How do I install ODM Bronze topology with CP4BA 22.0.2?

By Sia Sin Tay posted Thu January 12, 2023 10:31 AM

  
This article is part of a series on Operational Decision Manager (ODM) topologies in the context of Cloud Pak for Business Automation (CP4BA). For more information about ODM environments and the topologies, see CP4BA ODM topologies on OpenShift.

Please find a PDF version of this article here.

1. Introduction
This document describes how to deploy an ODM Bronze topology on OpenShift as a component of CP4BA 22.0.2.
ODM Bronze topology is an enterprise deployment of ODM in a single namespace of a cluster. It corresponds to the default production pattern deployment. 
Figure 1: Schema of an ODM Bronze topology
Bronze topology is best suited for prototypes or applications with low production constraints (Small, no HA). It can also be seen as the baseline for Silver and Gold topologies and will be referenced as such in other articles.

2. Installation
Prior to installation, go through the Planning for a CP4BA multi-pattern production deployment guide to understand what you need, what options you have, storage classes, security, license entitlements, and how you can measure the usage of your deployments.
Deploying the ODM production pattern involves choices that can lead to different installation instructions. In Review your options, there are several production deployment guides for CP4BA 22.0.2. In this article, we focus on CP4BA multi-pattern production deployment on ROKS classic and OCP to guide you in implementing your deployment in an OpenShift cluster.
Follow the various topics in Option 1: Preparing your cluster for an online deployment to set up your cluster before you create the ODM deployment in a specified namespace. For an air-gapped environment, see Option 2: Preparing your cluster for an air gapped (offline) deployment.

Preparation steps
Topic: Awaited action and results

Action: Before you install any of the automation containers, you must prepare a cluster for the patterns that you want to use.

Action: You must make sure that the client that you intend to use to connect to the OpenShift cluster has all the necessary tools.

Action: All instances of an operator need a namespace whether it is on a private cloud (OCP) or on IBM Cloud® Public (ROKS). Depending on your platform type, either prepare the namespace on OCP or on ROKS.
An example to create a namespace (bronze) for ODM Bronze topology:
oc new-project bronze

Decision: You must get access to the Cloud Pak container images before you edit the custom resource file. You can use the IBM Entitled Registry or a local image registry.

Action: If you plan to use the Form view in Operator Hub, then set up the cluster with the OpenShift console. You can also use the admin script to set up the cluster by running the following Shell script: "cert-kubernetes/scripts/cp4a-clusteradmin-setup.sh"

Action: Use the "cert-kubernetes/scripts/cp4a-prerequisites.sh" script to generate the DB SQL statement file and the YAML template for the secret of your chosen capability (ODM) before you create your deployment.

Optional: The Cloud Pak operator includes a single version of Db2 (db2jcc4.jar), Oracle (ojdbc8.jar), Microsoft SQL Server (mssql-jdbc.jre8.jar), and PostgreSQL (postgresql-42.3.3.jar) JDBC drivers to use in your production deployments. If you need to use other versions, then you must package these files into a compressed file and use the sc_drivers_url configuration parameter to download them from an accessible web server.

Optional: You can enable the containers' logging capabilities and monitoring at deployment time if you have access to either Graphite or Prometheus.

At this stage, you should have your target cluster ready to be used with the Cloud Pak operators up and running.
The next stage is to design, execute, and validate an ODM Bronze topology deployment. The following topics provide further instructions to prepare and install the deployment.
Topic: Awaited action and results

Action: Before you install ODM, check your environment to make sure that you have everything that is needed for the installation. Follow the guide to configure the database, user access, and ODM components.

Action: You can follow the instructions in Option 2: Generating the custom resource with the deployment script to generate an ODM Bronze topology CR YAML file by running the "cert-kubernetes/scripts/cp4a-deployment.sh" script. Check and fill in the custom resource parameter values for the data source and the LDAP configuration in the generated CR YAML file, as explained in Checking and completing your custom resource. Lastly, install the deployment (Option 2: Deploying the custom resource you created with the deployment script).
Refer to the next section for more details about modifying the custom resource parameters.

Some modifications can be done to the generated CR YAML file. Use the following table to help you identify the customizable parameters.

Action: Replace
Parameter: metadata.name
New value: Add a meaningful name, which will be the name of your ICP4ACluster instance.
e.g. odmbronze

Action: Delete
Parameter: spec.shared_configuration.sc_deployment_fncm_license

Action: Delete
Parameter: spec.shared_configuration.sc_deployment_baw_license

Action: Delete
Parameter: spec.shared_configuration.sc_ingress_enable

Action: Delete
Parameter: spec.shared_configuration.sc_ingress_tls_secret_name

Action: Delete
Parameter: spec.shared_configuration.sc_cpe_limited_storage

Action: Update
Parameter: spec.*.*port
New value: The awaited value type is a string and must be between quotes.
e.g. database_port: '60001'

Action: Update
Parameter: spec.odm_configuration.deployment_profile_size
New value: Possible values are: small, medium, and large.
To compute the best size, see System requirements.

Action: Update
Parameter: oc patch AutomationUIConfig iaf-system --type=merge -p '{"spec":{"zenService":{"scaleConfig":"<size>"}}}'
New value: It is recommended that you set the IBM Cloud Platform UI (Zen) service to the same size as Cloud Pak for Business Automation. The possible values are small, medium, and large.

Action: Update
Parameter: spec.datasource_configuration.dc_ssl_enabled
New value: true
ODM Topology guidelines prescribe the usage of SSL.

Action: Create secret
Parameter: spec.datasource_configuration.dc_odm_datasource.dc_ssl_secret_name
New value: Secret used for DB2 SSL configuration for ODM.
e.g. odm-db2-ssl-secret
The secret is created if you run the "cert-kubernetes/scripts/cp4a-prerequisites.sh" script in Preparing databases and secrets for your chosen capabilities by running a script.
Otherwise, to create this secret manually, run the following command:
oc create secret generic odm-db2-ssl-secret --from-file=db2-server-certificate=<your_path>/server.crt
where server.crt is the Db2 SSL certificate public key in ASCII format. For more information, see Step 2 of Configuring an external database.

Action: Create secret
Parameter: spec.datasource_configuration.dc_odm_datasource.dc_common_database_instance_secret
New value: Secret used to keep Db2 login credentials.
The secret is created if you run the "cert-kubernetes/scripts/cp4a-prerequisites.sh" script in Preparing databases and secrets for your chosen capabilities by running a script.
Otherwise, to create this secret manually, run the following command:
oc create secret generic <odm-db-secret> --from-literal=db-user=<user_name> --from-literal=db-password=<user_password>
e.g. topology-odm-db-secret

Action: Create secret
Parameter: spec.ldap_configuration.lc_ldap_ssl_secret_name
New value: Secret used for LDAP SSL configuration.
The secret is created if you run the "cert-kubernetes/scripts/cp4a-prerequisites.sh" script in Preparing databases and secrets for your chosen capabilities by running a script.
To manually configure the LDAP certificate, follow the instructions from this page: Configuring LDAP over SSL.
e.g. topology-ad-ldap-ssl-cert

Action: Create secret
Parameter: spec.ldap_configuration.lc_bind_secret
New value: Secret used for LDAP configuration.
The secret is created if you run the "cert-kubernetes/scripts/cp4a-prerequisites.sh" script in Preparing databases and secrets for your chosen capabilities by running a script.
To configure it manually, follow the instructions from this page: LDAP configuration.
e.g. topology-ad-ldap-bind-secret
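
As an added example (not part of the original article or of IBM's tooling), the following Python function checks a parsed custom resource against the Delete, port, SSL, and secret rows of the table above before you deploy it. The names lint_cr and SAMPLE_CR are assumptions made for illustration; in practice the dictionary would come from parsing the generated CR YAML file, for instance with yaml.safe_load.

```python
# Added example: lint a parsed CP4BA custom resource against the table above.
REMOVED_KEYS = ("sc_deployment_fncm_license", "sc_deployment_baw_license",
                "sc_ingress_enable", "sc_ingress_tls_secret_name",
                "sc_cpe_limited_storage")
REQUIRED_SECRETS = (
    "datasource_configuration.dc_odm_datasource.dc_ssl_secret_name",
    "datasource_configuration.dc_odm_datasource.dc_common_database_instance_secret",
    "ldap_configuration.lc_ldap_ssl_secret_name",
    "ldap_configuration.lc_bind_secret",
)

def _walk(node, path="spec"):
    """Yield (dotted_path, key, value) for every non-dict value under node."""
    for key, value in node.items():
        if isinstance(value, dict):
            yield from _walk(value, f"{path}.{key}")
        else:
            yield f"{path}.{key}", key, value

def _get(node, dotted):
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def lint_cr(cr):
    """Return a list of findings; an empty list means every check passed."""
    spec, findings = cr.get("spec") or {}, []
    for key in REMOVED_KEYS:
        if key in (spec.get("shared_configuration") or {}):
            findings.append(f"delete spec.shared_configuration.{key}")
    for path, key, value in _walk(spec):
        # Match "_port" (an assumption) so keys such as "..._support" are skipped.
        if key.endswith("_port") and not isinstance(value, str):
            findings.append(f"{path} must be a quoted string")
    if _get(spec, "datasource_configuration.dc_ssl_enabled") is not True:
        findings.append("spec.datasource_configuration.dc_ssl_enabled must be true")
    for dotted in REQUIRED_SECRETS:
        if not _get(spec, dotted):
            findings.append(f"no secret name in spec.{dotted}")
    return findings

# Constructed sample with three deliberate mistakes (not taken from the article).
SAMPLE_CR = {"spec": {
    "shared_configuration": {"sc_ingress_enable": False},
    "ldap_configuration": {"lc_ldap_port": 636, "lc_bind_secret": "topology-ad-ldap-bind-secret",
                           "lc_ldap_ssl_secret_name": "topology-ad-ldap-ssl-cert"},
    "datasource_configuration": {"dc_ssl_enabled": False, "dc_odm_datasource": {
        "dc_common_database_port": "60001", "dc_ssl_secret_name": "odm-db2-ssl-secret",
        "dc_common_database_instance_secret": "topology-odm-db-secret"}}}}
```

Calling lint_cr(SAMPLE_CR) reports the leftover sc_ingress_enable key, the unquoted LDAP port, and the disabled database SSL setting.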

In CP4BA 22.0.2, several new features have been introduced. Here are some features that might benefit your ODM deployment.

New topic
Awaited action and results

Optional

If you have different databases for your Decision Center and Decision Server instances, you can now configure dc_odm_decisioncenter_datasource and dc_odm_decisionserver_datasource under the datasource_configuration tag of the custom resource file.

Optional

You can configure multi-zone support by setting the nodeAffinity parameter.

Using this parameter, the ODM service pods can be deployed on nodes in a specific zone. This way, you can organize and optimize access to the underlying resources, like storage and database, by region.

Optional

You can now configure multiple directories in the LDAP configuration in your CP4BA deployment and as a result authenticate users across multiple LDAPs. A mix of directory types is supported, which allows administrators to isolate teams with a specific domain.

For more information about all the new features, see What's new in 22.0.2 - December 2022.

Having modified the custom resource parameters, proceed with the deployment. At this stage, the ICP4ACluster instance that you named odmbronze is created. After a couple of reconcile loops of the CP4BA operator, you can verify the deployment.


3. Validation
To ensure that the environment works correctly, follow the steps in Validating your production deployment. To review the installed ODM services and also install Rule Designer, see Completing post-installation tasks for Operational Decision Manager.  Additional validations can be done at ODM level using Validate your ODM topology - 22.0.1.
Lastly, here is a sample CR YAML file for an ODM Bronze topology with an external Db2 database over SSL and Active Directory LDAP:
apiVersion: icp4a.ibm.com/v1
kind: ICP4ACluster
metadata:
  name: odmbronze
  labels:
    app.kubernetes.io/instance: ibm-dba
    app.kubernetes.io/managed-by: ibm-dba
    app.kubernetes.io/name: ibm-dba
    release: 22.0.2
spec:
  appVersion: 22.0.2
  ibm_license: accept
  shared_configuration:
    sc_deployment_license: production
    sc_deployment_context: "CP4A"
    sc_image_repository: cp.icr.io
    root_ca_secret: icp4a-root-ca
    sc_deployment_patterns: "foundation,decisions"
    sc_optional_components: "decisionCenter,decisionRunner,decisionServerRuntime"
    sc_deployment_type: "Production"
    sc_deployment_platform: "OCP"
    sc_deployment_profile_size: medium
    trusted_certificate_list: []
    storage_configuration:
      sc_slow_file_storage_classname: managed-nfs-storage
      sc_medium_file_storage_classname: managed-nfs-storage
      sc_fast_file_storage_classname: managed-nfs-storage
      sc_block_storage_classname: managed-nfs-storage
    image_pull_secrets:
    - admin.registrykey
    
  ## The beginning section of LDAP configuration for CP4A
  ldap_configuration:
    lc_selected_ldap_type: Microsoft Active Directory
    lc_ldap_server: '*****'
    lc_ldap_port: '***'
    lc_bind_secret: topology-ad-ldap-bind-secret
    lc_ldap_base_dn: '*****'
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: topology-ad-ldap-ssl-cert
    lc_ldap_user_name_attribute: '*****'
    lc_ldap_user_display_name_attr: cn
    lc_ldap_group_base_dn: '*****'
    lc_ldap_group_name_attribute: '*:cn'
    lc_ldap_group_display_name_attr: cn
    lc_ldap_group_membership_search_filter: '*****'
    lc_ldap_group_member_id_map: '*****'
    ad:
      lc_ad_gc_host: '*****'
      lc_ad_gc_port: '***'
    tds:
      lc_user_filter: "(&(cn=%v)(objectclass=person))"
      lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
  ## The beginning section of database configuration for CP4A
  datasource_configuration:
    dc_ssl_enabled: true
    dc_icn_datasource:
      database_ssl_secret_name: ''
      dc_hadr_retry_interval_for_client_reroute: 15
      dc_hadr_max_retries_for_client_reroute: 3
      database_port: '***'
      dc_common_icn_datasource_name: ECMClientDS
      dc_hadr_standby_port: ''
      database_name: '*****'
      database_servername: '*****'
      dc_hadr_validation_timeout: 15
      dc_oracle_icn_jdbc_url: ''
      dc_hadr_standby_servername: ''
      dc_database_type: db2
    dc_odm_datasource:
      database_servername: '*****'
      dc_common_database_name: '*****'
      dc_common_database_instance_secret: topology-odm-db-secret
      dc_common_database_port: '***'
      dc_common_ssl_enabled: true
      dc_database_type: db2
      dc_ssl_secret_name: topology-db2-ssl-cert-for-odm
  ########################################################################
  ########      IBM Operational Decision Manager configuration    ########
  ########################################################################
  odm_configuration:
    decisionCenter:
      enabled: true
    decisionServerRuntime:
      enabled: true
    decisionRunner:
      enabled: true
