Configuring PMF Custom Resource (CR)

PMF CR parameters

Following are the configurable parameters of the PMF CR.

Parameters are grouped by qualifier; each bullet gives a parameter and its definition.

global.arch
  • amd64: Specifies the amd64 worker node scheduler preference in a hybrid cluster.
      Possible values: 3 - Most preferred; 2 - No preference; 0 - Do not use
      Default value: 3
  • ppc64le: Specifies the ppc64le worker node scheduler preference in a hybrid cluster.
      Possible values: 3 - Most preferred; 2 - No preference; 0 - Do not use
      Default value: 0
  • s390x: Specifies the s390x worker node scheduler preference in a hybrid cluster.
      Possible values: 3 - Most preferred; 2 - No preference; 0 - Do not use
      Default value: 0

global.image
  • pullPolicy: Specifies the image pull policy.
      Possible values: Always; Never; IfNotPresent
      Default value: IfNotPresent
  • pullSecret: Specifies the image pull secret. Required only if the images are not hosted on the Red Hat® OpenShift® Container Platform image registry.

global.ingress
  • hostname: Specifies the external hostname or IP address to be used by external clients.
      Default value: Blank (IP address of the cluster proxy node)
  • secret: Specifies the name of the secret for the certificate that is to be used in the Ingress definition. This secret has to be pre-created using the relevant certificate and key. This is a mandatory property if SSL/TLS is enabled. Pre-create the secret with a certificate and key before supplying the name for this property. For more information, see the Creating TLS secret for ingress configuration section below.
  • sslPassThrough: Specifies whether the SSL request should be passed through to the PMF service (SSL termination then occurs in the PMF service).
      Default value: false

global.timezone: Specifies the timezone value. For more information, see List of tz database time zones.
    Example: Asia/Kolkata; Africa/Abidjan
    Default value: UTC timezone

global.dbinit
  • enabled: Specifies whether to enable initialization of the Server, Push, and Application Center databases.
  • repository: Specifies the Docker image repository for database initialization.
  • tag: Specifies the Docker image tag.

mfpserver.enabled: Specifies the flag to enable the PMF server.

mfpserver.image
  • repository: Specifies the Docker image repository.
  • tag: Specifies the Docker image tag.
  • consoleSecret: Specifies a pre-created secret for login.

mfpserver.db
  • type: Specifies the supported database vendor name.
  • host: Specifies the IP address or hostname of the database where the PMF Server tables need to be configured.
  • port: Specifies the port where the database is set up.
  • secret: Specifies the pre-created secret that has the database credentials.
  • name: Specifies the name of the PMF Server database.
  • schema: Specifies the server database schema that is to be created.
  • ssl: Specifies the database connection type.
  • driverPvc: Specifies the PersistentVolumeClaim (PVC) used to access the JDBC database driver.
  • adminCredentialsSecret: Specifies the MFPServer DB Admin secret.

mfpserver.adminClientSecret: Specifies the Admin client secret.
mfpserver.pushClientSecret: Specifies the Push client secret.
mfpserver.liveupdateClientSecret: Specifies the LiveUpdate client secret.

mfpserver.replicas: Specifies the number of instances (pods) of PMF Server that need to be created.

mfpserver.autoscaling
  • enabled: Specifies whether a horizontal pod autoscaler (HPA) is deployed. Note that enabling this field disables the replicas field.
  • min: Specifies the lower limit for the number of pods that can be set by the autoscaler.
  • max: Specifies the upper limit for the number of pods that can be set by the autoscaler. The value of this parameter cannot be lower than the value of the min parameter.
  • targetcpu: Specifies the target average CPU utilization (represented as a percentage of requested CPU) over all the pods.

mfpserver.pdb
  • enabled: Specifies whether to enable the PDB (PodDisruptionBudget).
  • min: Specifies the minimum available pods.

mfpserver.customConfiguration: Specifies a custom server configuration. This parameter is optional.

mfpserver.keystoreSecret: Specifies the keystore secret. For more information on pre-creating the secret with keystores and their passwords, see the Creating TLS secret for ingress configuration section below.

mfpserver.resources
  • limits.cpu: Specifies the maximum amount of allowed CPU.
  • limits.memory: Specifies the maximum amount of allowed memory.
  • requests.cpu: Specifies the minimum amount of required CPU. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.
  • requests.memory: Specifies the minimum amount of required memory. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.

mfppush
  • enabled: Specifies the flag to enable PMF Push.
  • repository: Specifies the Docker image repository.
  • tag: Specifies the Docker image tag.

mfppush.replicas: Specifies the number of instances (pods) of PMF Server that need to be created.

mfppush.autoscaling
  • enabled: Specifies whether a horizontal pod autoscaler (HPA) is deployed. Note that enabling this field disables the replicaCount field.
  • min: Specifies the lower limit for the number of pods that can be set by the autoscaler.
  • max: Specifies the upper limit for the number of pods that can be set by the autoscaler. The value of this parameter cannot be lower than the value of the min parameter.
  • targetcpu: Specifies the target average CPU utilization (represented as a percentage of requested CPU) over all the pods.

mfppush.pdb
  • enabled: Specifies whether to enable the PDB.
  • min: Specifies the minimum available pods.

mfppush.customConfiguration: Specifies a custom configuration. This parameter is optional.

mfppush.keystoresSecretName: Specifies the keystore secret. For more information on pre-creating the secret with keystores and their passwords, see the Creating TLS secret for ingress configuration section below.

mfppush.resources
  • limits.cpu: Specifies the maximum amount of allowed CPU.
  • limits.memory: Specifies the maximum amount of allowed memory.
  • requests.cpu: Specifies the minimum amount of required CPU. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.
  • requests.memory: Specifies the minimum amount of required memory. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.

mfpliveupdate.enabled: Specifies the flag to enable LiveUpdate.

mfpliveupdate.image
  • repository: Specifies the Docker image repository.
  • tag: Specifies the Docker image tag.
  • consoleSecret: Specifies a pre-created secret for login.

mfpliveupdate.db
  • type: Specifies the supported database vendor name.
  • host: Specifies the IP address or hostname of the database where the PMF Server tables need to be configured.
  • port: Specifies the database port number.
  • secret: Specifies a pre-created secret that has the database credentials.
  • name: Specifies the name of the PMF Server database.
  • schema: Specifies the server database schema to be created.
  • ssl: Specifies the database connection type.
  • driverPvc: Specifies the Persistent Volume Claim used to access the JDBC database driver.
  • adminCredentialsSecret: Specifies the MFPServer DB Admin secret.

mfpliveupdate.replicas: Specifies the number of instances (pods) of PMF LiveUpdate that need to be created.

mfpliveupdate.autoscaling
  • enabled: Specifies whether a horizontal pod autoscaler (HPA) is deployed. Note that enabling this field disables the replicas field.
  • min: Specifies the lower limit for the number of pods that can be set by the autoscaler.
  • max: Specifies the upper limit for the number of pods that can be set by the autoscaler. The value of this parameter cannot be lower than the value of the min parameter.
  • targetcpu: Specifies the target average CPU utilization (represented as a percentage of requested CPU) over all the pods.

mfpliveupdate.pdb
  • enabled: Specifies whether to enable the PDB.
  • min: Specifies the minimum available pods.

mfpliveupdate.customConfiguration: Specifies the custom server configuration. This parameter is optional.

mfpliveupdate.keystoreSecret: Specifies the keystore secret. For more information on pre-creating the secret with keystores and their passwords, see the Creating TLS secret for ingress configuration section below.

mfpliveupdate.resources
  • limits.cpu: Specifies the maximum amount of allowed CPU.
  • limits.memory: Specifies the maximum amount of allowed memory.
  • requests.cpu: Specifies the minimum amount of required CPU. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.
  • requests.memory: Specifies the minimum amount of required memory. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.

mfpanalytics.enabled: Specifies the flag to enable Analytics.

mfpanalytics.image
  • repository: Specifies the Docker image repository.
  • tag: Specifies the Docker image tag.
  • consoleSecret: Specifies a pre-created secret for login.

mfpanalytics.replicas: Specifies the number of instances (pods) of PMF Operational Analytics that need to be created.

mfpanalytics.autoscaling
  • enabled: Specifies whether a horizontal pod autoscaler (HPA) is deployed. Note that enabling this field disables the replicaCount field.
  • min: Specifies the lower limit for the number of pods that can be set by the autoscaler.
  • max: Specifies the upper limit for the number of pods that can be set by the autoscaler. The value of this parameter cannot be lower than the value of the min parameter.
  • targetcpu: Specifies the target average CPU utilization (represented as a percentage of requested CPU) over all the pods.

mfpanalytics.shards: Specifies the number of Elasticsearch shards for PMF Analytics.

mfpanalytics.replicasPerShard: Specifies the number of Elasticsearch replicas to be maintained for each shard for PMF Analytics.

mfpanalytics.persistence
  • enabled: Specifies whether to use a PersistentVolumeClaim to persist data.
  • useDynamicProvisioning: Specifies a storage class; otherwise leave blank.
  • volumeName: Specifies a volume name.
  • claimName: Specifies an existing PVC.
  • storageClassName: Specifies the storage class of the backing PVC.
  • size: Specifies the size of the data volume.

mfpanalytics.pdb
  • enabled: Specifies whether to enable the PDB.
  • min: Specifies the minimum available pods.

mfpanalytics.customConfiguration: Specifies a custom configuration. This parameter is optional.

mfpanalytics.keystoreSecret: Specifies the keystore secret. For more information on pre-creating the secret with keystores and their passwords, see the Creating TLS secret for ingress configuration section below.

mfpanalytics.resources
  • limits.cpu: Specifies the maximum amount of allowed CPU.
  • limits.memory: Specifies the maximum amount of allowed memory.
  • requests.cpu: Specifies the minimum amount of required CPU. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.
  • requests.memory: Specifies the minimum amount of required memory. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.

mfpanalytics_recvr.enabled: Specifies the flag to enable the Analytics Receiver.

mfpanalytics_recvr.image
  • repository: Specifies the Docker image repository.
  • tag: Specifies the Docker image tag.

mfpanalytics_recvr.replicas: Specifies the number of instances (pods) of PMF Analytics Receiver that need to be created.

mfpanalytics_recvr.autoscaling
  • enabled: Specifies whether a horizontal pod autoscaler (HPA) is deployed. Note that enabling this field disables the replicaCount field.
  • min: Specifies the lower limit for the number of pods that can be set by the autoscaler.
  • max: Specifies the upper limit for the number of pods that can be set by the autoscaler. The value of this parameter cannot be lower than the value of the min parameter.
  • targetcpu: Specifies the target average CPU utilization (represented as a percentage of requested CPU) over all the pods.

mfpanalytics_recvr.pdb
  • enabled: Specifies whether to enable the PDB.
  • min: Specifies the minimum available pods.

mfpanalytics_recvr.analyticsRecvrSecret: Specifies a pre-created secret for the receiver.

mfpanalytics_recvr.customConfiguration: Specifies a custom configuration. This parameter is optional.

mfpanalytics_recvr.keystoreSecret: Specifies the keystore secret. For more information on pre-creating the secret with keystores and their passwords, see the Creating TLS secret for ingress configuration section below.

mfpanalytics_recvr.resources
  • limits.cpu: Specifies the maximum amount of allowed CPU.
  • limits.memory: Specifies the maximum amount of allowed memory.
  • requests.cpu: Specifies the minimum amount of required CPU. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.
  • requests.memory: Specifies the minimum amount of required memory. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.

mfpappcenter.enabled: Specifies the flag to enable Application Center.

mfpappcenter.image
  • repository: Specifies the Docker image repository.
  • tag: Specifies the Docker image tag.
  • consoleSecret: Specifies a pre-created secret for login.

mfpappcenter.db
  • type: Specifies the supported database vendor name.
  • host: Specifies the IP address or hostname of the database where the Application Center database needs to be configured.
  • port: Specifies the database port.
  • name: Specifies the database name.
  • secret: Specifies a pre-created secret that has the database credentials.
  • schema: Specifies the Application Center database schema to be created.
  • ssl: Specifies the database connection type.
  • driverPvc: Specifies the PVC used to access the JDBC database driver.
  • adminCredentialsSecret: Specifies the Application Center DB Admin secret.

mfpappcenter.autoscaling
  • enabled: Specifies whether a horizontal pod autoscaler (HPA) is deployed. Note that enabling this field disables the replicaCount field.
  • min: Specifies the lower limit for the number of pods that can be set by the autoscaler.
  • max: Specifies the upper limit for the number of pods that can be set by the autoscaler. The value of this parameter cannot be lower than the value of the min parameter.
  • targetcpu: Specifies the target average CPU utilization (represented as a percentage of requested CPU) over all the pods.

mfpappcenter.pdb
  • enabled: Specifies whether to enable the PDB.
  • min: Specifies the minimum available pods.

mfpappcenter.customConfiguration: Specifies a custom configuration. This parameter is optional.

mfpappcenter.keystoreSecret: Specifies the keystore secret. For more information on pre-creating the secret with keystores and their passwords, see the Creating custom-defined console login secrets section below.

mfpappcenter.resources
  • limits.cpu: Specifies the maximum amount of allowed CPU.
  • limits.memory: Specifies the maximum amount of allowed memory.
  • requests.cpu: Specifies the minimum amount of required CPU. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.
  • requests.memory: Specifies the minimum amount of required memory. If the parameter is not specified, it defaults to the limit (if specified) or else to the implementation-defined value.
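Several of the constraints above (autoscaling max not below min, replicas ignored once autoscaling is enabled, the ingress secret being mandatory under TLS, credentials living in pre-created secrets rather than in the CR) are only enforced, if at all, once the operator reconciles the CR. The following Python lint is an added example, not IBM's code, that checks a CR spec against those table constraints before it is applied. The sample spec is constructed: secret names, hostnames and the db.type value are placeholders, the TLS switch is modelled as global.ingress.tls because the table does not name the flag, and the PDB check (a minimum-available floor that equals the pod count blocks every voluntary eviction) is a Kubernetes caveat this example adds.

```python
"""Pre-apply lint for a PMF custom resource spec (added example; not IBM's code).

The checks encode constraints the parameter table states: scheduler-preference
values, pull policy, the mandatory ingress secret under TLS, autoscaling
min/max ordering, and the autoscaling/replicas exclusivity. Assumptions not on
the page: the TLS switch is modelled as global.ingress.tls, and a PDB floor at
or above the pod count is flagged because it blocks every voluntary eviction.
"""
import copy

COMPONENTS = ("mfpserver", "mfppush", "mfpliveupdate", "mfpanalytics",
              "mfpanalytics_recvr", "mfpappcenter")
ARCH_PREFS = {3, 2, 0}                     # most preferred, no preference, do not use
PULL_POLICIES = {"Always", "Never", "IfNotPresent"}

# Constructed sample spec; every name and host below is a placeholder.
SAMPLE_SPEC = {
    "global": {
        "arch": {"amd64": 3, "ppc64le": 0, "s390x": 0},
        "image": {"pullPolicy": "IfNotPresent", "pullSecret": "example-pull-secret"},
        "ingress": {"hostname": "pmf.example.invalid", "tls": True,
                    "secret": "mf-tls-secret", "sslPassThrough": False},
        "timezone": "UTC",
    },
    "mfpserver": {
        "enabled": True,
        "db": {"type": "db2", "host": "db.example.invalid", "port": 50000,
               "secret": "mf-db-secret", "name": "MFPDATA", "schema": "MFPDATA", "ssl": False},
        "autoscaling": {"enabled": True, "min": 2, "max": 4, "targetcpu": 70},
        "pdb": {"enabled": True, "min": 1},
        "resources": {"limits": {"cpu": "2", "memory": "4Gi"},
                      "requests": {"cpu": "1", "memory": "2Gi"}},
    },
    "mfppush": {"enabled": True, "replicas": 2, "pdb": {"enabled": True, "min": 1}},
    "mfpanalytics": {"enabled": False},
}


def validate_pmf_spec(spec):
    """Return a list of findings; an empty list means the spec passes every check."""
    findings = []
    g = spec.get("global", {})

    for arch, pref in g.get("arch", {}).items():
        if pref not in ARCH_PREFS:
            findings.append(f"global.arch.{arch}={pref!r}: must be 3, 2 or 0")

    policy = g.get("image", {}).get("pullPolicy", "IfNotPresent")
    if policy not in PULL_POLICIES:
        findings.append(f"global.image.pullPolicy={policy!r}: not a valid pull policy")

    ingress = g.get("ingress", {})
    if ingress.get("tls") and not ingress.get("secret"):
        findings.append("global.ingress.secret: mandatory when SSL/TLS is enabled")

    for comp in COMPONENTS:
        c = spec.get(comp)
        if not c or not c.get("enabled"):
            continue
        hpa = c.get("autoscaling", {})
        pod_floor = c.get("replicas")          # pod count the PDB floor is compared against
        if hpa.get("enabled"):
            lo, hi = hpa.get("min"), hpa.get("max")
            if lo is None or hi is None:
                findings.append(f"{comp}.autoscaling: min and max are required when enabled")
            elif hi < lo:
                findings.append(f"{comp}.autoscaling.max={hi} is lower than min={lo}")
            if "replicas" in c:
                findings.append(f"{comp}.replicas is ignored while autoscaling is enabled")
            cpu = hpa.get("targetcpu")
            if cpu is not None and not 1 <= cpu <= 100:
                findings.append(f"{comp}.autoscaling.targetcpu={cpu}: expected a percentage")
            pod_floor = lo
        pdb = c.get("pdb", {})
        if pdb.get("enabled"):
            floor = pdb.get("min")
            if floor is None:
                findings.append(f"{comp}.pdb.min: required when pdb is enabled")
            elif pod_floor is not None and floor >= pod_floor:
                findings.append(f"{comp}.pdb.min={floor} leaves no pod free for voluntary eviction")
        db = c.get("db")
        if db is not None:
            for key in ("type", "host", "port", "secret", "name"):
                if not db.get(key):
                    findings.append(f"{comp}.db.{key}: missing")
            for inline in ("user", "password"):   # credentials belong in db.secret, not the CR
                if inline in db:
                    findings.append(f"{comp}.db.{inline}: inline credential; use db.secret instead")
    return findings


def broken_spec():
    """A copy of the sample with deliberate mistakes, to exercise every check."""
    spec = copy.deepcopy(SAMPLE_SPEC)
    spec["global"]["arch"]["s390x"] = 1                   # not an allowed preference
    spec["global"]["ingress"]["secret"] = ""               # TLS on, no secret
    spec["mfpserver"]["autoscaling"]["max"] = 1            # below min
    spec["mfpserver"]["replicas"] = 3                      # ignored under HPA
    spec["mfpserver"]["db"]["password"] = "inline-secret"  # credential in the CR
    spec["mfppush"]["pdb"]["min"] = 2                      # equals replicas: nothing evictable
    return spec


if __name__ == "__main__":
    for name, spec in (("sample", SAMPLE_SPEC), ("broken", broken_spec())):
        print(f"{name}: {validate_pmf_spec(spec) or 'OK'}")
```

Load the real CR with a YAML parser and pass its spec dict to validate_pmf_spec; the sample run prints OK for the constructed spec and six findings for the broken copy.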

Optional tasks

Following are additional optional tasks you can perform.

Creating custom-defined console login secrets

By default, the console login secrets for all the PMF components are created automatically during the deployment.

You can, however, choose to create the login secrets for the Server, Analytics, and Application Center consoles explicitly. The secret created should be provided for the property consoleSecret in the charts_v1_mfoperator_cr.yaml file.

Example for PMF Server

kubectl create secret generic serverlogin --from-literal=MFPF_ADMIN_USER=admin --from-literal=MFPF_ADMIN_PASSWORD=admin

Example for Analytics

kubectl create secret generic analyticslogin --from-literal=MFPF_ANALYTICS_ADMIN_USER=admin --from-literal=MFPF_ANALYTICS_ADMIN_PASSWORD=admin

Example for Analytics Receiver

kubectl create secret generic analytics-recvrsecret --from-literal=MFPF_ANALYTICS_RECVR_USER=admin --from-literal=MFPF_ANALYTICS_RECVR_PASSWORD=admin

Example for Application Center

kubectl create secret generic appcenterlogin --from-literal=MFPF_APPCNTR_ADMIN_USER=admin --from-literal=MFPF_APPCNTR_ADMIN_PASSWORD=admin

Note: If these secrets are not provided, they are created with default username and password of admin/{random-password} during the installation of PMF.

Creating TLS secret for ingress configuration

PMF components can be configured with hostname-based Ingress for external clients to reach them using hostname. The Ingress can be secured by using a TLS private key and certificate. The TLS private key and certificate must be defined in a secret with key names tls.key and tls.crt.

The mf-tls-secret is created in the same namespace as the Ingress resource by using the following command.

kubectl create secret tls mf-tls-secret --key=/path/to/tls.key --cert=/path/to/tls.crt

The name of the secret is then provided in the field global.ingress.secret in the custom resource configuration yaml.

Creating custom keyStore secret for the deployments

You can provide your own keystore and truststore to Server, Push, Analytics, and Application Center deployment by creating a secret with your own keystore and truststore.

Pre-create a secret containing keystore.jks and truststore.jks along with the keystore and truststore passwords, supplied as the literals KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD, and provide the secret name in the keystoreSecret field of the respective component.

Following is an example of creating a keystore secret for the server deployment from keystore.jks and truststore.jks and setting their passwords.

kubectl create secret generic server-secret --from-file=./keystore.jks --from-file=./truststore.jks --from-literal=KEYSTORE_PASSWORD=worklight --from-literal=TRUSTSTORE_PASSWORD=worklight

Note: The names of the files and literals must be the same as in the above command. Provide this secret name in the keystoresSecretName input field of the respective component to override the default keystores when configuring the helm chart.

Creating secrets for confidential clients

PMF Server is predefined with confidential clients for Admin Service. The credentials for these clients are provided in the mfpserver.adminClientSecret and mfpserver.pushClientSecret fields.

Create these secrets by using the following commands.

kubectl create secret generic mf-admin-client --from-literal=MFPF_ADMIN_AUTH_CLIENTID=admin --from-literal=MFPF_ADMIN_AUTH_SECRET=admin
kubectl create secret generic mf-push-client --from-literal=MFPF_PUSH_AUTH_CLIENTID=admin --from-literal=MFPF_PUSH_AUTH_SECRET=admin

If values for the fields mfpserver.pushClientSecret, mfpserver.adminClientSecret, and mfpserver.liveupdateClientSecret are not provided during the helm chart installation, default client secrets are created with the following credentials.

  • admin/nimda for mfpserver.adminClientSecret
  • push/hsup for mfpserver.pushClientSecret
  • liveupdate/etadpuevil for mfpserver.liveupdateClientSecret
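Every kubectl command in the sections above (console login secrets, the TLS ingress secret, the keystore secret, and the confidential client secrets) produces a Secret whose key names the corresponding CR field expects verbatim, and a misspelt key or a name the API server refuses only shows up when the pod fails to start. The Python below is an added example, not IBM's code, that builds the same manifests kubectl would, rejects names that are not RFC 1123 subdomains (lowercase letters, digits, '-' and '.', so an underscore is refused), and reports which expected keys a secret lacks. The key names come from the commands above; the mapping from secret to CR field, the sample values and the file bytes are this example's own constructed placeholders.

```python
"""Build and check the Secret manifests the kubectl commands above would create
(added example, not IBM's code). All values are constructed placeholders.

What kubectl does for you: base64-encodes every --from-literal and --from-file
value, names file entries after the file's basename, sets type Opaque (or
kubernetes.io/tls with the fixed keys tls.key/tls.crt), and rejects names that
are not RFC 1123 subdomains. Each PMF CR field expects specific key names, so
a typo in a key is otherwise discovered only when the pod fails to start.
"""
import base64
import re

DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")

# Key names each CR field expects, taken from the commands above. The mapping
# of secret to CR field is this example's own.
EXPECTED_KEYS = {
    "mfpserver.image.consoleSecret": {"MFPF_ADMIN_USER", "MFPF_ADMIN_PASSWORD"},
    "mfpanalytics.image.consoleSecret": {"MFPF_ANALYTICS_ADMIN_USER",
                                         "MFPF_ANALYTICS_ADMIN_PASSWORD"},
    "mfpanalytics_recvr.analyticsRecvrSecret": {"MFPF_ANALYTICS_RECVR_USER",
                                                "MFPF_ANALYTICS_RECVR_PASSWORD"},
    "mfpappcenter.image.consoleSecret": {"MFPF_APPCNTR_ADMIN_USER",
                                         "MFPF_APPCNTR_ADMIN_PASSWORD"},
    "global.ingress.secret": {"tls.key", "tls.crt"},
    "mfpserver.keystoreSecret": {"keystore.jks", "truststore.jks",
                                 "KEYSTORE_PASSWORD", "TRUSTSTORE_PASSWORD"},
    "mfpserver.adminClientSecret": {"MFPF_ADMIN_AUTH_CLIENTID", "MFPF_ADMIN_AUTH_SECRET"},
    "mfpserver.pushClientSecret": {"MFPF_PUSH_AUTH_CLIENTID", "MFPF_PUSH_AUTH_SECRET"},
}


def build_secret(name, literals=None, files=None, secret_type="Opaque", namespace="default"):
    """Manifest equivalent of `kubectl create secret generic NAME --from-literal/--from-file`.

    `literals` maps key -> str, `files` maps basename -> bytes. Raises ValueError
    for a name the API server would reject.
    """
    if len(name) > 253 or not DNS1123_SUBDOMAIN.match(name):
        raise ValueError(f"secret name {name!r} is not a valid RFC 1123 subdomain")
    data = {}
    for key, value in (literals or {}).items():
        data[key] = base64.b64encode(value.encode()).decode()
    for key, blob in (files or {}).items():
        data[key] = base64.b64encode(blob).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": secret_type,
            "metadata": {"name": name, "namespace": namespace}, "data": data}


def tls_secret(name, key_pem, cert_pem):
    """Manifest equivalent of `kubectl create secret tls NAME --key --cert`."""
    return build_secret(name, files={"tls.key": key_pem, "tls.crt": cert_pem},
                        secret_type="kubernetes.io/tls")


def missing_keys(manifest, cr_field):
    """Keys the given CR field expects but the secret lacks; empty set means OK."""
    return EXPECTED_KEYS[cr_field] - set(manifest["data"])


def decode_data(manifest):
    """Reverse the base64 encoding, e.g. to diff a secret against what you meant to store."""
    return {k: base64.b64decode(v) for k, v in manifest["data"].items()}


if __name__ == "__main__":
    # Console login for the server; the password is a placeholder.
    login = build_secret("serverlogin", {"MFPF_ADMIN_USER": "admin",
                                         "MFPF_ADMIN_PASSWORD": "change-me"})
    print("serverlogin missing:", missing_keys(login, "mfpserver.image.consoleSecret"))
    # Keystore secret with the truststore password forgotten.
    ks = build_secret("server-secret", {"KEYSTORE_PASSWORD": "change-me"},
                      {"keystore.jks": b"\x00placeholder", "truststore.jks": b"\x00placeholder"})
    print("server-secret missing:", missing_keys(ks, "mfpserver.keystoreSecret"))
    try:
        build_secret("analytics_recvrsecret", {"MFPF_ANALYTICS_RECVR_USER": "admin"})
    except ValueError as err:
        print(err)
```

Serialise the returned dict as YAML or JSON and apply it with kubectl, or keep using the commands above and run missing_keys over `kubectl get secret NAME -o json` to confirm the keys before deploying the CR.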

Configuring custom server

To customise the configuration (for example, to modify a log trace setting or add a new JNDI property), you need to create a configmap with the configuration XML file. This allows you to add a new configuration setting or override the existing configuration of the PMF components.

The custom configuration is accessed by the PMF components through a mfpserver-custom-config configMap, which can be created as follows:

kubectl create configmap mfpserver-custom-config --from-file=<configuration file in XML format>

The configmap created by using the above command should be provided in the Custom Server Configuration in the Helm chart while deploying PMF.

Following is an example of setting the trace log specification to warning (Default setting is info) using mfpserver-custom-config configmap.

  • Sample config XML (logging.xml file)

      <server>
        <logging maxFiles="5" traceSpecification="com.ibm.mfp.*=debug:*=warning" 
        maxFileSize="20" />
      </server>
    
  • Create configmap and add the above logging.xml during the helm chart deployment.

      kubectl create configmap mfpserver-custom-config --from-file=logging.xml
    
  • Notice the change in the messages.log (of PMF components): the traceSpecification property is set to com.ibm.mfp.*=debug:*=warning.

Using custom-generated Lightweight Third-Party Authentication (LTPA) keys

By default, the PMF images bundle a set of ltpa.keys for each PMF component. In a production environment, when the out-of-the-box ltpa.keys need to be replaced with custom-generated ones, you can use the custom configuration to add the custom-generated ltpa.keys along with the config XML.

Sample config (ltpa.xml)

<server description="mfpserver">
    <ltpa
        keysFileName="ltpa.keys" />
    <webAppSecurity ssoUseDomainFromURL="true" />
</server>

Example command for adding the custom LTPA keys

kubectl create configmap mfpserver-custom-config --from-file=ltpa.xml --from-file=ltpa.keys

For more details about the LTPA keys generation and other details, see Configuring LTPA in Liberty.

Multiple custom configmaps are not supported for adding custom configuration; instead, it is recommended to create a single custom configuration configmap as follows.

kubectl create configmap mfpserver-custom-config --from-file=ltpa.xml --from-file=ltpa.keys --from-file=moreconfig.xml

Using Taint and Tolerations

Taints and tolerations allow a node to control which pods should (or should not) be scheduled on it.

Adding a Taint to an Existing Node

You add a taint to a node using the oc adm taint command. For more information on the parameter usage, see Taint and Tolerations in the Red Hat OpenShift Container Platform documentation.

oc adm taint nodes <node-name> <key>=<value>:<effect>

Example

oc adm taint nodes worker-node1 dedicated=ibm-mf-server:NoExecute

Enabling a Toleration in CR

You can add a toleration to a pod by enabling the tolerations property in the Custom Resource yaml and by setting the required properties key, value, operator, and effect. By default, tolerations are set to false.

Example

To enable a toleration for the mfpserver deployment, add the following to the Custom Resource.

tolerations:
    enabled: true
    key: "dedicated"
    operator: "Equal"
    value: "ibm-mf-server"
    effect: "NoSchedule"
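A toleration only does its job when it matches the taint on every field the scheduler compares, so it is worth checking the pair before applying either side. The Python below is an added example, not IBM's code; the taint and the CR block are taken from the examples above and the matching rules are the standard Kubernetes ones (keys equal, or an empty key with operator Exists; Equal also compares values; the toleration effect must be empty or identical to the taint effect). Run against the page's own values it reports that a toleration with effect NoSchedule does not cover a NoExecute taint: a pod carrying it would not be placed on worker-node1 and, if already running there, would be evicted. To pair the toleration with the taint command above, set effect to NoExecute or leave it empty.

```python
"""Taint/toleration matching as the scheduler and node evaluate it (added
example, not IBM's code). Values come from the examples above.

Kubernetes rules: a toleration covers a taint when its key equals the taint
key (or its key is empty with operator Exists), operator Equal also requires
equal values (Exists ignores the value), and its effect is empty or equal to
the taint effect. Uncovered NoSchedule or NoExecute taints keep a pod off the
node; an uncovered NoExecute taint also evicts a pod already running there.
"""
TAINT_EFFECTS = {"NoSchedule", "PreferNoSchedule", "NoExecute"}


def parse_taint(spec):
    """Parse the `key=value:effect` form used by `oc adm taint nodes`."""
    kv, _, effect = spec.rpartition(":")
    key, _, value = kv.partition("=")
    if not key or effect not in TAINT_EFFECTS:
        raise ValueError(f"bad taint spec {spec!r}")
    return {"key": key, "value": value, "effect": effect}


def tolerates(toleration, taint):
    """True if one toleration covers one taint."""
    op = toleration.get("operator", "Equal")
    key = toleration.get("key", "")
    if key == "" and op != "Exists":        # an empty key is only valid with Exists
        return False
    if key and key != taint["key"]:
        return False
    if op == "Equal" and toleration.get("value", "") != taint["value"]:
        return False
    effect = toleration.get("effect", "")
    return effect == "" or effect == taint["effect"]


def untolerated(taints, tolerations, effect):
    """Taints with the given effect that no toleration in the list covers."""
    return [t for t in taints if t["effect"] == effect
            and not any(tolerates(tol, t) for tol in tolerations)]


def schedulable(taints, tolerations):
    """Pod may be placed on the node: every NoSchedule and NoExecute taint is covered."""
    return not (untolerated(taints, tolerations, "NoSchedule")
                or untolerated(taints, tolerations, "NoExecute"))


def would_be_evicted(taints, tolerations):
    """A pod already running on the node is evicted if any NoExecute taint is uncovered."""
    return bool(untolerated(taints, tolerations, "NoExecute"))


def cr_tolerations(block):
    """Translate the CR's `tolerations:` block (with its enabled flag) into pod-spec tolerations."""
    if not block.get("enabled"):
        return []
    return [{k: block[k] for k in ("key", "operator", "value", "effect") if k in block}]


# The page's own values: the taint put on worker-node1 and the CR block.
PAGE_TAINT = parse_taint("dedicated=ibm-mf-server:NoExecute")
PAGE_CR_BLOCK = {"enabled": True, "key": "dedicated", "operator": "Equal",
                 "value": "ibm-mf-server", "effect": "NoSchedule"}


if __name__ == "__main__":
    tols = cr_tolerations(PAGE_CR_BLOCK)
    print("schedulable with page values:", schedulable([PAGE_TAINT], tols))   # effects differ
    print("evicted if already running:", would_be_evicted([PAGE_TAINT], tols))
    fixed = dict(PAGE_CR_BLOCK, effect="NoExecute")
    print("schedulable with effect NoExecute:", schedulable([PAGE_TAINT], cr_tolerations(fixed)))
```

Feed parse_taint the output of `oc describe node` taint lines and the CR block as a dict to check a real pairing; note that a bare `{"operator": "Exists"}` toleration covers every taint on the node, which is why it should be reserved for system daemons rather than application pods.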