How do I install ODM Bronze topology with CP4BA 23.0.1?

By Johanne Sebaux posted Wed August 02, 2023 10:13 AM

  

Target audience: ODM user with ODM Administrator role
Estimated duration: 120 minutes.

This article is part of an article series around Operational Decision Manager (ODM) topologies in context of Cloud Pak for Business Automation (CP4BA). For more information about ODM environments and the topologies, see CP4BA ODM topologies on OpenShift.

1. Introduction

This document describes how to deploy an ODM Bronze topology on OpenShift as a component of CP4BA 23.0.1.

ODM Bronze topology is an enterprise deployment of ODM in a single namespace of a cluster. It corresponds to the default production pattern deployment. 

Schema of an ODM bronze topology (fig. 1)
Bronze topology is best suited for prototypes or applications with low production constraints (Small, no HA). It can also be seen as the baseline for Silver and Gold topologies and will be referenced as such in other articles.

2. Installation

Prior to installation, go through the Planning for a CP4BA multi-pattern production deployment guide to understand what you need, what options you have, storage classes, security, license entitlements, and how you can measure the usage of your deployments.

Deploying the ODM production pattern comes with some choices, which can lead to different installation instructions. In Review your options, there are several production deployment guides for CP4BA 23.0.1. In this article, we focus on the guide CP4BA single-pattern production deployment on ROKS classic and OCP by following installation guides in PDF, which walks you through implementing your deployment in an OpenShift cluster.

As a prerequisite, follow the various topics in Option 1: Preparing your cluster for an online deployment to set up your cluster before you create the ODM deployment in a specified namespace. The next section helps you to go through this preparation.

NB: for an air-gapped environment, see Option 2: Preparing your cluster for an air gapped (offline) deployment.

2.1 Cluster preparation steps

Topic

Awaited action and results

Preparing your cluster

This is an action. 

Before you install any of the automation containers, you must prepare a cluster for the patterns that you want to use.

Preparing a client to connect to the cluster

This is an action. 

You must make sure that the client that you intend to use to connect to the OpenShift cluster has all the necessary tools.

Preparing a namespace for the Cloud Pak operator

This is an action. 

All instances of an operator need a namespace whether it is on a private cloud (OCP) or on IBM Cloud® Public (ROKS). Depending on your platform type, either prepare the namespace on OCP or on ROKS.

An example to create a namespace (bronze) for ODM Bronze topology:

oc new-project bronze

Now using project "bronze" on server "https://api.<my_company_ocp_cluster>.com:6443".

Getting access to container images

This is a decision to be made. 

You must get access to the Cloud Pak container images before you edit the custom resource file. You can use the IBM Entitled Registry, a local image registry, or the deployment scripts, which handle the secret creation for you.

Setting up the cluster

This is an action. 

If you plan to use the Form view in Operator Hub, then set up the cluster with the OpenShift console.

You can also set up the cluster by running shell scripts, as described in this section:

  • Install IBM License Service and IBM Certificate Manager (sample output: see * below)

git clone -b scripts https://github.com/IBM/ibm-common-service-operator.git
cd ibm-common-service-operator/cp3pt0-deployment
./setup_singleton.sh --enable-licensing --license-accept

  • Set up the cluster (sample output: see ** below)

cd cert-kubernetes/scripts
./cp4a-clusteradmin-setup.sh

Note: this latter script is located in the cert-kubernetes repository, which you obtained at the "Preparing a client to connect to the cluster" step above.

At this stage, you have been through the checklist to prepare your cluster.  

*: Sample output of the ./setup_singleton.sh --enable-licensing --license-accept script execution

./setup_singleton.sh --enable-licensing --license-accept
[] oc command available
[] oc command logged in as ocadmin
[] Channel is valid
# Installing cert-manager
# Creating namespace ibm-cert-manager
namespace/ibm-cert-manager created
[INFO] Checking existing OperatorGroup in ibm-cert-manager:
[INFO] Creating following OperatorGroup:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-cert-manager-operator
  namespace: ibm-cert-manager
spec: {}
operatorgroup.operators.coreos.com/ibm-cert-manager-operator created
[INFO] Creating following Subscription:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-cert-manager-operator
  namespace: ibm-cert-manager
spec:
  channel: v4.0
  installPlanApproval: Automatic
  name: ibm-cert-manager-operator
  source: ibm-cert-manager-catalog
  sourceNamespace: openshift-marketplace
subscription.operators.coreos.com/ibm-cert-manager-operator created
[INFO] Waiting for operator ibm-cert-manager-operator in namespace ibm-cert-manager to be made available
[] Operator ibm-cert-manager-operator in namespace ibm-cert-manager is available
certmanagerconfig.operator.ibm.com/default patched
[INFO] License accepted for certmanagerconfig.operator.ibm.com default.
# Installing licensing
# Creating namespace ibm-licensing
namespace/ibm-licensing created
[INFO] Checking existing OperatorGroup in ibm-licensing:
[INFO] Creating following OperatorGroup:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-licensing-operator-app
  namespace: ibm-licensing
spec:
  targetNamespaces:
    - ibm-licensing
operatorgroup.operators.coreos.com/ibm-licensing-operator-app created
[INFO] Creating following Subscription:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ibm-licensing-operator-app
  namespace: ibm-licensing
spec:
  channel: v4.0
  installPlanApproval: Automatic
  name: ibm-licensing-operator-app
  source: ibm-licensing-catalog
  sourceNamespace: openshift-marketplace
subscription.operators.coreos.com/ibm-licensing-operator-app created
[INFO] Waiting for operator ibm-licensing-operator in namespace ibm-licensing to be made available
[] Operator ibm-licensing-operator in namespace ibm-licensing is available
[INFO]
[] ibmlicensing instance present
ibmlicensing.operator.ibm.com/instance patched
[INFO] License accepted for ibmlicensing instance.

** : Sample output of the ./cp4a-clusteradmin-setup.sh script execution.

./cp4a-clusteradmin-setup.sh
[INFO] Checking the IBM Cert-manager Operator ready or not
[INFO] Checking for IBM Cert-Manager Operator ready or not...
[] IBM Cert-manager Operator is running: 
[INFO] Pod: cert-manager-controller-5c875b7cd8-mwv8m
            cert-manager-webhook-6ffd9d67f4-q2d79
            cert-manager-cainjector-5dcd976f6d-r5f9f
            ibm-cert-manager-operator-f9c4495dc-lbwz6
[INFO] Starting to set up the cluster for CP4BA deployment
Select the cloud platform to deploy:
1) RedHat OpenShift Kubernetes Service (ROKS) - Public Cloud
2) Openshift Container Platform (OCP) - Private Cloud
3) Other ( Certified Kubernetes Cloud Platform / CNCF)
Enter a valid option [1 to 3]: 2
This script prepares the OLM for the deployment of some Cloud Pak for Business Automation capabilities
What type of deployment is being performed?
1) Starter
2) Production
Enter a valid option [1 to 2]: 2
Do you want CP4BA Operator support 'All Namespaces'? (Yes/No, default: No) No
Where do you want to deploy Cloud Pak for Business Automation?
Enter the name for a new project or an existing project (namespace): bronze
The Cloud Pak for Business Automation Operator (Pod, CSV, Subscription) not found in cluster
Continue....
Project "bronze" already exists! Continue...
Here are the existing users on this cluster:
1) Cluster Admin
2) <my_company_non_admin_user>
Enter an existing username in your cluster, valid option [1 to 2], non-admin is suggested: 2
Follow the instructions on how to get your Entitlement Key:
https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/23.0.1?topic=deployment-getting-access-images-from-public-entitled-registry
Do you have a Cloud Pak for Business Automation Entitlement Registry key (Yes/No, default: No): Yes
Enter your Entitlement Registry key:
Verifying the Entitlement Registry key...
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
Entitlement Registry key is valid.
The existing storage classes in the cluster:
NAME                            PROVISIONER                         RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
managed-nfs-storage (default)   redhat-emea-ssa-team/hetzner-ocp4   Delete          Immediate           false                  21h
Creating docker-registry secret for Entitlement Registry key in project bronze...
secret/ibm-entitlement-key created
Done
Waiting for the Cloud Pak for Business Automation operator to be ready. This might take a few minutes...
catalogsource.operators.coreos.com/ibm-cp4a-operator-catalog created
catalogsource.operators.coreos.com/ibm-cs-flink-operator-catalog created
catalogsource.operators.coreos.com/ibm-cs-elastic-operator-catalog created
Warning: resource catalogsources/ibm-cert-manager-catalog is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
catalogsource.operators.coreos.com/ibm-cert-manager-catalog configured
Warning: resource catalogsources/ibm-licensing-catalog is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
catalogsource.operators.coreos.com/ibm-licensing-catalog configured
catalogsource.operators.coreos.com/opencloud-operators-v4-0 created
catalogsource.operators.coreos.com/bts-operator created
catalogsource.operators.coreos.com/cloud-native-postgresql-catalog created
catalogsource.operators.coreos.com/ibm-fncm-operator-catalog created
IBM Operator Catalog source created!
[INFO] Waiting for CP4BA Operator Catalog pod initialization
[INFO] CP4BA Operator Catalog is running...
ibm-cp4a-operator-catalog-8gc2h                                   1/1   Running             0             16s
operatorgroup.operators.coreos.com/ibm-cp4a-operator-catalog-group created
CP4BA Operator Group Created!
subscription.operators.coreos.com/ibm-cp4a-operator-catalog-subscription created
CP4BA Operator Subscription Created!
[INFO] Waiting for CP4BA operator pod initialization
......CP4BA operator is running...
ibm-cp4a-operator-596779864c-z648c
[INFO] Waiting for CP4BA Content operator pod initialization
CP4BA Content operator is running...
ibm-content-operator-84467c8648-s6g9n
Adding the user ocadmin to the ibm-cp4a-operator role...Done!
Label the default namespace to allow network policies to open traffic to the ingress controller using a namespaceSelector...namespace/default labeled
Done
Storage classes are needed to run the deployment script. For the Starter deployment scenario, you may use one (1) storage class.  For an Production deployment, the deployment script will ask for three (3) storage classes to meet the slow, medium, and fast storage for the configuration of CP4BA components.  If you don't have three (3) storage classes, you can use the same one for slow, medium, or fast.  Note that you can get the existing storage class(es) in the environment by running the following command: oc get storageclass. Take note of the storage classes that you want to use for deployment.
NAME                            PROVISIONER                         RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
managed-nfs-storage (default)   redhat-emea-ssa-team/hetzner-ocp4   Delete          Immediate           false                  21h

At this stage, you have a cluster and a project namespace ready for your ODM deployment.

2.2 Following the installation guide for CP4BA 23.0.1 ODM

The next stage is fully explained in the installation PDF guide: CP4BA single-pattern production deployment on ROKS classic and OCP by following installation guides in PDF.

It helps you design, execute, and validate an ODM Bronze topology deployment. The following topics provide you with an overview of the instructions to prepare and install the deployment.

Topic

Awaited action and results

Preparing databases and secrets for your chosen capabilities by running a script

This is an action.
Use the "cert-kubernetes/scripts/cp4a-prerequisites.sh" script to:

  • Create the property files (DB/LDAP/user)

./cp4a-prerequisites.sh -m property

  • Modify the property files – manual action
  • Generate the DB SQL statement file and the YAML template for the secrets of your chosen capability (ODM)

./cp4a-prerequisites.sh -m generate

  • Run the DB scripts against your database servers
  • Create the secrets in your project namespace

./cp4ba-prerequisites/create_secret.sh

  • Validate your DB / LDAP connections and secrets

./cp4a-prerequisites.sh -m validate

Preparing to install Operational Decision Manager

This is a decision to be made.

For a Bronze installation, we recommend including all ODM components in the same project namespace.

Creating a production deployment

This is an action.

Follow the instructions to generate an ODM Bronze topology CR YAML file by running the "cert-kubernetes/scripts/cp4a-deployment.sh" script.

A custom resource file is created at scripts/generated-cr/ibm_cp4a_cr_final.yaml.

In the generated CR YAML file, check the custom resource parameter values which have been filled in for you by the script:

- Check the data source,

- Check the LDAP configuration,

- Check the ODM configuration,

as explained in the « Checking and completing your custom resource » section.

Some modifications can be done to the generated CR YAML file. Use the following table to help you identify the customizable parameters. 

Action | Parameter | New value
Replace | metadata.name | A meaningful name, which is the name of your ICP4ACluster instance, e.g. odmbronze
Delete | spec.shared_configuration.sc_iam.default_admin_username |
Update | spec.odm_configuration.deployment_profile_size | Possible values are: small, medium, and large. To compute the best size, see System requirements.

Having modified the custom resource parameters, proceed with the deployment as explained in « Deploying the custom resource you created with the deployment script ». At this stage, the ICP4ACluster instance that you named odmbronze is created. After a couple of reconcile loops of the CP4BA operator, you can verify the deployment.

Some basic tuning can be done on the foundation layer to maximize ODM capabilities. Follow the instructions below.

Update

oc patch zenservice iaf-zen-cpdservice --type=json -p '[{ "op": "replace", "path": "/spec/scaleConfig", "value": "<size>" }]'

It is recommended that you set the IBM Cloud Platform UI (Zen) service to the same size as Cloud Pak for Business Automation. The possible values are small, medium, and large.

Update

oc patch CommonService common-service -n $NAMESPACE --type=json -p '[{ "op": "replace", "path": "/spec/size", "value": "small" }]'

It is recommended that you set the IBM Common Services to small, as it has no impact on ODM capabilities.

3. Validation

To ensure that the environment works correctly at CP4BA level, follow the steps in “Validating your production deployment”.  Additional validations can be done at ODM level using Validate your ODM topology - 23.0.1.  To review the installed ODM services and also install Rule Designer, see “Completing post-installation tasks for Operational Decision Manager”.

Lastly, here is a sample CR YAML file for an ODM Bronze topology with an external DB2 database over SSL and Active Directory LDAP:

# Values shown as "*****" or '***' are redacted; replace them with your own.
apiVersion: icp4a.ibm.com/v1
kind: ICP4ACluster
metadata:
  name: odmbronze
  labels:
    app.kubernetes.io/instance: ibm-dba
    app.kubernetes.io/managed-by: ibm-dba
    app.kubernetes.io/name: ibm-dba
    release: 23.0.1
spec:
  appVersion: 23.0.1
  ibm_license: accept
  shared_configuration:
    sc_deployment_license: production
    sc_deployment_context: "CP4A"
    sc_image_repository: cp.icr.io
    root_ca_secret: icp4a-root-ca
    sc_deployment_patterns: "foundation,decisions"
    sc_optional_components: "decisionCenter,decisionRunner,decisionServerRuntime"
    sc_deployment_type: "Production"
    sc_deployment_platform: "OCP"
    sc_deployment_profile_size: medium
    trusted_certificate_list: []
    storage_configuration:
      sc_slow_file_storage_classname: managed-nfs-storage
      sc_medium_file_storage_classname: managed-nfs-storage
      sc_fast_file_storage_classname: managed-nfs-storage
      sc_block_storage_classname: managed-nfs-storage
    image_pull_secrets:
    - admin.registrykey

  ## The beginning section of LDAP configuration for CP4A
  ldap_configuration:
    lc_selected_ldap_type: Microsoft Active Directory
    lc_ldap_server: "*****"
    lc_ldap_port: '***'
    lc_bind_secret: topology-ad-ldap-bind-secret
    lc_ldap_base_dn: "*****"
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: topology-ad-ldap-ssl-cert
    lc_ldap_user_name_attribute: "*****"
    lc_ldap_user_display_name_attr: cn
    lc_ldap_group_base_dn: "*****"
    lc_ldap_group_name_attribute: "*:cn"
    lc_ldap_group_display_name_attr: cn
    lc_ldap_group_membership_search_filter: "*****"
    lc_ldap_group_member_id_map: "*****"
    ad:
      lc_ad_gc_host: "*****"
      lc_ad_gc_port: '***'
    tds:
      lc_user_filter: "(&(cn=%v)(objectclass=person))"
      lc_group_filter: "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"

  ## The beginning section of database configuration for CP4A
  datasource_configuration:
    dc_ssl_enabled: true
    dc_icn_datasource:
      database_ssl_secret_name: ''
      dc_hadr_retry_interval_for_client_reroute: 15
      dc_hadr_max_retries_for_client_reroute: 3
      database_port: '***'
      dc_common_icn_datasource_name: ECMClientDS
      dc_hadr_standby_port: ''
      database_name: "*****"
      database_servername: "*****"
      dc_hadr_validation_timeout: 15
      dc_oracle_icn_jdbc_url: ''
      dc_hadr_standby_servername: ''
      dc_database_type: db2
    dc_odm_datasource:
      database_servername: "*****"
      dc_common_database_name: "*****"
      dc_common_database_instance_secret: topology-odm-db-secret
      dc_common_database_port: '***'
      dc_common_ssl_enabled: true
      dc_database_type: db2
      dc_ssl_secret_name: topology-db2-ssl-cert-for-odm

  ########################################################################
  ########      IBM Operational Decision Manager configuration    ########
  ########################################################################
  odm_configuration:
    decisionCenter:
      enabled: true
    decisionServerRuntime:
      enabled: true
    decisionRunner:
      enabled: true
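
The "check the LDAP configuration" and "check the data source" steps of section 2.2 can be scripted for the TLS parameters. The following is an added example, not part of the article's original text or of the CP4BA scripts; the function names and the two inline CR fragments are constructed for illustration, and it assumes each key it looks up occurs once in the file, as in the sample CR above.

```sh
#!/bin/sh
# Added example, not part of the CP4BA scripts: lint the TLS-related
# parameters of a generated CR before it is applied.
# Assumption: each key looked up occurs once in the file, as in the sample CR.

# cr_value FILE KEY: print the scalar of the first "KEY:" line, unquoted.
cr_value() {
  v=$(awk -v key="$2" '$1 == (key ":") {
        sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+#.*$/, ""); sub(/[ \t]+$/, "")
        print; exit }' "$1")
  v=${v#[\"\']}; v=${v%[\"\']}
  printf '%s\n' "$v"
}

# check_tls_pair FILE FLAG_KEY SECRET_KEY: return 0 only if the flag is true
# and a certificate secret is named; otherwise print a finding and return 1.
check_tls_pair() {
  flag=$(cr_value "$1" "$2"); secret=$(cr_value "$1" "$3")
  if [ "$flag" != "true" ]; then
    echo "FAIL $2 is '${flag:-unset}': traffic is not encrypted"; return 1
  fi
  if [ -z "$secret" ]; then
    echo "FAIL $2 is true but $3 is empty"; return 1
  fi
  echo "OK   $2 is true, certificate secret: $secret"
}

# lint_cr FILE: check the LDAP and ODM database connections; 0 if both pass.
lint_cr() {
  rc=0
  check_tls_pair "$1" lc_ldap_ssl_enabled lc_ldap_ssl_secret_name || rc=1
  check_tls_pair "$1" dc_common_ssl_enabled dc_ssl_secret_name || rc=1
  return $rc
}

tmp=$(mktemp -d)
# Constructed input 1: the TLS settings of the sample CR in this article.
cat > "$tmp/good.yaml" <<'EOF'
  ldap_configuration:
    lc_ldap_ssl_enabled: true
    lc_ldap_ssl_secret_name: topology-ad-ldap-ssl-cert
  datasource_configuration:
    dc_odm_datasource:
      dc_common_ssl_enabled: true
      dc_ssl_secret_name: topology-db2-ssl-cert-for-odm
EOF
# Constructed input 2: clear-text LDAP, and DB TLS with no certificate secret.
cat > "$tmp/weak.yaml" <<'EOF'
  ldap_configuration:
    lc_ldap_ssl_enabled: false
    lc_ldap_ssl_secret_name: ''
  datasource_configuration:
    dc_odm_datasource:
      dc_common_ssl_enabled: true
      dc_ssl_secret_name: ''
EOF
lint_cr "$tmp/good.yaml" || echo "good.yaml: review the findings above"
lint_cr "$tmp/weak.yaml" || echo "weak.yaml: review the findings above"
```

Run `lint_cr scripts/generated-cr/ibm_cp4a_cr_final.yaml` on the generated file, then confirm that each secret it names exists in the project with `oc get secret <name> -n bronze`.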
