Authors: Dhanesh M & Leela Chitta

             IBM Documentation Reference - https://www.ibm.com/docs/en/bai/25.0.0?topic=installing-business-automation-insights-deployment

Introduction

IBM Business Automation Insights (BAI) is a powerful analytics component within the IBM Cloud Pak for Business Automation ecosystem that enables real-time monitoring, visualization, and operational intelligence. In its standalone deployment mode, BAI runs independently from the other Cloud Pak components and can be integrated with external applications or deployed in air-gapped or restricted environments. This makes it particularly suitable for organizations that need to isolate BAI from the full Cloud Pak stack or wish to use it purely for analytics and monitoring purposes.

BAI Standalone supports deployment on multiple Kubernetes-based platforms, including Red Hat OpenShift (ROKS & OCP) and  Rancher.

In this blog, we’ll walk through the standalone deployment of IBM BAI on a CNCF platform. By the end of this blog, you’ll have a working standalone BAI setup running on a Rancher-managed Kubernetes cluster, along with practical insights into the configuration, prerequisites, and deployment sequence required in a CNCF-native environment.



Prerequisites for the Deployment

Before proceeding with the standalone deployment of IBM Business Automation Insights (BAI) on a Rancher-managed CNCF platform, ensure the following prerequisites are met:

• Rancher and RKE2 Cluster Setup
  A Kubernetes cluster must be provisioned using RKE2, with Rancher installed and configured to manage the cluster.
  
  
• KUBECTL Installed on the client machine
  Ensure the client machine has the kubectl CLI installed and properly configured to interact with the cluster.
  
  
• IBM Entitlement Registry Key
  Acquire a valid IBM Entitlement Registry Key, which is required to pull container images from IBM's container registry.
  
  
• Storage Requirements
  The cluster must have a supported Container Storage Interface (CSI) solution available. Compatible options include IBM Storage Fusion, AWS EFS, Azure Files, Portworx and other CNCF-compatible CSI drivers. Storage must meet the following access mode and binding requirements:

• • Block storage (ReadWriteOnce): must support VolumeBindingMode = WaitForFirstConsumer

  • File storage (ReadWriteMany): must support VolumeBindingMode = Immediate  
    

• NGINX Ingress Controller
  The NGINX ingress controller must be installed in the cluster. Ensure that enable-ssl-passthrough is set to true – this is critical for secure Kafka communication.
  In Rancher, this is typically done by creating or updating the HelmChartConfig object for the ingress controller to include the enable-ssl-passthrough annotation.
  
  

  apiVersion: helm.cattle.io/v1
  kind: HelmChartConfig
  metadata:
    name: rke2-ingress-nginx
    namespace: kube-system
  spec:
    valuesContent: |-
      controller:
        config:
          enable-underscores-in-headers: "true"
          use-forwarded-headers: true
        extraArgs:
          enable-ssl-passthrough: true

• System Configuration for OpenSearch
  Since OpenSearch is a component of BAI, configure all cluster nodes to support its memory requirements. This is essential for the OpenSearch pods to reach the Running state.

  To apply the required setting, SSH into each worker node of your Rancher-managed cluster and run the following command:

  ssh root@<worker-node>
  sysctl -w vm.max_map_count=262144

  Repeat this process for each worker node in the cluster. For reference and additional context, see the official OpenSearch documentation: https://docs.opensearch.org/docs/latest/install-and-configure/install-opensearch/index/#important-settings
  Alternatively, you can apply this configuration in a native and automated way using https://gist.github.com/brooksphilip/c9ed00c8db921b5e0a2a1c8c8903dfdb to persist the setting across reboots.

• Deployment Approach
  For this blog, we are going with the recommended way of deployment, using script-based deployment.

Installing the operators using scripts

To begin the deployment of IBM Business Automation Insights (BAI), a cluster administrator must first run the bai-clusteradmin-setup.sh script. This script prepares the cluster by:

• Creating or identifying the BAI namespace

• Applying necessary Custom Resource Definitions (CRDs)

• Setting up RBAC bindings for the specified user

• Deploying a namespace-scoped instance of IBM foundational services

The script can also be run in silent mode by exporting required environment variables in advance.
After the script completes, the administrator must share the output values with the non-admin user who will perform the actual BAI deployment.

Procedure

1. Open the terminal and clone the BAI deployment scripts from GitHub.
   This blog demonstrates a fresh production deployment for version 25.0.0. 
   

   git clone -b 25.0.0 https://github.com/icp4a/cert-kubernetes-bai.git --single-branch

2. Navigate to the Scripts Directory. 
   
   

   cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts

3. Start the setup by running the following script:

   ./bai-clusteradmin-setup.sh

   
   

   a. Would you like to set up the cluster for an online based IBM Business Automation Insights deployment or for an airgap/offline based IBM Business Automation Insights deployment:
   1) Online
   2) Offline/Airgap
   Enter a valid option [1 to 2]:

   
   Select: 1 (Online)
   
   

   b. Select the cloud platform to deploy:
   1) RedHat OpenShift Kubernetes Service (ROKS) - Public Cloud
   2) Openshift Container Platform (OCP) - Private Cloud
   3) Other - Cloud Native Computing Foundation ( CNCF )
   Enter a valid option [1 to 3]:
   
   
   Select: 3 (Other – Cloud Native Computing Foundation ( CNCF ))
   
   
   c. Where would you like to deploy IBM Business Automation Insights?
   Enter the name for a new project or an existing project (namespace):

   
   Example Input: bai2500 
   
   d. Do you have a IBM Business Automation Insights Entitlement Registry key (Yes/No, default: No):
   
   Enter: Yes 
   
   e. Enter your Entitlement Registry key:
   
   Input your acquired valid IBM Entitlement Registry Key
   
   f. Provide the domain name for your cluster (This is the ingress that must be created and provided as a prerequisite for the deployment):
   
    Enter the FQDN of your CNCF cluster.
   
   
   
   Wait for the script to execute completely before proceeding to the next step.
   
   

4. After the script completes, ensure that all required operators have been installed successfully in the specified namespace. Use the following command: 

   kubectl get csv -n <namespace>

   Example Output:

   [root@ranchernew1 scripts]# kubectl get csv -n bai2500
   NAME                                          DISPLAY                                VERSION   REPLACES   PHASE
   ibm-bai-foundation-operator.v25.0.0           IBM BAI Foundation                     25.0.0               Succeeded
   ibm-bai-insights-engine-operator.v25.0.0      IBM Business Automation Insights       25.0.0               Succeeded
   ibm-cert-manager-operator.v4.2.13             IBM Cert Manager                       4.2.13               Succeeded
   ibm-common-service-operator.v4.12.0           IBM Cloud Pak foundational services    4.12.0               Succeeded
   operand-deployment-lifecycle-manager.v4.5.0   Operand Deployment Lifecycle Manager   4.5.0                Succeeded

   All operators should show PHASE = Succeeded.
   
   

Preparing LDAP Secrets and Generating Property Files using the bai-prerequisites.sh script

The bai-prerequisites.sh script helps prepare your environment for BAI deployment by generating the required property files and secrets for LDAP integration.

Instead of manually creating LDAP secrets, this script simplifies the process by producing the necessary YAML templates.

The script supports three modes:

• property – Generates the required property files:
  bai_user_profile.property and bai_LDAP.property.
  Review and update these files with your LDAP server details and attributes.

• generate – Uses the updated property files to generate the YAML templates for secrets.

• validate – Verifies that the generated secrets are properly configured and ready for use.

Procedure

1. Open the terminal and navigate to the scripts directory. 
    

   cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts

2. Run the bai-prerequisites.sh script in property mode. 
    

   ./bai-prerequisites.sh -m property -n < namespace >

   a. Do you accept the IBM Business Automation Insights standalone license (Yes/No, default: No):
   
   Enter: Yes 

   b. Select the cloud platform to deploy: 
   1) RedHat OpenShift Kubernetes Service (ROKS) - Public Cloud
   2) Openshift Container Platform (OCP) - Private Cloud
   3) Other - Cloud Native Computing Foundation ( CNCF )
   Enter a valid option [1 to 3]:
   
   Select: 3 (Other – Cloud Native Computing Foundation ( CNCF ))
   
   c. Do you want to configure an LDAP for this IBM Business Automation Insights stand-alone deployment? (Yes/No, default: Yes): 
   
   Enter:Yes (or No if LDAP is not required)
   
   d. Please enter one LDAP user for BAI stand-alone: 
   
   Enter: <ldap_user>
   
   e. What is the LDAP type that will be used for this deployment? 
   1) Microsoft Active Directory
   2) IBM Tivoli Directory Server / Security Directory Server
   Enter a valid option [1 to 2]: 
   
   Enter:1 (Active Directory) or 2 (IBM Directory Server)
   
   f. To provision the persistent volumes and volume claims
   Please enter the file storage classname for medium storage(RWX):
   
   Enter the storage class configured in the cluster for medium storage.
   
   g. Please enter the file storage classname for fast storage(RWX):
   
   Enter the storage class configured in the cluster for fast storage.
   
   h. Please enter the block storage classname for Zen(RWO):
   
   Enter the storage class configured in the cluster for Zen.
   
   i. Please select the deployment profile (default: small).  Refer to the documentation in BAI stand-alone Knowledge Center for details on profile.
   1) small
   2) medium
   3) large
   Enter a valid option [1 to 3]: 
   
   Enter: 1 (small)
   
   j. Do you want to use the default IAM admin user: [cpadmin] (Yes/No, default: Yes): 
   
   Enter: Yes 
   
   k. Do you want to generate the network policy templates for this BAI stand-alone deployment? (Notes: Starting from 25.0.0, the BAI stand-alone operators no longer install network policies automatically. If you want the operators to generate network policies from a set of templates, select Yes. You can install the network policies by running a script after the BAI Deployment is installed. If you select No, then no network policies will be generated.) (Yes/No, default: No):
   
   Enter: No 
   
   l. Do you want to use an external Postgres DB*** If you select "Yes", IM service uses an external Postgres DB as IM metastore DB. If you select "No", IM service uses an embedded cloud native postgresql DB as IM metastore DB.) (Yes/No, default: No):
   
   Enter: No
   
   m. Do you want to use an external Postgres DB*** If you select "Yes", Zen service uses an external Postgres DB as Zen metastore DB.. If you select "No", Zen service uses an embedded cloud native postgresql DB as Zen metastore DB ) (Yes/No, default: No):
   
   Enter: No
   
   n. Do you want to use an external Postgres DB*** If select "Yes", BTS service uses an external Postgres DB as BTS metastore DB. If select "No", BTS service uses an embedded cloud native postgresql DB as BTS metastore DB ) (Yes/No, default: No): 
   
   Enter: No
   
   o. For which components do you want to enable the Flink job for: 
   1) BAW 
   2) BAW Advanced events 
   3) ICM 
   4) ODM 
   5) Content 
   6) ADS 
   7) Navigator 
   Tips:Press [ENTER] to accept the default (None of the components are selected)
   Enter a valid option [1 to 7]:
   
   Select all (1–7) as needed. Press Enter when done.
   
   
   
   
   

   p. Once completed, the script will generate:

   • bai_user_profile.property

   • bai_LDAP.property

   
   
   
3. Navigate to the property file folder 

   cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts/bai-prerequisites/project/<namespace>/propertyfile
   

4. Edit the bai_LDAP.property file:

   • Replace all <Required> placeholders with actual LDAP server details.
     
     

5. Edit the bai_user_profile.property file:

   • Replace all <Required> placeholders with actual values with details specific to your environment.
     
     

6. If LDAP_SSL_ENABLED="True", place your LDAP certificate file (ldap-cert.crt) under the following 

   cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts/bai-prerequisites/project/<namespace>/propertyfile/cert/ldap

7. Run the bai-prerequisites.sh script in generate mode. 
    

   ./bai-prerequisites.sh -m generate -n < namespace >
   

   
   a. This generates the create_secret.sh script in the path: 

   cert-kubernetes-bai/scripts/bai-prerequisites/project/<namespace>/create_secret.sh

   
   b. Set the current namespace context: 

   kubectl config set-context --current --namespace=<namespace>

   
   c. Navigate to the project-specific directory: 

   cd cert-kubernetes-bai/scripts/bai-prerequisites/project/<namespace>

   
   d. Run the create_secret.sh script to create the secrets in your cluster: 

   ./create_secret.sh

   
   After this step, your LDAP secrets will be available in the specified namespace and ready for the BAI deployment process.
   
   
8. Navigate to the scripts directory. 
    

   cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts

   
   
9. Run the bai-prerequisites.sh script in validate mode. 
    

   ./bai-prerequisites.sh -m validate -n < namespace >

   
   

   This command performs several checks:

   • Verifies that the storage classes provided earlier meet the required access modes:

     • RWX for file storage classes

     • RWO for block storage classes
       If valid, the result is marked PASSED.

   • Ensures the required secrets are created and accessible.

   • Submits a validation query to the LDAP server to verify connectivity.

   • (If configured) Checks the connection to an external PostgreSQL DB used for the Zen metastore.

   Note:
   This validation step does not modify any data. it only tests the connections and reports the results.

   If any validation step fails, review and correct the corresponding entries in the property files and re-run the validate mode.

   Once everything passes, you're ready to move on with the BAI deployment!

Generate the BAI Standalone Custom Resource file for deployment

The bai-deployment.sh script is used to generate the Custom Resource (CR) file required for deploying IBM Business Automation Insights (BAI) Standalone.

This CR file acts as the primary input for the BAI Operator to install and configure the BAI components based on the selected settings.

Procedure

1. Navigate to the scripts directory. 
    

   cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts

2. Set the current namespace context: 

   kubectl config set-context --current --namespace=<namespace>

3. Run the bai-deployment.sh script. 
    

   ./bai-deployment.sh -n <namespace>

   a. Do you accept the IBM Business Automation Insights standalone license (Yes/No, default: No):
   
   Enter: Yes 
   
   b. Do you want to generate the network policy templates for this BAI stand-alone deployment? (Notes: Starting from 25.0.0, the BAI stand-alone operators no longer install network policies automatically. If you want the operators to generate network policies from a set of templates, select Yes. You can install the network policies by running a script after the BAI Deployment is installed. If you select No, then no network policies will be generated.) (Yes/No, default: No):
   
   Enter: No 
   
   c. A summary of your selection is displayed. Verify the information is correct and Enter: Yes .
   
   
   A custom resource file is generated.
   
   

   ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts/ibm_bai_cr_final.yaml

   
   
   
   
   
   

Apply the BAI Custom Resource


Once the BAI Standalone Custom Resource (CR) has been generated, the next step is to apply it so that the BAI Operator can begin the deployment process.

Procedure

1. Set the current namespace context: 

   kubectl config set-context --current --namespace=<namespace>

2. To install the deployment, apply the CR using: 

   kubectl apply -f ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts/generated-cr/project/<namespace>/ibm_bai_cr_final.yaml

   kubectl apply -f /opt/bai2500/cert-kubernetes-bai/scripts/generated-cr/project/bai2500/ibm_bai_cr_final.yaml

3. Monitor the Operator Logs. Watch the BAI Insights Engine Operator logs to ensure the deployment is progressing correctly.
   
   You can also track the status of the deployed components using 

   kubectl get InsightsEngine -o json | grep -A100 "status"

   This will show the current state of each component in the deployment. 
   
   The deployment is successfully completed when the field insightsEngineStatus in the applied CR shows: 

   insightsEngineStatus: Ready

Create Ingress Resources

After the BAI deployment is completed, you must create ingress endpoints to access BAI services.



Procedure

1. Navigate to the scripts directory. 
    

   cd ${PATH_TO_EXTRACTED_FILES}/cert-kubernetes-bai/scripts

2. Set the current namespace context: 

   kubectl config set-context --current --namespace=<namespace>
   

3. Run the following command: 

   ./bai-deployment.sh --ingress -n <namespace>

   a. [WARNING]: Before proceeding with the ingress generation, make sure the BAI Standalone components have been installed by looking at the status section of the InsightsEngine Custom Resource file and monitoring the Insights Engine Operator logs 
   Confirm if you want to proceed with generating ingress templates required for a BAI Standalone deployment (Yes/No, default: No): 
   
   Enter: Yes 
   
   
4. Get the list of created ingresses.

   kubectl get ingress 

Verification and Access to Deployed Resources

After a successful deployment, you can verify and access the deployed BAI components using the generated ingress URLs.

1. Retrieve Ingress URLs 

   kubectl get configmap bai-bai-access-info -n <namespace> -o yaml

   From the retrieved ConfigMap, use the URLs to access the Business Performance Center (BPC) and OpenSearch dashboards in your browser.
   
   

Fresh IBM Business Automation Insights (BAI) Production Deployment in a CNCF Platform is now completed successfully!




Credits:

I would like to extend my sincere thanks to the reviewers Dheeraj Krishan, Akshay Rajan, Leela Chitta, Todd Deen, Justin wang and Jason Kahn for their valuable feedback and support throughout the development of this blog.