Decision Management (ODM, ADS)

 View Only

How do I install ODM 8.12.0.1 Silver topology on Certified Kubernetes?

By Johanne Sebaux posted Tue January 16, 2024 02:56 PM

  

Target audience: ODM user with Administrator role

Estimated duration: 120 minutes

This article is part of an article series around Operational Decision Manager (ODM) topologies on Certified

Kubernetes.  For more information about ODM environments and the topologies, see ODM topologies blog post. Note: Make sure you have read ODM 8.12 Bronze topology on Certified Kubernetes which is the base of ODM Silver topology installation.

1. Introduction

 

This document aims to describe how to make an ODM Silver topology deployment on Certified Kubernetes. The ODM Silver topology is a deployment of several ODM environments, each in an individual namespace, within a single cluster.  

Minimum Silver topology consists of an Authoring, a Sandbox, and a Production environment.  

Full Silver topology consists of an Authoring, Sandboxes, a Pre-prod and a Production environment.    

Schema of a full ODM Silver topology (fig. 1)

There is one Decision Center to govern all Decision Servers. The databases are externalized.

  

Silver topology is best suited for applications with medium production constraints (HA, Pre-Prod, ...). For more information, see ODM topologies blog post. 

2. Installing ODM Silver topology

 

Silver topology is based on default Bronze topology with additional customization to allow several ODM environments within the same cluster. To install ODM Silver topology, it is recommended to start with ODM Bronze topology on Certified Kubernetes to setup the cluster, create the database and then obtain a baseline configuration YAML (values.yaml) file. Use this YAML file and customize it per ODM environment. Other settings such as LDAP configuration and certificates management are discussed in the later part of this article.

 

2.1 Procedure:

1.     Follow the instructions in ODM Bronze topology on Certified Kubernetes to setup the cluster and prepare the ODM installation such as database creation.  

2.     Make sure to create a namespace for your ODM Silver environment. For example: 

kubectl new-project <silver_topo_name>

3.     Copy the sample values.yaml file of Bronze topology and rename it as

<your_silver_env>.yaml.  An example of a Bronze topology values.yaml file: 

customization:   

  runAsUser: ""

license: true

serviceAccountName: ''

usersPassword: odmAdminPassw0rd

service:   

  enableRoute: true

externalDatabase:

  type: db2

  secretCredentials: odm-prod-secret-db2   

  databaseName: odmbronz   

  serverName: db2ssl.mycompany.com   

  sslSecretRef: db2-ssl-secret   

  port: '60001'

image:

    repository: cp.icr.io/cp/cp4a/odm

4.     In externalDatabase section, complete the parameters per your database configuration. 

5.     Customize <your_silver_env>.yaml file according to the specific ODM environment. See the examples below for each ODM environment.  See ODM for production configuration parameters for more details.

2.2 Authoring environment  

1.     Authoring environment consists of Decision Server Console, 2 Decision Center and 2 Decision Runner.   

2.     Edit your Authoring YAML file to add in decisionCenter, decisionRunner and decisionServerConsole parameters to install these components. Set

decisionServerRuntime.enabled to false since there is no Decision Server Runtime component in Authoring environment. For example: 

customization:

  runAsUser: "" license: true ...

image:

  repository:cp.icr.io/cp/cp4a/odm decisionServerRuntime:

  enabled: false

decisionCenter:

  enabled: true

  replicaCount: 2

  resources:

    limits:

      cpu: '2'

      memory: 8Gi

    requests:

      cpu: '1'

      memory: 4Gi

decisionRunner:

  enabled: true

  resources:

    limits:

      cpu: '2'

      memory: 2Gi

    requests:

      cpu: 500m

      memory: 2Gi decisionServerConsole:

  resources:

    limits:

      cpu: '2'

      memory: 1Gi

    requests:

      cpu: 500m

      memory: 512Mi

2.3 Sandbox environment

1.     Sandbox environment only consists of Decision Server Console and a Decision Server Runtime.   

2.     Edit your Sandbox YAML file to only install Decision Server Console and Decision Server Runtime. Set both decisionCenter.enabled and decisionRunner.enabled to false.   

3.     For non-production environment like Sandbox, set customization.deployForProduction to false. For example: 

customization:

  runAsUser: ""

  deployForProduction:false

license: true

...

image:

  repository:cp.icr.io/cp/cp4a/odm decisionCenter:

  enabled: false decisionRunner:

  enabled: false decisionServerRuntime:

  enabled: true

  replicaCount: 1

  resources:

    limits:

      cpu: '2'

      memory: 2Gi

    requests:

      cpu: '2'

      memory: 2Gi decisionServerConsole:

  resources:

    limits:

      cpu: '2'

      memory: 1Gi

    requests:

      cpu: 500m

      memory: 512Mi

2.4 Production and Pre-Prod environment

1.     Production environment consists of Decision Server Console and 3 Decision Server Runtime.  Pre-prod environment is similar to Production environment with a Decision Server Console and several Decision Server Runtime depending on your needs.   

2.     For Pre-prod environment, set customization.deployForProduction to false.  Edit your YAML file to install these components. An example of a Pre-Prod environment: 

customization:

  runAsUser: ""

  deployForProduction:false

license: true ...

image:

  repository:cp.icr.io/cp/cp4a/odm decisionCenter:

  enabled: false

decisionRunner:

  enabled: false decisionServerRuntime:

  enabled: true

  replicaCount: 3

  resources:

    limits:

      cpu: '2'

      memory: 2Gi

    requests:

      cpu: '2'

      memory: 2Gi decisionServerConsole:

  resources:

    limits:

      cpu: '2'

      memory: 1Gi

    requests:

      cpu: 500m

      memory: 512Mi

3.     An example of a Production environment: 

customization:

  runAsUser: "" license: true ...

image:

  repository:cp.icr.io/cp/cp4a/odm decisionCenter:

  enabled: false

decisionRunner:

  enabled: false decisionServerRuntime:

  enabled: true

  replicaCount: 3

  resources:

    limits:

      cpu: '2'

      memory: 2Gi

    requests:

      cpu: '2'

      memory: 2Gi decisionServerConsole:

  resources:

    limits:

      cpu: '2'

      memory: 1Gi

    requests:

      cpu: 500m

      memory: 512Mi

After you have customized the <your_silver_env>.yaml file with your values, launch the installation of the helm chart for ODM 8.12.0.1 using the following command lines: 

helm repo add ibm-helm-repo

"https://raw.githubusercontent.com/IBM/charts/master/repo/entitled" helm repo update helm install ibm-odm-prod ibm-helm-repo/ibm-odm-prod  --version=23.2.0 -f "<your_silver_env>.yaml" -n <silver_topo_name>

 

Once the installation is complete, the information including default user (odmAdmin) credential and the commands to get ODM component URLs will be provided to you. For example:

ODM Information

----------------   Username/Password :

-        For Decision Center: odmAdmin/<password_for_odmAdmin>

-        For Decision Server Console: odmAdmin/<password_for_odmAdmin>     - For Decision Runner: odmAdmin/<password_for_odmAdmin>   Get the application URLs by running these commands:   export SCHEME=https

  -- Decision Center Business Console

     export DC_ROUTE=$(oc get routes ibm-odm-prod-odm-dc-route -o jsonpath='{.spec.host}')      echo $SCHEME://$DC_ROUTE/decisioncenter

  -- Decision Runner

     export DR_ROUTE=$(oc get routes ibm-odm-prod-odm-dr-route -o jsonpath='{.spec.host}')      echo $SCHEME://$DR_ROUTE/DecisionRunner

  -- Decision Server Console

     export DSC_ROUTE=$(oc get routes ibm-odm-prod-odm-ds-console-route -o jsonpath='{.spec.host}')      echo $SCHEME://$DSC_ROUTE/res

  To learn more about the ibm-odm-prod release, try:

    $ helm status ibm-odm-prod

    $ helm get values ibm-odm-prod

    $ helm get hooks ibm-odm-prod

3. Configuring User Access

 

By default, ODM is provided with a set of predefined users. To provide customized user access through an LDAP directory, some configurations need to be done. For more information, see Configuring user access.

To configure ODM with an external OpenID Connect server (OIDC provider) such as the Microsoft Entra ID (ex Azure Active Directory) cloud service, you can refer to the following two articles:

       Configure ODM with an Microsoft Entra ID (ex Azure Active Directory) service

       How to configure ODM on K8s OIDC with Microsoft Entra ID (ex Azure Active Directory)  

4. Managing TLS Certificates

 

By default, a secured connection between Decision Center in Authoring environment to Decision Server Console in another environment, leads to an error like the following one:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Path does not chain with any of the trust anchors

To overcome this issue, you need to import the certificate of Sandbox/Prep-prod/Production environment to Authoring environment:

1.     Extract the certificate by downloading it from the RES console (for example from Production environment) using a browser.

2.     Create a new secret in authoring namespace (key=tls.crt with cert content) 

kubectl create secret generic odm-prod-decisionserver-secret --fromfile=tls.crt=<your_path>/cpd.pem

3.     Specify this secret as your custom one in the list of secrets registered in the customization.trustedCertificateList parameter of your Silver Authoring values.yaml file. 

customization:   runAsUser: ''   trustedCertificateList:

    - odm-prod-decisionserver-secret

4.     Wait for some minutes while the ODM pods restart

4.1 Configuring Rule Designer

To be able to securely connect your Rule Designer to the Decision Server and Decision Center components that are running in an OCP cluster, you need to establish a Transport Layer Security (TLS) connection through a security certificate. For more information, see Importing a security certificate in Rule Designer.

4.2 Reaching out external services

Last but not least, to integrate with an external service in general, you must first import its TLS certificate into the operator trust list. These certificates are added to the truststore of each component. The procedure is described in Importing the certificate of an external service.

5. Installing the License Service 

 

As a IBM client, you have to be sure that the License Service 4.2 is up-and-running in your cluster topology.

To do so, follow the instructions in the dedicated documentation: Installing License Service. You can also refer to our blog entry : How do I easily install and use IBM License Service.

6. Validating your deployment

 

Once everything is well configured and deployed, you can perform post installation tasks as described in Completing post-installation tasks. Additional validations can be done at ODM level using Validate your ODM topology.  

#OperationalDecisionManager(ODM) #topology #businessrules #DecisionAutomation

 


#OperationalDecisionManager(ODM)
#AutomationDecisionServices(ADS)
#automation-featured-area-3
#automation-spotlight
#Spotlight
0 comments
24 views

Permalink