execute create scripts with table space directory creation

# Studio
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-dev/bas/postgresql/postgresql/create_bas_studio_db.sql'

# BAW authoring DOCS
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/devbawdocs;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-dev/fncm/postgresql/postgresql/createdevbawdocs.sql'

# BAW authoring DOS
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/devbawdos;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-dev/fncm/postgresql/postgresql/createdevbawdos.sql'

# BAW authoring TOS
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/devbawtos;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-dev/fncm/postgresql/postgresql/createdevbawtos.sql'

# Navigator
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/devicn;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-dev/ban/postgresql/postgresql/createICNDB.sql'

# FNCM OS1
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/devos1;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-dev/fncm/postgresql/postgresql/createOS1DB.sql'

# FNCM GCD
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/devgcd;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-dev/fncm/postgresql/postgresql/createGCDDB.sql'

Apply secrets which are in /usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-dev/secret_template/.

/usr/install/cp4ba-dev/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-dev/create_secret.sh

Validate connectivity

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script

/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-prerequisites.sh -m validate -n cp4ba-dev

Look for all green checkmarks.

Generating the custom resource with the deployment script

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=cpd-option-1a-recommended-generating-custom-resource-deployment-script

Run deployment script

# Switch to Project
# TODO should not be needed, last seen 24.0.0 IF002 2024-10-15
oc project cp4ba-dev

/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-deployment.sh -n cp4ba-dev

IMPORTANT: Review the IBM Cloud Pak for Business Automation license information here: 

https://www14.software.ibm.com/cgi-bin/weblap/lap.pl?li_formnum=L-FNHF-F9RU7N

Press any key to continue

Do you accept the IBM Cloud Pak for Business Automation license (Yes/No, default: No): Yes

Did you deploy Content CR (CRD: contents.icp4a.ibm.com) in current cluster? (Yes/No, default: No): No

Starting to Install the Cloud Pak for Business Automation Operator...


What type of deployment is being performed?
1) Starter
2) Production
Enter a valid option [1 to 2]: 2

*******************************************************
            Summary of CP4BA capabilities              
*******************************************************
1. Cloud Pak capability to deploy: 
   * FileNet Content Manager
   * Business Automation Workflow
     (a) Workflow Authoring
2. Optional components to deploy: 
   * None
*******************************************************

[INFO] Above CP4BA capabilities is already selected in the cp4a-prerequisites.sh script
Press any key to continue

Select the cloud platform to deploy: 
1) RedHat OpenShift Kubernetes Service (ROKS) - Public Cloud
2) Openshift Container Platform (OCP) - Private Cloud
3) Other ( Certified Kubernetes Cloud Platform / CNCF)
Enter a valid option [1 to 3]: 2 # Based on your platform

ATTENTION: If you are unable to use [cpadmin] as the default IAM admin user due to it having the same user name in your LDAP Directory, you need to change the Cloud Pak administrator username. See: "https://www.ibm.com/docs/en/cpfs?topic=configurations-changing-cloud-pak-administrator-access-credentials#user-name"
Do you want to use the default IAM admin user: [cpadmin] (Yes/No, default: Yes): No

What is the non default IAM admin user you renamed?
Enter the admin user name: cpfsadmin

Provide a URL to zip file that contains JDBC and/or ICCSAP drivers.
(optional - if not provided, the Operator will configure using the default shipped JDBC driver): # Hit Enter - omit

The Operator will configure using the default shipped JDBC driver.

*******************************************************
                    Summary of input                   
*******************************************************
1. Cloud Pak capability to deploy: 
   * FileNet Content Manager
   * Business Automation Workflow
     (a) Workflow Authoring
2. Optional components to deploy: 
   * None
3. File storage classname(RWX):
   * Slow: ocs-storagecluster-cephfs
   * Medium: ocs-storagecluster-cephfs
   * Fast: ocs-storagecluster-cephfs
4. Block storage classname(RWO): ocs-storagecluster-ceph-rbd
5. URL to zip file for JDBC and/or ICCSAP drivers: 
*******************************************************

Verify that the information above is correct.
To proceed with the deployment, enter "Yes".
To make changes, enter "No" (default: No): Yes

Creating the Custom Resource of the Cloud Pak for Business Automation operator...

Applying value in property file into final CR
[✔] Applied value in property file into final CR under /usr/install/cp4ba-dev/cert-kubernetes/scripts/generated-cr/project/cp4ba-dev
Please confirm final custom resource under /usr/install/cp4ba-dev/cert-kubernetes/scripts/generated-cr/project/cp4ba-dev


[INFO] the script will set "cp4ba-dev" as namespace in the final custom resource.

[NOTE] The custom resource (CR) file has been generated, but is not yet deployed (applied).

[ATTENTION] Prior to deploying (applying) the custom resource (CR), please follow the steps in the Knowledge Center topic "Checking and completing your custom resource" to configure the custom resource file for the capabilities that you have selected: https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-checking-completing-your-custom-resource   

[ATTENTION] After you have finished configuring the custom resource (CR) file, please follow the steps in the Knowledge Center to deploy (apply) your custom resource: https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=cpd-option-1b-deploying-custom-resource-you-created-deployment-script  

The custom resource file located at: "/usr/install/cp4ba-dev/cert-kubernetes/scripts/generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml"

[ATTENTION]: If the cluster is running a Linux on Z (s390x)/Power architecture, remove the baml_configuration section from "/usr/install/cp4ba-dev/cert-kubernetes/scripts/generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml" before you apply the custom resource. Business Automation Machine Learning Server (BAML) is not supported on this architecture.


To monitor the deployment status, follow the Operator logs.
For details, refer to the troubleshooting section in Knowledge Center here: 
https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=automation-troubleshooting

Checking and completing your custom resource

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-checking-completing-your-custom-resource

Change LDAP sub settings from tds to custom

sed -i \
-e 's/tds:/custom:/g' \
/usr/install/cp4ba-dev/cert-kubernetes/\
scripts/generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml

If you want to see all debug output in operator logs add the following properties (Not for production use, can leak sensitive info!)

yq -i '.spec.shared_configuration.no_log = false' \
/usr/install/cp4ba-dev/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml
yq -i '.spec.shared_configuration.show_sensitive_log = true' \
/usr/install/cp4ba-dev/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml

Deploying the custom resource you created with the deployment script

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script

Add permissive network policy to enable anything from cp4ba-dev namespace to reach anything

echo "
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: custom-permit-all-communication
  namespace: cp4ba-dev
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - {}
" | oc apply -f -

Apply CR

oc apply -n cp4ba-dev -f /usr/install/cp4ba-dev/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml

Wait for the deployment to be completed. This can be determined by looking in Project cp4ba-dev in Kind ICP4ACluster, instance named icp4adeploy to have the following conditions:

oc get -n cp4ba-dev icp4acluster icp4adeploy -o=jsonpath="{.status.conditions}" | jq

[
//...
  {
    "message": "",
    "reason": "Successful",
    "status": "True",
    "type": "Ready"
  },
//...
]

Access info after deployment

• https://cpd-cp4ba-dev.<ocp_apps_domain>/
• cpadmin / Password
• Additional capabilities based info in Project cp4ba-dev in ConfigMap icp4adeploy-cp4ba-access-info
• To get cpfsadmin password oc get secret platform-auth-idp-credentials -n cp4ba-dev -o jsonpath='{.data.admin_password}' | base64 -d

Completing post-installation tasks

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-completing-post-installation-tasks

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=cpbaf-business-automation-studio
You need to setup permissions for your users.

# Get password of zen initial admin
zen_admin_password=`oc get secret admin-user-details -n cp4ba-dev \
-o jsonpath='{.data.initial_admin_password}' | base64 -d`
echo $zen_admin_password

# Get apps endpoint of your openshift
apps_endpoint=`oc get ingress.v1.config.openshift.io cluster -n cp4ba-dev \
-o jsonpath='{.spec.domain}'`
echo $apps_endpoint

# Get zen token
# Based on https://cloud.ibm.com/apidocs/cloud-pak-data/cloud-pak-data-4.5.0#getauthorizationtoken
zen_token=`curl --silent -k -H "Content-Type: application/json" \
-d '{"username":"admin","password":"'$zen_admin_password'"}' \
https://cpd-cp4ba-dev.${apps_endpoint}/icp4d-api/v1/authorize | jq -r ".token"`
echo $zen_token

# Add all roles to cpadmin user to be usable for all tasks
curl -kv -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer $zen_token" \
-d '{"username":"cpadmin", '\
'"user_roles":["zen_administrator_role","iaf-automation-admin","iaf-automation-analyst",'\
'"iaf-automation-developer","iaf-automation-operator","zen_user_role"]}' \
https://cpd-cp4ba-dev.${apps_endpoint}/usermgmt/v1/user/cpadmin?add_roles=true

Validating your production deployment

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-recommended-validating-your-production

You can further verify the environments and get important information. But before running anything else then --help follow additional steps for script configuration.

oc project cp4ba-dev
/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-post-install.sh --help

Perform setup for cp4a-post-install.sh script

# Get apps endpoint of your openshift
apps_endpoint=`oc get ingress.v1.config.openshift.io cluster \
-n cp4ba-dev -o jsonpath='{.spec.domain}'`
echo $apps_endpoint

# Get CPFS token
cpfs_token=`curl --silent -k --header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=cpadmin' \
--data-urlencode 'password=Password' \
--data-urlencode 'scope=openid' \
https://cp-console-cp4ba-dev.${apps_endpoint}/idprovider/v1/auth/identitytoken \
| jq -r ".access_token"`
echo $cpfs_token

# Exchange CPFS token for Zen token
zen_token=`curl --silent -k -H "Content-Type: application/json" \
--header "iam-token: ${cpfs_token}" \
--header 'username: cpadmin' \
https://cpd-cp4ba-dev.${apps_endpoint}/v1/preauth/validateAuth | jq -r ".accessToken"`
echo $zen_token

# Generate ZenApiKey
zen_api_key=`curl --silent -k -H "Content-Type: application/json" \
--header "Authorization: Bearer ${zen_token}" \
--header 'username: cpadmin' \
https://cpd-cp4ba-dev.${apps_endpoint}/usermgmt/v1/user/apiKey | jq -r ".apiKey"`
echo $zen_api_key

# Change CPFS namespace for cp4a-post-install.sh script and add password and zen api key
sed -i \
-e 's/CP4BA_COMMON_SERVICES_NAMESPACE="ibm-common-services"/'\
'CP4BA_COMMON_SERVICES_NAMESPACE="cp4ba-dev"/g' \
-e 's/PROBE_USER_API_KEY=/'\
'PROBE_USER_API_KEY="'${zen_api_key}'"/g' \
-e 's/PROBE_USER_NAME=/'\
'PROBE_USER_NAME="cpadmin"/g' \
-e 's/PROBE_USER_PASSWORD=/'\
'PROBE_USER_PASSWORD="Password"/g' \
/usr/install/cp4ba-dev/cert-kubernetes/scripts/helper/post-install/env.sh

Now you can run cp4a-post-install.sh with other parameters.

/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-post-install.sh --precheck
/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-post-install.sh --status
/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-post-install.sh --console
/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-post-install.sh --probe #Y to continue

Next steps

Follow https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-completing-post-installation-tasks as needed.

Optional custom CPFS console TLS - follow https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=security-customizing-cloud-pak-identity-management-im-service

Optional custom CPFS admin password - follow https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=tasks-cloud-pak-foundational-services

Optional custom Zen certificates - follow https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=security-customizing-cloud-pak-entry-point

Cloud Pak for Business Automation Test Environment (Runtime)

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployments-installing-cp4ba-multi-pattern-production-deployment

Preparing a client to connect to the cluster

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-preparing-client-connect-cluster

# Create directory for cp4ba-dev
mkdir /usr/install/cp4ba-test

# Download the package
git clone -b 24.0.0-IF002 https://github.com/icp4a/cert-kubernetes.git \
/usr/install/cp4ba-test/cert-kubernetes

Setting up the cluster by running a script

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=cluster-recommended-setting-up-by-running-script

Prepare variables for silent setup

export CP4BA_AUTO_PLATFORM="OCP"
export CP4BA_AUTO_DEPLOYMENT_TYPE="production"
export CP4BA_AUTO_FIPS_CHECK="No" 
export CP4BA_AUTO_PRIVATE_CATALOG="Yes" 
export CP4BA_AUTO_NAMESPACE="cp4ba-test"
export CP4BA_AUTO_CLUSTER_USER="kubeadmin"
export CP4BA_AUTO_ENTITLEMENT_KEY="PLACE_YOUR_ICR_KEY_HERE"
export CP4BA_AUTO_SEPARATE_OPERATOR="No"
export CP4BA_AUTO_AIRGAP_MODE="No"

Run cluster admin setup

/usr/install/cp4ba-dev/cert-kubernetes/scripts/cp4a-clusteradmin-setup.sh

... ending with the following
[INFO] Waiting for CP4BA Content operator pod initialization

CP4BA Content operator is running...
ibm-content-operator-fbf9559b4-rwfvc


Label the default namespace to allow network policies to open traffic to the ingress controller using a namespaceSelector...namespace/default not labeled
Done

Storage classes are needed to run the deployment script. For the Starter deployment scenario, you may use one (1) storage class.  For an Production deployment, the deployment script will ask for three (3) storage classes to meet the slow, medium, and fast storage for the configuration of CP4BA components.  If you don't have three (3) storage classes, you can use the same one for slow, medium, or fast.  Note that you can get the existing storage class(es) in the environment by running the following command: oc get storageclass. Take note of the storage classes that you want to use for deployment. 
...omitted list of storage classes

Wait until the script finishes. You can rerun the command if it times out like "Timeout waiting for CP4BA operator to start".

Wait until all Operators in Project cp4ba-dev are in Succeeded state. The script should have already takne care of this.

oc get csv -n cp4ba-test -w

Prepare property files

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script

Generate properties for components that you would like to deploy.

/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-prerequisites.sh -m property -n cp4ba-test

Answer as follows.

Tips:Press [ENTER] to accept the default (None of the patterns is selected)
Enter a valid option [1 to 4, 5a, 5b, 6, 7a, 7b, 8]: 5b

Tips:Press [ENTER] to accept the default (None of the patterns is selected)
Enter a valid option [1 to 4, 5a, 5b, 6, 7a, 7b, 8]: 1

Hit Enter to continue.

Pattern "FileNet Content Manager": Select optional components: 
1) Content Search Services 
2) Content Management Interoperability Services 
3) IBM Enterprise Records 
4) IBM Content Collector for SAP 
5) Business Automation Insights 
6) Task Manager 

ATTENTION: IBM Content Collector for SAP (5) does NOT support a cluster running a Linux on Power architecture.

Tips: Press [ENTER] if you do not want any optional components or when you are finished selecting your optional components
Enter a valid option [1 to 6 or ENTER]: 

Hit Enter to continue.

Pattern "(b) Workflow Runtime": Select optional components: 
1) Business Automation Insights 
2) Exposed Kafka Services 
3) Exposed Elasticsearch 

Tips: Press [ENTER] if you do not want any optional components or when you are finished selecting your optional components
Enter a valid option [1 to 3 or ENTER]: 

Hit Enter to continue.

What is the LDAP type used for this deployment? 
1) Microsoft Active Directory
2) Tivoli Directory Server / Security Directory Server
Enter a valid option [1 to 2]: 2
[*] You can change the parameter "LDAP_SSL_ENABLED" in the property file "/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_LDAP.property" later. "LDAP_SSL_ENABLED" is "TRUE" by default.

To provision the persistent volumes and volume claims
please enter the file storage classname for slow storage(RWX): ocs-storagecluster-cephfs
please enter the file storage classname for medium storage(RWX): ocs-storagecluster-cephfs
please enter the file storage classname for fast storage(RWX): ocs-storagecluster-cephfs
please enter the block storage classname for Zen(RWO): ocs-storagecluster-ceph-rbd

Please select the deployment profile (default: small).  Refer to the documentation in CP4BA Knowledge Center for details on profile.
1) small
2) medium
3) large
Enter a valid option [1 to 3]: 1

What is the Database type that is used for this deployment? 
1) IBM Db2 Database
2) Oracle
3) Microsoft SQL Server
4) PostgreSQL
5) PostgreSQL EDB (deployed by CP4BA Operator)
Enter a valid option [1 to 5]: 4

[*] You can change the parameter "DATABASE_SSL_ENABLE" in the property file "/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_db_server.property" later. "DATABASE_SSL_ENABLE" is "TRUE" by default.
[*] You can change the parameter "POSTGRESQL_SSL_CLIENT_SERVER" in the property file "/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_db_server.property" later. "POSTGRESQL_SSL_CLIENT_SERVER" is "TRUE" by default
[*] - POSTGRESQL_SSL_CLIENT_SERVER="True": For a PostgreSQL database with both server and client authentication
[*] - POSTGRESQL_SSL_CLIENT_SERVER="False": For a PostgreSQL database with server-only authentication

Enter the alias name(s) for the database server(s)/instance(s) to be used by the CP4BA deployment.
(NOTE: NOT the host name of the database server, and CANNOT include a dot[.] character)
(NOTE: This key supports comma-separated lists (for example: dbserver1,dbserver2,dbserver3)
The alias name(s): postgresql

Where do you want to deploy Cloud Pak for Business Automation?
Enter the name for an existing project (namespace): cp4ba-test
Using project cp4ba-test...


Do you want to restrict network egress to unknown external destination for this CP4BA deployment? (Notes: CP4BA 24.0.0 prevents all network egress to unknown destinations by default. You can either (1) enable all egress or (2) accept the new default and create network policies to allow your specific communication targets as documented in the knowledge center.) (Yes/No, default: Yes): Yes


Do you want to use an external Postgres DB [YOU NEED TO CREATE THIS POSTGRESQL DB BY YOURSELF FIRST BEFORE APPLY CP4BA CUSTOM RESOURCE. PLEASE REFER THE KNOWLEDGE CENTER: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.6?topic=im-setting-up-external-postgresql-database-server#dbcreate] as IM metastore DB for this CP4BA deployment? (Notes: IM service can use an external Postgres DB to store IM data. If select "Yes", IM service uses an external Postgres DB as IM metastore DB. If select "No", IM service uses an embedded cloud native postgresql DB as IM metastore DB.) (Yes/No, default: No): no


Do you want to use an external Postgres DB [YOU NEED TO CREATE THIS POSTGRESQL DB BY YOURSELF FIRST BEFORE APPLY CP4BA CUSTOM RESOURCE. PLEASE REFER THE KNOWLEDGE CENTER: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.6?topic=im-setting-up-external-postgresql-database-server#dbcreate] as Zen metastore DB for this CP4BA deployment? (Notes: Zen stores all metadata such as users, groups, service instances, vault integration, secret references in metastore DB. If select "Yes", Zen service uses an external Postgres DB as Zen metastore DB. If select "No", Zen service uses an embedded cloud native postgresql DB as Zen metastore DB ) (Yes/No, default: No): no


Do you want to use an external certificate (root CA) for this Opensearch/Kafka deployment? (Notes: Opensearch/Kafka operator can consume external tls certificate. If select "No", CP4BA operator will create leaf certificates based CP4BA's root CA ) (Yes/No, default: No): no

How many object stores will be deployed for the content pattern? 1

============== Creating database and LDAP property files for CP4BA ==============
Creating DB Server property file for CP4BA
[✔] Created the DB Server property file for CP4BA

Creating LDAP Server property file for CP4BA
[✔] Created the LDAP Server property file for CP4BA


============== Creating property file for database name and user required by CP4BA ==============
Creating Property file for IBM FileNet Content Manager GCD
[✔] Created Property file for IBM FileNet Content Manager GCD

Creating Property file for IBM FileNet Content Manager Object Store required by BAW authoring or BAW Runtime
[✔] Created Property file for IBM FileNet Content Manager Object Store required by BAW authoring or BAW Runtime

Creating Property file for IBM Business Automation Navigator
[✔] Created Property file for IBM Business Automation Navigator

Creating Property file for IBM Business Automation Workflow Runtime
[✔] Created Property file for IBM Business Automation Workflow Runtime


============== Created all property files for CP4BA ==============
[NEXT ACTIONS]
Enter the <Required> values in the property files under /usr/install/cp4ba-test/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-test/propertyfile
[*] The key name in the property file is created by the cp4a-prerequisites.sh and is NOT EDITABLE.
[*] The value in the property file must be within double quotes.
[*] The value for User/Password in [cp4ba_db_name_user.property] [cp4ba_user_profile.property] file should NOT include special characters: single quotation "'"
[*] The value in [cp4ba_LDAP.property] or [cp4ba_External_LDAP.property] [cp4ba_user_profile.property] file should NOT include special character '"'
* [cp4ba_db_server.property]:
  - Properties for database server used by CP4BA deployment, such as DATABASE_SERVERNAME/DATABASE_PORT/DATABASE_SSL_ENABLE.

  - The value of "<DB_SERVER_LIST>" is an alias for the database servers. The key supports comma-separated lists.

* [cp4ba_db_name_user.property]:
  - Properties for database name and user name required by each component of the CP4BA deployment, such as GCD_DB_NAME/GCD_DB_USER_NAME/GCD_DB_USER_PASSWORD.

  - Change the prefix "<DB_SERVER_NAME>" to assign which database is used by the component.

  - The value of "<DB_SERVER_NAME>" must match the value of <DB_SERVER_LIST> that is defined in "<DB_SERVER_LIST>" of "cp4ba_db_server.property".

* [cp4ba_LDAP.property]:
  - Properties for the LDAP server that is used by the CP4BA deployment, such as LDAP_SERVER/LDAP_PORT/LDAP_BASE_DN/LDAP_BIND_DN/LDAP_BIND_DN_PASSWORD.

* [cp4ba_user_profile.property]:
  - Properties for the global value used by the CP4BA deployment, such as "sc_deployment_license".

  - properties for the value used by each component of CP4BA, such as <APPLOGIN_USER>/<APPLOGIN_PASSWORD>

Update values for cp4ba_db_server.property

# Backup generated file
cp /usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_db_server.property \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_db_server.property.bak

# Update generated file with real values
sed -i \
-e 's/postgresql.DATABASE_SERVERNAME="<Required>"/'\
'postgresql.DATABASE_SERVERNAME="postgresql.cp4ba-postgresql.svc.cluster.local"/g' \
-e 's/postgresql.DATABASE_PORT="<Required>"/'\
'postgresql.DATABASE_PORT="5432"/g' \
-e 's/postgresql.DATABASE_SSL_ENABLE="True"/'\
'postgresql.DATABASE_SSL_ENABLE="False"/g' \
-e 's/postgresql.POSTGRESQL_SSL_CLIENT_SERVER="True"/'\
'postgresql.POSTGRESQL_SSL_CLIENT_SERVER="False"/g' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_db_server.property

Prepare BASE64 representation of password

export PASSWORD_BASE64=`echo -n 'Password' | base64 -w 0`

Update values for cp4ba_db_name_user.property

# Backup generated file
cp /usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_db_name_user.property \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_db_name_user.property.bak

# Update generated file with real values
sed -i \
-e 's/postgresql.GCD_DB_NAME="gcddb"/'\
'postgresql.GCD_DB_NAME="testgcd"/g' \
-e 's/postgresql.GCD_DB_USER_NAME="<youruser1>"/'\
'postgresql.GCD_DB_USER_NAME="testgcd"/g' \
-e 's/postgresql.GCD_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.GCD_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.OS1_DB_NAME="os1db"/'\
'postgresql.OS1_DB_NAME="testos1"/g' \
-e 's/postgresql.OS1_DB_USER_NAME="<youruser1>"/'\
'postgresql.OS1_DB_USER_NAME="testos1"/g' \
-e 's/postgresql.OS1_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.OS1_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.BAWDOCS_DB_NAME="bawdocs"/'\
'postgresql.BAWDOCS_DB_NAME="testbawdocs"/g' \
-e 's/postgresql.BAWDOCS_DB_USER_NAME="<youruser1>"/'\
'postgresql.BAWDOCS_DB_USER_NAME="testbawdocs"/g' \
-e 's/postgresql.BAWDOCS_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.BAWDOCS_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.BAWDOS_DB_NAME="bawdos"/'\
'postgresql.BAWDOS_DB_NAME="testbawdos"/g' \
-e 's/postgresql.BAWDOS_DB_USER_NAME="<youruser1>"/'\
'postgresql.BAWDOS_DB_USER_NAME="testbawdos"/g' \
-e 's/postgresql.BAWDOS_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.BAWDOS_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.BAWTOS_DB_NAME="bawtos"/'\
'postgresql.BAWTOS_DB_NAME="testbawtos"/g' \
-e 's/postgresql.BAWTOS_DB_USER_NAME="<youruser1>"/'\
'postgresql.BAWTOS_DB_USER_NAME="testbawtos"/g' \
-e 's/postgresql.BAWTOS_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.BAWTOS_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.CHOS_DB_NAME="chos"/'\
'postgresql.CHOS_DB_NAME="testchos"/g' \
-e 's/postgresql.CHOS_DB_USER_NAME="<youruser1>"/'\
'postgresql.CHOS_DB_USER_NAME="testchos"/g' \
-e 's/postgresql.CHOS_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.CHOS_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.ICN_DB_NAME="icndb"/'\
'postgresql.ICN_DB_NAME="testicn"/g' \
-e 's/postgresql.ICN_DB_USER_NAME="<youruser1>"/'\
'postgresql.ICN_DB_USER_NAME="testicn"/g' \
-e 's/postgresql.ICN_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.ICN_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/postgresql.BAW_RUNTIME_DB_NAME="bawdb"/'\
'postgresql.BAW_RUNTIME_DB_NAME="testbaw"/g' \
-e 's/postgresql.BAW_RUNTIME_DB_USER_NAME="<youruser1>"/'\
'postgresql.BAW_RUNTIME_DB_USER_NAME="testbaw"/g' \
-e 's/postgresql.BAW_RUNTIME_DB_USER_PASSWORD="{Base64}<yourpassword>"/'\
'postgresql.BAW_RUNTIME_DB_USER_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
/usr/install/cp4ba-test/\
cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_db_name_user.property

Update values for cp4ba_LDAP.property

# Backup generated file
cp /usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_LDAP.property \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_LDAP.property.bak

# Update generated file with real values
sed -i \
-e 's/LDAP_TYPE="IBM Security Directory Server"/'\
'LDAP_TYPE="Custom"/g' \
-e 's/LDAP_SERVER="<Required>"/'\
'LDAP_SERVER="openldap.cp4ba-openldap.svc.cluster.local"/g' \
-e 's/LDAP_PORT="<Required>"/'\
'LDAP_PORT="389"/g' \
-e 's/LDAP_BASE_DN="<Required>"/'\
'LDAP_BASE_DN="dc=cp,dc=internal"/g' \
-e 's/LDAP_BIND_DN="<Required>"/'\
'LDAP_BIND_DN="cn=admin,dc=cp,dc=internal"/g' \
-e 's/LDAP_BIND_DN_PASSWORD="{Base64}<Required>"/'\
'LDAP_BIND_DN_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/LDAP_SSL_ENABLED="True"/'\
'LDAP_SSL_ENABLED="False"/g' \
-e 's/LDAP_GROUP_BASE_DN="<Required>"/'\
'LDAP_GROUP_BASE_DN="ou=Groups,dc=cp,dc=internal"/g' \
-e 's/LC_USER_FILTER="(\&(cn=%v)(objectclass=person))"/'\
'LC_USER_FILTER="(\&(uid=%v)(objectclass=inetOrgPerson))"/g' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_LDAP.property

Update values for cp4ba_user_profile.property

# Backup generated file
cp /usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_user_profile.property \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_user_profile.property.bak

# Update generated file with real values
sed -i \
-e 's/CP4BA.CP4BA_LICENSE="<Required>"/'\
'CP4BA.CP4BA_LICENSE="non-production"/g' \
-e 's/CP4BA.FNCM_LICENSE="<Required>"/'\
'CP4BA.FNCM_LICENSE="non-production"/g' \
-e 's/CP4BA.BAW_LICENSE="<Required>"/'\
'CP4BA.BAW_LICENSE="non-production"/g' \
-e 's/CONTENT.APPLOGIN_USER="<Required>"/'\
'CONTENT.APPLOGIN_USER="cpadmin"/g' \
-e 's/CONTENT.APPLOGIN_PASSWORD="{Base64}<Required>"/'\
'CONTENT.APPLOGIN_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/CONTENT.LTPA_PASSWORD="{Base64}<Required>"/'\
'CONTENT.LTPA_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/CONTENT.KEYSTORE_PASSWORD="{Base64}<Required>"/'\
'CONTENT.KEYSTORE_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/CONTENT_INITIALIZATION.LDAP_ADMIN_USER_NAME="<Required>"/'\
'CONTENT_INITIALIZATION.LDAP_ADMIN_USER_NAME="cpadmin"/g' \
-e 's/CONTENT_INITIALIZATION.LDAP_ADMINS_GROUPS_NAME="<Required>"/'\
'CONTENT_INITIALIZATION.LDAP_ADMINS_GROUPS_NAME="cpadmins"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_ADMIN_USER_GROUPS="<Required>"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_ADMIN_USER_GROUPS="cpadmin,cpadmins"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_DATA_TBL_SPACE="bawtos_tbs"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_DATA_TBL_SPACE="testbawtos_tbs"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_ADMIN_GROUP="<Required>"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_ADMIN_GROUP="cpadmins"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_CONFIG_GROUP="<Required>"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_CONFIG_GROUP="cpadmins"/g' \
-e 's/CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_PE_CONN_POINT_NAME="<Required>"/'\
'CONTENT_INITIALIZATION.CPE_OBJ_STORE_WORKFLOW_PE_CONN_POINT_NAME="pe_conn_bawtos"/g' \
-e 's/BAN.APPLOGIN_USER="<Required>"/'\
'BAN.APPLOGIN_USER="cpadmin"/g' \
-e 's/BAN.APPLOGIN_PASSWORD="{Base64}<Required>"/'\
'BAN.APPLOGIN_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/BAN.LTPA_PASSWORD="{Base64}<Required>"/'\
'BAN.LTPA_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/BAN.KEYSTORE_PASSWORD="{Base64}<Required>"/'\
'BAN.KEYSTORE_PASSWORD="{Base64}'$PASSWORD_BASE64'"/g' \
-e 's/BAW_RUNTIME.ADMIN_USER="<Required>"/'\
'BAW_RUNTIME.ADMIN_USER="cpadmin"/g' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_user_profile.property

sed -i \
-e 's/SCIM.USER_UNIQUE_ID_ATTRIBUTE="ibm-entryuuid"/'\
'SCIM.USER_UNIQUE_ID_ATTRIBUTE="entryUUID"/g' \
-e 's/SCIM.USER_OBJECT_CLASS_ATTRIBUTE="person"/'\
'SCIM.USER_OBJECT_CLASS_ATTRIBUTE="inetOrgPerson"/g' \
-e 's/SCIM.GROUP_UNIQUE_ID_ATTRIBUTE="ibm-entryuuid"/'\
'SCIM.GROUP_UNIQUE_ID_ATTRIBUTE="entryUUID"/g' \
-e 's/SCIM.GROUP_OBJECT_CLASS_ATTRIBUTE="groupOfUniqueNames"/'\
'SCIM.GROUP_OBJECT_CLASS_ATTRIBUTE="groupOfNames"/g' \
-e 's/SCIM.GROUP_MEMBERS_ATTRIBUTE="uniqueMember"/'\
'SCIM.GROUP_MEMBERS_ATTRIBUTE="member"/g' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/propertyfile/cp4ba_user_profile.property

Generate, update and apply SQL and Secret files

Generate SQL and Secrets

/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-prerequisites.sh -m generate -n cp4ba-test

Look for all green checkmarks in the output.

Update tablespace path

find /usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/dbscript -name '*.sql' \
| xargs sed -i 's|/pgsqldata|/bitnami/postgresql/tablespaces|g'

Copy create scripts to PostgreSQL instance

oc cp /usr/install/cp4ba-test/cert-kubernetes/scripts/\
cp4ba-prerequisites/project/cp4ba-test/dbscript \
cp4ba-postgresql/\
$(oc get pods --namespace cp4ba-postgresql -o name | cut -d"/" -f2):/tmp/dbscript-test

Execute create scripts with table space directory creation

# BAW runtime
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-test/baw-aws/postgresql/postgresql/create_baw_db_instance1_for_baw.sql'

# BAW runtime DOCS
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/testbawdocs;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-test/fncm/postgresql/postgresql/createtestbawdocs.sql'

# BAW runtime DOS
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/testbawdos;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-test/fncm/postgresql/postgresql/createtestbawdos.sql'

# BAW runtime TOS
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/testbawtos;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-test/fncm/postgresql/postgresql/createtestbawtos.sql'

# Navigator
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/testicn;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-test/ban/postgresql/postgresql/createICNDB.sql'

# FNCM OS1
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/testos1;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-test/fncm/postgresql/postgresql/createOS1DB.sql'

# FNCM GCD
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'mkdir /bitnami/postgresql/tablespaces/testgcd;'
oc --namespace cp4ba-postgresql exec statefulset/postgresql -- /bin/bash -c \
'psql postgresql://postgres:Password@localhost:5432/postgres \
--file=/tmp/dbscript-test/fncm/postgresql/postgresql/createGCDDB.sql'

Apply secrets which are in /usr/install/cp4ba-test/cert-kubernetes/scripts/cp4ba-prerequisites/project/cp4ba-test/secret_template/.

/usr/install/cp4ba-test/cert-kubernetes/scripts\
/cp4ba-prerequisites/project/cp4ba-test/create_secret.sh

Validate connectivity

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script

/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-prerequisites.sh -m validate -n cp4ba-test

Look for all green checkmarks.

Generating the custom resource with the deployment script

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=cpd-option-1a-recommended-generating-custom-resource-deployment-script

Run deployment script

# Switch to Project
# TODO should not be needed, last seen 24.0.0 IF002 2024-10-15
oc project cp4ba-test

/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-deployment.sh -n cp4ba-test

IMPORTANT: Review the IBM Cloud Pak for Business Automation license information here: 

https://www14.software.ibm.com/cgi-bin/weblap/lap.pl?li_formnum=L-FNHF-F9RU7N

Press any key to continue

Do you accept the IBM Cloud Pak for Business Automation license (Yes/No, default: No): Yes

Did you deploy Content CR (CRD: contents.icp4a.ibm.com) in current cluster? (Yes/No, default: No): No
Continuing...

Starting to Install the Cloud Pak for Business Automation Operator...


What type of deployment is being performed?
1) Starter
2) Production
Enter a valid option [1 to 2]: 2

*******************************************************
            Summary of CP4BA capabilities              
*******************************************************
1. Cloud Pak capability to deploy: 
   * FileNet Content Manager
   * Business Automation Workflow
     (b) Workflow Runtime
2. Optional components to deploy: 
   * None
*******************************************************

[INFO] Above CP4BA capabilities is already selected in the cp4a-prerequisites.sh script
Press any key to continue

Select the cloud platform to deploy: 

[ATTENTION]: If you are unable to use [cpadmin] as the default IAM admin user due to it having the same user name in your LDAP Directory, you need to change the Cloud Pak administrator username. See: "https://www.ibm.com/docs/en/cpfs?topic=configurations-changing-cloud-pak-administrator-access-credentials#user-name"
Do you want to use the default IAM admin user: [cpadmin] (Yes/No, default: Yes): No

What is the non default IAM admin user you renamed?
Enter the admin user name: cpfsadmin

Provide a URL to zip file that contains JDBC and/or ICCSAP drivers.
(optional - if not provided, the Operator will configure using the default shipped JDBC driver): 

The Operator will configure using the default shipped JDBC driver.

[✔] Found "ibm-cp4ba-common-config" configMap in the project "cp4ba-test".

*******************************************************
                    Summary of input                   
*******************************************************
1. Cloud Pak capability to deploy: 
   * FileNet Content Manager
   * Business Automation Workflow
     (b) Workflow Runtime
2. Optional components to deploy: 
   * None
3. File storage classname(RWX):
   * Slow: ocs-storagecluster-cephfs
   * Medium: ocs-storagecluster-cephfs
   * Fast: ocs-storagecluster-cephfs
4. Block storage classname(RWO): ocs-storagecluster-ceph-rbd
5. URL to zip file for JDBC and/or ICCSAP drivers: 
*******************************************************

Verify that the information above is correct.
To proceed with the deployment, enter "Yes".
To make changes, enter "No" (default: No): Yes

Creating the Custom Resource of the Cloud Pak for Business Automation operator...



Applying value in property file into final CR
[✔] Applied value in property file into final CR under /usr/install/cp4ba-test/cert-kubernetes/scripts/generated-cr/project/cp4ba-test
Please confirm final custom resource under /usr/install/cp4ba-test/cert-kubernetes/scripts/generated-cr/project/cp4ba-test


[INFO] the script will set "cp4ba-test" as namespace in the final custom resource.

[NOTE] The custom resource (CR) file has been generated, but is not yet deployed (applied).

[ATTENTION] Prior to deploying (applying) the custom resource (CR), please follow the steps in the Knowledge Center topic "Checking and completing your custom resource" to configure the custom resource file for the capabilities that you have selected: https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-checking-completing-your-custom-resource   

[ATTENTION] After you have finished configuring the custom resource (CR) file, please follow the steps in the Knowledge Center to deploy (apply) your custom resource: https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=cpd-option-1b-deploying-custom-resource-you-created-deployment-script  

The custom resource file located at: "/usr/install/cp4ba-test/cert-kubernetes/scripts/generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml"

[ATTENTION]: If the cluster is running a Linux on Z (s390x)/Power architecture, remove the baml_configuration section from "/usr/install/cp4ba-test/cert-kubernetes/scripts/generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml" before you apply the custom resource. Business Automation Machine Learning Server (BAML) is not supported on this architecture.


To monitor the deployment status, follow the Operator logs.
For details, refer to the troubleshooting section in Knowledge Center here: 
https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=automation-troubleshooting

Checking and completing your custom resource

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-checking-completing-your-custom-resource

Change LDAP sub settings from tds to custom

sed -i \
-e 's/tds:/custom:/g' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=parameters-business-automation-workflow-runtime-workstream-services
Set env type to Test

yq -i '.spec.baw_configuration[0].env_type = "Test"' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml

If you want to see all debug output in operator logs add the following properties (Not for production use, can leak sensitive info!)

yq -i '.spec.shared_configuration.no_log = false' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml
yq -i '.spec.shared_configuration.show_sensitive_log = true' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml

Deploying the custom resource you created with the deployment script

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=pycc-recommended-preparing-databases-secrets-your-chosen-capabilities-by-running-script

Add permissive network policy to enable anything from cp4ba-dev namespace to reach anything

echo "
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: custom-permit-all-communication
  namespace: cp4ba-test
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - {}
" | oc apply -f -

Apply CR

oc apply -n cp4ba-test -f /usr/install/cp4ba-test/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml

Wait for the deployment to be completed. This can be determined by looking in Project cp4ba-test in Kind ICP4ACluster, instance named icp4adeploy to have the following condition:

oc get -n cp4ba-test icp4acluster icp4adeploy -o=jsonpath="{.status.conditions}" | jq

[
//...
  {
    "message": "",
    "reason": "Successful",
    "status": "True",
    "type": "Ready"
  },
//...
]

Access info after deployment

• https://cpd-cp4ba-test.<ocp_apps_domain>/
• cpadmin / Password
• Additional capabilities based info in Project cp4ba-test in ConfigMap icp4adeploy-cp4ba-access-info
• To get cpfsadmin password oc get secret platform-auth-idp-credentials -n cp4ba-test -o jsonpath='{.data.admin_password}' | base64 -d

Completing post-installation tasks

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-completing-post-installation-tasks

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=cpbaf-business-automation-studio
You need to setup permissions for your users.

# Get password of zen initial admin
zen_admin_password=`oc get secret admin-user-details -n cp4ba-test \
-o jsonpath='{.data.initial_admin_password}' | base64 -d`
echo $zen_admin_password

# Get apps endpoint of your openshift
apps_endpoint=`oc get ingress.v1.config.openshift.io cluster -n cp4ba-test \
-o jsonpath='{.spec.domain}'`
echo $apps_endpoint

# Get zen token
# Based on https://cloud.ibm.com/apidocs/cloud-pak-data/cloud-pak-data-4.5.0#getauthorizationtoken
zen_token=`curl --silent -k -H "Content-Type: application/json" \
-d '{"username":"admin","password":"'$zen_admin_password'"}' \
https://cpd-cp4ba-test.${apps_endpoint}/icp4d-api/v1/authorize | jq -r ".token"`
echo $zen_token

# Also add all roles to cpadmin user to be usable for all tasks
curl -kv -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer $zen_token" \
-d '{"username":"cpadmin", '\
'"user_roles":["zen_administrator_role","iaf-automation-admin","iaf-automation-analyst",'\
'"iaf-automation-developer","iaf-automation-operator","zen_user_role"]}' \
https://cpd-cp4ba-test.${apps_endpoint}/usermgmt/v1/user/cpadmin?add_roles=true

Validating your production deployment

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-recommended-validating-your-production

You can further verify the environemnts and get important information. But before running anything else then --help follow additional steps for script configuration.

oc project cp4ba-test
/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-post-install.sh --help

Perform setup for cp4a-post-install.sh script

# Get apps endpoint of your openshift
apps_endpoint=`oc get ingress.v1.config.openshift.io cluster \
-n cp4ba-dev -o jsonpath='{.spec.domain}'`
echo $apps_endpoint

# Get CPFS token
cpfs_token=`curl --silent -k --header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=cpadmin' \
--data-urlencode 'password=Password' \
--data-urlencode 'scope=openid' \
https://cp-console-cp4ba-test.${apps_endpoint}/idprovider/v1/auth/identitytoken \
| jq -r ".access_token"`
echo $cpfs_token

# Exchange CPFS token for Zen token
zen_token=`curl --silent -k -H "Content-Type: application/json" \
--header "iam-token: ${cpfs_token}" \
--header 'username: cpadmin' \
https://cpd-cp4ba-test.${apps_endpoint}/v1/preauth/validateAuth | jq -r ".accessToken"`
echo $zen_token

# Generate ZenApiKey
zen_api_key=`curl --silent -k -H "Content-Type: application/json" \
--header "Authorization: Bearer ${zen_token}" \
--header 'username: cpadmin' \
https://cpd-cp4ba-test.${apps_endpoint}/usermgmt/v1/user/apiKey | jq -r ".apiKey"`
echo $zen_api_key

# Change CPFS namespace for cp4a-post-install.sh script and add password and zen api key
sed -i \
-e 's/CP4BA_COMMON_SERVICES_NAMESPACE="ibm-common-services"/'\
'CP4BA_COMMON_SERVICES_NAMESPACE="cp4ba-test"/g' \
-e 's/PROBE_USER_API_KEY=/'\
'PROBE_USER_API_KEY="'${zen_api_key}'"/g' \
-e 's/PROBE_USER_NAME=/'\
'PROBE_USER_NAME="cpadmin"/g' \
-e 's/PROBE_USER_PASSWORD=/'\
'PROBE_USER_PASSWORD="Password"/g' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/helper/post-install/env.sh

Now you can run cp4a-post-install.sh with other parameters.

/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-post-install.sh --precheck
/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-post-install.sh --status
/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-post-install.sh --console
/usr/install/cp4ba-test/cert-kubernetes/scripts/cp4a-post-install.sh --probe #Y to continue

Next steps

Follow https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=deployment-completing-post-installation-tasks as needed.

Optional custom CPFS console TLS - follow https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=security-customizing-cloud-pak-identity-management-im-service

Optional custom Zen certificates - follow https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=security-customizing-cloud-pak-entry-point

Optional custom CPFS admin password - follow https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=tasks-cloud-pak-foundational-services

Connect to Authoring

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=customizing-business-automation-workflow-runtime-connect-workflow-authoring The exchange needs to happen periodically based on the validity of the certificates.

# Get Zen CA from dev environment
oc get secret iaf-system-automationui-aui-zen-ca -n cp4ba-dev \
-o template --template='{{ index .data "tls.crt" }}' \
| base64 --decode > /usr/install/zenRootCAPC.cert

# Create secret on Test with Zen CA from Dev
oc create secret generic baw-tls-zen-secret -n cp4ba-test \
--from-file=tls.crt=/usr/install/zenRootCAPC.cert

# Get Zen CA from test environment
oc get secret iaf-system-automationui-aui-zen-ca -n cp4ba-test \
-o template --template='{{ index .data "tls.crt" }}' \
| base64 --decode > /usr/install/zenRootCAPS.cert

# Get CPFS CA from test environment
oc get secret cs-ca-certificate-secret -n cp4ba-test \
-o template --template='{{ index .data "tls.crt" }}' \
| base64 --decode > /usr/install/csRootCAPS.cert

# Create secret on Dev with Zen CA and CPFS CA from Test
oc create secret generic bawaut-tls-zen-secret -n cp4ba-dev \
--from-file=tls.crt=/usr/install/zenRootCAPS.cert
oc create secret generic bawaut-tls-cs-secret -n cp4ba-dev \
--from-file=tls.crt=/usr/install/csRootCAPS.cert

# Get Router CA from Test environment (We have same cluster for both Dev and Test in our scenario)
oc get secret router-ca -n openshift-ingress-operator \
-o template --template='{{ index .data "tls.crt" }}' \
| base64 --decode > /usr/install/routercaPS.cert

# Create secret on Dev with Router CA from Test
oc create secret generic bawaut-routerca-secret -n cp4ba-dev \
--from-file=tls.crt=/usr/install/routercaPS.cert

# Get Router CA from Dev environment (We have same cluster for both Dev and Test in our scenario)
oc get secret router-ca -n openshift-ingress-operator \
-o template --template='{{ index .data "tls.crt" }}' \
| base64 --decode > /usr/install/routercaPC.cert

# Create secret on Test with Router CA from Dev
oc create secret generic baw-routerca-secret -n cp4ba-test \
--from-file=tls.crt=/usr/install/routercaPC.cert

# Create secret with Workflow Authoring credentials in Test 
echo "
kind: Secret
apiVersion: v1
metadata:
  name: ibm-baw-wc-secret
  namespace: cp4ba-test
type: Opaque
stringData:
  username: cpadmin
  password: Password
" | oc apply -f -

# Configure Workflow Runtime to trust Workflow Authoring TLS
yq -i '.spec.baw_configuration[0].tls = {"tls_trust_list": '\
'["baw-tls-zen-secret", "baw-routerca-secret"]}' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml

# Get apps endpoint of your openshift
apps_endpoint=`oc get ingress.v1.config.openshift.io cluster \
-n cp4ba-dev -o jsonpath='{.spec.domain}'`
echo $apps_endpoint

# Configure Workflow Runtime to be able to connect to Workflow Authoring
yq -i '.spec.baw_configuration[0].workflow_center = '\
'{"url": "https://cpd-cp4ba-dev.'$apps_endpoint'/bas/ProcessCenter", '\
'"secret_name": "ibm-baw-wc-secret", "heartbeat_interval": 30}' \
/usr/install/cp4ba-test/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=security-configuring-cluster#task_egd_lwt_wlb__external

# Add permissive Network Policy for Workflow Runtime to be able to reach Workflow Authoring
# This policy should be further limited to a specific IP of either internal router 
# if both Runtime and Authoring are running in the same cluster 
# or to a specific external IP of a different cluster if Runtime and Authoring
# are running in separate clusters
echo "
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: icp4adeploy-cp4a-egress-external-app-baw
  namespace: cp4ba-test
spec:
  podSelector:
    matchLabels:
      com.ibm.cp4a.networking/egress-external-app-component: BAW
  policyTypes:
    - Egress
  egress:
    - ports:
        - protocol: TCP
          port: 443
" | oc apply -f -

# Configure Workflow Authoring to trust Workflow Runtime TLS
yq -i '.spec.bastudio_configuration.tls = {"tlsTrustList": '\
'["bawaut-tls-zen-secret", "bawaut-tls-cs-secret", "bawaut-routerca-secret"]}' \
/usr/install/cp4ba-dev/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml

# Get apps endpoint of your openshift
apps_endpoint=`oc get ingress.v1.config.openshift.io cluster \
-n cp4ba-test -o jsonpath='{.spec.domain}'`
echo $apps_endpoint

# Configure Workflow Authoring to trust Workflow Runtime URLs
yq -i '.spec.workflow_authoring_configuration.environment_config = '\
'{"content_security_policy_additional_all":'\
'["https://cpd-cp4ba-test.'$apps_endpoint'/baw-bawins1/"],'\
'"csrf":{"origin_allowlist":'\
'"https://cpd-cp4ba-test.'$apps_endpoint',https://cp-console-cp4ba-test.'$apps_endpoint'",'\
'"referer_allowlist":'\
'"cpd-cp4ba-test.'$apps_endpoint',cp-console-cp4ba-test.'$apps_endpoint'"}}' \
/usr/install/cp4ba-dev/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml

Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=security-configuring-cluster#task_egd_lwt_wlb__external

# Add permissive Network Policy for Workflow Authoring to be able to reach Workflow Runtime
# This policy should be further limited to a specific IP of either internal router 
# if both Runtime and Authoring are running in the same cluster 
# or to a specific external IP of a different cluster if Runtime and Authroing
# are running in separate clusters
echo "
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: icp4adeploy-cp4a-egress-external-app-bas
  namespace: cp4ba-dev
spec:
  podSelector:
    matchLabels:
      com.ibm.cp4a.networking/egress-external-app-component: BAS
  policyTypes:
    - Egress
  egress:
    - ports:
        - protocol: TCP
          port: 443
" | oc apply -f -

# Apply updated cp4ba-dev CR
oc apply -n cp4ba-dev -f /usr/install/cp4ba-dev/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-dev/ibm_cp4a_cr_final.yaml

# Apply updated cp4ba-test CR
oc apply -n cp4ba-test -f /usr/install/cp4ba-test/cert-kubernetes/scripts/\
generated-cr/project/cp4ba-test/ibm_cp4a_cr_final.yaml

Now you need to wait for next Operator cycle to propagate the changes from CR to BAW pods in both dev and test environment.

Good indicator of the change for cp4ba-test is existence of WORKFLOWCENTER environment parameter in Workflow Runtime

oc get statefulset icp4adeploy-bawins1-baw-server -n cp4ba-test -o yaml | grep WORKFLOWCENTER

Good indicator of the change for cp4ba-dev is existence of bawaut-tls-zen-secret secret mapping in Workflow Authoring

oc get statefulset icp4adeploy-bastudio-deployment -n cp4ba-dev -o yaml | grep bawaut-tls-zen-secret

Contacts

Jan Dušek
[email protected]
Business Automation Partner Technical Specialist
IBM Czech Republic

Notice

© Copyright IBM Corporation 2024.