diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 50c1a6ea..b96dd6d3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,7 +10,7 @@ repos:
 # You are encouraged to use static refs such as tags, instead of branch name
 #
 # Running "pre-commit autoupdate" automatically updates rev to latest tag
- rev: 0.13.1+ibm.62.dss
+ rev: 0.13.1+ibm.64.dss
 hooks:
 - id: detect-secrets # pragma: whitelist secret
 # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.
diff --git a/.secrets.baseline b/.secrets.baseline
index bed6b5ba..c7c550d6 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2026-05-04T13:40:10Z",
+ "generated_at": "2026-05-12T08:54:38Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -1336,7 +1336,7 @@
 "hashed_secret": "8b712744eee080d5fe6048e4f589235d00435559",
 "is_secret": false,
 "is_verified": false,
- "line_number": 134,
+ "line_number": 148,
 "type": "Secret Keyword",
 "verified_result": null
 },
@@ -1344,7 +1344,17 @@
 "hashed_secret": "b11974a9da0d56698df935ab86e19b127804d6d4",
 "is_secret": false,
 "is_verified": false,
- "line_number": 158,
+ "line_number": 172,
+ "type": "Secret Keyword",
+ "verified_result": null
+ }
+ ],
+ "platform/eks/eks-gateway-values.yaml": [
+ {
+ "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 2,
 "type": "Secret Keyword",
 "verified_result": null
 }
@@ -1359,6 +1369,24 @@
 "verified_result": null
 }
 ],
+ "platform/eks/eks-rds-gateway-values.yaml": [
+ {
+ "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 2,
+ "type": "Secret Keyword",
+ "verified_result": null
+ },
+ {
+ "hashed_secret": "aef505a4c9ac97451f163d4b5d27cc7e3c437dc3",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 11,
+ "type": "Secret Keyword",
+ "verified_result": null
+ }
+ ],
 "platform/eks/eks-rds-nginx-values.yaml": [
 {
 "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9",
diff --git a/platform/eks/README-ECR.md b/platform/eks/README-ECR.md
index 488e206c..2e09a38d 100644
--- a/platform/eks/README-ECR.md
+++ b/platform/eks/README-ECR.md
@@ -191,4 +191,4 @@ The related instructions in the online documentation are:
 ```
 > **Note:**
- > By using `eks-values.yaml`, ODM with a PostgreSQL internal database will be installed. It requires an ALB ingress controller and a server certificate. For more information, see [Provision an AWS Load Balancer Controller](README.md#d-provision-an-aws-load-balancer-controller) and [Manage a digital certificate](README.md#4-manage-a-digital-certificate-10-min).
+ > By using `eks-values.yaml`, ODM with a PostgreSQL internal database will be installed. It requires an ALB ingress controller and a server certificate. For more information, see [Provision an AWS Load Balancer Controller](README.md#d-provision-an-aws-load-balancer-controller) and [Manage a digital certificate](README.md#4-manage-adigital-certificate-10-min).
diff --git a/platform/eks/README-GATEWAY-API.md b/platform/eks/README-GATEWAY-API.md
new file mode 100644
index 00000000..44a81560
--- /dev/null
+++ b/platform/eks/README-GATEWAY-API.md
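Review bot: The new baseline entry for `platform/eks/eks-rds-gateway-values.yaml` whitelists the hash `aef505a4c9ac97451f163d4b5d27cc7e3c437dc3` at `"line_number": 11` with `"is_secret": false` and `"is_verified": false`, and that hash appears nowhere else in the visible baseline, so nothing on this page establishes that the value at that line is a documented placeholder rather than a real credential; confirm it is a placeholder before auditing it away, and if it is a real value, move it into a Kubernetes Secret referenced from the values file instead. The `fd1daf2e350a06b865f4a1e17bb39183b806c1e9` hash added here and in the preceding hunk's `eks-gateway-values.yaml` entry already appears under `eks-rds-nginx-values.yaml` in the context lines, so that one is consistent with an existing placeholder. A short commit-message line naming the placeholder values these entries cover would make the audit decision reviewable later.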
@@ -0,0 +1,336 @@ +# Deploying IBM Operational Decision Manager with AWS Load Balancer Controller supporting Gateway API on Amazon EKS + + +The aim of this complementary documentation is to explain how to replace the deprecated **NGINX Ingress Controller** using the **AWS Load Balancer Controller that supports Kubernetes Gateway API**. For more information, see [AWS Load Balancer Controller for Kubernetes Gateway API](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/how-it-works/#gateway-api). + +## 1. Prerequisites + +Follow [Step 1 of Preparing your environment](README.md#1-prepare-your-environment-20-min) to create an EKS cluster and set up your environment. **Important:** After completing steps 1.a-1.c, install the Gateway API CRDs below before proceeding to step 1.d (Provision an AWS Load Balancer Controller). + + +You must first install the following Gateway API CRDs before you provision the ALB controller: + +- Installation of Gateway API CRDs: + +```bash +kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.0/standard-install.yaml +``` + +- Installation of LBC Gateway API specific CRDs: + +```bash +kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml +``` + +For more information, see [AWS Load Balancer Controller Gateway prerequisites](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/gateway/gateway/#prerequisites). + + +You can then go back to the main documentation to continue [Step 2: Create an RDS database](README.md#2-create-an-rds-database-10-min) and [Step 3: Prepare your environment for the ODM installation](README.md#3-prepare-your-environment-for-the-odm-installation-5-min). + +## 2. 
Install an ODM release with Gateway API + +In this tutorial, you will use [eks-gateway-values.yaml](./eks-gateway-values.yaml) or [eks-rds-gateway-values.yaml](./eks-rds-gateway-values.yaml) file for the installation. We assume that ODM is installed in the namespace `default`. + +To install ODM with the AWS RDS PostgreSQL database created in [step 2](README.md#2-create-an-rds-database-10-min): + +- Get the [eks-rds-gateway-values.yaml](./eks-rds-gateway-values.yaml) file and replace the following keys: + - ``: your database server endpoint (of the form: `.xxxxxxxx..rds.amazonaws.com`) + - ``: the initial database name defined when creating the RDS database + +```bash +helm install mycompany ibm-helm/ibm-odm-prod -f eks-rds-gateway-values.yaml +``` + +> **Note** +> +> - The above command installs the **latest available version** of the chart. If you want to install a **specific version**, add the `--version` option: +> +> ```bash +> helm install mycompany ibm-helm/ibm-odm-prod --version -f eks-rds-gateway-values.yaml +> ``` +> +> - You can list all available versions using: +> +> ```bash +> helm search repo ibm-helm/ibm-odm-prod -l +> ``` +> +> - If you prefer to install ODM for prototyping (not for production) with the ODM PostgreSQL internal database. Get the [eks-gateway-values.yaml](./eks-gateway-values.yaml) file: +> +> ```bash +> helm install mycompany ibm-helm/ibm-odm-prod -f eks-gateway-values.yaml +> ``` + +After ODM is installed, you will proceed to create the relevant Gateway using [odm-gateway-api.yaml](./odm-gateway-api.yaml) file. + +Edit the [odm-gateway-api.yaml](./odm-gateway-api.yaml) file and replace the `` placeholder with your account ID. This can be found at the `defaultCertificate` parameter of `LoadBalancerConfiguration`. Save the file. 
+ +> **Note** +> - You can replace the `defaultCertificate` value with the ARN of the digital certificate that you have created in [Manage a digital certificate](README.md#4-manage-adigital-certificate-10-min) section. If you have an existing digital certificate in ACM, you can use it instead of creating a new one. +> - The `odm-gateway-api.yaml` file assumes ODM's release name is `mycompany`. If you used a different release name during installation, you must update all service name references in the file: +> - In each `TargetGroupConfiguration`, update the `targetReference.name` field (e.g., `mycompany-odm-decisionserverconsole` to `-odm-decisionserverconsole`). +> - In the `HTTPRoute`, update all `backendRefs.name` fields to match your release name. + +Apply the changes to the Gateway: +```bash +kubectl apply -f odm-gateway-api.yaml +``` + +You should see the Gatewayclass, AWS Load Balancer configuration, Target Group configurations for each ODM components, Gateway and Httproute being created: +```bash +gatewayclass.gateway.networking.k8s.io/odm-alb-gateway-class created +loadbalancerconfiguration.gateway.k8s.aws/odm-alb-config created +targetgroupconfiguration.gateway.k8s.aws/odm-decisionserverconsole-tgc created +targetgroupconfiguration.gateway.k8s.aws/odm-decisioncenter-tgc created +targetgroupconfiguration.gateway.k8s.aws/odm-decisionserverruntime-tgc created +targetgroupconfiguration.gateway.k8s.aws/odm-decisionrunner-tgc created +gateway.gateway.networking.k8s.io/odm-gateway created +httproute.gateway.networking.k8s.io/odm-services-route created +``` + +Wait a couple of minutes for the gateway to be programmed. + +Run this command to see the status of Gateway instance: + +```bash +kubectl get gateway +``` + +You will find the address and other details about the newly created `odm-gateway` gateway. 
+```bash +NAME CLASS ADDRESS PROGRAMMED AGE +odm-gateway odm-alb-gateway-class k8s-default-odmgatew-abcdefgh-123456789..elb.amazonaws.com True 10m +``` + +When the Gateway is programmed (set to `True`), you can then access the ODM services by retrieving the URL with this command: + +```bash +export ROOTURL=$(kubectl get gateway odm-gateway -o jsonpath='{.status.addresses[*].value}') +echo $ROOTURL +``` + +With this ODM topology in place, you can access web applications to author, deploy, and test your rule-based decision services. + +The ODM services are accessible from the following URLs: + +| *Component* | *URL* | *Username/Password* | +|---|---|---| +| Decision Center | https://${ROOTURL}/decisioncenter | odmAdmin/odmAdmin | +| Decision Center Swagger | https://${ROOTURL}/decisioncenter-api | odmAdmin/odmAdmin | +| Decision Server Console |https://${ROOTURL}/res| odmAdmin/odmAdmin | +| Decision Server Runtime | https://${ROOTURL}/DecisionService | odmAdmin/odmAdmin | +| Decision Runner | https://${ROOTURL}/DecisionRunner | odmAdmin/odmAdmin | + +## 3. Track ODM usage + +### 3.1. Install the IBM Usage Metering service + +IBM Usage Metering Service gathers metrics to monitor compliance and create reports. It captures business value metrics for auditing purposes and to visualize metric usage in reporting tools, and sends the information to IBM Software Central. For more details, see [Collecting and sending usage metrics](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-collecting-sending-usage-metrics) + +From ODM 9.6.0 onwards, it is required to install this metering service in the same namespace as ODM. ODM will systematically report usage metrics to the metering service through a CronJob. If the service is not installed, the job fails when it runs. For more information about the installation and configuration of UMS, see [Installing the usage metering service](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-installing-metering). 
In this tutorial, we assume that ODM and UMS are installed in the same namespace `default`. + +#### 3.1.1. Troubleshooting + +If the CronJob fails, check the pod logs: +```bash +kubectl logs -n -l job-name= +``` + +#### 3.1.2. Data transmission options + +After installing the IBM Usage Metering service, choose one of the following modes to transmit the usage metering data based on your environment: + +1. **Online mode** (Recommended): Automatic data transmission to IBM Software Central +2. **Offline mode** (Air-gapped): Manual data download and upload process + +##### 3.1.2.1. Online mode (Recommended) + +In online mode, the Usage Metering Service automatically sends usage data to IBM Software Central on a scheduled basis every 24 hours. This is the recommended configuration for environments with internet connectivity. + +*Configuration requirements*: +- IBM Entitlement Key (required for authentication) +- Network connectivity to IBM Software Central (`swc.saas.ibm.com`) + +For complete step-by-step instructions on configuring online mode, see [Automatic data transmission to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-automatic-data-transmission). + +##### 3.1.2.2. Offline mode (Air-gapped environments) + +For offline/air-gapped environments where the Usage Metering Service cannot connect directly to IBM Software Central, you need to manually download and upload usage data. + +###### 3.1.2.2.1. Expose the IBM Usage Metering service using a Gateway API + +First, you will need to expose the service to have the access. + +Edit the [ums-gateway-api.yaml](./ums-gateway-api.yaml) file and replace the `` placeholder with your account ID. This can be found at the `defaultCertificate` parameter of `LoadBalancerConfiguration`. Save the file. 
+ +> **Note** +> You can replace the `defaultCertificate` value with the ARN of the digital certificate that you have created in [Manage a  digital certificate](README.md#4-manage-adigital-certificate-10-min) section. If you have an existing digital certificate in ACM, you can use it instead of creating a new one. + +Run the command to create UMS's gateway: +```bash +kubectl apply -f ums-gateway-api.yaml +``` + +You should see the Gatewayclass, AWS Load Balancer configuration, Target Group configuration, Gateway and Httproute being created: +```bash +gatewayclass.gateway.networking.k8s.io/ums-alb-gateway-class created +loadbalancerconfiguration.gateway.k8s.aws/ums-alb-config created +targetgroupconfiguration.gateway.k8s.aws/ibm-usage-metering-tgc created +gateway.gateway.networking.k8s.io/ums-gateway created +httproute.gateway.networking.k8s.io/usage-metering-route created +``` + +Wait a couple of minutes for the gateway to be programmed. + +Run this command to see the status of Gateway instance: +```bash +kubectl get gateway +``` + +You will find the address and other details about the gateway pertaining to UMS `ums-gateway`. +```bash +NAME CLASS ADDRESS PROGRAMMED AGE +odm-gateway odm-alb-gateway-class k8s-default-odmgatew-abcdefgh-123456789..elb.amazonaws.com True 20m +ums-gateway ums-alb-gateway-class k8s-default-umsgatew-ijklmnop-987654321..elb.amazonaws.com True 1m +``` + +Wait for the Gateway to be programmed to `True` to access the UMS service to retrieve the report. + +###### 3.1.2.2.2. 
Retrieve metering usage data + +To get the Usage Metering report, run the command below: +```bash +export UMS_URL=$(kubectl get gateway ums-gateway -o jsonpath='{.status.addresses[*].value}') +export UMS_TOKEN=$(kubectl get secret ibm-usage-metering-upload-token -o jsonpath='{.data.token}' | base64 -d) +curl -k --output "swc_payload.tar.gz" \ + --header "Authorization: Bearer ${UMS_TOKEN}" \ + --url "https://${UMS_URL}/api/v1/swc" +``` + +The `swc_payload.tar.gz` contains the following files: +- manifest.json +- usage.json + +###### 3.1.2.2.3. Sending data to IBM Software Central + +Transfer the downloaded `swc_payload.tar.gz` file to a system with internet connectivity. + +Run the command to upload the file to IBM Software Central through its API: +```bash +curl -X POST "https://swc.saas.ibm.com/metering/api/v2/metrics" \ + -H "Authorization: Bearer " \ + -F "file=@swc_payload.tar.gz;type=application/gzip" +``` +> **Note** +> Replace the `` placeholder with IBM Entitlement Key. You can obtain it from [IBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary). + +For complete instructions, see [Uploading usage metrics to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-uploading-usage-software-central). + +#### 3.1.3. Additional resources + +For general information about collecting and sending usage metrics, see [Collecting and sending usage metrics](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-collecting-sending-usage-metrics). + +### 3.2. Install IBM License Service + +Follow the **Installation** section of the [Installation License Service without Operator Lifecycle Manager (OLM)](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=ilsfpcr-installing-license-service-without-operator-lifecycle-manager-olm) documentation, **except for the step 7** which must be replaced by the following: + +> 7. 
Update the License Service instance that was created during installation to accept the license. At the same time, the default gateway configuration must be deactivated. We will apply the configuration that is adapted for AWS Load Balancer controller. +> - Create the `accept-license.yaml` file with the following content: +> +>```yaml +>spec: +> gatewayEnabled: false +> license: +> accept: true +>``` +> +> - Patch the IBM Licensing instance +>```bash +>kubectl patch IBMLicensing instance --type merge --patch-file accept-license.yaml +>``` + +#### 3.2.1. Create the Gateway for the IBM License Service instance + +Edit the file [ils-gateway-api.yaml](./ils-gateway-api.yaml) and replace the `` placeholder with your account ID. This can be found at the `defaultCertificate` parameter of `LoadBalancerConfiguration`. Save the file. + +> **Note** +> You can replace the `defaultCertificate` value with the ARN of the digital certificate that you have created in [Manage a  digital certificate](README.md#4-manage-adigital-certificate-10-min) section. If you have an existing digital certificate in ACM, you can use it instead of creating a new one. + +Run this command to create the Gateway for the License Service instance: +```bash +kubectl apply -f ils-gateway-api.yaml +``` + +You should see the Gatewayclass, AWS Load Balancer configuration, Target Group configuration, Gateway and Httproute being created: +```bash +gatewayclass.gateway.networking.k8s.io/ils-alb-gateway-class created +loadbalancerconfiguration.gateway.k8s.aws/ils-alb-config created +targetgroupconfiguration.gateway.k8s.aws/ibm-licensing-service-tgc created +gateway.gateway.networking.k8s.io/ils-gateway created +httproute.gateway.networking.k8s.io/ibm-licensing-route created +``` + +Wait a couple of minutes for the changes to be applied. 
+ +Run the following command to see the status of Gateway instance: + +```bash +kubectl get gateway -n ibm-licensing +``` + +You will find the address and other details about `ibm-licensing-service-gateway`. +```bash +NAME CLASS ADDRESS PROGRAMMED AGE +ils-gateway ils-alb-gateway-class k8s-ibmlicen-ilsgatew-3xxxxxyyyyzzzzzz..elb.amazonaws.com True 3m30s +``` + +When the Gateway is programmed (set to `True`), you will be able to access the IBM License Service by retrieving the URL with this command: + +```bash +export TOKEN=$(kubectl get secret ibm-licensing-token -n ibm-licensing -o jsonpath='{.data.token}' |base64 -d) +export LICENSING_URL=$(kubectl get gateway ils-gateway -n ibm-licensing -o jsonpath='{.status.addresses[*].value}')/ibm-licensing-service-instance +echo https://${LICENSING_URL}/status?token=${TOKEN} +``` + +You can access the `https://${LICENSING_URL}/status?token=${TOKEN}` URL to view the licensing usage. + +Otherwise, you can also retrieve the licensing report .zip file by running: + +```bash +curl -k "https://${LICENSING_URL}/snapshot?token=${TOKEN}" --output report.zip +``` + +#### 3.2.2. Reporting License Usage to IBM Software Central + +IBM License Service can optionally send collected license usage data directly to IBM Software Central. For more information about the configuration, see [Reporting license usage to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metering-reporting-license-usage-software-central). + +##### 3.2.2.1. Online mode + +For detailed steps on configuring online mode (automatic data transmission), including creating the IBM Entitlement Key secret, configuring the IBMLicensing Custom Resource, and verifying the setup, refer to the [online mode documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=central-online-mode-configuration). + + +##### 3.2.2.2. 
Offline mode (Air-gapped environments) + +For air-gapped environments where ILS cannot directly connect to IBM Software Central, download the usage data using the following commands: + +```bash +export TOKEN=$(kubectl get secret ibm-licensing-token -n ibm-licensing -o jsonpath='{.data.token}' |base64 -d) +export LICENSING_URL=$(kubectl get gateway ils-gateway -n ibm-licensing -o jsonpath='{.status.addresses[*].value}')/ibm-licensing-service-instance +curl --insecure --output "ils_swc_payload.tar.gz" \ + "https://${LICENSING_URL}/swc_aggregations?token=${TOKEN}" +``` + +Transfer the downloaded `ils_swc_payload.tar.gz` file to a system with internet connectivity. + +Run the command to upload the file to IBM Software Central: +```bash +curl -X POST "https://swc.saas.ibm.com/metering/api/v2/metrics" \ + -H "Authorization: Bearer " \ + -F "file=@ils_swc_payload.tar.gz;type=application/gzip" +``` +> **Note** +> Replace the `` placeholder with IBM Entitlement Key. You can obtain it from [IBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary). + +For complete instructions, see the [offline mode documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=central-offline-mode-air-gapped-environments). + +If your IBM License Service instance is not running properly, refer to this [troubleshooting page](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=service-troubleshooting-license). diff --git a/platform/eks/README.md b/platform/eks/README.md index 4ad98d2c..c8e4fbc5 100644 --- a/platform/eks/README.md +++ b/platform/eks/README.md 
@@ -7,6 +7,17 @@ This project demonstrates how to deploy an IBM® Operational Decision Manager (O The ODM on Kubernetes Docker images are available in the [IBM Cloud Container Registry](https://www.ibm.com/cloud/container-registry). The ODM Helm chart is available in the [IBM Helm charts repository](https://github.com/IBM/charts). +> [!IMPORTANT] +> **Deployment Options:** +> +> There are three ways to expose ODM services on EKS: +> +> 1. **AWS Application Load Balancer (ALB) Ingress (Default - Documented in this README):** Uses the [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller#aws-load-balancer-controller) with Kubernetes [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). This is the standard approach documented in the steps below. +> +> 2. **AWS Application Load Balancer (ALB) Gateway API (Recommended for Advanced Features):** Uses the AWS Load Balancer Controller with [Gateway resources](https://gateway-api.sigs.k8s.io/). This approach provides more advanced routing capabilities and better session affinity management. It is the future direction for Kubernetes networking. See the [Deploying IBM Operational Decision Manager with AWS Load Balancer Controller supporting Gateway API on Amazon EKS](README-GATEWAY-API.md) guide. +> +> 3. **NGINX Ingress Controller (Deprecated):** The [Deploying IBM Operational Decision Manager with NGINX Ingress Controller on Amazon EKS](README-NGINX.md) guide is deprecated and will be removed in the coming months. Please use AWS ALB Ingress or AWS ALB Gateway API instead. + ## Included components The project uses the following components: - [IBM Operational Decision Manager](https://www.ibm.com/docs/en/odm/9.6.0?topic=operational-decision-manager-certified-kubernetes-960) 
@@ -32,7 +43,7 @@ Then, create an [AWS Account](https://aws.amazon.com/getting-started/). - [1. Prepare your environment (20 min)](#1-prepare-your-environment-20-min) - [2. Create an RDS database (10 min)](#2-create-an-rds-database-10-min) - [3. Prepare your environment for the ODM installation (5 min)](#3-prepare-your-environment-for-the-odm-installation-5-min) -- [4. Manage a  digital certificate (10 min)](#4-manage-a-digital-certificate-10-min) +- [4. Manage a digital certificate (10 min)](#4-manage-adigital-certificate-10-min) - [5. Install an IBM Operational Decision Manager release (10 min)](#5-install-an-ibm-operational-decision-manager-release-10-min) - [6. Access the ODM services](#6-access-the-odm-services) - [7. Track ODM usage](#7-track-odm-usage) 
@@ -62,7 +73,10 @@ eksctl create cluster --version 1.34 --nodes 3 --alb-ingress-acce > The tutorial has been tested with the Kubernetes version 1.34. Check the supported kubernetes version in the [Detailed System Requirements](https://www.ibm.com/software/reports/compatibility/clarity/product.html?id=C88B83D2853E4A628442E38C1194FF8F) page. > **Warning** -> If you prefer to use the NGINX Ingress Controller instead of the ALB Load Balancer to expose ODM services, don't use the --alb-ingress-access option during the creation of the cluster. +> If you prefer to use the **Deprecated** NGINX Ingress Controller instead of the AWS Load Balancer to expose ODM services, don't use the --alb-ingress-access option during the creation of the cluster. + +> **New** +> Instead of the NGINX Ingress Controller, it is possible to use the AWS Load Balancer with Gateway API instead. Refer to the new [Deploying IBM Operational Decision Manager with AWS Load Balancer Controller supporting Gateway API on Amazon EKS](README-GATEWAY-API.md) tutorial. To see the options that you can specify when creating a cluster with `eksctl`, use the `eksctl create cluster --help` command. For more information, refer to [Creating an Amazon EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html). 
@@ -94,7 +108,7 @@ helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ For more information, refer to [Installing the AWS Load Balancer Controller add-on](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html). > **Note** -> If you prefer to use the NGINX Ingress Controller instead of the AWS Load Balancer Controller, refer to [Deploying IBM Operational Decision Manager with NGINX Ingress Controller on Amazon EKS](README-NGINX.md) +> This tutorial illustrates accessing the services using Ingress. Since AWS Load Balancer now supports Gateway API, if you prefer to use Gateway API instead of Ingress, see the [Deploying IBM Operational Decision Manager with AWS Load Balancer Controller supporting Gateway API on Amazon EKS](README-GATEWAY-API.md) tutorial for more information. ### 2. Create an RDS database (10 min) @@ -113,7 +127,7 @@ For more information, refer to [Creating an Amazon RDS DB instance](https://docs #### b. Get the database endpoint (10 min) -Wait a few minutes for the RDS PostgreSQL database to be created and take note of the its public endpoint. It will be referred to as `RDS_DB_ENDPOINT` in the next sections. +Wait a few minutes for the RDS PostgreSQL database to be created and take note of its public endpoint. It will be referred to as `RDS_DB_ENDPOINT` in the next sections. Use the following command to get the RDS instance's endpoint: @@ -122,7 +136,7 @@ aws rds describe-db-instances | jq -r ".DBInstances[].Endpoint.Address" ``` > **Note** -> If `jq` is not installed, remove the second part above and look for the endpoint address; it looks like `.xxxxxxxx..rds.amazonaws.com`.) +> If `jq` is not installed, remove the second part above and look for the endpoint address; it looks like `.xxxxxxxx..rds.amazonaws.com`. #### c. Create the database secret 
@@ -143,7 +157,7 @@ kubectl create secret generic odm-db-secret \ To get access to the ODM material, you must have an IBM entitlement key to pull the images from the IBM Cloud Container registry. This is what will be used in the next step of this tutorial. -You can also download the ODM CASE package from IBM Cloud Container Registry, and then push the contained images to the EKS Container Registry (ECR). If you prefer to manage the ODM images this way, see the details [here](README-ECR.md) +You can also download the ODM CASE package from IBM Cloud Container Registry, and then push the contained images to the EKS Container Registry (ECR). If you prefer to manage the ODM images this way, see the details [here](README-ECR.md). #### a. Retrieve your entitled registry key @@ -181,11 +195,11 @@ NAME CHART VERSION APP VERSION DESCRIPTION ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager ``` -### 4. Manage a  digital certificate (10 min) +### 4. Manage a digital certificate (10 min) -#### a. (Optional) Generate a self-signed certificate +#### a. Generate a self-signed certificate -If you do not have a trusted certificate, you can use OpenSSL and other cryptography and certificate management libraries to generate a `.crt` certificate file and a private key, to define the domain name, and to set the expiration date. +If you have a trusted certificate, you can use it to access the ODM container. Otherwise you can use OpenSSL and other cryptography and certificate management libraries to generate a `.crt` certificate file and a private key, to define the domain name, and to set the expiration date. The following command creates a self-signed certificate (`.crt` file) and a private key (`.key` file) that accept the domain name `.mycompany.com`. The expiration is set to 1000 days: ```bash 
@@ -301,67 +315,127 @@ The ODM services are accessible from the following URLs: IBM Usage Metering Service gathers metrics to monitor compliance and create reports. It captures business value metrics for auditing purposes and to visualize metric usage in reporting tools, and sends the information to IBM Software Central. For more details, see [Collecting and sending usage metrics](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-collecting-sending-usage-metrics) -From ODM 9.6.0 onwards, it is required to install this metering service in the same namespace as ODM. ODM will systematically reports usage metrics to the metering service through a CronJob. If the service is not installed, the job fails when it runs. For more information about the installation and configuration of UMS, see [Installing the usage metering service](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-installing-metering). +From ODM 9.6.0 onwards, it is required to install this metering service in the same namespace as ODM. ODM will systematically report usage metrics to the metering service through a CronJob. If the service is not installed, the job fails when it runs. For more information about the installation and configuration of UMS, see [Installing the usage metering service](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-installing-metering). + +#### 7.1.1. Troubleshooting + +If the CronJob fails, check the pod logs: +```bash +kubectl logs -n -l job-name= +``` + +#### 7.1.2. Data transmission options + +After installing the IBM Usage Metering service, choose one of the following modes to transmit the usage metering data based on your environment: + +1. **Online mode** (Recommended): Automatic data transmission to IBM Software Central +2. **Offline mode** (Air-gapped): Manual data download and upload process -#### 7.1.1 Expose IBM Usage Metering service using an ingress. +##### 7.1.2.1. 
Online mode (Recommended) -- Edit the [alb-ums-ingress.yaml](./alb-ums-ingress.yaml) file - - Update `` with the namespace that you installed UMS - - Update `` with your AWS Account Id. The certificate is the one that was created in Step 4a. +In online mode, the Usage Metering Service automatically sends usage data to IBM Software Central on a scheduled basis every 24 hours. This is the recommended configuration for environments with internet connectivity. -- Save the file +*Configuration requirements*: +- IBM Entitlement Key (required for authentication) +- Network connectivity to IBM Software Central (`swc.saas.ibm.com`) -- Run the command to create UMS's Ingress +For complete step-by-step instructions on configuring online mode, see [Automatic data transmission to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-automatic-data-transmission). + +##### 7.1.2.2. Offline mode (Air-gapped environments) + +For offline/air-gapped environments where the Usage Metering Service cannot connect directly to IBM Software Central, you need to manually download and upload usage data. + +###### 7.1.2.2.1. Expose the IBM Usage Metering service using an ingress + +Edit the [ums-alb-ingress.yaml](./ums-alb-ingress.yaml) file. + - Update `` with your AWS Account Id. The certificate is the one that was created in Step 4a. + - Save the file. + +Run the command to create UMS's Ingress: ```bash -kubectl apply -f alb-ums-ingress.yaml +kubectl apply -f ums-alb-ingress.yaml ``` -- Run the following command to see the status of Ingress instance: +Run the following command to see the status of Ingress instance: ```bash kubectl get ingress ``` -You should be able to see the address and other details about `usage-metering-svc-ingress` instance. 
+You should be able to see the address and other details about `usage-metering-svc-ingress` instance: ```bash NAME CLASS HOSTS ADDRESS PORTS AGE mycompany-odm-ingress alb * abcdefghijklmnopqrstuvqxyz.elb..amazonaws.com 80 30m usage-metering-svc-ingress alb * xxxxxxxyyyyyyzzzzzz.elb..amazonaws.com 80 1m ``` -- Note down the address of the `usage-metering-svc-ingress` instance. It will be used to retrieve the metering usage report in the next step. -#### Retrieve metering usage +###### 7.1.2.2.2. Retrieve metering usage To get the Usage Metering report, run the command below: ```bash -UMS_TOKEN=$(kubectl get secret ibm-usage-metering-upload-token -n "${NAMESPACE}" -o jsonpath='{.data.token}' 2>/dev/null | base64 -d || echo "") +export UMS_TOKEN=$(kubectl get secret ibm-usage-metering-upload-token -n "${NAMESPACE}" -o jsonpath='{.data.token}' 2>/dev/null | base64 -d || echo "") +export UMS_URL=$(kubectl get ingress usage-metering-svc-ingress --no-headers |awk '{print $4}') +curl -k --output "swc_payload.tar.gz" \ + --header "Authorization: Bearer ${UMS_TOKEN}" \ + --url "https://${UMS_URL}/api/v1/swc" +``` + +The `swc_payload.tar.gz` contains the following files: +- manifest.json +- usage.json + +###### 7.1.2.2.3. Sending data to IBM Software Central -curl -k --output report.zip \ - --header "Authorization: Bearer ${UMS_TOKEN}" \ - --url "https://xxxxxxxyyyyyyzzzzzz.elb..amazonaws.com/api/v1/snapshot" +Transfer the downloaded `swc_payload.tar.gz` file to a system with internet connectivity. + +Run the command to upload the file to IBM Software Central through its API: +```bash +curl -X POST "https://swc.saas.ibm.com/metering/api/v2/metrics" \ + -H "Authorization: Bearer " \ + -F "file=@swc_payload.tar.gz;type=application/gzip" ``` +> **Note** +> Replace the `` placeholder with IBM Entitlement Key. You can obtain it from [IBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary). 
+ +For complete instructions, see [Uploading usage metrics to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-uploading-usage-software-central). + +#### 7.1.3. Additional resources + +For general information about collecting and sending usage metrics, see [Collecting and sending usage metrics](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-collecting-sending-usage-metrics). + #### 7.2. Install the IBM License Service -Follow the **Installation** section of the [Installation License Service without Operator Lifecycle Manager (OLM)](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.14.0?topic=ilsfpcr-installing-license-service-without-operator-lifecycle-manager-olm) documentation, **except for the step 3** which should be replaced by: +Follow the **Installation** section of the [Installation License Service without Operator Lifecycle Manager (OLM)](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=ilsfpcr-installing-license-service-without-operator-lifecycle-manager-olm) documentation, **except for the step 7** which must be replaced by the following: -> 3. Use `git clone`. +> 7. Update the License Service instance that was created during installation to accept the license. At the same time, the default gateway configuration must be deactivated. We will create an Ingress that is adapted for AWS Load Balancer controller. +> - Create the `accept-license.yaml` file with the following content: > >```bash ->export operator_release_version=4.2.20 ->git clone -b ${operator_release_version} https://github.com/IBM/ibm-licensing-operator.git ->cd ibm-licensing-operator/ +>spec: +> gatewayEnabled: false +> license: +> accept: true >``` +> +> - Patch the IBM Licensing instance +>```bash +>kubectl patch IBMLicensing instance --type merge --patch-file accept-license.yaml +>``` + +##### 7.2.1. Expose the IBM Licensing service using an ingress -###### 7.2.1. 
Patch the IBM Licensing instance +Edit the [ils-alb-ingress.yaml](./ils-alb-ingress.yaml) file. + - Update `` with your AWS Account Id. The certificate is the one that was created in Step 4a. + - Save the file. -Get the [licensing-instance.yaml](./licensing-instance.yaml) file and run the command: +Run the following command to create the ingress: ```bash -kubectl patch IBMLicensing instance --type merge --patch-file licensing-instance.yaml -n ibm-licensing +kubectl apply -f ils-alb-ingress.yaml -n ibm-licensing ``` Wait a couple of minutes for the changes to be applied. 
@@ -372,15 +446,14 @@ Run the following command to see the status of Ingress instance: kubectl get ingress -n ibm-licensing ``` -You should be able to see the address and other details about `ibm-licensing-service-instance`. +You should be able to see the address and other details about `ibm-licensing-svc-ingress`. ``` NAME CLASS HOSTS ADDRESS PORTS AGE -ibm-licensing-service-instance alb * k8s-ibmlicen-ibmlicen-xxxxxxxx-yyyyyyy..elb.amazonaws.com 80 44m +ibm-licensing-svc-ingress alb * k8s-ibmlicen-ibmlicen-xxxxxxxx-yyyyyyy..elb.amazonaws.com 80 44m ``` -You can find more information and use cases on [this page](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.14.0?topic=configuring-kubernetes-ingress). > **Note** -> If you choose to use the NGINX Ingress Controller, you must use the [licensing-instance-nginx.yaml](./licensing-instance-nginx.yaml) file. Refer to [Install IBM License Service](README-NGINX.md#install-ibm-license-service) for NGINX. +> If you choose to use the AWS Load Balancer with Gateway API, refer to [Deploying IBM Operational Decision Manager with AWS Load Balancer Controller supporting Gateway API on Amazon EKS](README-GATEWAY-API.md) tutorial. > **NGINX Ingress Controller (Deprecated):** The [NGINX Ingress Controller deployment guide](README-NGINX.md) is deprecated and will be removed in the coming months. For more information, see [Ingress NGINX Retirement: What You Need to Know](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/). 
@@ -389,24 +462,50 @@ You can find more information and use cases on [this page](https://www.ibm.com/d The ALB address should be reflected in the Ingress configuration. You will be able to access the IBM License Service by retrieving the URL with this command: ```bash -export LICENSING_URL=$(kubectl get ingress ibm-licensing-service-instance -n ibm-licensing -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') +export LICENSING_URL=$(kubectl get ingress ibm-licensing-svc-ingress -n ibm-licensing -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') export TOKEN=$(kubectl get secret ibm-licensing-token -n ibm-licensing -o jsonpath='{.data.token}' |base64 -d) -echo http://${LICENSING_URL}/status?token=${TOKEN} +echo https://${LICENSING_URL}/status?token=${TOKEN} ``` -> **Note** -> If `LICENSING_URL` is empty, take a look at the [troubleshooting](#troubleshooting) section. - -You can access the `http://${LICENSING_URL}/status?token=${TOKEN}` URL to view the licensing usage or retrieve the licensing report .zip file by running: +You can access the `https://${LICENSING_URL}/status?token=${TOKEN}` URL to view the licensing usage or retrieve the licensing report .zip file by running: ```bash -curl "http://${LICENSING_URL}/snapshot?token=${TOKEN}" --output report.zip +curl -k "https://${LICENSING_URL}/snapshot?token=${TOKEN}" --output report.zip ``` -#### 7.2.3. Reporting license usage to IBM Software Central +##### 7.2.3. Reporting license usage to IBM Software Central IBM License Service can optionally send collected license usage data directly to IBM Software Central. For more information about the configuration, see [Reporting license usage to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metering-reporting-license-usage-software-central). +##### 7.2.3.1. 
Online mode + +For detailed steps on configuring online mode (automatic data transmission), including creating the IBM Entitlement Key secret, configuring the IBMLicensing Custom Resource, and verifying the setup, refer to the [online mode documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=central-online-mode-configuration). + + +##### 7.2.3.2. Offline mode (Air-gapped environments) + +For air-gapped environments where ILS cannot directly connect to IBM Software Central, download the usage data using these commands below: + +```bash +export TOKEN=$(kubectl get secret ibm-licensing-token -n ibm-licensing -o jsonpath='{.data.token}' |base64 -d) +export LICENSING_URL=$(kubectl get ingress ibm-licensing-svc-ingress -n ibm-licensing -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') +curl --insecure --output "ils_swc_payload.tar.gz" \ + "https://${LICENSING_URL}/swc_aggregations?token=${TOKEN}" +``` + +Transfer the downloaded `ils_swc_payload.tar.gz` file to a system with internet connectivity. + +Run the command to upload the file to IBM Software Central: +```bash +curl -X POST "https://swc.saas.ibm.com/metering/api/v2/metrics" \ + -H "Authorization: Bearer " \ + -F "file=@ils_swc_payload.tar.gz;type=application/gzip" +``` +> **Note** +> Replace the `` placeholder with IBM Entitlement Key. You can obtain it from [IBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary). + +For complete instructions, see the [offline mode documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=central-offline-mode-air-gapped-environments). + ## Troubleshooting 
@@ -424,8 +523,6 @@ IBM License Service can optionally send collected license usage data directly to Check the ALB configuration if you get a message like: `"msg"="Reconciler error" "error"="failed to reconcile ...` - For more information, refer to [Using a Network Load Balancer with the NGINX Ingress Controller on Amazon EKS](https://aws.amazon.com/blogs/opensource/network-load-balancer-nginx-ingress-controller-eks/). - ## Getting Started with IBM Operational Decision Manager for Containers Get hands-on experience with IBM Operational Decision Manager in a container environment by following this [Getting started tutorial](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/README.md). diff --git a/platform/eks/eks-gateway-values.yaml b/platform/eks/eks-gateway-values.yaml new file mode 100644 index 00000000..51cc2c5d --- /dev/null +++ b/platform/eks/eks-gateway-values.yaml @@ -0,0 +1,13 @@ +license: true +usersPassword: "odmAdmin" + +image: + repository: cp.icr.io/cp/cp4a/odm + pullSecrets: + - ibm-entitlement-key + +internalDatabase: + populateSampleData: true + persistence: + enabled: false + useDynamicProvisioning: true diff --git a/platform/eks/eks-rds-gateway-values.yaml b/platform/eks/eks-rds-gateway-values.yaml new file mode 100644 index 00000000..64812711 --- /dev/null +++ b/platform/eks/eks-rds-gateway-values.yaml @@ -0,0 +1,14 @@ +license: true +usersPassword: "odmAdmin" + +image: + repository: cp.icr.io/cp/cp4a/odm + pullSecrets: + - ibm-entitlement-key + +externalDatabase: + type: postgres + secretCredentials: odm-db-secret + port: 5432 + serverName: + databaseName: diff --git a/platform/eks/ils-alb-ingress.yaml b/platform/eks/ils-alb-ingress.yaml new file mode 100644 index 00000000..4d939eb7 --- /dev/null +++ b/platform/eks/ils-alb-ingress.yaml 
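Review bot: The new `platform/eks/eks-gateway-values.yaml` commits a fixed administrator password on its second line, `usersPassword: "odmAdmin"`, and the `.secrets.baseline` update in this commit whitelists that hash instead of removing the value; since the accompanying Gateway manifests publish the ODM services on an internet-facing ALB, anyone who follows the tutorial as written ends up with a well-known credential reachable from the internet. Consider shipping an obviously-placeholder value such as `usersPassword: "<CHOOSE_A_STRONG_PASSWORD>"` and stating in the README that it must be replaced before `helm install`. The identical line appears in `platform/eks/eks-rds-gateway-values.yaml` in this commit.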
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ibm-licensing-svc-ingress + annotations: + alb.ingress.kubernetes.io/backend-protocol: HTTPS + alb.ingress.kubernetes.io/certificate-arn: arn:aws:iam:::server-certificate/mycompany + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/target-type: ip +spec: + ingressClassName: alb + rules: + - http: + paths: + - path: /* + pathType: ImplementationSpecific + backend: + service: + name: ibm-licensing-service-instance + port: + number: 8080 + diff --git a/platform/eks/ils-gateway-api.yaml b/platform/eks/ils-gateway-api.yaml new file mode 100644 index 00000000..547a14cb --- /dev/null +++ b/platform/eks/ils-gateway-api.yaml 
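Review bot: `alb.ingress.kubernetes.io/scheme: internet-facing` on the new `ibm-licensing-svc-ingress` publishes the License Service API to the whole internet, while the README hunks above show its only access control is a bearer token carried as a URL query parameter (`/status?token=…`), which lands in ALB access logs and browser history. Unless external reachability is a requirement, change the scheme to `internal`, or at least bound the listener with `alb.ingress.kubernetes.io/inbound-cidrs: <ALLOWED_CIDR_LIST>`; the same `internet-facing` setting is used in `ils-gateway-api.yaml`, `odm-gateway-api.yaml`, `ums-alb-ingress.yaml` and `ums-gateway-api.yaml` in this commit. The file also ends with a line holding a single space, which yamllint reports as trailing whitespace.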
@@ -0,0 +1,86 @@ +--- +# GatewayClass - Defines the controller for the Gateway +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: ils-alb-gateway-class +spec: + controllerName: gateway.k8s.aws/alb +--- +# LoadBalancerConfiguration - AWS-specific configuration for the ILS ALB +apiVersion: gateway.k8s.aws/v1beta1 +kind: LoadBalancerConfiguration +metadata: + name: ils-alb-config +spec: + scheme: internet-facing + listenerConfigurations: + - protocolPort: HTTPS:443 + #Provide the ARN of the certificate created in ACM/IAM + defaultCertificate: arn:aws:iam:::server-certificate/mycompany +--- +# TargetGroupConfiguration for IBM Licensing Service +apiVersion: gateway.k8s.aws/v1beta1 +kind: TargetGroupConfiguration +metadata: + name: ibm-licensing-service-tgc +spec: + targetReference: + kind: Service + name: ibm-licensing-service-instance + defaultConfiguration: + targetType: ip + protocol: HTTPS + protocolVersion: HTTP1 + healthCheckConfig: + healthCheckProtocol: HTTPS + healthCheckPath: / + healthCheckInterval: 30 + healthCheckTimeout: 5 + healthyThresholdCount: 2 + unhealthyThresholdCount: 2 +--- +# Gateway - Creates a dedicated AWS Application Load Balancer for IBM Licensing Service +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: ils-gateway +spec: + gatewayClassName: ils-alb-gateway-class + infrastructure: + parametersRef: + kind: LoadBalancerConfiguration + name: ils-alb-config + group: gateway.k8s.aws + listeners: + - name: https + protocol: HTTPS + port: 443 + allowedRoutes: + namespaces: + from: Same +--- +# HTTPRoute for IBM Licensing Service +# Based on IBM documentation: path /ibm-licensing-service-instance with URL rewrite to / +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: ibm-licensing-route +spec: + parentRefs: + - name: ils-gateway + sectionName: https + rules: + - matches: + - path: + type: PathPrefix + value: /ibm-licensing-service-instance + filters: + - type: 
URLRewrite + urlRewrite: + path: + type: ReplacePrefixMatch + replacePrefixMatch: / + backendRefs: + - name: ibm-licensing-service-instance + port: 8080 diff --git a/platform/eks/odm-gateway-api.yaml b/platform/eks/odm-gateway-api.yaml new file mode 100644 index 00000000..4efab22b --- /dev/null +++ b/platform/eks/odm-gateway-api.yaml 
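Review bot: The `#Provide the ARN of the certificate created in ACM/IAM` comment under `listenerConfigurations` has no space after `#`, which yamllint's `comments` rule rejects and which makes the comment read like part of the list item; write it `# Provide the ARN of the certificate created in ACM/IAM`. The same comment is repeated verbatim in `odm-gateway-api.yaml` and `ums-gateway-api.yaml`. Separately, this file, `odm-gateway-api.yaml` and `ums-gateway-api.yaml` each create their own cluster-scoped `GatewayClass` with the identical `controllerName: gateway.k8s.aws/alb`; a single shared class would be easier to reason about and clean up, though per-service classes are not incorrect.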
@@ -0,0 +1,178 @@ +--- +# GatewayClass - Defines the controller that will manage Gateways +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: odm-alb-gateway-class +spec: + controllerName: gateway.k8s.aws/alb +--- +# LoadBalancerConfiguration - AWS-specific configuration for the ALB +apiVersion: gateway.k8s.aws/v1beta1 +kind: LoadBalancerConfiguration +metadata: + name: odm-alb-config +spec: + scheme: internet-facing + listenerConfigurations: + - protocolPort: HTTPS:443 + #Provide the ARN of the certificate created in ACM/IAM + defaultCertificate: arn:aws:iam:::server-certificate/mycompany +--- +# TargetGroupConfiguration for Decision Server Console +apiVersion: gateway.k8s.aws/v1beta1 +kind: TargetGroupConfiguration +metadata: + name: odm-decisionserverconsole-tgc +spec: + targetReference: + kind: Service + name: mycompany-odm-decisionserverconsole + defaultConfiguration: + protocol: HTTPS + protocolVersion: HTTP1 + healthCheckConfig: + healthCheckProtocol: HTTPS + healthCheckPath: /res + healthCheckInterval: 30 + healthCheckTimeout: 5 + healthyThresholdCount: 2 + unhealthyThresholdCount: 2 +--- +# TargetGroupConfiguration for Decision Center +apiVersion: gateway.k8s.aws/v1beta1 +kind: TargetGroupConfiguration +metadata: + name: odm-decisioncenter-tgc +spec: + targetReference: + kind: Service + name: mycompany-odm-decisioncenter + defaultConfiguration: + protocol: HTTPS + protocolVersion: HTTP1 + healthCheckConfig: + healthCheckProtocol: HTTPS + healthCheckPath: /decisioncenter + healthCheckInterval: 30 + healthCheckTimeout: 5 + healthyThresholdCount: 2 + unhealthyThresholdCount: 2 + targetGroupAttributes: + - key: stickiness.enabled + value: "true" + - key: stickiness.type + value: lb_cookie + - key: stickiness.lb_cookie.duration_seconds + value: "86400" +--- +# TargetGroupConfiguration for Decision Server Runtime +apiVersion: gateway.k8s.aws/v1beta1 +kind: TargetGroupConfiguration +metadata: + name: odm-decisionserverruntime-tgc 
+spec: + targetReference: + kind: Service + name: mycompany-odm-decisionserverruntime + defaultConfiguration: + protocol: HTTPS + protocolVersion: HTTP1 + healthCheckConfig: + healthCheckProtocol: HTTPS + healthCheckPath: /DecisionService + healthCheckInterval: 30 + healthCheckTimeout: 5 + healthyThresholdCount: 2 + unhealthyThresholdCount: 2 +--- +# TargetGroupConfiguration for Decision Runner +apiVersion: gateway.k8s.aws/v1beta1 +kind: TargetGroupConfiguration +metadata: + name: odm-decisionrunner-tgc +spec: + targetReference: + kind: Service + name: mycompany-odm-decisionrunner + defaultConfiguration: + protocol: HTTPS + protocolVersion: HTTP1 + healthCheckConfig: + healthCheckProtocol: HTTPS + healthCheckPath: /DecisionRunner + healthCheckInterval: 30 + healthCheckTimeout: 5 + healthyThresholdCount: 2 + unhealthyThresholdCount: 2 +--- +# Gateway - Creates the AWS Application Load Balancer +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: odm-gateway +spec: + gatewayClassName: odm-alb-gateway-class + infrastructure: + parametersRef: + kind: LoadBalancerConfiguration + name: odm-alb-config + group: gateway.k8s.aws + listeners: + - name: https + protocol: HTTPS + port: 443 + allowedRoutes: + namespaces: + from: Same +--- +# HTTPRoute - Routes traffic to all ODM services +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: odm-services-route +spec: + parentRefs: + - name: odm-gateway + sectionName: https + rules: + # Decision Server Console + - matches: + - path: + type: PathPrefix + value: /res + backendRefs: + - name: mycompany-odm-decisionserverconsole + port: 443 + # Decision Center + - matches: + - path: + type: PathPrefix + value: /decisioncenter + backendRefs: + - name: mycompany-odm-decisioncenter + port: 443 + # Decision Center API + - matches: + - path: + type: PathPrefix + value: /decisioncenter-api + backendRefs: + - name: mycompany-odm-decisioncenter + port: 443 + # Decision Server Runtime + - matches: 
+ - path: + type: PathPrefix + value: /DecisionService + backendRefs: + - name: mycompany-odm-decisionserverruntime + port: 443 + # Decision Runner + - matches: + - path: + type: PathPrefix + value: /DecisionRunner + backendRefs: + - name: mycompany-odm-decisionrunner + port: 443 diff --git a/platform/eks/alb-ums-ingress.yaml b/platform/eks/ums-alb-ingress.yaml similarity index 90% rename from platform/eks/alb-ums-ingress.yaml rename to platform/eks/ums-alb-ingress.yaml index 6490a074..84881eca 100644 --- a/platform/eks/alb-ums-ingress.yaml +++ b/platform/eks/ums-alb-ingress.yaml @@ -2,10 +2,9 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: usage-metering-svc-ingress - namespace: annotations: alb.ingress.kubernetes.io/backend-protocol: HTTPS - alb.ingress.kubernetes.io/certificate-arn: arn:aws:iam:::server-certificate/mycompany + alb.ingress.kubernetes.io/certificate-arn: arn:aws:iam:::server-certificate/mycompany alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/target-type: ip diff --git a/platform/eks/ums-gateway-api.yaml b/platform/eks/ums-gateway-api.yaml new file mode 100644 index 00000000..e0b8ab8c --- /dev/null +++ b/platform/eks/ums-gateway-api.yaml 
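Review bot: The four `TargetGroupConfiguration` objects in this file (`odm-decisionserverconsole-tgc`, `odm-decisioncenter-tgc`, `odm-decisionserverruntime-tgc`, `odm-decisionrunner-tgc`) omit `targetType: ip` from `defaultConfiguration`, whereas the sibling `ils-gateway-api.yaml` and `ums-gateway-api.yaml` set it, and the UMS file even comments that IP targets are needed for a ClusterIP service. If the `mycompany-odm-*` services are ClusterIP, which the `target-type: ip` annotation on the existing ALB Ingress variant suggests, the controller will fall back to instance targets and the ALB will not be able to reach the pods; add `targetType: ip` to each `defaultConfiguration` to match the other two files.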
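Review bot: Dropping the `namespace:` line from `usage-metering-svc-ingress` means the Ingress now lands in whatever namespace the caller's kubeconfig context selects, and the README hunk above applies it with a bare `kubectl apply -f ums-alb-ingress.yaml` while fetching the UMS token with `-n "${NAMESPACE}"`; if the current context differs from the UMS namespace, the Ingress is created but points at a service that does not exist there. Pass the namespace explicitly in the README, `kubectl apply -f ums-alb-ingress.yaml -n "${NAMESPACE}"`, mirroring the `-n ibm-licensing` used for the ILS Ingress. The enclosing Ingress spec continues outside the hunk.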
@@ -0,0 +1,82 @@ +--- +# GatewayClass - Defines the controller that will manage UMS Gateway +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: ums-alb-gateway-class +spec: + controllerName: gateway.k8s.aws/alb +--- +# LoadBalancerConfiguration - AWS-specific configuration for the UMS ALB +apiVersion: gateway.k8s.aws/v1beta1 +kind: LoadBalancerConfiguration +metadata: + name: ums-alb-config +spec: + scheme: internet-facing + listenerConfigurations: + - protocolPort: HTTPS:443 + #Provide the ARN of the certificate created in ACM/IAM + defaultCertificate: arn:aws:iam:::server-certificate/mycompany +--- +# TargetGroupConfiguration for IBM Usage Metering Service +apiVersion: gateway.k8s.aws/v1beta1 +kind: TargetGroupConfiguration +metadata: + name: ibm-usage-metering-tgc +spec: + targetReference: + kind: Service + name: ibm-usage-metering-instance + defaultConfiguration: + # Using IP target type to support ClusterIP service + targetType: ip + protocol: HTTPS + protocolVersion: HTTP1 + healthCheckConfig: + healthCheckProtocol: HTTPS + healthCheckPath: /ready + healthCheckInterval: 30 + healthCheckTimeout: 5 + healthyThresholdCount: 2 + unhealthyThresholdCount: 2 +--- +# Gateway - Creates a dedicated AWS Application Load Balancer for UMS +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: ums-gateway +spec: + gatewayClassName: ums-alb-gateway-class + infrastructure: + parametersRef: + kind: LoadBalancerConfiguration + name: ums-alb-config + group: gateway.k8s.aws + listeners: + - name: https + protocol: HTTPS + port: 443 + allowedRoutes: + namespaces: + from: Same +--- +# HTTPRoute for IBM Usage Metering Service +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: usage-metering-route +spec: + parentRefs: + - name: ums-gateway + sectionName: https + rules: + # Match all paths and pass through to backend + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: 
ibm-usage-metering-instance + port: 8080 +