Provision optional configuration
The following configurations are optional:
- ArgoCD: Configures the properties to access ArgoCD service (this configuration is needed for Application composition projects)
- AI provider configuration: Optional - Configures the LLM provider and credentials for AI-based capabilities
- Redis: Optional - Configures the properties to access a Redis service
- Schema Registry: Configures the connection to Schema Registry (this configuration is needed for Event Support)
- Vault: Optional - Configures the properties to access a HashiCorp Vault
- Audit binding: Optional - Configures the connection to the audit logging collector
In the following, "solution-workbench" is the name of the namespace where IBM DevOps Solution Workbench is installed.
AI providers
Use this section to connect the platform to a single LLM provider via the k5-ai-credentials secret (configured below). That shared connection powers generative AI features for all users, including the Design Assistant, ADR Sidekick, and Diagram Assistant (beta). Design Assistant requires this central setup; for the other two features, users can instead use a personal OpenAI key—see AI key configuration below.
The following AI providers are supported:
- OpenAI platform
- OpenAI on Azure
- Amazon Bedrock
Configure the desired provider and the corresponding connection details in the k5-ai-credentials secret. The keys you need depend on the selected provider — see the examples below.
Configuration description:
| Key | Description |
|---|---|
| llm-provider | The LLM provider to use. Supported values: openai (OpenAI platform), azure_openai (OpenAI on Azure), or bedrock (Amazon Bedrock). |
| design-assistant-llm-model | The model ID used by the Design Assistant. |
| adr-sidekick-llm-model | The model ID used by ADR Sidekick. |
| generic-chat-completion-llm-model | The model ID used by the Diagram Assistant. |
| llm-temperature | Optional. Controls response randomness (0.0 = more deterministic, higher values = more creative). Default: 0.0. |
Each AI capability uses its own key ending in -llm-model in the secret. Set these to the model ID expected by your provider. Provider-specific connection details (API keys, endpoints, regions) are documented in the examples for each provider below.
AI key configuration
To use the Design Assistant, the central k5-ai-credentials secret is required, including a valid API key. When set, this key applies globally to all users.
The ADR Sidekick and Diagram Assistant can also use this central configuration. In addition, users can provide their own OpenAI API key in User settings. When a personal key is configured, it takes precedence over the central key.
Recommended models
You can choose any model supported by your provider. The following models are recommended and have been verified for each capability:
| Capability | OpenAI platform / Azure OpenAI | Amazon Bedrock |
|---|---|---|
| Design Assistant | GPT-5.4 | Claude Sonnet 4.5 |
| ADR Sidekick, Diagram Assistant | GPT-4o or GPT-5.1 | comparable model |
OpenAI platform
Secret configuration:
kind: Secret
apiVersion: v1
metadata:
  name: k5-ai-credentials
  namespace: <solution-workbench>
stringData:
  llm-provider: "openai"
  # API key used for calls
  openaiapi.key: "<your-openai-api-key>"
  # llm model used for design assistant feature (GPT-5.4 recommended)
  design-assistant-llm-model: "gpt-5.4"
  # llm model used for ADR sidekick feature (gpt-4o or gpt-5.1 recommended)
  adr-sidekick-llm-model: "gpt-5.1"
  # llm model used for diagram assistant feature (gpt-4o or gpt-5.1 recommended)
  generic-chat-completion-llm-model: "gpt-5.1"
  # optional temperature configuration
  llm-temperature: "0.0"
OpenAI on Azure
Secret configuration:
kind: Secret
apiVersion: v1
metadata:
  name: k5-ai-credentials
  namespace: <solution-workbench>
stringData:
  llm-provider: "azure_openai"
  # your azure openai endpoint
  azure-openai-endpoint: "https://<resource-name>.openai.azure.com/openai/v1"
  # API key used for calls
  openaiapi.key: "<your-openai-api-key>"
  # llm model used for design assistant feature (GPT-5.4 recommended)
  design-assistant-llm-model: "gpt-5.4"
  # llm model used for ADR sidekick feature (gpt-4o or gpt-5.1 recommended)
  adr-sidekick-llm-model: "gpt-5.1"
  # llm model used for diagram assistant feature (gpt-4o or gpt-5.1 recommended)
  generic-chat-completion-llm-model: "gpt-5.1"
  # optional temperature configuration
  llm-temperature: "0.0"
Amazon Bedrock
Secret configuration:
kind: Secret
apiVersion: v1
metadata:
  name: k5-ai-credentials
  namespace: <solution-workbench>
stringData:
  llm-provider: "bedrock"
  # AWS region
  aws-default-region: "<aws-region>"
  # AWS API key
  aws-bedrock-api-key: "<aws-api-key>"
  # Alternative to API key: aws-access-key-id
  aws-access-key-id: "<access-key-id>"
  # Alternative to API key: aws-secret-access-key
  aws-secret-access-key: "<secret-access-key>"
  # llm model used for design assistant feature (Claude Sonnet 4.5 recommended)
  design-assistant-llm-model: "eu.anthropic.claude-sonnet-4-5-20250929-v1:0"
  # llm model used for ADR sidekick feature (Amazon Nova Pro or comparable models)
  adr-sidekick-llm-model: "eu.amazon.nova-pro-v1:0"
  # llm model used for diagram assistant feature (Amazon Nova Pro or comparable models)
  generic-chat-completion-llm-model: "eu.amazon.nova-pro-v1:0"
  # optional temperature configuration
  llm-temperature: "0.0"
Adjust metadata.namespace and stringData for your chosen provider, then create this secret via UI or save it as a file and apply it with the following command:
oc apply -f secret.yaml
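A pre-apply check for the k5-ai-credentials secret, added here as an example and not part of the product or its documentation: it reads the flat stringData map and reports repeated keys, an unsupported llm-provider, missing provider-specific keys, and placeholders left unreplaced. It assumes the keys shown in the three example secrets are the required ones, that all three model keys are expected, and that the Bedrock secret-key entry is named aws-secret-access-key; the sample manifest is constructed.

```python
MODEL_KEYS = ["design-assistant-llm-model", "adr-sidekick-llm-model",
              "generic-chat-completion-llm-model"]
# Per-provider keys, read off the page's example secrets (assumed to be required).
REQUIRED = {"openai": ["openaiapi.key"],
            "azure_openai": ["openaiapi.key", "azure-openai-endpoint"],
            "bedrock": ["aws-default-region"]}
AWS_PAIR = ("aws-access-key-id", "aws-secret-access-key")  # second name assumed
# Constructed sample: a Bedrock secret with a repeated key and a leftover placeholder.
SAMPLE = """\
metadata: {name: k5-ai-credentials}
stringData:
  llm-provider: "bedrock"
  aws-default-region: "<aws-region>"
  aws-access-key-id: "constructed-id"
  aws-access-key-id: "constructed-secret"
  design-assistant-llm-model: "eu.anthropic.claude-sonnet-4-5-20250929-v1:0"
  adr-sidekick-llm-model: "eu.amazon.nova-pro-v1:0"
  generic-chat-completion-llm-model: "eu.amazon.nova-pro-v1:0"
"""

def parse_string_data(manifest):
    """Read the flat stringData map; return (values, keys that appear twice)."""
    data, dupes, inside = {}, [], False
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a top-level key opens or closes the block
            inside = line.startswith("stringData:")
        elif inside:
            key, _, value = line.strip().partition(":")
            if key in data:
                dupes.append(key)
            data[key] = value.strip().strip("\"'")
    return data, dupes

def validate(manifest):
    """Return a list of problems; an empty list means nothing was found."""
    data, dupes = parse_string_data(manifest)
    problems = [f"duplicate key: {k}" for k in dupes]
    provider = data.get("llm-provider")
    if provider not in REQUIRED:
        return problems + [f"unsupported llm-provider: {provider!r}"]
    if provider == "bedrock" and not (
            data.get("aws-bedrock-api-key") or all(data.get(k) for k in AWS_PAIR)):
        problems.append("bedrock needs aws-bedrock-api-key or the access key pair")
    required = MODEL_KEYS + REQUIRED[provider]
    problems += [f"missing key: {k}" for k in required if not data.get(k)]
    problems += [f"placeholder left in: {k}" for k, v in data.items() if "<" in v]
    return problems
```

Call validate() on the contents of secret.yaml before running oc apply. A repeated key matters because most YAML parsers silently keep only the last value.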
ArgoCD
These configurations are required to connect to the ArgoCD service.
Configuration description:
| Key | Description |
|---|---|
| url | The URL of the ArgoCD service |
| username | The username to log in to the ArgoCD service |
| password | The password to log in to the ArgoCD service |
| namespace | The namespace (or OpenShift project) of the ArgoCD installation |
Please use the public route URL as url, or ensure that all certificates (the whole chain) of the ArgoCD service are included in the truststore.
Apply Configuration:
kind: Secret
apiVersion: v1
metadata:
  name: k5-argocd-binding
  namespace: <solution-workbench>
stringData:
  url: "https://openshift-gitops-server.apps.openshift-cluster.mydomain.cloud"
  username: "user"
  password: "pw123"
  namespace: "openshift-gitops"
Adjust metadata.namespace and stringData and then create this secret via UI or save it as a file and apply it with
the following command:
oc apply -f secret.yaml
Redis
These configurations are required to connect to the Redis service.
Configuration description:
| Key | Description |
|---|---|
| host | The host of the Redis service |
| password | The password to log in to the Redis service |
| port | The port of the Redis service |
Please use the internal service URL as host, e.g. redis-master.redis-namespace.svc.cluster.local.
If you have configured a Redis service, you can enable Horizontal Pod Autoscaling for the k5-diagram-modelling service; see Extended configuration.
Apply Configuration:
kind: Secret
apiVersion: v1
metadata:
  name: k5-redis-binding
  namespace: <solution-workbench>
stringData:
  host: "redis-master.redis-namespace.svc.cluster.local"
  password: "pw123"
  port: "6379"
Adjust metadata.namespace and stringData and then create this secret via UI or save it as a file and apply it with
the following command:
oc apply -f secret.yaml
Schema Registry
This configuration is necessary to connect to the Schema Registry.
Configuration description:
| Parameter | Description |
|---|---|
| cleanUpTaskTime (optional) | The time when the cleanup job should run. Please use cron schedule expressions. (Default: 0 0 20 * * Saturday) |
| cleanUpTaskTimeZone (optional) | The timezone you're in. Example: Europe/Berlin (Default timezone: UTC) |
| url | URL of the Schema Registry. |
Apply Configuration:
kind: Secret
apiVersion: v1
metadata:
  name: k5-schema-registry-binding
  namespace: <solution-workbench>
stringData:
  url: "https://schema-registry.apps.openshift-cluster.mydomain.cloud"
Adjust metadata.namespace and stringData and then create this secret via UI or save it as a file and apply it with
the following command:
oc apply -f secret.yaml
Vault
Configures properties to access a HashiCorp Vault. This configuration is not mandatory!
Configuration description:
| Parameter | Description |
|---|---|
| url | The URL of the HashiCorp Vault |
| role | The name of the role you configured in your Vault. You can find information on how to do that here. |
Losing or changing the Vault configuration can cause errors, and secrets need to be recreated.
Apply Configuration:
kind: Secret
apiVersion: v1
metadata:
  name: k5-vault-binding
  namespace: <solution-workbench>
  labels:
    k5-configuration: 'true'
stringData:
  url: "string"
  role: "string"
Adjust metadata.namespace and stringData and then create this secret via UI or save it as a file and apply it with
the following command:
oc apply -f secret.yaml
Audit Binding
This configuration is necessary to connect to your audit logging collector (e.g. Fluentd). By default, audit logging is disabled, since it is not meant to be used without a connection to an audit logging collector. If you do not want audit logging, you can skip this configuration.
Configuration description:
| Parameter | Description |
|---|---|
| auditEnabled | Enables or disables the Audit logging. |
| connectionString | The Fluentd connectionString for Audit logging. |
Apply Configuration:
kind: Secret
apiVersion: v1
metadata:
  name: k5-auditlog-settings
  namespace: <solution-workbench>
  labels:
    k5-configuration: 'true'
stringData:
  auditEnabled: "boolean"
  connectionString: "string"
Adjust metadata.namespace and stringData and then create this secret via UI or save it as a file and apply it with
the following command:
oc apply -f secret.yaml