Installation Parameters
The parameters order
The installer is strictly command-line based; all configuration and parameters are passed in values files or as single arguments to the installer script.
If the same parameter is passed to the installer several times, the last one in order overrides the previous ones.
A values YAML file can hold many parameters, structured according to the YAML standard:
**example-values.yaml**
global:
  namespace: exampleprod
  customerCode: example
  environmentType: prod
  solutionSetName: My Groovy Solution!!
  replicas: 2
ifsappproxy:
  accessLog: enabled
If the above values file is passed to the installer as ifscloud-values.yaml, and parameters from it are also passed on the command line like this:
.\installer.cmd --values ifscloud-values.yaml --set ifsappproxy.accessLog=enabled --set global.replicas=1
the installer will use the value "enabled" for ifsappproxy.accessLog and "1" for global.replicas, since those were passed with "--set" on the command line. So "--set" wins over "--values", and if the same parameter is passed with "--set" several times, the last one wins.
.\installer.cmd --values ifscloud-values.yaml --values solutionset.yaml
In this example, "solutionSetName: My Groovy Solution!!" will be overridden by the solutionSetName parameter that is always defined in a solutionset.yaml file.
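The override order described above can be checked before a run by resolving the command line offline and recording which source supplied each final value. This is an added example, not the installer's own code; it assumes values files are merged key by key, and the solutionset.yaml content (including the placement of solutionSetName under global) is constructed.

```python
# Added example (not IFS installer code): models the override order described above.
# Assumption: values files are merged key by key (leaf by leaf), as Helm-style tools do.

def flatten(tree, prefix=""):
    """Turn nested dicts into dotted keys, e.g. {"global.replicas": 2}."""
    flat = {}
    for key, value in tree.items():
        path = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def resolve(values_files, set_args):
    """Return {dotted_key: (value, source)} for an ordered command line.

    values_files: list of (file name, parsed YAML as dict) in command-line order.
    set_args:     list of "key=value" strings in command-line order (values stay text).
    """
    effective = {}
    for name, tree in values_files:            # later files override earlier ones
        for key, value in flatten(tree).items():
            effective[key] = (value, "--values " + name)
    for arg in set_args:                       # --set wins over values; last --set wins
        key, _, value = arg.partition("=")
        effective[key] = (value, "--set " + arg)
    return effective


def changed_by_set(values_files, set_args):
    """Keys whose value from the values files was replaced by a different --set value."""
    from_files = resolve(values_files, [])
    final = resolve(values_files, set_args)
    return sorted(
        key for key, (value, source) in final.items()
        if source.startswith("--set")
        and key in from_files
        and str(from_files[key][0]) != value
    )


# Constructed sample input: the values file shown above plus a made-up solutionset.yaml.
IFSCLOUD_VALUES = {
    "global": {
        "namespace": "exampleprod",
        "customerCode": "example",
        "environmentType": "prod",
        "solutionSetName": "My Groovy Solution!!",
        "replicas": 2,
    },
    "ifsappproxy": {"accessLog": "enabled"},
}
SOLUTIONSET = {"global": {"solutionSetName": "Constructed Solution Set"}}
FILES = [("ifscloud-values.yaml", IFSCLOUD_VALUES), ("solutionset.yaml", SOLUTIONSET)]
SETS = ["ifsappproxy.accessLog=enabled", "global.replicas=3", "global.replicas=1"]

if __name__ == "__main__":
    for key, (value, source) in sorted(resolve(FILES, SETS).items()):
        print(f"{key} = {value!r}  <- {source}")
    print("changed by --set:", changed_by_set(FILES, SETS))
```

Reviewing the `changed_by_set` output for settings such as ifsappproxy.accessLog or ifscore.networkpolicy.enabled shows when a command-line argument silently replaces what the reviewed values file declares.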
IFS cloud values file
All configuration files and certificates should be placed in the config folder according to the folder structure in Windows Management Server.
**This is a good starting point: follow this link to get an example template of ifscloud-values.yaml.**
Use the parameter guidance in the sections below to fill in the values in the ifscloud-values.yaml file and add optional parameters.
Password limitations
As IFS Cloud has many underlying password dependencies and locales, we restrict the passwords to fulfil all limitations. The following restrictions and recommendations apply:
- Must start with an alphanumerical character [a-z] [A-Z]
- Passwords should have at least 15 characters (recommended)
- These special characters are not allowed: \ / @ ' " | - * $ & # § [] {} () (and other language-specific characters)
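A pre-flight check of candidate passwords against the limitations listed above, as an added example that is not IFS code. It assumes the first-character rule means the letter ranges [a-z] and [A-Z] as written, and that "other language-specific characters" means any non-ASCII character; the sample passwords are constructed.

```python
# Added example (not IFS code): pre-flight check against the password limitations above.
FORBIDDEN = set("\\/@'\"|-*$&#§[]{}()")  # special characters listed as not allowed
LETTERS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
RECOMMENDED_MIN_LENGTH = 15


def check_password(password):
    """Return (errors, warnings). Errors break a restriction; warnings miss a recommendation."""
    errors, warnings = [], []
    if not password or password[0] not in LETTERS:
        errors.append("must start with a character from [a-z] or [A-Z]")
    listed = sorted({ch for ch in password if ch in FORBIDDEN})
    if listed:
        errors.append("contains characters that are not allowed: " + " ".join(listed))
    # Assumption: "other language-specific characters" is read as any non-ASCII character.
    if any(ord(ch) > 127 and ch not in FORBIDDEN for ch in password):
        errors.append("contains language specific (non-ASCII) characters")
    if len(password) < RECOMMENDED_MIN_LENGTH:
        warnings.append(f"shorter than the recommended {RECOMMENDED_MIN_LENGTH} characters")
    return errors, warnings


def audit(passwords):
    """passwords: {parameter name: value}. Returns findings without echoing any password."""
    report = {}
    for name, value in passwords.items():
        errors, warnings = check_password(value)
        if errors or warnings:
            report[name] = {"errors": errors, "warnings": warnings}
    return report


# Constructed sample values; the parameter names are taken from the tables on this page.
SAMPLE = {
    "ifscore.passwords.ifssysPassword.data": "Correct7HorseBattery9",
    "ifscore.passwords.ifsadminPassword.data": "9LivesAreEnoughForNow",
    "ifscore.passwords.ifsmonPassword.data": "Sommar#2024-Stockholm",
    "dbInstaller.ifsappPassword": "Kort1",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(name, finding)
```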
General Parameters
Bold parameters are mandatory; others are optional.
Parameter | Purpose | Examples/Defaults |
---|---|---|
chart | Specifies which master-chart to use. | Default: ifscloud/ifs-cloud. Can also be a path to a local master-chart (only used by RnD). To use the local master-chart set e.g. "chart: .\master-chart" |
chartVersion | Normally only used by RnD to specify specific helm chart version. | |
certificateFile | Location of the pfx file that holds the certificate and private key. See Certificate Handling for more certificate requirements and info. If the certificateFile is omitted or the file cannot be found, a new self-signed certificate will be automatically generated and used. | e.g. /path/to/yourcert.pfx or c:\path\to\yourcert.pfx |
certificatePassword | Password for the pfx file. | Note: the password needs to be a string, e.g. ifs123 or "12345" |
helmRepo | The url of the Helm Chart repository. | Use - https://ifscloud.jfrog.io/artifactory/helm |
helmUser | The service principal user name. This username should be provided per customer by IFS. | |
helmPwd | The service principal password. This password should be provided per customer by IFS. | |
global.namespace | Sets the namespace in the k8s cluster. Normally you would set it as a concatenation of the customerCode and environmentType. | None, but the parameter is mandatory and must consist of only lowercase alphanumeric characters or '-', e.g. volvobnt |
global.customerCode | This is a label of the system. All monitoring metrics will be tagged with this label. Typically the label would be an abbreviation of the company name. | None, but the parameter is mandatory, e.g. volvo |
global.environmentType | This is a label of the system. All monitoring metrics will be tagged with this label. Typical values: prod/test/bnt/dev | None, but the parameter is mandatory, e.g. bnt |
global.customerId | Used in the License report. The id can be found in the Build Place portal. | The parameter is mandatory |
global.customerName | Used in the License report. The id can be found in the Build Place portal. | The parameter is mandatory |
global.installationId | Used in the License report. Just an environment identifier that is unique per customerId, e.g. TEST/PROD/DEV/MIG/TRAIN/CFG | The parameter is mandatory; it is typically the same as the parameter environmentType |
global.systemUrl | The FQDN of the primary url where the system is accessed. Note: the https:// is not part of the FQDN | e.g. ifscloud.corpnet.ifs.com |
global.secondarySystemUrl | The FQDN of the secondary url where the system is accessed. This could be an internet facing external proxy that only allows b2b and mobile client requests. This FQDN could have a different domain than the normal systemUrl. If the entire system is exposed to internet, the secondarySystemUrl is not needed. | e.g. ifscloud.ifs.com |
global.containerRegistry | The url of the docker container registry, where all containers will be fetched from. Note: Always append a trailing slash. Note: the https:// is not part of the FQDN | Use - ifscloud.jfrog.io/docker/ |
global.imageCredentials.username | The service principal user name. This username should be provided per customer by IFS. | |
global.imageCredentials.password | The service principal password. This password should be provided per customer by IFS. | |
global.scale | Defines the scaling of cpu/memory compared to the production mode 100%. | Default: 100. A scale of 10-20 is a small development environment. A scale of approx. 50 is a small test environment. Scale should be set to 100 in all production-like environments. |
global.replicas | Sets how many containers should be started by default | The default number of replicas to be started of each type of container. Can be overridden by the container's local replicas parameter. |
global.cpuRatio | This will set the k8s CPU request/limit ratio on all containers. | Default: 50. This will set the CPU request to 50% of the CPU limit on the containers. Read more on k8s CPU request & limits in the k8s user documentation for more information. |
global.httpConnectTimeout | This will set the timeout of http connection to the ingress proxy and the ifsapp-proxy | Default: 60 |
global.httpSendTimeout | This will set the Send timeout of http connection to the ingress proxy and the ifsapp-proxy | Default: 600 |
global.httpReadTimeout | This will set the Read timeout of http connection to the ingress proxy and the ifsapp-proxy | Default: 600 |
global.ingressLimitRps | Limits requests per second that the ingress will pass through. Can be used to prevent DoS attacks | Default: not set. Set with care; highly dependent on the workload of the specific environment. |
global.ingressLimitRpm | Limits requests per minute that the ingress will pass through. Can be used to prevent DoS attacks | Default: not set. Set with care; highly dependent on the workload of the specific environment. |
global.sslCiphers | The SSL ciphers used by the ifsapp-proxy. To set ciphers on the ingress, edit ifs-ingress-values.yaml in Remote installation. | Default: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" |
global.sslProtocols | The TLS versions used by the ifsapp-proxy. To set the TLS versions on the ingress, edit ifs-ingress-values.yaml in Remote installation. | Default: "TLSv1.2 TLSv1.3" |
global.demandPort | Demand Server Port number | Default: 5010 |
global.crystalPort | Crystal Server Port number | Default: 443 |
global.ssrsPort | SSRS Server Port number | Default: 80 |
global.nodeSelector or pod.nodeSelector | Can be used to define nodeSelector on namespace or pod | global: nodeSelector: \| IFSCloud: "true" or e.g. ifsapp-odata: nodeSelector: \| IFSCloud: "true" |
global.tolerations or pod.tolerations | Can be used to define tolerations on namespace or pod | global: tolerations: \| - key: "IFSCloud" operator: "Equal" value: "true" effect: "NoSchedule" |
global.affinity or pod.affinity | Can be used to define affinity on namespace or pod | ifsapp-odata: affinity: \| nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: "beta.kubernetes.io/os" operator: "In" values: - "linux" |
ifscore.secrets.jdbcUrl.name | ifs-jdbc-url | |
ifscore.secrets.jdbcUrl.data | The host should be the DB server's IP address. Oracle db service name or sid. Oracle db listener port. Advanced jdbc strings to support failover/RAC or TCPS can be defined here. | jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.241.0.4)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=CLOUD))) Note: If passing the jdbcUrl as a command line argument it needs to be quoted and escaped. set ifscore.secrets.jdbcUrl.data= \" jdbc:or......D)) \" |
ifscore.networkpolicy.enabled | Set to true to activate network policy | default: true |
ifscore.networkpolicy.internetAccessExceptionList | Optional if network policy is enabled. A list of subnets that should be blocked for access from containers. Note: the DB server will always be automatically opened on port 1521 even if behind an internetAccessExceptionList subnet. | ifscore: networkpolicy: enabled: true demandhost: 10.0.2.4 internetAccessExceptionList: - ip: 10.0.0.0/16 - ip: 193.41.170.171/32 |
ifscore.networkpolicy.demandhost | Can only be set if network policy and internetAccessExceptionList are enabled. The IPs of servers that can have Demand Server (e.g. as cold standby). This IP will be opened even if behind a restricted subnet (internetAccessExceptionList). | ifscore: networkpolicy: enabled: true demandhost: 10.0.2.4,10.0.2.10 internetAccessExceptionList: - ip: 10.0.0.0/16 - ip: 193.41.170.171/32 |
ifscore.networkpolicy.crystalhost | Can only be set if network policy and internetAccessExceptionList are enabled. The IPs of servers that can have Crystal Services. This IP will be opened even if behind a restricted subnet (internetAccessExceptionList). | ifscore: networkpolicy: enabled: true crystalhost: 10.0.2.5 internetAccessExceptionList: - ip: 10.0.0.0/16 - ip: 193.41.170.171/32 |
ifscore.networkpolicy.ssrshost | Can only be set if network policy and internetAccessExceptionList are enabled. The IP of a server that can have SSRS Services. This IP will be opened even if behind a restricted subnet (internetAccessExceptionList). | ifscore: networkpolicy: enabled: true ssrshost: 10.0.2.6 internetAccessExceptionList: - ip: 10.0.0.0/16 - ip: 193.41.170.171/32 |
ifscore.networkpolicy.connecthost | Can only be set if network policy and internetAccessExceptionList are enabled. The IPs of servers that have a service that the ifsapp-connect pod needs to reach. This IP will be opened even if behind a restricted subnet (internetAccessExceptionList). | ifscore: networkpolicy: enabled: true connecthost: 10.0.2.7 internetAccessExceptionList: - ip: 10.0.0.0/16 - ip: 193.41.170.171/32 |
ifscore.networkpolicy.systemurlhost | Can only be set if network policy and internetAccessExceptionList are enabled. If the IP of system_url is behind an internetAccessExceptionList subnet and a pod with internet access needs access to the system url, this IP will be opened even if behind a restricted subnet (internetAccessExceptionList). | ifscore: networkpolicy: enabled: true systemurlhost: 10.0.5.1 internetAccessExceptionList: - ip: 10.0.0.0/16 - ip: 193.41.170.171/32 |
ifscore.passwords.ifssysPassword.data | Set the ifssys-password for the IFSSYS user in the DB. | |
ifscore.passwords.ifsadminPassword.data | The iifsadmin-pw of the IFSADMIN user. IFSADMIN is the initial user defined in IAM. This user is the only user that can log on to Cloud Web in a freshly installed system. With this user the additional users are defined in Solution Manager. | |
 | Path to a .cer file or a key as a string. The string certname1 can be given a more descriptive name; read the special section below. | e.g. certificates.database.dbcert: /path/to/dbcert.cer |
global.certificates.database.certname1 | As the encryption certificate for the db connection is common to all pods, the database certificate is a global (ifscore) parameter. | e.g. global.certificates.database.dbcert: /path/to/dbcert.cer |
global.serverTimeZone | Time zone of the database server. A valid time zone should be provided. The value cannot be changed after it has been set. | e.g. Asia/Colombo |
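The ifscore.networkpolicy rows in the table above carry two constraints that are easy to break in a values file: the host parameters only apply when network policy and internetAccessExceptionList are in use, and every entry has to be a valid subnet or IP. The following consistency check is an added example, not IFS code; the function name and finding texts are hypothetical, the first sample is the demandhost example from the table and the second is constructed.

```python
# Added example (not IFS code): consistency check for the ifscore.networkpolicy parameters.
import ipaddress

# Host parameters that, per the table above, need network policy and the exception list.
HOST_KEYS = ("demandhost", "crystalhost", "ssrshost", "connecthost", "systemurlhost")


def check_networkpolicy(policy):
    """policy: parsed ifscore.networkpolicy mapping. Returns (findings, opened).

    findings: list of problems; opened: {"<key> <ip>": [blocked subnets the IP sits in]}.
    """
    findings, opened, subnets = [], {}, []
    enabled = policy.get("enabled", True)  # documented default is true
    for entry in policy.get("internetAccessExceptionList") or []:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.2.6/16
            subnets.append(ipaddress.ip_network(entry["ip"], strict=True))
        except (KeyError, TypeError, ValueError):
            findings.append(f"internetAccessExceptionList: {entry!r} is not a valid subnet")
    for key in HOST_KEYS:
        if key not in policy:
            continue
        if not enabled or not subnets:
            findings.append(f"{key} needs networkpolicy.enabled and internetAccessExceptionList")
            continue
        for raw in str(policy[key]).split(","):  # several IPs are comma separated
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                findings.append(f"{key}: {raw.strip()!r} is not an IP address")
                continue
            # Record which blocked subnets this host is exempted from, for review.
            opened[f"{key} {ip}"] = [str(net) for net in subnets if ip in net]
    return findings, opened


# The demandhost example from the table above, as a parsed mapping.
DOCUMENTED = {
    "enabled": True,
    "demandhost": "10.0.2.4,10.0.2.10",
    "internetAccessExceptionList": [{"ip": "10.0.0.0/16"}, {"ip": "193.41.170.171/32"}],
}
# Constructed broken input: policy disabled and a subnet entry with host bits set.
BROKEN = {
    "enabled": False,
    "crystalhost": "10.0.2.5",
    "internetAccessExceptionList": [{"ip": "10.0.2.6/16"}],
}

if __name__ == "__main__":
    for sample in (DOCUMENTED, BROKEN):
        findings, opened = check_networkpolicy(sample)
        print("findings:", findings)
        print("opened:", opened)
```

The `opened` mapping gives a reviewer the list of hosts that are reachable from the pods despite sitting in a blocked subnet.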
Specific Certificate for pods
Certificates can be imported per pod and will then be added to the Java truststore (cacerts) at pod startup. Under each pod parameter section a certificate section can be added.
e.g.:
ifsappconnect:
  certificates:
    mycertintext: |
      -----BEGIN CERTIFICATE-----
      MIIDHzdIZ3+TSgCbI2tupJsv1FRWV3pMg3pdIGo7Ia
      FyJKCqEj4rV/q7MW2a4JQJF8ykXixZ4YTLwi67VFMSfd2D516r1Xx2k617B+01dg
      GRwQDY3H2NWh1QjBoyIOJKklLd/fEPzm+UU/JH8K/yBQdVZBaxw4KjU0xyqQFTd0
      jhsIc1pqf2aVEsejwyNLhs9DnZyvzRBNsyvuVm//0gWV4OPDAa/i0BULgHnjJF2y
      2M8H0QgLNafuaVxL2K6jArHg5JB1Qgkd7jxvmylwQhelfV86MmO9cy7f3gIRcX52
      lU+UKetAgt4koD5opvDOzWtToavXGALzFjMxMN9iyGEfFf8=
      -----END CERTIFICATE-----
    mycertfromfile: C:\remote\ifsroot\config\certs\mycert.crt
Note: All certificate names (e.g. mycertintext, mycertfromfile) need to be unique over the entire ifscloud-values.yaml
Parameters for DB installer and DB import
Parameter | Purpose | Examples/Defaults |
---|---|---|
dbInstaller.ifsappPassword | The IFS Cloud application schema owner's password. Used when creating the application owner in prepare.sql | |
dbInstaller.deliveryPath | Path to DELIVERY or BUILD_HOME (this is normally passed as an argument since it should not be persisted in an ifscloud-values.yaml file.) | Defaults to the delivery or build home from where the installer was started. |
ifscore.users.ifsappUser.data | If the IFS Cloud schema owner is not IFSAPP, this parameter can set a different schema owner name | Defaults to IFSAPP. All new systems should use IFSAPP. |
dbInstaller.jdbcUrl | Only one of the jdbcUrls is required. This parameter will win over the ifscore.secrets.jdbcUrl.data parameter, but ifscore.secrets.jdbcUrl.data should be used if it is a simple jdbcUrl. | |
ifscore.secrets.jdbcUrl.data | This is the default jdbcUrl used by all containers; it can/should also be used by the db installer. If the ifscore.secrets.jdbcUrl.data points to an Oracle RAC cluster or Oracle Dataguard, the dbInstaller.jdbcUrl should be used to deploy to the DB. | |
dbInstaller.fileName | Full path to a file to be deployed. (this is normally passed as an argument since it should not be persisted in an ifscloud-values.yaml file.) | |
dbInstaller.sysAdminUser | Admin user (PDB common user) when running Prepare Database, i.e. used when deliveryPath is set and delivery contains prepare.sql. If no value is given, SYS will be used as fallback. | SYS |
dbInstaller.sysPassword | Password for the SYS Admin user (e.g. SYS) in DB. Only used when deliveryPath is set and delivery contains prepare.sql. If sysPassword is not defined, prepare.sql as the admin user will not be run. (this is normally passed as an argument since it should not be persisted in an ifscloud-values.yaml file.) | |
dbInstaller.connectRole | Set if the connection must be made as SYSDBA or SYSOPER instead of NORMAL. Only relevant when action is FILEXEC. When running Prepare Database, the connect role is always set to SYSDBA | |
dbInstaller.ialOwner | If the IAL schema owner is not IFSINFO, this parameter can set a different schema owner name. | defaults to IFSINFO |
dbInstaller.extLogging | Extended logging. | defaults to N |
dbInstaller.waitingTime | Waiting time for still running processes, e.g. background jobs. | default = 3600 (one hour) |
dbInstaller.exitOnWaitingTime | Terminating installation with exit code 10, if dbInstaller.waitingTime reached | defaults to N |
dbInstaller.dbServerSize | Number of parallel threads when running independent file types | default = 12 |
logFileLocation | Path to where all logs will be placed | Defaults to %TEMP%/ifsinstaller_<namespace>, e.g. --set logFileLocation=c:\logs |
ifscore.passwords.ifsiamPassword.data | Password when creating the user ifsiamsys in prepare.sql | Random value set as fallback in define.tem |
ifscore.passwords.ifssysPassword.data | Password when creating the user ifssys in prepare.sql | Random value set as fallback in define.tem |
ifscore.passwords.ifsmonPassword.data | Password when creating the user ifsmonitoring in prepare.sql | Random value set as fallback in define.tem |
Parameters for AMM
Parameter | Purpose | Examples/Defaults |
---|---|---|
ifsappamm.replicas | Sets how many containers of this type should be started | Defaults to 1 Note: this container should not have more than 1 container running. |
ifscore.passwords.ifsmonPassword.name | ifsmon-password | ifsmon-password |
ifscore.passwords.ifsmonPassword.data | ifsmonitoring password | |
ifscore.passwords.ifsappmonitorPw.name | ifsappmonitor-pw | ifsappmonitor-pw |
ifscore.passwords.ifsappmonitorPw.data | ifsappmonitor password used by AMM to do login validation tests | |
Parameters for BUSMOD
Should only be set if component PBIES is active.
Parameter | Purpose | Examples/Defaults |
---|---|---|
ifsappbusmod.replicas | Sets how many containers of this type should be started | Default set to global.replicas parameter |
ifsappbusmod.assServerName | The Fully qualified name of the Azure Analysis Service to connect to, required for v1 endpoints < 22R1 | Optional |
ifsappbusmod.authService | The authentication url | Required |
ifsappbusmod.appId | The app id (client id) of the azure application registration or managed identity that is linked to the service, this needs to be created before the service can be installed, this should be handled when a new customer is provisioned in azure. | Required |
ifsappbusmod.tenantId | The Azure tenant id where the app id (client id) is created | Required |
ifsappbusmod.logLevel | The minimal level of messages that needs to be logged | Optional, Default set to warn |
ifsappbusmod.serviceAccountEnabled | Set to true when using managed identities | Optional |
ifsappbusmod.managedIdentityEnabled | Set to true when using managed identities | Optional |
ifsappbusmod.pbiBaseUri | Url used to connect to the power bi service | Optional, Default set to http://ifsapp-powerbi-svc:8080/ |
ifsappbusmod.dataLakeAccountName | The account name of the ADLS Gen2 to create sas tokens for | Optional when only using Advanced Analytics features, required when using analysis models framework features. |
ifsappbusmod.dataLakeContainer | The container of the ADLS Gen2 to create sas tokens for | Optional when only using Advanced Analytics features, required when using analysis models framework features. Default set to AMC. |
ifsappbusmod.targetWorkspaces | The area to workspace mapping. | Optional when only using Advanced Analytics features, required when using analysis models framework features. Example content that maps the HCM and the Finance area to 2 workspace ids: {HCM;3d43b5b3-cfa9-43a1-9839-490afba6c1b4}\|{Finance;3efd157f-f356-4160-90d4-6747827519d4} |
ifscore.passwords.busmodAadSecret.data | Value for the busmod-aad-secret; this is used to get an OAuth token for the service principal to invoke Azure and Office 365 services | Required when not using a managed identity |
ifscore.users.ifsamfwUser.data | value for the ifsamfw-user, the username of the database user that is used to maintain the administration tables | Optional when only using Advanced Analytics features, required when using analysis models framework features, default value: IFSAMFW |
ifscore.passwords.ifsamfwPassword.data | value for the ifsamfw-password, the password of the database user that is used to maintain the administration tables | Optional when only using Advanced Analytics features, required when using analysis models framework features |
ifscore.secrets.jdbcUrl.data | value for the ifs-jdbc-url, used to connect to the oracle database (see General Parameters for more info) | Optional when only using Advanced Analytics features, required when using analysis models framework features |
ifscore.secrets.ifsAmDataLakeAppKey.data | value for the ifs-am-datalake-appkey, used to configure the gateway connections so the datasources of a Power BI Dataset can access the datalake content | Optional when only using Advanced Analytics features, required when using Analysis Models Framework features |
Parameters for Power BI Service (PBIES)
Should only be set if component PBIES is active.
Parameter | Purpose | Required | Examples/Defaults |
---|---|---|---|
ifsapppowerbisvc.replicas | Sets how many containers of this type should be started | Optional, Default set to global.replicas parameter | |
ifsapppowerbisvc.serviceConfigEnabled | Indicate whether the service is configured or not, if false then the readiness probe will not fail. | Optional, Default set to false | |
ifsapppowerbisvc.azureAdClientId | The app id (client id) of the azure application registration or managed identity that is linked to the service, this needs to be created before the service can be installed, this should be handled when a new customer is provisioned in azure. | Required | |
ifsapppowerbisvc.azureAdTenantId | The Azure tenant id where the app id (client id) is created | Required | |
ifsapppowerbisvc.azureAdServicePrincipalObjectId | The object id of the service principal of the Azure application registration | Required | |
ifsapppowerbisvc.authConfigUserNameClaim | The claim of the OpenIdConnect token to use to send in the effective identity to an SQL Server Analysis Services (SSAS) when Row Level Security (RLS) is turned on for the model | Optional, Default set to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | |
ifsapppowerbisvc.authConfigCustomDataClaim | The claim of the OpenIdConnect token to use to send in the effective identity to an Azure Analysis Services (AAS) when Row Level Security (RLS) is turned on for the model | Optional, Default set to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | |
ifsapppowerbisvc.serviceAccountEnabled | Set to true when using managed identities | Optional | |
ifsapppowerbisvc.managedIdentityEnabled | Set to true when using managed identities | Optional | |
ifsapppowerbis |