Introduction
Installing IBM Business Automation Insights (BAI) Standalone in large-scale or multi-region deployments quickly becomes repetitive and error-prone. Automating the process with CI/CD (Continuous Integration/Continuous Deployment) pipelines brings consistency and speed.
As a development team, we regularly install and test BAI Standalone. At certain stages of the release lifecycle, we do this daily. It will come as no surprise that we have automated the installation as part of our CI/CD pipelines. In this blog, we share a high-level overview of our automation approach, what we do at each stage, and why.
BAI-Install-Pipeline Overview
Our CI/CD pipeline follows these stages:
- Stage 1: Install Prerequisites.
- Stage 2: Install Storage class.
- Stage 3: Deploy Operators.
- Stage 4: Create LDAP Secrets.
- Stage 5: Generate CR (Custom Resource).
- Stage 6: Apply Generated CR.
- Stage 7: Validate Installation.
- Stage 8: (Optional) Post-Install Steps.
This structure follows the natural dependency order of the BAI installation process. Breaking it into discrete stages makes the pipeline modular and easier to troubleshoot—if a step fails, you can fix it and resume without rerunning everything. It also aligns with CI/CD best practices for logging, monitoring, and maintainability.
Stage 1: Install Prerequisites
This stage prepares the environment with necessary tools:
- oc (OpenShift CLI) or kubectl (Kubernetes 1.21+ CLI)
- podman - make sure you initialize and start Podman (podman machine init, podman machine start)
- Text processing utilities for configuration generation.
For more information on prerequisites, refer to the System requirements for IBM Business Automation Insights and Preparing a client to connect to the cluster.
Stage 2: Install Storage Classes
BAI components rely on persistent storage for data retention. Ensure your cluster has a default StorageClass available.
Important considerations:
- Kafka, OpenSearch, and Flink all require persistent storage.
- Storage classes should support ReadWriteOnce (RWO) and ReadWriteMany (RWX) access modes.
- The block storage class supports ReadWriteOnce (RWO) with WaitForFirstConsumer for VolumeBindingMode.
- The file storage class supports ReadWriteMany (RWX) with Immediate for VolumeBindingMode.
- Performance characteristics should match expected requirements.
For more information on Storage Classes, refer to Preparing a client to connect to the cluster and System requirements for IBM Business Automation Insights.
Stage 3: Deploy Operators
Operators manage the lifecycle of BAI components.
Clone the cert-kubernetes-bai git repository (for more information on downloading cert-kubernetes-bai, refer to Preparing your cluster for an online deployment), then run the script bai-clusteradmin-setup.sh as shown in Setting up the cluster by running a script.
This step:
- Creates the necessary namespaces (for example, the namespace bai)
- Deploys the BAI operator
- Configures operator permissions
- Sets up image pull secrets
You'll need to provide your IBM Entitlement Registry key (required to pull images). For instructions, refer to Getting access to images from the public IBM Entitled Registry.
For more information on deploying operators, refer to Preparing your cluster for an online deployment.
Example of script execution: 
Log in to the cluster and change directory to the extracted cert-kubernetes-bai/scripts folder.
Note: Ensure the script runs to completion without exiting due to errors.
./bai-clusteradmin-setup.sh
Here is an example of prompt answers that allow you to perform an online deployment on the OpenShift platform. The operators will be deployed in the “bai” namespace at the end of the script execution.
Would you like to set up the cluster for an online based IBM Business Automation Insights deployment or for an airgap/offline based IBM Business Automation Insights deployment: 
1) Online
2) Offline/Airgap
Enter a valid option [1 to 2]: 1
Select the cloud platform to deploy: 
1) RedHat OpenShift Kubernetes Service (ROKS) - Public Cloud
2) Openshift Container Platform (OCP) - Private Cloud
3) Other - Cloud Native Computing Foundation ( CNCF )
Enter a valid option [1 to 3]: 2
Would you like to deploy IBM Business Automation Insights using a private catalog? (Yes/No, default: Yes): Yes
Would you like to deploy IBM Business Automation Insights with the separation of operators and operands? (Yes/No, default: No): No
Enter the name for a new project or an existing project (namespace): bai
Do you have a IBM Business Automation Insights Entitlement Registry key (Yes/No, default: No): Yes
Enter your Entitlement Registry key:
Here is an example of a shell function that automates the bai-clusteradmin-setup.sh script with expect. Note: Make sure to initialize and start Podman before running the script.
deploy_operators_bai(){
    cd cert-kubernetes-bai/scripts || exit
    # The heredoc delimiter is unquoted, so the shell substitutes
    # BAI_NAMESPACE and ENTITLED_REGISTRY_KEY before expect runs.
    /usr/bin/expect <<EOD
    # Allow up to 20 minutes for each prompt to appear.
    set timeout 1200
    spawn ./bai-clusteradmin-setup.sh dev
    expect "Would you like to set up the cluster for an online based IBM Business Automation Insights deployment or for an airgap/offline based IBM Business Automation Insights deployment:"
    send  "1\r"
    expect "Select the cloud platform to deploy:"
    send "2\r"
    expect "Would you like to deploy IBM Business Automation Insights using a private catalog? (Yes/No, default: Yes):"
    send "Yes\r"
    expect "Would you like to deploy IBM Business Automation Insights with the separation of operators and operands? (Yes/No, default: No):"
    send "No\r"
    expect "Enter the name for a new project or an existing project (namespace):"
    send "${BAI_NAMESPACE}\r"
    expect "Do you have a IBM Business Automation Insights Entitlement Registry key (Yes/No, default: No):"
    send "Yes\r"
    expect "Enter your Entitlement Registry key:"
    send "${ENTITLED_REGISTRY_KEY}\r"
    expect eof
EOD
}
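A hardened variant of the function above, as an added example (not IBM's code and not the pipeline the authors run): it keeps the entitlement key out of the generated expect script and out of the CI log, and fails the stage on a missing prompt or a non-zero exit from bai-clusteradmin-setup.sh. It assumes the prompts match the transcript above; deploy_operators_bai_checked and BAI_SCRIPTS_DIR are hypothetical names.

```shell
# Added example, not IBM's code. BAI_SCRIPTS_DIR is a hypothetical override;
# the prompts are the ones shown in the transcript above.
deploy_operators_bai_checked() {
    : "${BAI_NAMESPACE:?must be set}" "${ENTITLED_REGISTRY_KEY:?must be set}"
    export BAI_NAMESPACE ENTITLED_REGISTRY_KEY
    (
        cd "${BAI_SCRIPTS_DIR:-cert-kubernetes-bai/scripts}" || exit 1
        # Quoted delimiter: the shell expands nothing inside the heredoc, so
        # the key is never spliced into Tcl source; expect reads it from env.
        expect - <<'EOD'
set timeout 1200
# Wait for one prompt; stop the stage if it never shows up.
proc await {prompt} {
    expect {
        -ex $prompt {}
        timeout { puts stderr "timeout waiting for: $prompt"; exit 2 }
        eof     { puts stderr "script ended before: $prompt"; exit 3 }
    }
}
proc answer {prompt reply} { await $prompt; send -- "$reply\r" }
if {[catch {spawn ./bai-clusteradmin-setup.sh dev} err]} {
    puts stderr "cannot start setup script: $err"; exit 1
}
answer "airgap/offline based IBM Business Automation Insights deployment:" 1
answer "Select the cloud platform to deploy:" 2
answer "using a private catalog? (Yes/No, default: Yes):" Yes
answer "separation of operators and operands? (Yes/No, default: No):" No
answer "existing project (namespace):" $env(BAI_NAMESPACE)
answer "Entitlement Registry key (Yes/No, default: No):" Yes
await "Enter your Entitlement Registry key:"
# Stop copying output to the log while the key is typed, and swallow the
# terminal echo of the key (if any) before logging is switched back on.
log_user 0
send -- "$env(ENTITLED_REGISTRY_KEY)\r"
set timeout 5
expect -ex $env(ENTITLED_REGISTRY_KEY) {} eof { set done 1 }
set timeout 1200
log_user 1
if {![info exists done]} {
    expect {
        eof     {}
        timeout { puts stderr "setup script did not finish"; exit 2 }
    }
}
# Propagate the setup script's own exit code to the pipeline.
lassign [wait] pid sid oserr status
exit $status
EOD
    )
}
```

Exit codes 2 and 3 come from the wrapper (timeout, early exit); any other non-zero code is the setup script's own.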
Stage 4: Create LDAP Secrets
Prepare the LDAP secrets using the script bai-prerequisites.sh, which has 3 modes:
- property → Generates property files for LDAP details
- generate → Creates the Kubernetes secrets
- validate → Ensures LDAP connectivity is correct
In each mode, it will prompt you for the required details, and you’ll need to provide LDAP information.
For more information on LDAP configuration, refer to Preparing LDAP secrets for BAI by running a script.
Example of script execution: 
Change directory to the extracted cert-kubernetes-bai/scripts folder.
./bai-prerequisites.sh -m property -n <namespace> 
Press Enter/Return to continue ...
Do you accept the IBM Business Automation Insights standalone license (Yes/No, default: No): Yes
Select the cloud platform to deploy: 
1) RedHat OpenShift Kubernetes Service (ROKS) - Public Cloud
2) Openshift Container Platform (OCP) - Private Cloud
3) Other - Cloud Native Computing Foundation ( CNCF )
Enter a valid option [1 to 3]: 2
Do you want to configure an LDAP for this IBM Business Automation Insights stand-alone deployment? (Yes/No, default: Yes): Yes
Please enter one LDAP user for BAI stand-alone: <enter-user>
What is the LDAP type that will be used for this deployment? 
1) Microsoft Active Directory
2) IBM Tivoli Directory Server / Security Directory Server
Enter a valid option [1 to 2]: 1
Please enter the file storage classname for medium storage(RWX): <enter-file-storage-class>
Please enter the file storage classname for fast storage(RWX): <enter-file-storage-class>
Please enter the block storage classname for Zen(RWO): <enter-block-storage-class>
Please select the deployment profile (default: small).  Refer to the documentation in BAI stand-alone Knowledge Center for details on profile.
1) small
2) medium
3) large
Enter a valid option [1 to 3]: 1
Do you want to use the default IAM admin user: [cpadmin] (Yes/No, default: Yes): Yes
Do you want to generate the network policy templates for this BAI stand-alone deployment? (Notes: Starting from 25.0.0, the BAI stand-alone operators no longer install network policies automatically. If you want the operators to generate network policies from a set of templates, select Yes. You can install the network policies by running a script after the BAI Deployment is installed. If you select No, then no network policies will be generated.) (Yes/No, default: No): No
Do you want to use an external Postgres DB [YOU NEED TO CREATE THIS POSTGRESQL DB BY YOURSELF FIRST BEFORE YOU APPLY THE BAI CUSTOM RESOURCE]PLEASE REFER THE KNOWLEDGE CENTER: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.12.0?topic=im-setting-up-external-edb-postgresql-database-server#dbcreate ]as IM metastore DB for this BAI deployment? (Notes: IM service can use an external Postgres DB to store IM data. If you select "Yes", IM service uses an external Postgres DB as IM metastore DB. If you select "No", IM service uses an embedded cloud native postgresql DB as IM metastore DB.) (Yes/No, default: No): No
Do you want to use an external Postgres DB [YOU NEED TO CREATE THIS POSTGRESQL DB BY YOURSELF FIRST BEFORE YOU APPLY THE BAI CUSTOM RESOURCE]PLEASE REFER THE KNOWLEDGE CENTER: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.12.0?topic=im-setting-up-external-edb-postgresql-database-server#dbcreate ] as Zen metastore DB for this BAI deployment? (Notes: Zen stores all metadata such as users, groups, service instances, vault integration and secret references in metastore DB. If you select "Yes", Zen service uses an external Postgres DB as Zen metastore DB.. If you select "No", Zen service uses an embedded cloud native postgresql DB as Zen metastore DB ) (Yes/No, default: No): No
Do you want to use an external Postgres DB [YOU NEED TO CREATE THIS POSTGRESQL DB BY YOURSELF FIRST BEFORE APPLY BAI CUSTOM RESOURCE]PLEASE REFER THE KNOWLEDGE CENTER: https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.12.0?topic=im-setting-up-external-edb-postgresql-database-server#dbcreate ] as BTS metastore DB for this BAI deployment? (Notes: BTS service can use an external Postgres DB to store meta data. If select "Yes", BTS service uses an external Postgres DB as BTS metastore DB. If select "No", BTS service uses an embedded cloud native postgresql DB as BTS metastore DB ) (Yes/No, default: No): No
For which components do you want to enable the Flink job for: 
1) BAW 
2) BAW Advanced events 
3) ICM 
4) ODM 
5) Content 
6) ADS 
7) Navigator 
Tips:Press [ENTER] to accept the default (None of the components are selected)
Enter a valid option [1 to 7]: <Example: enter 4, 5 and press enter to select ODM and Content.>
============== Created all property files for BAI stand-alone ==============
Enter the <Required> values in the property files under cert-kubernetes-bai/scripts/bai-prerequisites/project/bai/propertyfile
[*] The key name in the property file is created by the bai-prerequisites.sh and is NOT EDITABLE.
[*] The value in the property file must be within double quotes.
[*] The value for User/Password in [bai_user_profile.property] file should NOT include special characters: single quotation "'"
[*] The value in [bai_LDAP.property] [bai_user_profile.property] file should NOT include special character '"'
* [bai_LDAP.property]:
  - Contains Properties for the LDAP server that is used by the BAI stand-alone deployment, such as LDAP_SERVER/LDAP_PORT/LDAP_BASE_DN/LDAP_BIND_DN/LDAP_BIND_DN_PASSWORD.
* [bai_user_profile.property]:
  - Contains Properties for the global value used by the BAI stand-alone deployment, such as "sc_deployment_license".
  - Contains Properties for the value used by each component of BAI stand-alone, such as "sc_deployment_profile_size"
./bai-prerequisites.sh -m generate -n <namespace> 
[✔] Created ldap-bind-secret secret YAML template
[✔] Created ldap ssl cert secret YAML template
[NEXT ACTIONS]
* Enter the <Required> values in the YAML templates for the secrets under cert-kubernetes-bai/scripts/bai-prerequisites/project/bai/secret_template
* Get the "ldap-cert.crt" from the remote LDAP server "<LDAP-SERVER>", and copy it into the folder "cert-kubernetes-bai/scripts/bai-prerequisites/project/bai/propertyfile/cert/ldap" before you create the Kubernetes secret for the LDAP SSL
* You can use this shell script to create the secret automatically: cert-kubernetes-bai/scripts/bai-prerequisites/project/bai/create_secret.sh
* Create the Kubernetes secrets manually based on your modified "YAML template for secret".
* And then run the  "bai-prerequisites.sh -m validate" command to verify that the secrets are created correctly
./bai-prerequisites.sh -m validate -n <namespace>
============== Checking Medium/Fast/Block storage class required by BAI stand-alone ==============
[✔] Verification storage class: "<STORAGE-CLASS>", PASSED!
[✔] Verification storage class: "<STORAGE-CLASS>", PASSED!
[✔] Verification storage class: "<BLOCK-STORAGE-CLASS>", PASSED!
============== Checking if the secrets required by BAI stand-alone are found in the cluster ==============
[✔] Secret "ldap-bind-secret" found in Kubernetes cluster, PASSED!
[✔] Secret "ibm-bai-ldap-ssl-secret" found in Kubernetes cluster, PASSED!
============== All secrets created in Kubernetes cluster, PASSED! ==============
============== Checking the LDAP connection required by BAI stand-alone ==============
Certificate was added to keystore
Checking connection for LDAP server "<LDAP-SERVER>" using Bind DN "<BIND-DN>"..
[✔] Connected to LDAP "<LDAP-SERVER>" using BindDN:"<BIND-DN>" successfuly, PASSED!
[INFO] If all prerequisites check have PASSED, you can run bai-deployment.sh script to deploy BAI stand-alone. Otherwise, please check the configuration again.
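The property-file rules printed by the property mode above (values in double quotes, no quote characters inside values, every <Required> filled in) can be checked by the pipeline before it runs the generate mode. The following lint is an added example, not part of cert-kubernetes-bai; it assumes one KEY="value" entry per line with # comments, and lint_bai_property is a hypothetical name. It reports the key and line number only, never the value, because the files hold the LDAP bind password.

```shell
# Added example, not part of cert-kubernetes-bai.
# Assumed file format: one KEY="value" entry per line, "#" starts a comment.
# lint_bai_property FILE
#   Prints one finding per offending line (file:line: key: reason) and
#   returns 1 if there is any finding, 0 otherwise. Values are never printed.
lint_bai_property() {
    awk -v file="$(basename "$1")" '
        function bad(msg) { printf "%s:%d: %s: %s\n", file, NR, key, msg; n++ }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            sub(/[ \t\r]+$/, "", val)
            if (eq == 0 || val !~ /^".*"$/) {
                bad("value is not wrapped in double quotes"); next
            }
            inner = substr(val, 2, length(val) - 2)
            if (index(inner, "<Required>")) bad("<Required> placeholder still present")
            # A stray double quote would end the value early in any file.
            if (index(inner, "\""))          bad("double quote inside value")
            # \047 is the single quote, disallowed in bai_user_profile.property.
            if (file == "bai_user_profile.property" && index(inner, "\047"))
                bad("single quote inside value")
        }
        END { exit (n > 0) }
    ' "$1"
}
```

The single-quote rule is applied to every value in bai_user_profile.property, which is stricter than the User/Password wording in the script output.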
Stage 5: Generate Custom Resource (CR)
Use the deployment script bai-deployment.sh to generate the CR with your chosen options.
The Custom Resource defines your BAI deployment configuration with key configuration areas such as:
- Storage classes.
- Component enablement (Kafka, Flink, OpenSearch)
- Resource allocation based on deployment size
- LDAP integration settings
For more information on creating a custom resource, refer to Creating a production deployment.
./bai-deployment.sh -n <namespace>
Press Enter/Return to continue ...
Do you accept the IBM Business Automation Insights standalone license (Yes/No, default: No): Yes
Do you want to generate the network policy templates for this BAI stand-alone deployment? (Notes: Starting from 25.0.0, the BAI stand-alone operators no longer install network policies automatically. If you want the operators to generate network policies from a set of templates, select Yes. You can install the network policies by running a script after the BAI Deployment is installed. If you select No, then no network policies will be generated.) (Yes/No, default: No): No
*******************************************************
                    Summary of input                   
*******************************************************
1. Platform Type: OCP
2. LDAP Type: 
   * LDAP User Name onboarding Zen:
3. Profile Size:
4. IAM default admin user name: cpadmin
5. File storage classname(RWX):
6. Block storage classname(RWO):
7. Target project for this BAI standalone deployment: bai
8. Generate network policy templates for this BAI standalone deployment: false
9. The Flink job for which components selected: 
   * ODM
   * Content
*******************************************************
Verify that the information above is correct.
To proceed with the deployment, enter "Yes".
To make changes, enter "No" (default: No): Yes
Creating the Custom Resource of the IBM Business Automation Insights standalone Operator...
Applying value in property file into final CR
[✔] All values in the property file have been applied in the final CR under cert-kubernetes-bai/scripts/generated-cr/project/bai
Confirm final custom resource under cert-kubernetes-bai/scripts/generated-cr/project/bai
The custom resource file used is: "cert-kubernetes-bai/scripts/generated-cr/project/bai/ibm_bai_cr_final.yaml"
Sample CR: https://github.com/icp4a/cert-kubernetes-bai/blob/25.0.0/descriptors/patterns/ibm_cp4a_cr_production_bai.yaml
Here’s a sample CR which shows additional properties that can be set to customize installation: https://github.com/icp4a/cert-kubernetes-bai/blob/25.0.0/descriptors/patterns/ibm_cp4a_cr_production_FC_bai.yaml
Stage 6: Apply Generated CR
A custom resource file is created at scripts/generated-cr/<BAI_NAMESPACE>/ibm_bai_cr_final.yaml. Apply the CR to the operator’s namespace, then wait for operator-managed resources to become Ready. This stage will create the required resources (deployments, services, etc.).
Change directory to the extracted cert-kubernetes-bai/scripts/generated-cr folder.
Verify the file: <custom-resource-file>.yaml
kubectl apply -f generated-cr/<custom-resource-file>.yaml
For more details on applying the CR, refer to Deploying the custom resource you created.
Stage 7: Validate Installation
Verification ensures all components are functioning correctly.
Validation includes:
- Checking that the insightsengine status is True, which means the BAI operator has successfully deployed all required components and they are functioning correctly.
- To see the status of the insightsengine: kubectl -n <namespace> get insightsEngine <name> -o=jsonpath='{.status}'
- The insightsengine status also displays the URL of the cockpit, i.e., BPC and Management. For more information, refer to what to do next in Deploying the custom resource you created.
- Verifying that all deployment jobs completed successfully.
- To retrieve the names of the jobs: oc get jobs -l 'app.kubernetes.io/name in (ibm-business-automation-insights)' -o=custom-columns=Name:.metadata.name --no-headers
  For more information about Flink jobs, refer to Troubleshooting Apache Flink jobs.
- Validating the production deployment by running the script: ./bai-post-install.sh
Running BAI Post install Check
Validate OCP Access
################################################################
✔ PASSED  Access to cluster via oc command
Cluster name                                  : <CLUSTER-NAME>
Cluster version                               : <CLUSTER-VERSION>
Console URL                                   : <CONSOLE-URL> 
Logged in as user                             : <USER-NAME>
Using namespace                               : <NAMESPACE>
Deployment name                               : <NAMESPACE>
BAI Status - InsightsEngine
################################################################
InsightsEngine:                               :  Installed
InsightsEngine Version:                       : <VERSION>
BAI - Business Automation Insights Console
################################################################
Business Performance Center URL               : <BPC-URL>
CPFS Status - Common Service Components status
################################################################
ibm-iam-operator : Installed -  Version : <VERSION>
cloud-native-postgresql : Installed -  Version : <VERSION>
ibm-opencontent-flink : Installed -  Version : <VERSION>
ibm-bts-operator : Installed -  Version : <VERSION>
For more information on validation, see Recommended: Validating your production deployment 
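The job check from this stage, turned into a pipeline gate with a deadline, as an added example (not IBM's code). It reuses the label selector from the oc command above and adds the standard .status.succeeded job field as a second column; it assumes each job needs a single successful completion, and wait_for_bai_jobs and incomplete_jobs are hypothetical names. The insightsEngine status is not parsed here because its fields are not shown on this page.

```shell
# Added example, not IBM's code. Assumes every job needs one completion,
# so .status.succeeded >= 1 means the job is done.
BAI_JOB_SELECTOR='app.kubernetes.io/name in (ibm-business-automation-insights)'

# Reads "NAME SUCCEEDED" rows on stdin and prints the names that have no
# successful pod yet. oc prints <none> for an unset field; awk reads it as 0.
incomplete_jobs() {
    awk '$2 + 0 < 1 { print $1 }'
}

# wait_for_bai_jobs NAMESPACE TIMEOUT_SECONDS [POLL_SECONDS]
# Returns 0 once every listed job has succeeded, 1 when the deadline passes.
# The body is a subshell: variables stay local and "exit" only leaves it.
wait_for_bai_jobs() (
    ns=$1
    poll=${3:-15}
    deadline=$(( $(date +%s) + $2 ))
    while :; do
        pending='(no jobs listed)'
        if rows=$(oc -n "$ns" get jobs -l "$BAI_JOB_SELECTOR" --no-headers \
                -o=custom-columns=Name:.metadata.name,Succeeded:.status.succeeded) \
           && [ -n "$rows" ]; then
            pending=$(printf '%s\n' "$rows" | incomplete_jobs)
            [ -z "$pending" ] && exit 0
        fi
        if [ "$(date +%s)" -ge "$deadline" ]; then
            # Unquoted on purpose: folds the job names onto one log line.
            echo "BAI jobs not complete after ${2}s:" $pending >&2
            exit 1
        fi
        sleep "$poll"
    done
)
```

Call it after applying the CR, for example wait_for_bai_jobs bai 1800, and fail the stage on a non-zero return.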
 
Stage 8: Post-Install Steps (Optional)
Final configuration enhances security and usability. Consider implementing:
- Importing sample data - For testing and exploring IBM BAI functionality
- Setting up permissions for Business Performance Center - For defining who can access business data
- Configuring OpenSearch security plug-in - For custom dashboard creation
- Changing Cloud Pak foundational services defaults - Including administrator password, Platform UI customization, certificates, and storage class
- Network policies for enhanced security. For more information, refer to Optional: Installing network policies.
- Smoke tests that verify the complete data flow: inject sample events into Kafka topics, confirm BAI processes them, and verify they appear in Business Performance Center (BPC) dashboards. This checks not just component health, but the entire data pipeline.
For more information on post-installation tasks, refer to Completing post-installation tasks.
Best Practices to Follow
Based on our experience automating the installation of BAI Standalone, we recommend:
- Parameterize everything: Make your pipeline flexible by parameterizing environment-specific values
- Version control configurations: Store all configuration templates in version control
- Implement timeouts: Add appropriate timeouts for long-running operations
- Progressive validation: Check component status after each significant step
- Idempotent scripts: Ensure scripts can be run multiple times without issues
Conclusion
Automating BAI Standalone installation through CI/CD pipelines transforms a complex, error-prone process into a reliable, repeatable operation. This approach not only saves time but also ensures consistency across environments, from development to production.
By following the structured approach outlined in this blog, you can implement your own BAI Standalone installation pipeline, tailored to your specific requirements and environment.
For more information, refer to the IBM Business Automation Insights deployment documentation.
------------------------------
Pierre Pisot, Nithya Velma, Umamaheswararao Mallipudi
from the BAI Development team
------------------------------