How do I install ODM 8.11.0.1 Silver topology on Certified Kubernetes?

By Sia Sin Tay posted Tue September 20, 2022 03:25 AM

  
This article is part of a series on Operational Decision Manager (ODM) topologies on Certified Kubernetes. For more information about ODM environments and the topologies, see the ODM topologies blog post.
Note: Make sure you have read ODM Bronze topology on Certified Kubernetes, which is the base of the ODM Silver topology installation.

Please find a PDF version of this article here.

1. Introduction
This document describes how to deploy an ODM Silver topology on Certified Kubernetes.
The ODM Silver topology is a deployment of several ODM environments, each in its own namespace, within a single cluster.
A minimum Silver topology consists of an Authoring, a Sandbox, and a Production environment.
A full Silver topology consists of an Authoring, Sandboxes, a Pre-prod and a Production environment.

Schema of a full ODM Silver topology (fig. 1)

There is one Decision Center to govern all Decision Servers. The databases are externalized.
 
Silver topology is best suited for applications with medium production constraints (HA, Pre-Prod, ...). For more information, see ODM topologies blog post.

2. Installing ODM Silver topology
Silver topology is based on the default Bronze topology, with additional customization to allow several ODM environments within the same cluster. To install the ODM Silver topology, it is recommended to start with ODM Bronze topology on Certified Kubernetes to set up the cluster, create the database and obtain a baseline configuration YAML (values.yaml) file. Use this YAML file and customize it per ODM environment. Other settings, such as LDAP configuration and certificate management, are discussed later in this article.
Procedure:
  1. Follow the instructions in ODM Bronze topology on Certified Kubernetes to set up the cluster and prepare the ODM installation, such as database creation.
  2. Make sure to create a namespace for your ODM Silver environment. For example:
    kubectl create namespace <silver_topo_name>
  3. Copy the sample values.yaml file of Bronze topology and rename it as <your_silver_env>.yaml. An example of a Bronze topology values.yaml file:
    customization:
      runAsUser: ""
    license: true
    serviceAccountName: ''
    usersPassword: odmAdminPassw0rd
    service:
      enableRoute: true
    externalDatabase:
      type: db2
      secretCredentials: odm-prod-secret-db2
      databaseName: odmbronz
      serverName: db2ssl.mycompany.com
      sslSecretRef: db2-ssl-secret
      port: '60001'
    image:
      repository: cp.icr.io/cp/cp4a/odm
  4. In the externalDatabase section, complete the parameters according to your database configuration.
  5. Customize <your_silver_env>.yaml file according to the specific ODM environment. See the examples below for each ODM environment. See ODM for production configuration parameters for more details.

Authoring environment 
  1. The Authoring environment consists of a Decision Server Console, 2 Decision Center and 2 Decision Runner.
  2. Edit your Authoring YAML file to add the decisionCenter, decisionRunner and decisionServerConsole parameters that install these components. Set decisionServerRuntime.enabled to false, since there is no Decision Server Runtime component in the Authoring environment. For example:
    customization:
      runAsUser: ""
    license: true
    ...
    image:
      repository: cp.icr.io/cp/cp4a/odm
    decisionServerRuntime:
      enabled: false
    decisionCenter:
      enabled: true
      replicaCount: 2
      resources:
        limits:
          cpu: '2'
          memory: 8Gi
        requests:
          cpu: '1'
          memory: 4Gi
    decisionRunner:
      enabled: true
      resources:
        limits:
          cpu: '2'
          memory: 2Gi
        requests:
          cpu: 500m
          memory: 2Gi
    decisionServerConsole:
      resources:
        limits:
          cpu: '2'
          memory: 1Gi
        requests:
          cpu: 500m
          memory: 512Mi
Sandbox environment
  1. The Sandbox environment consists only of a Decision Server Console and a Decision Server Runtime.
  2. Edit your Sandbox YAML file to install only the Decision Server Console and the Decision Server Runtime. Set both decisionCenter.enabled and decisionRunner.enabled to false.
  3. For a non-production environment like Sandbox, set customization.deployForProduction to false. For example:
    customization:
      runAsUser: ""
      deployForProduction: false
    license: true
    ...
    image:
      repository: cp.icr.io/cp/cp4a/odm
    decisionCenter:
      enabled: false
    decisionRunner:
      enabled: false
    decisionServerRuntime:
      enabled: true
      replicaCount: 1
      resources:
        limits:
          cpu: '2'
          memory: 2Gi
        requests:
          cpu: '2'
          memory: 2Gi
    decisionServerConsole:
      resources:
        limits:
          cpu: '2'
          memory: 1Gi
        requests:
          cpu: 500m
          memory: 512Mi
Production and Pre-Prod environment
  1. The Production environment consists of a Decision Server Console and 3 Decision Server Runtime. The Pre-prod environment is similar to the Production environment, with a Decision Server Console and several Decision Server Runtime depending on your needs.
  2. For the Pre-prod environment, set customization.deployForProduction to false. Edit your YAML file to install these components. An example of a Pre-Prod environment:
    customization:
      runAsUser: ""
      deployForProduction: false
    license: true
    ...
    image:
      repository: cp.icr.io/cp/cp4a/odm
    decisionCenter:
      enabled: false
    decisionRunner:
      enabled: false
    decisionServerRuntime:
      enabled: true
      replicaCount: 3
      resources:
        limits:
          cpu: '2'
          memory: 2Gi
        requests:
          cpu: '2'
          memory: 2Gi
    decisionServerConsole:
      resources:
        limits:
          cpu: '2'
          memory: 1Gi
        requests:
          cpu: 500m
          memory: 512Mi
  3. An example of a Production environment:
    customization:
      runAsUser: ""
    license: true
    ...
    image:
      repository: cp.icr.io/cp/cp4a/odm
    decisionCenter:
      enabled: false
    decisionRunner:
      enabled: false
    decisionServerRuntime:
      enabled: true
      replicaCount: 3
      resources:
        limits:
          cpu: '2'
          memory: 2Gi
        requests:
          cpu: '2'
          memory: 2Gi
    decisionServerConsole:
      resources:
        limits:
          cpu: '2'
          memory: 1Gi
        requests:
          cpu: 500m
          memory: 512Mi
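
A pre-install check for the per-environment files described above, as an added example that is not part of the original article or of the ODM Helm chart. It takes values already parsed into a dictionary (for instance by a YAML parser) and reports where a file departs from the component layout given here; the function name, the rule table and the defaults used for absent keys are assumptions.

```python
SAMPLE_PASSWORD = "odmAdminPassw0rd"  # value shown in the Bronze sample values.yaml

# Expected layout per environment, as described in this article:
# (decisionCenter, decisionRunner, decisionServerRuntime, deployForProduction).
# None means the article states no value, so nothing is checked.
ROLE_RULES = {
    "authoring":  (True,  True,  False, None),
    "sandbox":    (False, False, True,  False),
    "preprod":    (False, False, True,  False),
    "production": (False, False, True,  True),
}
COMPONENTS = ("decisionCenter", "decisionRunner", "decisionServerRuntime")


def lint_values(role, values):
    """Return findings for one environment's parsed <your_silver_env>.yaml."""
    *expected_components, prod_mode = ROLE_RULES[role]
    findings = []
    for name, expected in zip(COMPONENTS, expected_components):
        # Assumption: a component with no explicit 'enabled' key is installed.
        actual = values.get(name, {}).get("enabled", True)
        if actual != expected:
            findings.append(f"{name}.enabled is {actual}, expected {expected}")
    # Assumption: deployForProduction is true when the key is absent.
    mode = values.get("customization", {}).get("deployForProduction", True)
    if prod_mode is not None and mode != prod_mode:
        findings.append(f"customization.deployForProduction is {mode}, expected {prod_mode}")
    if values.get("usersPassword") == SAMPLE_PASSWORD:
        findings.append("usersPassword is still the sample value")
    # Assumption: replicaCount is 1 when the key is absent.
    replicas = values.get("decisionServerRuntime", {}).get("replicaCount", 1)
    if role == "production" and replicas < 3:
        findings.append(f"production has {replicas} Decision Server Runtime replica(s), article uses 3")
    return findings


# Constructed input: a Sandbox file copied from the Bronze sample and only
# partly edited (decisionRunner and deployForProduction were forgotten).
SANDBOX = {
    "customization": {"runAsUser": ""},
    "usersPassword": "odmAdminPassw0rd",
    "decisionCenter": {"enabled": False},
    "decisionServerRuntime": {"enabled": True, "replicaCount": 1},
}

if __name__ == "__main__":
    for finding in lint_values("sandbox", SANDBOX):
        print("sandbox:", finding)
```
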
After you have customized the <your_silver_env>.yaml file with your values, install the Helm chart for ODM 8.11.0.1 using the following commands:
    helm repo update
    helm install ibm-odm-prod ibm-helm-repo/ibm-odm-prod  --version=22.1.0 -f "<your_silver_env>.yaml" -n <silver_topo_name>

Once the installation is complete, information including the default user (odmAdmin) credentials and the commands to get the ODM component URLs is displayed. For example:
    ODM Information
    ----------------
      Username/Password :
        - For Decision Center: odmAdmin/<password_for_odmAdmin>
        - For Decision Server Console: odmAdmin/<password_for_odmAdmin>
        - For Decision Runner: odmAdmin/<password_for_odmAdmin>
      Get the application URLs by running these commands:
      export SCHEME=https
      -- Decision Center Business Console
         export DC_ROUTE=$(oc get routes ibm-odm-prod-odm-dc-route -o jsonpath='{.spec.host}')
         echo $SCHEME://$DC_ROUTE/decisioncenter
      -- Decision Runner
         export DR_ROUTE=$(oc get routes ibm-odm-prod-odm-dr-route -o jsonpath='{.spec.host}')
         echo $SCHEME://$DR_ROUTE/DecisionRunner
      -- Decision Server Console
         export DSC_ROUTE=$(oc get routes ibm-odm-prod-odm-ds-console-route -o jsonpath='{.spec.host}')
         echo $SCHEME://$DSC_ROUTE/res
      To learn more about the ibm-odm-prod release, try:
        $ helm status ibm-odm-prod
        $ helm get values ibm-odm-prod
        $ helm get hooks ibm-odm-prod

3. Configuring User Access

By default, ODM is provided with a set of predefined users. To provide customized user access through an LDAP directory, some configuration is required. For more information, see Configuring user access.
To configure ODM with an external OpenID Connect server (OIDC provider) such as the Azure AD cloud service, you can refer to the following two articles:

4. Managing TLS
Certificates
By default, a secured connection from Decision Center in the Authoring environment to the Decision Server Console in another environment fails with an error like the following one:
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Path does not chain with any of the trust anchors
To overcome this issue, you need to import the certificate of the Sandbox/Pre-prod/Production environment into the Authoring environment:
  1. Extract the certificate by downloading it from the RES console (for example, from the Production environment) using a browser.
  2. Create a new secret in the Authoring namespace (key=tls.crt with the certificate content):
    kubectl create secret generic odm-prod-decisionserver-secret --from-file=tls.crt=<your_path>/cpd.pem
  3. Specify this secret as your custom one in the list of secrets registered in the customization.trustedCertificateList parameter of your Silver Authoring values.yaml file:
    customization:
      runAsUser: ''
      trustedCertificateList:
        - odm-prod-decisionserver-secret
  4. Wait a few minutes while the ODM pods restart.

Configuring Rule Designer
To be able to securely connect your Rule Designer to the Decision Server and Decision Center components that are running in an OCP cluster, you need to establish a Transport Layer Security (TLS) connection through a security certificate. For more information, see Importing a security certificate in Rule Designer.

Reaching out to external services
Last but not least, to integrate with an external service in general, you must first import its TLS certificate into the operator trust list. These certificates are added to the truststore of each component. The procedure is described in Importing the certificate of an external service.

5. Installing the License Service
As an IBM client, you must make sure that the License Service is up and running in your cluster topology.
To do so, follow the instructions in this documentation: Tracking license usage of stand-alone IBM Containerized Software. You can also refer to ODM Bronze topology on Certified Kubernetes for more details about this topic.

6. Validating your deployment
Once everything is configured and deployed, you can perform the post-installation tasks described in Completing post-installation tasks. Additional validations can be done at the ODM level using Validate your ODM topology.
