This article is part of an article series around Operational Decision Manager (ODM) topologies on Certified Kubernetes. For more information about ODM environments and the topologies, see ODM topologies blog post.
1. Introduction
This document describes how to deploy an ODM Silver topology on Certified Kubernetes.
The ODM Silver topology is a deployment of several ODM environments, each in an individual namespace, within a single cluster.
A minimum Silver topology consists of an Authoring, a Sandbox, and a Production environment.
A full Silver topology consists of an Authoring environment, Sandboxes, a Pre-prod and a Production environment.
Schema of a full ODM Silver topology (fig. 1)
There is one Decision Center to govern all Decision Servers. The databases are externalized.
Silver topology is best suited for applications with medium production constraints (HA, Pre-Prod, ...). For more information, see ODM topologies blog post.
2. Installing ODM Silver topology
The Silver topology is based on the default Bronze topology, with additional customization to allow several ODM environments within the same cluster. To install the ODM Silver topology, it is recommended to start with ODM Bronze topology on Certified Kubernetes to set up the cluster, create the database, and obtain a baseline configuration YAML (values.yaml) file. Use this YAML file and customize it per ODM environment. Other settings, such as LDAP configuration and certificate management, are discussed later in this article.
Procedure:
- Follow the instructions in ODM Bronze topology on Certified Kubernetes to set up the cluster and prepare the ODM installation, such as database creation.
- Make sure to create a namespace for your ODM Silver environment. For example:
kubectl create namespace <silver_topo_name>
- Copy the sample values.yaml file of Bronze topology and rename it as <your_silver_env>.yaml. An example of a Bronze topology values.yaml file:
customization:
  runAsUser: ""
license: true
serviceAccountName: ''
usersPassword: odmAdminPassw0rd
service:
  enableRoute: true
externalDatabase:
  type: db2
  secretCredentials: odm-prod-secret-db2
  databaseName: odmbronz
  serverName: db2ssl.mycompany.com
  sslSecretRef: db2-ssl-secret
  port: '60001'
image:
  repository: cp.icr.io/cp/cp4a/odm
- In the externalDatabase section, complete the parameters according to your database configuration.
- Customize the <your_silver_env>.yaml file according to the specific ODM environment. See the examples below for each ODM environment. See ODM for production configuration parameters for more details.
Authoring environment
- The Authoring environment consists of a Decision Server Console, 2 Decision Center and 2 Decision Runner.
- Edit your Authoring YAML file to add the decisionCenter, decisionRunner and decisionServerConsole parameters that install these components. Set decisionServerRuntime.enabled to false, since there is no Decision Server Runtime component in the Authoring environment. For example:
customization:
  runAsUser: ""
license: true
...
image:
  repository: cp.icr.io/cp/cp4a/odm
decisionServerRuntime:
  enabled: false
decisionCenter:
  enabled: true
  replicaCount: 2
  resources:
    limits:
      cpu: '2'
      memory: 8Gi
    requests:
      cpu: '1'
      memory: 4Gi
decisionRunner:
  enabled: true
  resources:
    limits:
      cpu: '2'
      memory: 2Gi
    requests:
      cpu: 500m
      memory: 2Gi
decisionServerConsole:
  resources:
    limits:
      cpu: '2'
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 512Mi
Sandbox environment
- The Sandbox environment consists only of a Decision Server Console and a Decision Server Runtime.
- Edit your Sandbox YAML file to install only the Decision Server Console and the Decision Server Runtime. Set both decisionCenter.enabled and decisionRunner.enabled to false.
- For a non-production environment like Sandbox, set customization.deployForProduction to false. For example:
customization:
  runAsUser: ""
  deployForProduction: false
license: true
...
image:
  repository: cp.icr.io/cp/cp4a/odm
decisionCenter:
  enabled: false
decisionRunner:
  enabled: false
decisionServerRuntime:
  enabled: true
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2Gi
    requests:
      cpu: '2'
      memory: 2Gi
decisionServerConsole:
  resources:
    limits:
      cpu: '2'
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 512Mi
Production and Pre-Prod environment
- The Production environment consists of a Decision Server Console and 3 Decision Server Runtime. The Pre-prod environment is similar to the Production environment, with a Decision Server Console and several Decision Server Runtime depending on your needs.
- For the Pre-prod environment, set customization.deployForProduction to false. Edit your YAML file to install these components. An example of a Pre-prod environment:
customization:
  runAsUser: ""
  deployForProduction: false
license: true
...
image:
  repository: cp.icr.io/cp/cp4a/odm
decisionCenter:
  enabled: false
decisionRunner:
  enabled: false
decisionServerRuntime:
  enabled: true
  replicaCount: 3
  resources:
    limits:
      cpu: '2'
      memory: 2Gi
    requests:
      cpu: '2'
      memory: 2Gi
decisionServerConsole:
  resources:
    limits:
      cpu: '2'
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 512Mi
- An example of a Production environment:
customization:
  runAsUser: ""
license: true
...
image:
  repository: cp.icr.io/cp/cp4a/odm
decisionCenter:
  enabled: false
decisionRunner:
  enabled: false
decisionServerRuntime:
  enabled: true
  replicaCount: 3
  resources:
    limits:
      cpu: '2'
      memory: 2Gi
    requests:
      cpu: '2'
      memory: 2Gi
decisionServerConsole:
  resources:
    limits:
      cpu: '2'
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 512Mi
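A pre-install check for the per-environment files described above, as an added example that is not part of the original article or of the ibm-odm-prod chart: it compares a values file with the component switches shown in the article's examples. The names flatten, check and EXPECTED, and the rule that flags the sample usersPassword, are assumptions of this example; the small parser handles only the nested maps and scalars used here and stands in for a full YAML library.

```python
# Added example (not the article's or the chart's code); all names here are hypothetical.
SAMPLE_PASSWORD = "odmAdminPassw0rd"  # sample value in the article's Bronze values.yaml
DC, DR, DSR = "decisionCenter.enabled", "decisionRunner.enabled", "decisionServerRuntime.enabled"
DFP = "customization.deployForProduction"
RUNTIME_ONLY = {DC: "false", DR: "false", DSR: "true"}
NON_PROD = {**RUNTIME_ONLY, DFP: "false"}
EXPECTED = {  # component switches per environment, taken from the article's examples
    "authoring": {DC: "true", DR: "true", DSR: "false"},
    "sandbox": NON_PROD, "pre-prod": NON_PROD, "production": RUNTIME_ONLY,
}

def flatten(text):
    """Flatten block-style YAML (nested maps and scalars only) to dotted keys."""
    out, stack = {}, []  # stack holds (indent, key) of the enclosing maps
    for raw in text.splitlines():
        body = raw.split(" #")[0].strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        key, _, val = body.partition(":")
        stack.append((indent, key.strip()))
        if val.strip():
            out[".".join(k for _, k in stack)] = val.strip().strip("'\"")
    return out

def check(env, text):
    """Return findings for one environment's values file; an empty list means none."""
    values, findings = flatten(text), []
    for key, want in EXPECTED[env].items():
        got = values.get(key, "unset").lower()
        if got != want:
            findings.append(f"{key}: expected {want}, found {got}")
    if env == "production" and values.get(DFP, "").lower() == "false":
        findings.append(f"{DFP}: false in a production file")
    if values.get("usersPassword") == SAMPLE_PASSWORD:
        findings.append("usersPassword: still the article's sample value")
    return findings

# Constructed Sandbox file: decisionRunner and deployForProduction unset, sample password kept.
SANDBOX = """\
usersPassword: odmAdminPassw0rd
decisionCenter:
  enabled: false
decisionServerRuntime:
  enabled: true
"""

print("\n".join(check("sandbox", SANDBOX)))
```

Run check once per environment file before the helm install step and treat a non-empty result as a reason to stop.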
After you have customized the <your_silver_env>.yaml file with your values, launch the installation of the helm chart for ODM 8.11.0.1 using the following command lines:
helm repo update
helm install ibm-odm-prod ibm-helm-repo/ibm-odm-prod --version=22.1.0 -f "<your_silver_env>.yaml" -n <silver_topo_name>
Once the installation is complete, the information including default user (odmAdmin) credential and the commands to get ODM component URLs will be provided to you. For example:
ODM Information
----------------
Username/Password :
- For Decision Center: odmAdmin/<password_for_odmAdmin>
- For Decision Server Console: odmAdmin/<password_for_odmAdmin>
- For Decision Runner: odmAdmin/<password_for_odmAdmin>
Get the application URLs by running these commands:
export SCHEME=https
-- Decision Center Business Console
export DC_ROUTE=$(oc get routes ibm-odm-prod-odm-dc-route -o jsonpath='{.spec.host}')
echo $SCHEME://$DC_ROUTE/decisioncenter
-- Decision Runner
export DR_ROUTE=$(oc get routes ibm-odm-prod-odm-dr-route -o jsonpath='{.spec.host}')
echo $SCHEME://$DR_ROUTE/DecisionRunner
-- Decision Server Console
export DSC_ROUTE=$(oc get routes ibm-odm-prod-odm-ds-console-route -o jsonpath='{.spec.host}')
echo $SCHEME://$DSC_ROUTE/res
To learn more about the ibm-odm-prod release, try:
$ helm status ibm-odm-prod
$ helm get values ibm-odm-prod
$ helm get hooks ibm-odm-prod
3. Configuring User Access
By default, ODM is provided with a set of predefined users. To provide customized user access through an LDAP directory, some configurations need to be done. For more information, see Configuring user access.
To configure ODM with an external OpenID Connect server (OIDC provider) such as the Azure AD cloud service, you can refer to the following two articles:
4. Managing TLS Certificates
By default, a secured connection from Decision Center in the Authoring environment to the Decision Server Console in another environment fails with an error like the following one:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Path does not chain with any of the trust anchors
To overcome this issue, you need to import the certificate of the Sandbox/Pre-prod/Production environment into the Authoring environment:
- Extract the certificate by downloading it from the RES console (for example from Production environment) using a browser.
- Create a new secret in the Authoring namespace (key tls.crt, holding the certificate content):
kubectl create secret generic odm-prod-decisionserver-secret --from-file=tls.crt=<your_path>/cpd.pem
- Specify this secret as your custom one in the list of secrets registered in the customization.trustedCertificateList parameter of your Silver Authoring values.yaml file.
customization:
  runAsUser: ''
  trustedCertificateList:
    - odm-prod-decisionserver-secret
- Wait a few minutes while the ODM pods restart.
Configuring Rule Designer
To be able to securely connect your Rule Designer to the Decision Server and Decision Center components that are running in an OCP cluster, you need to establish a Transport Layer Security (TLS) connection through a security certificate. For more information, see Importing a security certificate in Rule Designer.
Reaching external services
Last but not least, to integrate with an external service in general, you must first import its TLS certificate into the operator trust list. These certificates are added to the truststore of each component. The procedure is described in Importing the certificate of an external service.
5. Installing the License Service
As an IBM client, you must make sure that the License Service is up and running in your cluster topology.
6. Validating your deployment