diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml new file mode 100644 index 00000000..6acb504b --- /dev/null +++ b/.github/workflows/check-links.yml @@ -0,0 +1,25 @@ +name: Check Markdown links + +#on: +# push: +# branches: +# - master +# pull_request: +# branches: [master] +on: push +jobs: + markdown-link-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: technote-space/get-diff-action@v6 + with: + PATTERNS: | + **/**.md + + - uses: gaurav-nelson/github-action-markdown-link-check@v1 + with: + use-quiet-mode: 'yes' + use-verbose-mode: 'yes' + config-file: '.md_check_config.json' + diff --git a/.gitignore b/.gitignore index 92e8a8c1..3044f462 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *.iml output +/.vscode diff --git a/.md_check_config.json b/.md_check_config.json new file mode 100644 index 00000000..a59c004f --- /dev/null +++ b/.md_check_config.json @@ -0,0 +1,9 @@ +{ + "replacementPatterns": [ + { + "pattern": "^/LICENSE", + "replacement": "{{BASEURL}}/LICENSE" + } + ], + "timeout": "20s" + } \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 34ade528..a9390a04 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -244,7 +244,7 @@ request. [help documentation]: http://help.github.com/send-pull-requests -[bug database]: ../../issues +[bug database]: https://github.com/DecisionsDev/odm-docker-kubernetes/issues [ml-users]: mailto:odmdev_open_source_user@wwpdl.vnet.ibm.com [Creating a Pull Request]: https://help.github.com/articles/creating-a-pull-request [Fork a Repo]: https://help.github.com/articles/fork-a-repo diff --git a/README.md b/README.md index 4721cfd6..df0a3218 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,9 @@ # IBM-ODM-Kubernetes IBM Operational Decision Manager on Certified Kubernetes - [![GitHub release](https://img.shields.io/github/release/ODMDev/odm-docker-kubernetes.svg)](https://github.com/ODMDev/odm-docker-kubernetes/releases) ![GitHub last commit](https://img.shields.io/github/last-commit/ODMDev/odm-docker-kubernetes) -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0) [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/ibm-odm-charts)](https://artifacthub.io/packages/search?repo=ibm-odm-charts) @@ -45,7 +44,7 @@ Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/authentication/AzureAD/README.md b/authentication/AzureAD/README.md index 3d151d16..6da109f5 100644 --- a/authentication/AzureAD/README.md +++ b/authentication/AzureAD/README.md @@ -2,35 +2,16 @@ -- [Configuration of ODM with Azure AD](#configuration-of-odm-with-azure-ad) -- [Introduction](#introduction) - - [What is Azure AD?](#what-is-azure-ad) - - [About this task](#about-this-task) - - [ODM OpenID flows](#odm-openid-flows) - - [Prerequisites](#prerequisites) - - [Create an Azure AD account](#create-an-azure-ad-account) -- [Configure an Azure AD instance for ODM Part 1](#configure-an-azure-ad-instance-for-odm-part-1) - - [Log into the Azure AD instance](#log-into-the-azure-ad-instance) - - [Manage groups and users](#manage-groups-and-users) - - [Set up an application](#set-up-an-application) -- [Deploy ODM on a container configured with Azure AD Part 2](#deploy-odm-on-a-container-configured-with-azure-ad-part-2) - - [Prepare your environment for the ODM installation](#prepare-your-environment-for-the-odm-installation) - - [Create a secret to use the Entitled Registry](#create-a-secret-to-use-the-entitled-registry) - - [Create secrets to configure ODM with Azure AD](#create-secrets-to-configure-odm-with-azure-ad) - - [Install your ODM Helm release](#install-your-odm-helm-release) - - [Add the public IBM Helm charts repository](#add-the-public-ibm-helm-charts-repository) - - [Check that you can access the ODM chart](#check-that-you-can-access-the-odm-chart) - - [Run the helm install command](#run-the-helm-install-command) - - [a. Installation on OpenShift using Routes](#a-installation-on-openshift-using-routes) - - [b. Installation using Ingress](#b-installation-using-ingress) - - [Complete post-deployment tasks](#complete-post-deployment-tasks) - - [Register the ODM redirect URLs](#register-the-odm-redirect-urls) - - [Access the ODM services](#access-the-odm-services) - - [Set up Rule Designer](#set-up-rule-designer) - - [Getting Started with IBM Operational Decision Manager for Containers](#getting-started-with-ibm-operational-decision-manager-for-containers) - - [Calling the ODM Runtime Service](#calling-the-odm-runtime-service) -- [Troubleshooting](#troubleshooting) -- [License](#license) +- [What is Azure AD?](#what-is-azure-ad) +- [About this task](#about-this-task) +- [ODM OpenID flows](#odm-openid-flows) +- [Prerequisites](#prerequisites) +- [Log into the Azure AD instance](#log-into-the-azure-ad-instance) +- [Manage groups and users](#manage-groups-and-users) +- [Set up an application](#set-up-an-application) +- [Prepare your environment for the ODM installation](#prepare-your-environment-for-the-odm-installation) +- [Install your ODM Helm release](#install-your-odm-helm-release) +- [Complete post-deployment tasks](#complete-post-deployment-tasks) @@ -47,7 +28,7 @@ Azure Active Directory ([Azure AD](https://azure.microsoft.com/en-us/services/ac You need to create a number of secrets before you can install an ODM instance with an external OIDC provider such as the Azure AD service, and use web application single sign-on (SSO). The following diagram shows the ODM services with an external OIDC provider after a successful installation. -![ODM web application SSO](/images/AzureAD/diag_azuread_interaction.jpg) +![ODM web application SSO](images/diag_azuread_interaction.jpg) The following procedure describes how to manually configure ODM with an Azure AD service. @@ -65,15 +46,15 @@ Terminology: The Authorization Code flow is best used by server-side apps in which the source code is not publicly exposed. The apps must be server-side because the request that exchanges the authorization code for a token requires a client secret, which has to be stored in your client. However, the server-side app requires an end user because it relies on interactions with the end user's web browser which redirects the user and then receives the authorization code. -![Authentication flow](/images/AzureAD/AuthenticationFlow.png) (© Microsoft) +![Authentication flow](images/AuthenticationFlow.png) (© Microsoft) The Client Credentials flow is intended for server-side (AKA "confidential") client applications with no end user, which normally describes machine-to-machine communication. The application must be server-side because it must be trusted with the client secret, and since the credentials are hard-coded, it cannot be used by an actual end user. It involves a single, authenticated request to the token endpoint which returns an access token. -![Azure AD Client Credential Flow](/images/AzureAD/ClientCredential.png) (© Microsoft) +![Azure AD Client Credential Flow](images/ClientCredential.png) (© Microsoft) The Microsoft identity platform supports the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant, which allows an application to sign in the user by directly handling their password. Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows cannot be used. -![Azure AD Password Flow](/images/AzureAD/PasswordFlow.png) (© Microsoft) +![Azure AD Password Flow](images/PasswordFlow.png) (© Microsoft) ## Prerequisites @@ -113,11 +94,11 @@ After activating your account by email, you should have access to your Aure AD i * Membership type: Assigned * Click **Create** - ![Add Group](/images/AzureAD/NewGroup.png) + ![Add Group](images/NewGroup.png) In **Azure Active Directory** / **Groups** take note of the Object ID. It will be referenced as ``GROUP_ID`` later in this tutorial. - ![GroupID](/images/AzureAD/GroupID.png) + ![GroupID](images/GroupID.png) 2. Create at least one user that belongs to this new group. @@ -135,8 +116,8 @@ After activating your account by email, you should have access to your Aure AD i * Click **Review + create** and then **Create**. - ![New User Basics](/images/AzureAD/NewUserBasics.png) - ![New User Assignments](/images/AzureAD/NewUserAssignments.png) + ![New User Basics](images/NewUserBasics.png) + ![New User Assignments](images/NewUserAssignments.png) * Click the **myodmuser** user previously created * Edit properties @@ -157,7 +138,7 @@ After activating your account by email, you should have access to your Aure AD i * Supported account types / Who can use this application or access this API?: select `Accounts in this organizational directory only (Default Directory only - Single tenant)` * Click **Register** - ![New Web Application](/images/AzureAD/RegisterApp.png) + ![New Web Application](images/RegisterApp.png) 2. Generate an OpenID client secret. @@ -218,7 +199,7 @@ After activating your account by email, you should have access to your Aure AD i * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps. * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps. - ![Tenant ID](/images/AzureAD/GetTenantID.png) + ![Tenant ID](images/GetTenantID.png) 7. Check the configuration. @@ -407,7 +388,7 @@ After activating your account by email, you should have access to your Aure AD i ```shell helm search repo ibm-odm-prod - NAME CHART VERSION APP VERSION DESCRIPTION + NAME CHART VERSION APP VERSION DESCRIPTION ibm-helm/ibm-odm-prod 23.1.0 8.12.0.0 IBM Operational Decision Manager ``` @@ -416,9 +397,9 @@ After activating your account by email, you should have access to your Aure AD i You can now install the product. We will use the PostgreSQL internal database and disable the data persistence (`internalDatabase.persistence.enabled=false`) to avoid any platform complexity concerning persistent volume allocation. #### a. Installation on OpenShift using Routes - + See the [Preparing to install](https://www.ibm.com/docs/en/odm/8.12.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information. - + ```shell helm install my-odm-release ibm-helm/ibm-odm-prod \ --set image.repository=cp.icr.io/cp/cp4a/odm --set image.pullSecrets=icregistry-secret \ @@ -431,14 +412,14 @@ You can now install the product. We will use the PostgreSQL internal database an ``` #### b. Installation using Ingress - + Refer to the following documentation to install an NGINX Ingress Controller on: - [Microsoft Azure Kubernetes Service](../../platform/azure/README.md#create-a-nginx-ingress-controller) - [Amazon Elastic Kubernetes Service](../../platform/eks/README-NGINX.md) - [Google Kubernetes Engine](../../platform/gcloud/README_NGINX.md) - + When the NGINX Ingress Controller is ready, you can install the ODM release with: - + ``` helm install my-odm-release ibm-helm/ibm-odm-prod \ --set image.repository=cp.icr.io/cp/cp4a/odm --set image.pullSecrets=icregistry-secret \ @@ -519,7 +500,7 @@ You can now install the product. We will use the PostgreSQL internal database an - Repeat the previous steps for all other redirect URIs. - Click **Save** at the bottom of the page. - ![Add URI](/images/AzureAD/AddURI.png) + ![Add URI](images/AddURI.png) ### Access the ODM services @@ -567,11 +548,11 @@ To manage ODM runtime call on the next steps, we used the [Loan Validation Decis Import the **Loan Validation Service** in Decision Center connected as John Doe -![Import project](/images/Keycloak/import_project.png) +![Import project](../Keycloak/images/import_project.png) Deploy the **Loan Validation Service** production_deployment ruleapps using the **production deployment** deployment configuration in the Deployments>Configurations tab. -![Deploy project](/images/Keycloak/deploy_project.png) +![Deploy project](../Keycloak/images/deploy_project.png) You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). diff --git a/images/AzureAD/AddURI.png b/authentication/AzureAD/images/AddURI.png similarity index 100% rename from images/AzureAD/AddURI.png rename to authentication/AzureAD/images/AddURI.png diff --git a/images/AzureAD/AuthenticationFlow.png b/authentication/AzureAD/images/AuthenticationFlow.png similarity index 100% rename from images/AzureAD/AuthenticationFlow.png rename to authentication/AzureAD/images/AuthenticationFlow.png diff --git a/images/AzureAD/ClientCredential.png b/authentication/AzureAD/images/ClientCredential.png similarity index 100% rename from images/AzureAD/ClientCredential.png rename to authentication/AzureAD/images/ClientCredential.png diff --git a/images/AzureAD/ClientID.png b/authentication/AzureAD/images/ClientID.png similarity index 100% rename from images/AzureAD/ClientID.png rename to authentication/AzureAD/images/ClientID.png diff --git a/images/AzureAD/GetTenantID.png b/authentication/AzureAD/images/GetTenantID.png similarity index 100% rename from images/AzureAD/GetTenantID.png rename to authentication/AzureAD/images/GetTenantID.png diff --git a/images/AzureAD/GroupID.png b/authentication/AzureAD/images/GroupID.png similarity index 100% rename from images/AzureAD/GroupID.png rename to authentication/AzureAD/images/GroupID.png diff --git a/images/AzureAD/NewGroup.png b/authentication/AzureAD/images/NewGroup.png similarity index 100% rename from images/AzureAD/NewGroup.png rename to authentication/AzureAD/images/NewGroup.png diff --git a/images/AzureAD/NewUserAssignments.png b/authentication/AzureAD/images/NewUserAssignments.png similarity index 100% rename from images/AzureAD/NewUserAssignments.png rename to authentication/AzureAD/images/NewUserAssignments.png diff --git a/images/AzureAD/NewUserBasics.png b/authentication/AzureAD/images/NewUserBasics.png similarity index 100% rename from images/AzureAD/NewUserBasics.png rename to authentication/AzureAD/images/NewUserBasics.png diff --git a/images/AzureAD/PasswordFlow.png b/authentication/AzureAD/images/PasswordFlow.png similarity index 100% rename from images/AzureAD/PasswordFlow.png rename to authentication/AzureAD/images/PasswordFlow.png diff --git a/images/AzureAD/RedirectURL.png b/authentication/AzureAD/images/RedirectURL.png similarity index 100% rename from images/AzureAD/RedirectURL.png rename to authentication/AzureAD/images/RedirectURL.png diff --git a/images/AzureAD/RegisterApp.png b/authentication/AzureAD/images/RegisterApp.png similarity index 100% rename from images/AzureAD/RegisterApp.png rename to authentication/AzureAD/images/RegisterApp.png diff --git a/images/AzureAD/diag_azuread_interaction.ai b/authentication/AzureAD/images/diag_azuread_interaction.ai similarity index 100% rename from images/AzureAD/diag_azuread_interaction.ai rename to authentication/AzureAD/images/diag_azuread_interaction.ai diff --git a/images/AzureAD/diag_azuread_interaction.jpg b/authentication/AzureAD/images/diag_azuread_interaction.jpg similarity index 100% rename from images/AzureAD/diag_azuread_interaction.jpg rename to authentication/AzureAD/images/diag_azuread_interaction.jpg diff --git a/authentication/Keycloak/README.md b/authentication/Keycloak/README.md index 84d02146..dfe672b2 100644 --- a/authentication/Keycloak/README.md +++ b/authentication/Keycloak/README.md @@ -1,36 +1,38 @@ # Configuration of ODM with Keycloak - -## Table of Contents -- [Introduction](#introduction) - - [What is Keycloak?](#what-is-keycloak) - - [About this task](#about-this-task) - - [ODM OpenID flows](#odm-openid-flows) - - [Prerequisites](#prerequisites) - - [Install a Keycloak instance](#install-a-keycloak-instance) -- [Configure a Keycloak instance for ODM (Part 1)](#configure-a-keycloak-instance-for-odm-part-1) - - [Log into the Keycloak Admin Console](#log-into-the-keycloak-admin-console) - - [Create a dedicated odm realm](#create-a-dedicated-odm-realm) - - [Manage roles, groups, and users](#manage-roles-groups-and-users) - - [Set up the client](#set-up-the-client) -- [Deploy ODM on a container configured with Keycloak (Part 2)](#deploy-odm-on-a-container-configured-with-keycloak-part-2) - - [Prepare your environment for the ODM installation](#prepare-your-environment-for-the-odm-installation) - - [Create a secret to use the Entitled Registry](#create-a-secret-to-use-the-entitled-registry) - - [Create secrets to configure ODM with Keycloak](#create-secrets-to-configure-odm-with-keycloak) - - [Install your ODM Helm release](#install-your-odm-helm-release) - - [1. Add the public IBM Helm charts repository](#1-add-the-public-ibm-helm-charts-repository) - - [2. Check that you can access the ODM chart](#2-check-that-you-can-access-the-odm-chart) - - [3. Run the `helm install` command](#3-run-the-helm-install-command) - - [a. Installation on OpenShift using Routes](#a-installation-on-openshift-using-routes) - - [b. Installation using Ingress](#b-installation-using-ingress) - - [Complete post-deployment tasks](#complete-post-deployment-tasks) - - [Register the ODM redirect URL](#register-the-odm-redirect-url) - - [Access the ODM services](#access-the-odm-services) - - [Set up Rule Designer](#set-up-rule-designer) - - [Getting Started with IBM Operational Decision Manager for Containers](#getting-started-with-ibm-operational-decision-manager-for-containers) - - [Calling the ODM Runtime Service](#calling-the-odm-runtime-service) -- [Troubleshooting](#troubleshooting) -- [License](#license) + + +- Configuration of ODM with Keycloak +- Introduction + - What is Keycloak? + - About this task + - ODM OpenID flows + - Prerequisites + - Install a Keycloak instance +- Configure a Keycloak instance for ODM (Part 1) + - Log into the Keycloak Admin Console + - Create a dedicated odm realm + - Manage roles, groups, and users + - Set up the client +- Deploy ODM on a container configured with Keycloak (Part 2) + - Prepare your environment for the ODM installation + - Create a secret to use the Entitled Registry + - Create secrets to configure ODM with Keycloak + - Install your ODM Helm release + - Add the public IBM Helm charts repository + - Check that you can access the ODM chart + - Run the `helm install` command + - a. Installation on OpenShift using Routes + - b. Installation using Ingress + - Complete post-deployment tasks + - Register the ODM redirect URL + - Access the ODM services + - Set up Rule Designer + - Getting Started with IBM Operational Decision Manager for Containers + - Calling the ODM Runtime Service +- Troubleshooting +- License + # Introduction @@ -50,7 +52,7 @@ An other tutorial explains how to manage [fine grain permission with Decision Ce You need to create a number of secrets before you can install an ODM instance with an external OIDC provider such as the Keycloak service, and use web application single sign-on (SSO). The following diagram shows the ODM services with an external OIDC provider after a successful installation. -![ODM web application SSO](/images/Keycloak/diag_keycloak_interaction.jpg) +![ODM web application SSO](images/diag_keycloak_interaction.jpg) The following procedure describes how to manually configure ODM with a Keycloak service. @@ -69,16 +71,15 @@ Terminology: The [Authorization Code flow](https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc-auth-flows-authorization) is best used by server-side apps where the source code is not publicly exposed. The apps must be server-side because the request that exchanges the authorization code for a token requires a client secret, which has to be stored in your client. However, the server-side app requires an end user because it relies on interactions with the end user's web browser, which redirects the user and then receives the authorization code. - -![Authentication flow](/images/Okta/Authentication_flow.png) (© Okta) +![Authentication flow](../Okta/images/Authentication_flow.png) (© Okta) The [Client Credentials flow](https://www.keycloak.org/docs/latest/server_admin/index.html#_client_credentials_grant) is intended for server-side (AKA "confidential") client applications with no end user, which normally describes machine-to-machine communication. The application must be server-side because it must be trusted with the client secret, and since the credentials are hard-coded, it cannot be used by an actual end user. It involves a single, authenticated request to the token endpoint, which returns an access token. -![Client Credential Flow](/images/Okta/oauth_client_creds_flow.png) (© Okta) +![Client Credential Flow](../Okta/images/oauth_client_creds_flow.png) (© Okta) The resource owner password flow allows an application to sign in a user by directly handling their password. It is not recommended to use this flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows cannot be used. -![Password Flow](/images/Okta/password_flow.png) (© Okta) +![Password Flow](../Okta/images/password_flow.png) (© Okta) ## Prerequisites @@ -86,8 +87,8 @@ You need the following elements: - [Helm v3](https://helm.sh/docs/intro/install/) - [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) -- Access to an Operational Decision Manager product -- Access to a CNCF Kubernetes cluster +- Access to an Operational Decision Manager product +- Access to a CNCF Kubernetes cluster - A Keycloak Instance ### Install a Keycloak instance @@ -96,8 +97,11 @@ We have tested with a Keycloak instance (version 21.1.1) that is installed on O If you already have an Openshift cluster, you can skip the section [Before you start](https://www.keycloak.org/getting-started/getting-started-openshift#_before_you_start) and use the following steps: - oc login to your cluster -- Create a namespace "keycloak": 
 oc new-project keycloak -- Continue from the section [Start Keycloak](https://www.keycloak.org/getting-started/getting-started-openshift#_start_keycloak)
 +- Create a namespace "keycloak": + ```shell + oc new-project keycloak + ``` +- Continue from the section [Start Keycloak](https://www.keycloak.org/getting-started/getting-started-openshift#_start_keycloak) If you want to install on another Kubernetes platform, follow these instructions: [Get started with Keycloak on Kubernetes](https://www.keycloak.org/getting-started/getting-started-kube). @@ -131,12 +135,12 @@ But to avoid getting mixing up with existing configurations, it is preferable to 1. Create an odm realm On the Main page, click **Master**: - * Click **Create Realm** + * Click **Create Realm** * Realm Name: *odm* * Enabled: On * Click **Create** - - ![Create Realm](/images/Keycloak/create_realm.png) + + ![Create Realm](images/create_realm.png) ## Manage roles, groups, and users @@ -152,7 +156,7 @@ You can also create groups and do a mapping between groups and roles. This way, * Role name: *rtsAdministrators* * Click **Save** - ![Create Roles](/images/Keycloak/create_roles.png) + ![Create Roles](images/create_roles.png) Do the same for the other ODM J2EE roles: * rtsConfigManagers @@ -169,10 +173,10 @@ You can also create groups and do a mapping between groups and roles. This way, 2. Create a group for ODM administrators. In Menu **Manage** / **Groups**: - * Click **Create group** + * Click **Create group** * Name: *odm-admin* - ![Create Group](/images/Keycloak/create_group.png) + ![Create Group](images/create_group.png) In Menu **Manage** / **Groups**: * Click **Create odm-admin** @@ -181,12 +185,12 @@ You can also create groups and do a mapping between groups and roles. This way, * Select all previously created ODM roles * Click **Assign** - ![Assign Roles](/images/Keycloak/assign_roles.png) + ![Assign Roles](images/assign_roles.png) 3. Create at least one user that belongs to this new group. In Menu **Manage** / **Users**: - * Click **Create new user** + * Click **Create new user** * Username: ``johndoe@mycompany.com`` * Email: ``johndoe@mycompany.com`` * Email Verified: On @@ -197,26 +201,26 @@ You can also create groups and do a mapping between groups and roles. This way, * Groups : Click **Join Groups** , select ***odm-admin***, and click **Join** * Click **Create** - ![Create User](/images/Keycloak/create_user.png) - - * In User Details, select the **Credentials** tab + ![Create User](images/create_user.png) + + * In User Details, select the **Credentials** tab * Click **Set password** * Fill the Password and Password confirmation fields with **johndoe** - * Temporary: Off + * Temporary: Off * Click *Save Password* * Click Details tab * Click **Save** - + (Optional) Every user is created with a predefined role named **default-roles-**. This role has no interest. So, here is the way to unassign this role. - - * In User Details, select the **Role mapping** tab + + * In User Details, select the **Role mapping** tab * Select **default-roles-** * Click **Unassign** * Click **Remove** - - ![Unassign default role](/images/Keycloak/unassign_default_role.png) - + + ![Unassign default role](images/unassign_default_role.png) + Repeat this step for each user you want to add. ## Set up the client @@ -229,66 +233,67 @@ You can also create groups and do a mapping between groups and roles. This way, * Name: **ODM Application** * Always display in UI: On - ![Create Client 1](/images/Keycloak/create_client_1.png) - + ![Create Client 1](images/create_client_1.png) + * Click **Next** - * Client Authentication: On + * Client Authentication: On * Authorization: On * Click *Save* - ![Create Client 2](/images/Keycloak/create_client_2.png) + ![Create Client 2](images/create_client_2.png) * Click **Credentials** tab * Take a note of the **Client secret** value. It will be referenced as ``CLIENT_SECRET`` in the next steps. - - ![Get Client Secret](/images/Keycloak/client_secret.png) + + ![Get Client Secret](images/client_secret.png) * Click **Service Account Roles** tab * Select all res* and rts* roles in the "Available Roles" list and click on "Add selected" to move it to the "Assigned Roles" list - ![Set Service Account Roles](/images/Keycloak/service_account_roles.png) - + ![Set Service Account Roles](images/service_account_roles.png) + + 2. Add the GROUPS predefined mapper on the ROLES client scope In Menu **Manage** / **Client scopes**, click the existing **roles** scope: * Select the **Mappers** tab * Click **Add mapper>From predefined mappers** - * Search for mapper : **groups** + * Search for mapper : **groups** * Select **groups** * Click *Add* * Click *Settings tab* - * Click *Save* + * Click *Save* - ![Add group mapper](/images/Keycloak/add_group_mapper_to_role_scope.png) + ![Add group mapper](images/add_group_mapper_to_role_scope.png) 3. Retrieve the Keycloak Server URL In Menu **Configure**/**Realm settings**, in the **General** tab, click the **OpenID Endpoint Configuration** link. - Take note of the issuer URL. + Take note of the issuer URL. It will be referenced as ``KEYCLOAK_SERVER_URL`` in the next steps. - + 4. Check the configuration - + Download the [keycloak-odm-script.zip](keycloak-odm-script.zip) file to your machine and unzip it in your working directory. This .zip file contains scripts and templates to verify and set up ODM. - - 7.1 Verify the Client Credentials Token - + + 7.1 Verify the Client Credentials Token + You can request an access token using the Client-Credentials flow to verify the format of the token. - This token is used for the deployment between Decision Cennter and the Decision Server Console: - + This token is used for the deployment between Decision Cennter and the Decision Server Console: + ```shell $ ./get-client-credential-token.sh -i -x -n ``` - + Where: - + - *CLIENT_ID* is your ODM Application, default is **odm**, can be retrieve in the **Manage** / **Clients** menu - *CLIENT_SECRET* is listed in your ODM Application, in the **Credentials** tab - *KEYCLOAK_SERVER_URL* is the issuer that can be retrieved using the **OpenID Endpoint Configuration** link of the **General** tab in the **Configure**/**Realm settings** menu - + By introspecting the access_token value with the online tool [https://jwt.io](https://jwt.io), you should get: - + ``` { .. @@ -297,27 +302,27 @@ You can also create groups and do a mapping between groups and roles. This way, "preferred_username": "service-account-", ... } - ``` - - 7.2 Verify the Client Password Token + ``` + + 7.2 Verify the Client Password Token To check that it has been correctly taken into account, you can request an access token using the Client password flow. This token is used for the invocation of the ODM components like the Decision Center, Decision Server console, and the invocation of the Decision Server Runtime REST API. - + ```shell - $ ./get-user-password-token.sh -i -x -n -u -p + $ ./get-user-password-token.sh -i -x -n -u -p ``` - + Where: - + - *CLIENT_ID* is your ODM Application, default is odm, can be retrieved in the **Manage** / **Clients** menu - *CLIENT_SECRET* is listed in your ODM Application, in the **Credentials** tab - *KEYCLOAK_SERVER_URL* is the issuer that can be retrieved using the **OpenID Endpoint Configuration** link of the **General** tab in the **Configure**/**Realm settings** menu - *USERNAME* *PASSWORD* have been created from 'Create at least one user that belongs to this new group.' section. - + By introspecting the id_token value with the online tool [https://jwt.io](https://jwt.io), you should get: - + ``` { .. @@ -382,11 +387,11 @@ You can also create groups and do a mapping between groups and roles. This way, ``` Where: - KEYCLOAK_SERVER_URL_WITHOUT_HTTPS is KEYCLOAK_SERVER_URL by removing https:// prefix - + 2. Generate the ODM configuration file for Keycloak - - If you have not yet done so, download the [keycloak-odm-script.zip](keycloak-odm-script.zip) file to your machine. This .zip file contains the [script](generateTemplate.sh) and the content of the [templates](templates) directory. + + If you have not yet done so, download the [keycloak-odm-script.zip](keycloak-odm-script.zip) file to your machine. This .zip file contains the [script](generateTemplate.sh) and the content of the [templates](templates) directory. The [script](generateTemplate.sh) allows you to generate the necessary configuration files. Generate the files with the following command: ``` @@ -397,9 +402,9 @@ You can also create groups and do a mapping between groups and roles. This way, - *CLIENT_SECRET* is listed in your ODM Application, section **General** / **Client Credentials** The following four files are generated into the `output` directory: - + - webSecurity.xml contains the mapping between Liberty J2EE ODM roles and Keycloak groups and users: - * rtsAdministrators/resAdministrators/resExecutors ODM roles are given to the CLIENT_ID (which is seen as a user) to manage the client-credentials flow + * rtsAdministrators/resAdministrators/resExecutors ODM roles are given to the CLIENT_ID (which is seen as a user) to manage the client-credentials flow - openIdWebSecurity.xml contains two openIdConnectClient Liberty configurations: * for web access to Decision Center an Decision Server consoles using userIdentifier="preferred_username" with the Authorization Code flow * for the rest-api call using userIdentifier="preferred_username" with the client-credentials flow @@ -428,7 +433,7 @@ You can also create groups and do a mapping between groups and roles. This way, ```shell helm search repo ibm-odm-prod - NAME CHART VERSION APP VERSION DESCRIPTION + NAME CHART VERSION APP VERSION DESCRIPTION ibm-helm/ibm-odm-prod 23.1.0 8.12.0.0 IBM Operational Decision Manager ``` @@ -437,9 +442,9 @@ You can also create groups and do a mapping between groups and roles. This way, You can now install the product. We will use the PostgreSQL internal database and disable data persistence (`internalDatabase.persistence.enabled=false`) to avoid any platform complexity with persistent volume allocation. #### a. Installation on OpenShift using Routes - + See the [Preparing to install](https://www.ibm.com/docs/en/odm/8.12.0?topic=production-preparing-install-operational-decision-manager) documentation for more information. - + ```shell helm install my-odm-release ibm-helm/ibm-odm-prod \ --set image.repository=cp.icr.io/cp/cp4a/odm --set image.pullSecrets=icregistry-secret \ @@ -451,18 +456,18 @@ You can now install the product. We will use the PostgreSQL internal database an --set customization.authSecretRef=keycloak-auth-secret \ --set internalDatabase.runAsUser='' --set customization.runAsUser='' --set service.enableRoute=true ``` - + #### b. Installation using Ingress - + Refer to the following documentation to install an NGINX Ingress Controller on: - [Microsoft Azure Kubernetes Service](../../platform/azure/README.md#create-a-nginx-ingress-controller) - [Amazon Elastic Kubernetes Service](../../platform/eks/README-NGINX.md) - [Google Kubernetes Engine](../../platform/gcloud/README_NGINX.md) - + When the NGINX Ingress Controller is ready, you can install the ODM release with: - + ``` - helm install my-odm-release ibmcharts/ibm-odm-prod \ + helm install my-odm-release ibm-helm/ibm-odm-prod \ --set image.repository=cp.icr.io/cp/cp4a/odm --set image.pullSecrets=icregistry-secret \ --set oidc.enabled=true \ --set license=true \ @@ -478,7 +483,7 @@ You can now install the product. We will use the PostgreSQL internal database an ### Register the ODM redirect URL - + 1. Get the ODM endpoints. Refer to [this documentation](https://www.ibm.com/docs/en/odm/8.12.0?topic=tasks-configuring-external-access) to retrieve the endpoints. For example, on OpenShift you can get the route names and hosts with: @@ -494,13 +499,13 @@ You can now install the product. We will use the PostgreSQL internal database an my-odm-release-odm-ds-console-route my-odm-release-odm-ds-runtime-route ``` - + Using an Ingress, the endpoint is the address of the ODM ingress and is the same for all components. You can get it with: - + ``` kubectl get ingress my-odm-release-odm-ingress ``` - + You get the following ingress address: ``` NAME CLASS HOSTS ADDRESS PORTS AGE @@ -517,7 +522,7 @@ You can now install the product. We will use the PostgreSQL internal database an - Decision Server Console redirect URI: `https:///res/openid/redirect/odm` - Decision Server Runtime redirect URI: `https:///DecisionService/openid/redirect/odm` - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback` - + Using Ingress: - Decision Center redirect URI: `https:///decisioncenter/openid/redirect/odm` - Decision Runner redirect URI: `https:///DecisionRunner/openid/redirect/odm` @@ -525,15 +530,15 @@ You can now install the product. We will use the PostgreSQL internal database an - Decision Server Runtime redirect URI: `https:///DecisionService/openid/redirect/odm` - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback` - From the Keycloak admin console, in **Manage** / **Clients** / **odm** + From the Keycloak admin console, in **Manage** / **Clients** / **odm** - In the tab **Settings** * Add the redirect URIs in the **Valid redirect URIs** field for each components. - + For example, add the Decision Center redirect URI that you got earlier (`https:///decisioncenter/openid/redirect/odm` -- do not forget to replace with your actual host name!) - Click **Save** at the bottom of the page. - ![Add URI](/images/Keycloak/redirect_uris.png) - + ![Add URI](images/redirect_uris.png) + ### Access the ODM services @@ -563,7 +568,7 @@ To be able to securely connect your Rule Designer to the Decision Server and Dec 4. Restart Rule Designer. For more information, refer to [this documentation](https://www.ibm.com/docs/en/odm/8.12.0?topic=designer-importing-security-certificate-in-rule). - + ### Getting Started with IBM Operational Decision Manager for Containers Get hands-on experience with IBM Operational Decision Manager in a container environment by following this [Getting started tutorial](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/README.md). @@ -574,41 +579,41 @@ To manage ODM runtime calls, we use the [Loan Validation Decision Service projec Import the **Loan Validation Service** in Decision Center connected as John Doe. -![Import project](/images/Keycloak/import_project.png) +![Import project](images/import_project.png) Deploy the **Loan Validation Service** production_deployment ruleapps using the **production deployment** deployment configuration in the Deployments>Configurations tab. -![Deploy project](/images/Keycloak/deploy_project.png) +![Deploy project](images/deploy_project.png) You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json). - + As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/8.12.0?topic=access-configuring-user-openid), we advise you to use basic authentication for the ODM runtime call for better performance and to avoid token expiration and revocation. You perform a basic authentication ODM runtime call in the following way: - + ``` $ curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` - + Where `b2RtQWRtaW46b2RtQWRtaW4=` is the base64 encoding of the current username:password odmAdmin:odmAdmin If you want to perform a bearer authentication ODM runtime call using the Client Credentials flow, you must get a bearer access token: - + ``` $ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ -d 'client_id=&scope=openid&client_secret=&grant_type=client_credentials' \ '/protocol/openid-connect/token' ``` - + And use the retrieved access token in the following way: - + ``` $ curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Bearer " \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 - ``` + ``` # Troubleshooting diff --git a/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md b/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md index e01917f6..a8001c8c 100644 --- a/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md +++ b/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md @@ -27,14 +27,14 @@ # Introduction -ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/8.11.1?topic=center-managing-users-groups-from-business-console) in order to set access security on specific projects. +ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/8.11.1?topic=center-managing-users-groups-from-business-console) in order to set access security on specific projects. The Groups and Users import can be done using an LDAP connection. But, if the openId server also provides a SCIM server, then it can also be managed using a SCIM connection. Keycloak server doesn't provide a SCIM server by default. But, it's possible to manage it using the following opensource contribution [https://github.com/Captain-P-Goldfish/scim-for-keycloak](https://github.com/Captain-P-Goldfish/scim-for-keycloak). As the project [https://scim-for-keycloak.de/](https://scim-for-keycloak.de) will become Enterprise ready soon, we realized this tutorial using the last available open source version : kc-20-b1 for Keycloak 20.0.5. -# Deploy on OpenShift a custom Keycloak service with a SCIM Server +# Deploy on OpenShift a custom Keycloak service with a SCIM Server ## Build the Keycloak docker image embbeding the open source SCIM plug-in @@ -79,7 +79,7 @@ Note: To avoid an error on the image push, perhaps you will have to add $REGISTR ## Deploy Keycloak Service using the keycloak-scim image - Get the [keycloak.yaml](https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/openshift/keycloak.yaml) file -- Replace the provided image: input using image-registry.openshift-image-registry.svc:5000/keycloak2/keycloak-scim:latest +- Replace the provided image: input using image-registry.openshift-image-registry.svc:5000/\/keycloak-scim:latest ```shell ... @@ -155,7 +155,7 @@ oc exec -ti bash -- ldapsearch -x -Z -H ldap://ldap-service..svc:389 (PROJECT is the name of the current project) * Bind type: simple @@ -199,7 +199,7 @@ oc exec -ti bash -- ldapsearch -x -Z -H ldap://ldap-service. bash -- ldapsearch -x -Z -H ldap://ldap-service. bash -- ldapsearch -x -Z -H ldap://ldap-service. bash -- ldapsearch -x -Z -H ldap://ldap-service. bash -- ldapsearch -x -Z -H ldap://ldap-service. ```shell - $ curl -k -H "Authorization: Bearer " /scim/v2/Groups + $ curl -k -H "Authorization: Bearer " /scim/v2/Groups ``` - - Result should looks like : + + Result should looks like : ```shell {"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":10,"itemsPerPage":10,"startIndex":1,"Resources":[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"id":"ef20202e-20e3-44f3-8d70-b1cf2d2c2d7d","displayName":"ADPEnvironmentOwners","members":[{"value":"35560439-88a3-4a56-bb67-384f024bfd7a","$ref":"https://9.46.78.129:8443/realms/odm/scim/v2/Users/35560439-88a3-4a56-bb67-384f024bfd7a","type":"User"},{"value":"7d995178-294a-4175-91f4-43cd9f5906aa","$ref":"https://9.46.78.129:8443/realms/odm/scim/v2/Users/7d995178-294a-4175-91f4-43cd9f5906aa","type":"User"},{"value":"6c74e271-ae1c-4849-aa67-8351f1c816c5","$ref":"https://9.46.78.129:8443/realms/odm/scim/v2/Users/6c74e271-ae1c-4849-aa67-8351f1c816c5","type":"User"}],"meta":{"resourceType":"Group","created":"2023-08-09T13:09:44.164Z","lastModified":"2023-08-09T13:09:44.164Z","location":"https://9.46.78.129:8443/realms/odm/scim/v2/Groups/ef20202e-20e3-44f3-8d70-b1cf2d2c2d7d"}},{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"id":"f671e618-ef45-41d4-bd0b-c134536edf45","displayName":"CE_EnvironmentOwners","members":[{"value":"35560439-88a3-4a56-bb67-384f024bfd7a","$ref":"https://9.46.78.129:8443/realms/odm/scim/v2/Users/35560439-88a3-4a56-bb67-384f024bfd7a","type":"User"}],"meta":{"resourceType":"Group","created":"2023-08-09T13:09:44.207Z","lastModified":"2023-08-09T13:09:44.207Z","location":"https://9.46.78.129:8443/realms/odm/scim/v2/Groups/f671e618-ef45-41d4-bd0b-c134536edf45"}},{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"id":"7f767eac-0950-4e71-b2ec-b9e04a10be04","displayName":"GeneralUsers","members":[{"value":"88094536-a059-4383-8bf4-1dcb65457bb9","$ref":"https://9.46.78.129:8443/realms/odm/scim/v2/Users/88094536-a059-4383-8bf4-1dcb65457bb9","type":"User"},{"value":"94a6b972-04aa-4394-89b8-f16a875fe54d","$ref":"https://9.46.78.129:8443/realms/odm/scim/v2/Users/94a6b972-04aa-4394-89b8-f16a875fe54d","type":"User"},{"value":"9a37726a-2a69-4f97-a892-ef38d566c94f","$ref":"https://9.46.78.129:8443/realms/odm/scim/v2/Users/9a37726a-2a69-4f97-a892-ef38d566c94f","type":"User"},{"value":"35774b15-42bc-4c05-bcc9-145fbf075ace","$ref":"https://9.46.78.129:8443/realms/odm/scim/v2/Users/35774b15-42bc-4c05-bcc9-145fbf075ace","type":"User"}, @@ -321,10 +321,10 @@ oc exec -ti bash -- ldapsearch -x -Z -H ldap://ldap-service.Groups Tab - Double-Click on TaskAdmins - Select the Role Mappings Tab - - Select all rts*** roles in the "Available Roles" list and click on "Add selected" to move it to the "Assigned Roles" list + - Select all rts*** roles in the "Available Roles" list and click on "Add selected" to move it to the "Assigned Roles" list + + ![Assign Admin Roles](images/assign_rtsadministrators_role.png) - ![Assign Admin Roles](/images/Keycloak/assign_rtsadministrators_role.png) +We also need to declare TaskAuditors and TaskUsers groups having rtsUSers roles. If you dn't do this, users are not authorized to login into the Business Console. -We also need to declare TaskAuditors and TaskUsers groups having rtsUSers roles. If you dn't do this, users are not authorized to login into the Business Console. - - Select the Manage>Groups Tab - Double-Click on TaskAuditors - Select the Role Mappins Tab - Select the "rtsUsers" role in the "Available Roles" list and click on "Add selected" to move it to the "Assigned Roles" list - Repeat the same for the TaskUsers group - ![Assign User Roles](/images/Keycloak/assign_rtsusers_role.png) + ![Assign User Roles](images/assign_rtsusers_role.png) ## Load projects - + For all the coming steps, the users password can be found in the ldap_user.ldif file of the openldap-customldif secret - Log into the ODM Decision Center Business Console using the cp4admin user - Select the LIBRARY tab - Import the [Loan Validation Service](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Loan%20Validation%20Service.zip) and [Miniloan Service](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Miniloan%20Service.zip) projects - ![Load Projects](/images/Keycloak/load_projects.png) + ![Load Projects](images/load_projects.png) ## Import Groups and Users @@ -382,7 +382,7 @@ We also need to declare TaskAuditors and TaskUsers groups having rtsUSers roles. - Select the "TaskAuditors" and "TaskUsers" groups - Click on the "Import groups and users" button - ![DC Import Groups and Users](/images/Keycloak/dc_import_groups_users.png) + ![DC Import Groups and Users](images/dc_import_groups_users.png) ## Set the project security @@ -392,14 +392,14 @@ We also need to declare TaskAuditors and TaskUsers groups having rtsUSers roles. - Below the Groups section, select the TaskAuditors group - Click on the Done button - ![Set Loan Validation Service Security](/images/Keycloak/set_loan_validation_service_security.png) + ![Set Loan Validation Service Security](images/set_loan_validation_service_security.png) - Click on the "Edit decision service security" of the "Miniloan Service" project - Below the Security section, select "Enforce Security" - Below the Groups section, select the TaskUsers group - Click on the Done button - ![Security Results](/images/Keycloak/security_results.png) + ![Security Results](images/security_results.png) ## Check the project security @@ -413,16 +413,16 @@ We also need to declare TaskAuditors and TaskUsers groups having rtsUSers roles. - Select "Profile" link - The "user1" User Profile is showing the "TaskUsers" group - ![User1 Check](/images/Keycloak/user1_check.png) + ![User1 Check](images/user1_check.png) - Login with user6 > the ADMINISTRATION tab is not available - Click on LIBRARY tab > only the "Loan Validation Service" project must be available - Click on top-right user6 link - Select "Profile" link - - The "user6" User Profile is showing the "TaskAuditors" group + - The "user6" User Profile is showing the "TaskAuditors" group + + ![User6 Check](images/user6_check.png) - ![User6 Check](/images/Keycloak/user6_check.png) - # Synchonize Decision Center when updating Keycloak During the life of a project, common situation can happen like : @@ -432,7 +432,4 @@ We also need to declare TaskAuditors and TaskUsers groups having rtsUSers roles. - a user change of group - ... - All these operation are done using the Keycloak dashboard and are reflected on Decision Center. It can be done manually using the Decision Center Synchronize button or using the automatic synchronization happening by default every 2 hours. You can change the frequency using the "-Dcom.ibm.rules.decisioncenter.ldap.sync.refresh.period=60000 -" Decision Center JVM options expressed in milliseconds. - - + All these operation are done using the Keycloak dashboard and are reflected on Decision Center. It can be done manually using the Decision Center Synchronize button or using the automatic synchronization happening by default every 2 hours. You can change the frequency using the "-Dcom.ibm.rules.decisioncenter.ldap.sync.refresh.period=60000" Decision Center JVM options expressed in milliseconds. diff --git a/images/Keycloak/add_group_mapper_to_role_scope.png b/authentication/Keycloak/images/add_group_mapper_to_role_scope.png similarity index 100% rename from images/Keycloak/add_group_mapper_to_role_scope.png rename to authentication/Keycloak/images/add_group_mapper_to_role_scope.png diff --git a/images/Keycloak/assign_roles.png b/authentication/Keycloak/images/assign_roles.png similarity index 100% rename from images/Keycloak/assign_roles.png rename to authentication/Keycloak/images/assign_roles.png diff --git a/images/Keycloak/assign_rtsadministrators_role.png b/authentication/Keycloak/images/assign_rtsadministrators_role.png similarity index 100% rename from images/Keycloak/assign_rtsadministrators_role.png rename to authentication/Keycloak/images/assign_rtsadministrators_role.png diff --git a/images/Keycloak/assign_rtsusers_role.png b/authentication/Keycloak/images/assign_rtsusers_role.png similarity index 100% rename from images/Keycloak/assign_rtsusers_role.png rename to authentication/Keycloak/images/assign_rtsusers_role.png diff --git a/images/Keycloak/client_secret.png b/authentication/Keycloak/images/client_secret.png similarity index 100% rename from images/Keycloak/client_secret.png rename to authentication/Keycloak/images/client_secret.png diff --git a/images/Keycloak/create_client_1.png b/authentication/Keycloak/images/create_client_1.png similarity index 100% rename from images/Keycloak/create_client_1.png rename to authentication/Keycloak/images/create_client_1.png diff --git a/images/Keycloak/create_client_2.png b/authentication/Keycloak/images/create_client_2.png similarity index 100% rename from images/Keycloak/create_client_2.png rename to authentication/Keycloak/images/create_client_2.png diff --git a/images/Keycloak/create_group.png b/authentication/Keycloak/images/create_group.png similarity index 100% rename from images/Keycloak/create_group.png rename to authentication/Keycloak/images/create_group.png diff --git a/images/Keycloak/create_realm.png b/authentication/Keycloak/images/create_realm.png similarity index 100% rename from images/Keycloak/create_realm.png rename to authentication/Keycloak/images/create_realm.png diff --git a/images/Keycloak/create_roles.png b/authentication/Keycloak/images/create_roles.png similarity index 100% rename from images/Keycloak/create_roles.png rename to authentication/Keycloak/images/create_roles.png diff --git a/images/Keycloak/create_user.png b/authentication/Keycloak/images/create_user.png similarity index 100% rename from images/Keycloak/create_user.png rename to authentication/Keycloak/images/create_user.png diff --git a/images/Keycloak/dc_import_groups_users.png b/authentication/Keycloak/images/dc_import_groups_users.png similarity index 100% rename from images/Keycloak/dc_import_groups_users.png rename to authentication/Keycloak/images/dc_import_groups_users.png diff --git a/images/Keycloak/deploy_project.png b/authentication/Keycloak/images/deploy_project.png similarity index 100% rename from images/Keycloak/deploy_project.png rename to authentication/Keycloak/images/deploy_project.png diff --git a/images/Keycloak/diag_keycloak_interaction.ai b/authentication/Keycloak/images/diag_keycloak_interaction.ai similarity index 100% rename from images/Keycloak/diag_keycloak_interaction.ai rename to authentication/Keycloak/images/diag_keycloak_interaction.ai diff --git a/images/Keycloak/diag_keycloak_interaction.jpg b/authentication/Keycloak/images/diag_keycloak_interaction.jpg similarity index 100% rename from images/Keycloak/diag_keycloak_interaction.jpg rename to authentication/Keycloak/images/diag_keycloak_interaction.jpg diff --git a/images/Keycloak/import_openldap_groups.png b/authentication/Keycloak/images/import_openldap_groups.png similarity index 100% rename from images/Keycloak/import_openldap_groups.png rename to authentication/Keycloak/images/import_openldap_groups.png diff --git a/images/Keycloak/import_openldap_users.png b/authentication/Keycloak/images/import_openldap_users.png similarity index 100% rename from images/Keycloak/import_openldap_users.png rename to authentication/Keycloak/images/import_openldap_users.png diff --git a/images/Keycloak/import_project.png b/authentication/Keycloak/images/import_project.png similarity index 100% rename from images/Keycloak/import_project.png rename to authentication/Keycloak/images/import_project.png diff --git a/images/Keycloak/load_projects.png b/authentication/Keycloak/images/load_projects.png similarity index 100% rename from images/Keycloak/load_projects.png rename to authentication/Keycloak/images/load_projects.png diff --git a/images/Keycloak/redirect_uris.png b/authentication/Keycloak/images/redirect_uris.png similarity index 100% rename from images/Keycloak/redirect_uris.png rename to authentication/Keycloak/images/redirect_uris.png diff --git a/images/Keycloak/scim_configuration.png b/authentication/Keycloak/images/scim_configuration.png similarity index 100% rename from images/Keycloak/scim_configuration.png rename to authentication/Keycloak/images/scim_configuration.png diff --git a/images/Keycloak/scim_groups_authorization.png b/authentication/Keycloak/images/scim_groups_authorization.png similarity index 100% rename from images/Keycloak/scim_groups_authorization.png rename to authentication/Keycloak/images/scim_groups_authorization.png diff --git a/images/Keycloak/scim_resources.png b/authentication/Keycloak/images/scim_resources.png similarity index 100% rename from images/Keycloak/scim_resources.png rename to authentication/Keycloak/images/scim_resources.png diff --git a/images/Keycloak/scim_user_authorization.png b/authentication/Keycloak/images/scim_user_authorization.png similarity index 100% rename from images/Keycloak/scim_user_authorization.png rename to authentication/Keycloak/images/scim_user_authorization.png diff --git a/images/Keycloak/security_results.png b/authentication/Keycloak/images/security_results.png similarity index 100% rename from images/Keycloak/security_results.png rename to authentication/Keycloak/images/security_results.png diff --git a/images/Keycloak/service_account_roles.png b/authentication/Keycloak/images/service_account_roles.png similarity index 100% rename from images/Keycloak/service_account_roles.png rename to authentication/Keycloak/images/service_account_roles.png diff --git a/images/Keycloak/set_loan_validation_service_security.png b/authentication/Keycloak/images/set_loan_validation_service_security.png similarity index 100% rename from images/Keycloak/set_loan_validation_service_security.png rename to authentication/Keycloak/images/set_loan_validation_service_security.png diff --git a/images/Keycloak/unassign_default_role.png b/authentication/Keycloak/images/unassign_default_role.png similarity index 100% rename from images/Keycloak/unassign_default_role.png rename to authentication/Keycloak/images/unassign_default_role.png diff --git a/images/Keycloak/user1_check.png b/authentication/Keycloak/images/user1_check.png similarity index 100% rename from images/Keycloak/user1_check.png rename to authentication/Keycloak/images/user1_check.png diff --git a/images/Keycloak/user6_check.png b/authentication/Keycloak/images/user6_check.png similarity index 100% rename from images/Keycloak/user6_check.png rename to authentication/Keycloak/images/user6_check.png diff --git a/authentication/Okta/README.md b/authentication/Okta/README.md index ee58f257..5ef5eb6a 100644 --- a/authentication/Okta/README.md +++ b/authentication/Okta/README.md @@ -41,7 +41,7 @@ In the context of the ODM on Certified Kubernetes offering, Operational Decision You need to create a number of secrets before you can install an ODM instance with an external OIDC provider such as the Okta service and use web application single sign-on (SSO). The following diagram shows the ODM services with an external OIDC provider after a successful installation. -![ODM web application SSO](/images/Okta/diag_okta_interaction.jpg) +![ODM web application SSO](images/diag_okta_interaction.jpg) The following procedure describes how to manually configure ODM with an Okta service. @@ -59,13 +59,13 @@ Terminology: The Client Credentials flow is intended for server-side (AKA "confidential") client applications with no end user, which normally describes machine-to-machine communication. The application must be server-side because it must be trusted with the client secret, and since the credentials are hard coded, it cannot be used by an actual end user. It involves a single, authenticated request to the token endpoint, which returns an access token. -![Okta Client Credential Flow](/images/Okta/oauth_client_creds_flow.png) (© Okta) +![Okta Client Credential Flow](images/oauth_client_creds_flow.png) (© Okta) The Authorization Code flow is best used by server-side apps where the source code is not publicly exposed. The apps must be server-side because the request that exchanges the authorization code for a token requires a client secret, which has to be stored in your client. However, the server-side app requires an end user because it relies on interactions with the end user's web browser, which redirects the user and then receives the authorization code. Auth Code flow width: -![Authentication flow](/images/Okta/Authentication_flow.png) (© Okta) +![Authentication flow](images/Authentication_flow.png) (© Okta) ## Prerequisites @@ -101,7 +101,7 @@ After activating your account by email, you should have access to your Okta inst * Name: *odm-admin* * Group Description: *ODM Admin group* - ![Add Group](/images/Okta/AddGroup.png) + ![Add Group](images/AddGroup.png) 2. Create at least one user that belongs to this new group. @@ -115,7 +115,7 @@ After activating your account by email, you should have access to your Okta inst * Groups (optional): ***odm-admin*** * Click **Save** - ![Add Person](/images/Okta/add_person.png) + ![Add Person](images/add_person.png) Repeat this step for each user you want to add. @@ -128,7 +128,7 @@ After activating your account by email, you should have access to your Okta inst * Select **Web Application** * Click **Next** - ![Add Application](/images/Okta/AddApplication.png) + ![Add Application](images/AddApplication.png) 2. Configure the new web app integration. @@ -142,9 +142,9 @@ After activating your account by email, you should have access to your Okta inst * Under **Controlled access**: * Check **Limit access to selected groups** * Fill the **Selected group(s)** : ***odm-admin*** - * Click **Save** + * Click **Save** - ![New Web Application](/images/Okta/NewWebAppIntegration.png) + ![New Web Application](images/NewWebAppIntegration.png) ## Configure the *default* Authorization Server @@ -156,9 +156,9 @@ In this step, we augment the token with meta-information that is required by the To be more secure, we will use the client credentials flow for the ODM REST API call. This requires to create a specific restricted scope (named *OKTA_API_SCOPE* later in this article). - In the **Scopes** tab, click **Add Scope** + In the **Scopes** tab, click **Add Scope** - Name : *odmapiusers* - - Click **Create** + - Click **Create** 3. Add the identifier and group claims. @@ -166,7 +166,7 @@ In this step, we augment the token with meta-information that is required by the In **Claims** tab, create the following claims: - * Click **Add claim** + * Click **Add claim** * *groups - Access Token* claim: * Name: *groups* * Include in token type: *Access Token* @@ -178,7 +178,7 @@ In this step, we augment the token with meta-information that is required by the * Value type: *Groups* * Filter: **Equals**: odm-admin - ![Add Claim Result](/images/Okta/ResultAddClaims.png) + ![Add Claim Result](images/ResultAddClaims.png) 4. Verify the content of the token. @@ -190,7 +190,7 @@ In this step, we augment the token with meta-information that is required by the * User: ```` * Scopes: *openid* *email* * Click **Preview Token** - * Select the *Token* tab + * Select the *Token* tab As a result, the payload should contain: @@ -202,7 +202,7 @@ In this step, we augment the token with meta-information that is required by the ] ``` - ![Token Preview](/images/Okta/TokenPreview.png) + ![Token Preview](images/TokenPreview.png) >Note: The discovery endpoint can be found in **Security** / **API** / **default** / **Settings** in **Metadata URI**. @@ -293,7 +293,7 @@ In this step, we augment the token with meta-information that is required by the ``` helm search repo ibm-odm-prod - NAME CHART VERSION APP VERSION DESCRIPTION + NAME CHART VERSION APP VERSION DESCRIPTION ibmcharts/ibm-odm-prod 23.1.0 8.12.0.0 IBM Operational Decision Manager ``` @@ -354,7 +354,7 @@ In this step, we augment the token with meta-information that is required by the - Repeat the previous step for all other redirect URIs. - Click **Save** at the bottom of the LOGIN section. - ![Sign-in redirect URIs](/images/Okta/Sign-in_redirect_URIs.png) + ![Sign-in redirect URIs](images/Sign-in_redirect_URIs.png) ### Access the ODM services @@ -398,36 +398,36 @@ To manage ODM runtime call on the next steps, we used the [Loan Validation Decis Import the **Loan Validation Service** in Decision Center connected as John Doe -![Import project](/images/Keycloak/import_project.png) +![Import project](../Keycloak/images/import_project.png) Deploy the **Loan Validation Service** production_deployment ruleapps using the **production deployment** deployment configuration in the Deployments>Configurations tab. -![Deploy project](/images/Keycloak/deploy_project.png) +![Deploy project](../Keycloak/images/deploy_project.png) You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json) - + As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/8.12.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation. You can realize a basic authentication ODM runtime call in the following way: - + ``` $ curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \ https:///DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0 ``` - + Where b2RtQWRtaW46b2RtQWRtaW4= is the base64 encoding of the current username:password odmAdmin:odmAdmin But if you want to execute a bearer authentication ODM runtime call using the Client Credentials flow, you have to get a bearer access token: - + ``` $ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \ -d 'client_id=&scope=&client_secret=&grant_type=client_credentials' \ ' https:///default/v1/token' ``` - + And use the retrieved access token in the following way: - + ``` $ curl -H "Content-Type: application/json" -k --data @payload.json \ -H "Authorization: Bearer " \ diff --git a/images/Okta/AddApplication.png b/authentication/Okta/images/AddApplication.png similarity index 100% rename from images/Okta/AddApplication.png rename to authentication/Okta/images/AddApplication.png diff --git a/images/Okta/AddClaim.png b/authentication/Okta/images/AddClaim.png similarity index 100% rename from images/Okta/AddClaim.png rename to authentication/Okta/images/AddClaim.png diff --git a/images/Okta/AddGroup.png b/authentication/Okta/images/AddGroup.png similarity index 100% rename from images/Okta/AddGroup.png rename to authentication/Okta/images/AddGroup.png diff --git a/images/Okta/ApiClaim.png b/authentication/Okta/images/ApiClaim.png similarity index 100% rename from images/Okta/ApiClaim.png rename to authentication/Okta/images/ApiClaim.png diff --git a/images/Okta/ApplicationInfo.png b/authentication/Okta/images/ApplicationInfo.png similarity index 100% rename from images/Okta/ApplicationInfo.png rename to authentication/Okta/images/ApplicationInfo.png diff --git a/images/Okta/Authentication_flow.png b/authentication/Okta/images/Authentication_flow.png similarity index 100% rename from images/Okta/Authentication_flow.png rename to authentication/Okta/images/Authentication_flow.png diff --git a/images/Okta/EditServer.png b/authentication/Okta/images/EditServer.png similarity index 100% rename from images/Okta/EditServer.png rename to authentication/Okta/images/EditServer.png diff --git a/images/Okta/NewWebAppIntegration.png b/authentication/Okta/images/NewWebAppIntegration.png similarity index 100% rename from images/Okta/NewWebAppIntegration.png rename to authentication/Okta/images/NewWebAppIntegration.png diff --git a/images/Okta/OpenIDProvider.png b/authentication/Okta/images/OpenIDProvider.png similarity index 100% rename from images/Okta/OpenIDProvider.png rename to authentication/Okta/images/OpenIDProvider.png diff --git a/images/Okta/ResultAddClaims.png b/authentication/Okta/images/ResultAddClaims.png similarity index 100% rename from images/Okta/ResultAddClaims.png rename to authentication/Okta/images/ResultAddClaims.png diff --git a/images/Okta/Sign-in_redirect_URIs.png b/authentication/Okta/images/Sign-in_redirect_URIs.png similarity index 100% rename from images/Okta/Sign-in_redirect_URIs.png rename to authentication/Okta/images/Sign-in_redirect_URIs.png diff --git a/images/Okta/TokenPreview.png b/authentication/Okta/images/TokenPreview.png similarity index 100% rename from images/Okta/TokenPreview.png rename to authentication/Okta/images/TokenPreview.png diff --git a/images/Okta/add_person.png b/authentication/Okta/images/add_person.png similarity index 100% rename from images/Okta/add_person.png rename to authentication/Okta/images/add_person.png diff --git a/images/Okta/diag_okta_interaction.ai b/authentication/Okta/images/diag_okta_interaction.ai similarity index 100% rename from images/Okta/diag_okta_interaction.ai rename to authentication/Okta/images/diag_okta_interaction.ai diff --git a/images/Okta/diag_okta_interaction.jpg b/authentication/Okta/images/diag_okta_interaction.jpg similarity index 100% rename from images/Okta/diag_okta_interaction.jpg rename to authentication/Okta/images/diag_okta_interaction.jpg diff --git a/images/Okta/oauth_client_creds_flow.png b/authentication/Okta/images/oauth_client_creds_flow.png similarity index 100% rename from images/Okta/oauth_client_creds_flow.png rename to authentication/Okta/images/oauth_client_creds_flow.png diff --git a/images/Okta/password_flow.png b/authentication/Okta/images/password_flow.png similarity index 100% rename from images/Okta/password_flow.png rename to authentication/Okta/images/password_flow.png diff --git a/contrib/authentication/openid/README.md b/contrib/authentication/openid/README.md index 09fbc49d..9a5516cc 100644 --- a/contrib/authentication/openid/README.md +++ b/contrib/authentication/openid/README.md @@ -252,7 +252,7 @@ If you need to add or modify a parameter to the `openidConnectClient` tag in the - If you want to call the REST API, you must get an access token by running a cURL command with the following endpoint: `https:///oidc/endpoint//token`. - You can then authenticate with the "Bearer ". For more information, see [How a Liberty-based application obtains an access token from UMS SSO](con_ums_sso_liberty.dita). + You can then authenticate with the "Bearer ". For more information, see How a Liberty-based application obtains an access token from UMS SSO. The following diagram shows the API invocations with an external OIDC provider. @@ -307,7 +307,7 @@ If you need to add or modify a parameter to the `openidConnectClient` tag in the ``` - The mapping itself is done with variable definitions and key-value pairs. A cert-kubernetes/ODM/configuration/security/sample-webSecurity-OIDC.xml file can be used as a starting point to map your ODM users and groups to the users and groups. For more information about downloading cert-kubernetes, see [Preparing for an Enterprise deployment](../../com.ibm.dba.install/op_topics/tsk_prep_operator.html). The variable definitions in the sample file use the following scenario: + The mapping itself is done with variable definitions and key-value pairs. A cert-kubernetes/ODM/configuration/security/sample-webSecurity-OIDC.xml file can be used as a starting point to map your ODM users and groups to the users and groups. For more information about downloading cert-kubernetes, see "Preparing for an Enterprise deployment". The variable definitions in the sample file use the following scenario: - A user `generalAdmin` (defined through an LDAP registry). A user that has access to all applications. - A group `oidcAllRoles` (defined through a basic registry). A group of users that has access to all applications. diff --git a/platform/azure/README.md b/platform/azure/README.md index b3e04610..cbd2a591 100644 --- a/platform/azure/README.md +++ b/platform/azure/README.md @@ -103,8 +103,7 @@ Use the `az aks create` command to create an AKS cluster. The following example ```shell az aks create --name --resource-group --node-count 2 \ - --enable-cluster-autoscaler --min-count 2 --max-count 4 \ - --enable-addons monitoring --generate-ssh-keys [--location ] + --enable-cluster-autoscaler --min-count 2 --max-count 4 ``` After a few minutes, the command completes and returns JSON-formatted information about the cluster. Make a note of the newly-created Resource Group that is displayed in the JSON output (e.g. "nodeResourceGroup": "") if you have to tag it, for example: @@ -158,7 +157,7 @@ To get a good bandwidth between ODM containers and the database, choose the same ```shell az postgres server create --name --resource-group \ --admin-user myadmin --admin-password 'passw0rd!' \ - --sku-name GP_Gen5_2 --version 11 [--location ] + --sku-name GP_Gen5_2 --version 11 ``` > Note: The PostgreSQL server name must be unique within Azure. @@ -219,7 +218,7 @@ To make sure your database and your AKS cluster can communicate, put in place fi ```shell az postgres server firewall-rule create --resource-group --server-name \ - --name --start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255 + --name --start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255 ``` ## Prepare your environment for the ODM installation @@ -263,7 +262,7 @@ Check that you can access the ODM charts: ```shell helm search repo ibm-odm-prod NAME CHART VERSION APP VERSION DESCRIPTION -ibmcharts/ibm-odm-prod 23.1.0 8.12.0.0 IBM Operational Decision Manager License By in... +ibmcharts/ibm-odm-prod 23.2.0 8.12.0.1 IBM Operational Decision Manager License By in... ``` ### Create the database credentials secret for Azure PostgreSQL @@ -312,7 +311,7 @@ You can now install the product: ```shell helm install ibmcharts/ibm-odm-prod --version 23.1.0 \ --set image.repository=cp.icr.io/cp/cp4a/odm --set image.pullSecrets= \ - --set image.arch=amd64 --set image.tag=${ODM_VERSION:-8.12.0.0} --set service.type=LoadBalancer \ + --set image.arch=amd64 --set image.tag=${ODM_VERSION:-8.12.0.1} --set service.type=LoadBalancer \ --set externalDatabase.type=postgres \ --set externalDatabase.serverName=.postgres.database.azure.com \ --set externalDatabase.databaseName=postgres \ @@ -344,9 +343,8 @@ NAME READY STATUS RESTART By setting `service.type=LoadBalancer`, the services are exposed with public IPs to be accessed with the following command: ```shell -kubectl get services +kubectl get services --selector release= NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -kubernetes ClusterIP 10.0.0.1 443/TCP 26h -odm-decisioncenter LoadBalancer 10.0.141.125 xxx.xxx.xxx.xxx 9453:31130/TCP 22m -odm-decisionrunner LoadBalancer 10.0.157.225 xxx.xxx.xxx.xxx 9443:31325/TCP 22m -odm-decisionserverconsole LoadBalancer 10.0.215.192 xxx.xxx.xxx.xxx 9443:32448/TCP 22m @@ -354,7 +352,9 @@ kubernetes ClusterIP 10.0.0.1 -odm-decisionserverruntime LoadBalancer 10.0.177.153 xxx.xxx.xxx.xxx 9443:31921/TCP 22m ``` -You can then open a browser on https://xxx.xxx.xxx.xxx:9453 to access Decision Center, and on https://xxx.xxx.xxx.xxx:9443 to access Decision Server console, Decision Server Runtime, and Decision Runner. + +You can then open a browser on `https://xxx.xxx.xxx.xxx:9453` to access Decision Center, and on `https://xxx.xxx.xxx.xxx:9443` to access Decision Server console, Decision Server Runtime, and Decision Runner. + ## Create an NGINX Ingress controller @@ -363,20 +363,30 @@ Installing an NGINX Ingress controller allows you to access ODM components throu 1. Use the official YAML manifest: ```shell - kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml + kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` > Note: The version will probably change after the publication of our documentation so please refer to the actual [documentation](https://kubernetes.github.io/ingress-nginx/deploy/#azure)! -2. Get the Ingress controller external IP address: +2. Get the Ingress controller external IP address (it will appear 80 seconds or so after the resource application above): ```shell - kubectl get service -l app.kubernetes.io/name=ingress-nginx -n ingress-nginx + kubectl get service --selector app.kubernetes.io/name=ingress-nginx --namespace ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx-controller LoadBalancer 10.0.78.246 20.19.105.130 80:32208/TCP,443:30249/TCP 2m12s ingress-nginx-controller-admission ClusterIP 10.0.229.164 443/TCP 2m12s ``` +3. Verify the name of the new IngressClass: + + ```shell + kubectl get ingressclass + NAME CONTROLLER PARAMETERS AGE + nginx k8s.io/ingress-nginx 5h38m + ``` + + It should be "nginx" but if different please update the next command accordingly. + ## (Optional) Install an ODM Helm release and expose it with the NGINX Ingress controller (10 min) You might want to access ODM components through a single external IP address. @@ -386,9 +396,9 @@ You might want to access ODM components through a single external IP address. You can reuse the secret with TLS certificate created [above](#manage-adigital-certificate-10-min): ```shell -helm install ibmcharts/ibm-odm-prod --version 23.1.0 \ +helm install ibmcharts/ibm-odm-prod --version 23.2.0 \ --set image.repository=cp.icr.io/cp/cp4a/odm --set image.pullSecrets= \ - --set image.arch=amd64 --set image.tag=${ODM_VERSION:-8.12.0.0} \ + --set image.arch=amd64 --set image.tag=${ODM_VERSION:-8.12.0.1} \ --set externalDatabase.type=postgres \ --set externalDatabase.serverName=.postgres.database.azure.com \ --set externalDatabase.databaseName=postgres \ @@ -396,7 +406,8 @@ helm install ibmcharts/ibm-odm-prod --version 23.1.0 \ --set externalDatabase.secretCredentials= \ --set service.ingress.enabled=true --set service.ingress.tlsSecretRef= \ --set service.ingress.tlsHosts={myodmcompany.com} --set service.ingress.host=myodmcompany.com \ - --set service.ingress.annotations={"kubernetes.io/ingress.class: nginx"\,"nginx.ingress.kubernetes.io/backend-protocol: HTTPS"} \ + --set service.ingress.annotations={"nginx.ingress.kubernetes.io/backend-protocol: HTTPS"} \ + --set service.ingress.class=nginx \ --set license=true --set usersPassword= ``` @@ -415,7 +426,7 @@ helm install ibmcharts/ibm-odm-prod --version 23.1.0 \ Check that ODM services are in NodePort type: ```shell -kubectl get services -l app.kubernetes.io/name=ibm-odm-prod +kubectl get services --selector release= NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE release-odm-decisioncenter NodePort 10.0.178.43 9453:32720/TCP 16m release-odm-decisionrunner NodePort 10.0.171.46 9443:30223/TCP 16m @@ -426,6 +437,7 @@ release-odm-decisionserverruntime NodePort 10.0.232.212 < ODM services are available through the following URLs: + | SERVICE NAME | URL | USERNAME/PASSWORD | --- | --- | --- | Decision Server Console | https://myodmcompany.com/res | odmAdmin/\ @@ -433,6 +445,7 @@ ODM services are available through the following URLs: | Decision Server Runtime | https://myodmcompany.com/DecisionService | odmAdmin/\ | Decision Runner | https://myodmcompany.com/DecisionRunner | odmAdmin/\ + Where: * \ is the password provided to the **usersPassword** helm chart parameter @@ -458,14 +471,14 @@ kubectl create -f licensing-instance.yml After a couple of minutes, the NGINX load balancer reflects the Ingress configuration and you will be able to access the IBM License Service by retrieving the URL with this command: ```shell -export LICENSING_URL=$(kubectl get ingress ibm-licensing-service-instance -n ibm-common-services |awk '{print $4}' |tail -1)/ibm-licensing-service-instance -export TOKEN=$(oc get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-common-services |base64 -d) +export LICENSING_URL=$(kubectl get ingress ibm-licensing-service-instance --namespace ibm-common-services --no-headers | awk '{print $4}')/ibm-licensing-service-instance +export TOKEN=$(kubectl get secret ibm-licensing-token --output jsonpath={.data.token} --namespace ibm-common-services | base64 -d) ``` You can access the `http://${LICENSING_URL}/status?token=${TOKEN}` URL to view the licensing usage, or retrieve the licensing report .zip file by running: ```shell -curl -v "http://${LICENSING_URL}/snapshot?token=${TOKEN}" --output report.zip +curl "http://${LICENSING_URL}/snapshot?token=${TOKEN}" --output report.zip ``` If your IBM License Service instance is not running properly, refer to this [troubleshooting page](https://www.ibm.com/docs/en/cpfs?topic=software-troubleshooting). diff --git a/platform/azure/README_PPA.md b/platform/azure/README_PPA.md deleted file mode 100644 index d9a7fa59..00000000 --- a/platform/azure/README_PPA.md +++ /dev/null @@ -1,103 +0,0 @@ -# Deploying ODM from images in Azure Container Registry - -If you can't use IBM Entitled registry, then you have to download the ODM on Kubernetes package (.tgz file) from Passport Advantage® (PPA) and then push it to the Azure Container Registry. - -#### Using the download archives from IBM Passport Advantage (PPA) - -Prerequisites: You must install Docker. - -Download the IBM Operational Decision Manager chart and images from [IBM Passport Advantage (PPA)](https://www.ibm.com/software/passportadvantage/pao_customer.html). - -Refer to the [ODM download document](https://www.ibm.com/support/pages/node/310661) to view the list of Passport Advantage eAssembly installation images. - -Extract the file that contains both the Helm chart and the images. The name of the file includes the chart version number: - -``` -$ mkdir ODM-PPA -$ cd ODM-PPA -$ tar zxvf PPA_NAME.tar.gz -charts/ibm-odm-prod-23.1.0.tgz -images/odm-decisionserverconsole_8.12.0.0-amd64.tar.gz -images/odm-decisionserverruntime_8.12.0.0-amd64.tar.gz -images/odm-decisionrunner_8.12.0.0-amd64.tar.gz -images/odm-decisioncenter_8.12.0.0-amd64.tar.gz -images/dbserver_8.12.0.0-amd64.tar.gz -manifest.json -manifest.yaml -``` - -In order to load the container images from the extracted folder into your Docker registry, you must: - -1. Create an [ACR registry](https://docs.microsoft.com/en-US/azure/container-registry/container-registry-get-started-azure-cli): - - ``` - az acr create --resource-group --name --sku Basic - ``` - - Make a note of the `loginServer` that will be displayed in the JSON output (e.g.: "loginServer": ".azurecr.io"): - - ``` - export DOCKER_REGISTRY=.azurecr.io - ``` - - > Note: The registry name must be unique within Azure. - -2. Log in to the ACR registry - - ``` - az acr login --name - ``` - -3. Load the container images into your internal Docker registry. - - ``` - $ for name in images/*.tar.gz; do echo $name; docker image load --input $name; done - ``` - -4. Tag the images loaded locally with your registry name. - - ``` - export IMAGE_TAG_NAME=${ODM_VERSION:-8.12.0.0}-amd64 - docker tag odm-decisionserverconsole:${IMAGE_TAG_NAME} ${DOCKER_REGISTRY}/odm-decisionserverconsole:${IMAGE_TAG_NAME} - docker tag dbserver:${IMAGE_TAG_NAME} ${DOCKER_REGISTRY}/dbserver:${IMAGE_TAG_NAME} - docker tag odm-decisioncenter:${IMAGE_TAG_NAME} ${DOCKER_REGISTRY}/odm-decisioncenter:${IMAGE_TAG_NAME} - docker tag odm-decisionserverruntime:${IMAGE_TAG_NAME} ${DOCKER_REGISTRY}/odm-decisionserverruntime:${IMAGE_TAG_NAME} - docker tag odm-decisionrunner:${IMAGE_TAG_NAME} ${DOCKER_REGISTRY}/odm-decisionrunner:${IMAGE_TAG_NAME} - ``` - -5. Push the images to your registry. - - ``` - docker push ${DOCKER_REGISTRY}/odm-decisioncenter:${IMAGE_TAG_NAME} - docker push ${DOCKER_REGISTRY}/odm-decisionserverconsole:${IMAGE_TAG_NAME} - docker push ${DOCKER_REGISTRY}/odm-decisionserverruntime:${IMAGE_TAG_NAME} - docker push ${DOCKER_REGISTRY}/odm-decisionrunner:${IMAGE_TAG_NAME} - docker push ${DOCKER_REGISTRY}/dbserver:${IMAGE_TAG_NAME} - ``` - -6. Create a registry key to access the ACR registry. Refer to the [documentation](https://docs.microsoft.com/en-US/azure/container-registry/container-registry-tutorial-prepare-registry#enable-admin-account) to enable the registry's admin account and get the credentials in the Container registry portal, then: - - ```shell - kubectl create secret docker-registry --docker-server="${DOCKER_REGISTRY}" \ - --docker-username="" \ - --docker-password="" \ - --docker-email= - ``` - - Make a note of the secret name so that you can set it for the image.pullSecrets parameter when you run a helm install of your containers. The image.repository parameter must be set to \ (ie ${DOCKER_REGISTRY}). - -You can now proceed to the [datasource secret's creation](README.md#create-the-database-credentials-secret-for-azure-postgresql). - -Note that instead of using - -```shell -helm install ibmcharts/ibm-odm-prod --version 23.1.0 --set image.repository=cp.icr.io/cp/cp4a/odm [...] -``` - -in later steps, you will have to use - -```shell -helm install charts/ibm-odm-prod-23.1.0.tgz --set image.repository=${DOCKER_REGISTRY} [...] -``` - -instead. diff --git a/platform/azure/licensing-instance.yml b/platform/azure/licensing-instance.yml index b1183a85..221aabb9 100644 --- a/platform/azure/licensing-instance.yml +++ b/platform/azure/licensing-instance.yml @@ -3,8 +3,8 @@ kind: IBMLicensing metadata: name: instance spec: + apiSecretToken: ibm-licensing-token datasource: datacollector - instanceNamespace: ibm-common-services httpsEnable: false ingressEnabled: true ingressOptions: diff --git a/platform/gcloud/README.md b/platform/gcloud/README.md index d098fe46..40bfc20b 100644 --- a/platform/gcloud/README.md +++ b/platform/gcloud/README.md @@ -330,6 +330,7 @@ We only have to manage a configuration to simulate the mycompany.com access. - You can now access all ODM services with the following URLs: + | SERVICE NAME | URL | USERNAME/PASSWORD | --- | --- | --- | Decision Server Console | https://mycompany.com/res | odmAdmin/odmAdmin @@ -337,7 +338,7 @@ We only have to manage a configuration to simulate the mycompany.com access. | Decision Center REST-API | https://mycompany.com/decisioncenter-api | odmAdmin/odmAdmin | Decision Server Runtime | https://mycompany.com/DecisionService | odmAdmin/odmAdmin | Decision Runner | https://mycompany.com/DecisionRunner | odmAdmin/odmAdmin - + > NOTE:You can also click the Ingress routes accessible from the Google Cloud console under the [Kubernetes Engine/Services & Ingress Details Panel](https://console.cloud.google.com/kubernetes/ingresses). > diff --git a/platform/gcloud/README_NGINX.md b/platform/gcloud/README_NGINX.md index 365d300f..04cf68f6 100644 --- a/platform/gcloud/README_NGINX.md +++ b/platform/gcloud/README_NGINX.md @@ -46,4 +46,4 @@ If your ODM instances are not running properly, please refer to [our dedicated t # License -[Apache 2.0](../LICENSE) +[Apache 2.0](/LICENSE) diff --git a/platform/minikube/README.md b/platform/minikube/README.md index 9d89dcfc..63fdc6d2 100644 --- a/platform/minikube/README.md +++ b/platform/minikube/README.md @@ -33,13 +33,13 @@ This tutorial was tested on macOS and Linux. #### a. Start Minikube with sufficient resources ``` - minikube start --cpus 6 --memory 8GB --kubernetes-version=v1.23.0 + minikube start --cpus 6 --memory 8GB --kubernetes-version=v1.25.0 ``` The kubectl context is automatically set to point to the created Minikube cluster. > **Note** - > This installation guide has been tested with the Kubernetes version v1.23.0 to v1.25.0 + > This installation guide has been tested with the Kubernetes version v1.25.0 onwards #### b. Check your environment @@ -52,7 +52,7 @@ This tutorial was tested on macOS and Linux. ``` > **Note** - > You can access the [Kubernetes Dashboard](http://kubernetes.io/docs/user-guide/ui/) by running the `minikube dashboard` command. + > You can access the [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/) by running the `minikube dashboard` command. ### 2. Prepare your environment for the ODM installation @@ -92,7 +92,7 @@ helm repo update ``` $ helm search repo ibm-odm-prod NAME CHART VERSION APP VERSION DESCRIPTION -ibmcharts/ibm-odm-prod 23.1.0 8.12.0.0 IBM Operational Decision Manager +ibmcharts/ibm-odm-prod 23.2.0 8.12.0.1 IBM Operational Decision Manager ``` ### 3. Install an IBM Operational Decision Manager release @@ -102,7 +102,7 @@ ibmcharts/ibm-odm-prod 23.1.0 8.12.0.0 IBM Operational Deci Get the [minikube-values.yaml](./minikube-values.yaml) file and run the following command: ``` -helm install my-odm-release ibmcharts/ibm-odm-prod --version 23.1.0 -f minikube-values.yaml +helm install my-odm-release ibmcharts/ibm-odm-prod --version 23.2.0 -f minikube-values.yaml ``` #### b. Check the topology @@ -160,4 +160,4 @@ kubectl logs Get hands-on experience with IBM Operational Decision Manager in a container environment by following this [Getting started tutorial](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/README.md). # License -[Apache 2.0](LICENSE) +[Apache 2.0](/LICENSE)