Added ALB Gateway api tutorial for EKS

.pre-commit-config.yaml

@@ -10,7 +10,7 @@ repos:
     # You are encouraged to use static refs such as tags, instead of branch name
     #
     # Running "pre-commit autoupdate" automatically updates rev to latest tag
-    rev: 0.13.1+ibm.62.dss
+    rev: 0.13.1+ibm.64.dss
     hooks:
       - id: detect-secrets # pragma: whitelist secret
         # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-05-04T13:40:10Z",
+  "generated_at": "2026-05-12T08:54:38Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -1336,15 +1336,25 @@
         "hashed_secret": "8b712744eee080d5fe6048e4f589235d00435559",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 134,
+        "line_number": 148,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "b11974a9da0d56698df935ab86e19b127804d6d4",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 158,
+        "line_number": 172,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "platform/eks/eks-gateway-values.yaml": [
+      {
+        "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 2,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -1359,6 +1369,24 @@
         "verified_result": null
       }
     ],
+    "platform/eks/eks-rds-gateway-values.yaml": [
+      {
+        "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 2,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "aef505a4c9ac97451f163d4b5d27cc7e3c437dc3",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 11,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
     "platform/eks/eks-rds-nginx-values.yaml": [
       {
         "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9",

platform/eks/README-ECR.md

@@ -191,4 +191,4 @@ The related instructions in the online documentation are:
   ```
 
   > **Note:**
-  > By using `eks-values.yaml`, ODM with a PostgreSQL internal database will be installed. It requires an ALB ingress controller and a server certificate. For more information, see [Provision an AWS Load Balancer Controller](README.md#d-provision-an-aws-load-balancer-controller) and [Manage a digital certificate](README.md#4-manage-a-digital-certificate-10-min).
+  > By using `eks-values.yaml`, ODM with a PostgreSQL internal database will be installed. It requires an ALB ingress controller and a server certificate. For more information, see [Provision an AWS Load Balancer Controller](README.md#d-provision-an-aws-load-balancer-controller) and [Manage a digital certificate](README.md#4-manage-adigital-certificate-10-min).

platform/eks/eks-gateway-values.yaml

@@ -0,0 +1,13 @@
+license: true
+usersPassword: "odmAdmin"
+
+image:
+  repository: cp.icr.io/cp/cp4a/odm
+  pullSecrets:
+  - ibm-entitlement-key
+
+internalDatabase:
+  populateSampleData: true
+  persistence:
+    enabled: false
+    useDynamicProvisioning: true

platform/eks/eks-rds-gateway-values.yaml

@@ -0,0 +1,14 @@
+license: true
+usersPassword: "odmAdmin"
+
+image:
+  repository: cp.icr.io/cp/cp4a/odm
+  pullSecrets:
+  - ibm-entitlement-key
+
+externalDatabase:
+  type: postgres
+  secretCredentials: odm-db-secret
+  port: 5432
+  serverName: <RDS_DB_ENDPOINT>
+  databaseName: <RDS_DATABASE_NAME>

platform/eks/ils-alb-ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ibm-licensing-svc-ingress
+  annotations:
+    alb.ingress.kubernetes.io/backend-protocol: HTTPS
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:iam::<AWS-AccountId>:server-certificate/mycompany
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+spec:
+  ingressClassName: alb
+  rules:
+  - http:
+      paths:
+      - path: /*
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: ibm-licensing-service-instance
+            port:
+              number: 8080
+

platform/eks/ils-gateway-api.yaml

@@ -0,0 +1,86 @@
+---
+# GatewayClass - Defines the controller for the Gateway
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: ils-alb-gateway-class
+spec:
+  controllerName: gateway.k8s.aws/alb
+---
+# LoadBalancerConfiguration - AWS-specific configuration for the ILS ALB
+apiVersion: gateway.k8s.aws/v1beta1
+kind: LoadBalancerConfiguration
+metadata:
+  name: ils-alb-config
+spec:
+  scheme: internet-facing
+  listenerConfigurations:
+    - protocolPort: HTTPS:443
+      #Provide the ARN of the certificate created in ACM/IAM
+      defaultCertificate: arn:aws:iam::<AWS-AccountId>:server-certificate/mycompany
+---
+# TargetGroupConfiguration for IBM Licensing Service
+apiVersion: gateway.k8s.aws/v1beta1
+kind: TargetGroupConfiguration
+metadata:
+  name: ibm-licensing-service-tgc
+spec:
+  targetReference:
+    kind: Service
+    name: ibm-licensing-service-instance
+  defaultConfiguration:
+    targetType: ip
+    protocol: HTTPS
+    protocolVersion: HTTP1
+    healthCheckConfig:
+      healthCheckProtocol: HTTPS
+      healthCheckPath: /
+      healthCheckInterval: 30
+      healthCheckTimeout: 5
+      healthyThresholdCount: 2
+      unhealthyThresholdCount: 2
+---
+# Gateway - Creates a dedicated AWS Application Load Balancer for IBM Licensing Service
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: ils-gateway
+spec:
+  gatewayClassName: ils-alb-gateway-class
+  infrastructure:
+    parametersRef:
+      kind: LoadBalancerConfiguration
+      name: ils-alb-config
+      group: gateway.k8s.aws
+  listeners:
+  - name: https
+    protocol: HTTPS
+    port: 443
+    allowedRoutes:
+      namespaces:
+        from: Same
+---
+# HTTPRoute for IBM Licensing Service
+# Based on IBM documentation: path /ibm-licensing-service-instance with URL rewrite to /
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: ibm-licensing-route
+spec:
+  parentRefs:
+  - name: ils-gateway
+    sectionName: https
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /ibm-licensing-service-instance
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /
+    backendRefs:
+    - name: ibm-licensing-service-instance
+      port: 8080

platform/eks/odm-gateway-api.yaml

@@ -0,0 +1,178 @@
+---
+# GatewayClass - Defines the controller that will manage Gateways
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: odm-alb-gateway-class
+spec:
+  controllerName: gateway.k8s.aws/alb
+---
+# LoadBalancerConfiguration - AWS-specific configuration for the ALB
+apiVersion: gateway.k8s.aws/v1beta1
+kind: LoadBalancerConfiguration
+metadata:
+  name: odm-alb-config
+spec:
+  scheme: internet-facing
+  listenerConfigurations:
+    - protocolPort: HTTPS:443
+      #Provide the ARN of the certificate created in ACM/IAM
+      defaultCertificate: arn:aws:iam::<AWS-AccountId>:server-certificate/mycompany
+---
+# TargetGroupConfiguration for Decision Server Console
+apiVersion: gateway.k8s.aws/v1beta1
+kind: TargetGroupConfiguration
+metadata:
+  name: odm-decisionserverconsole-tgc
+spec:
+  targetReference:
+    kind: Service
+    name: mycompany-odm-decisionserverconsole
+  defaultConfiguration:
+    protocol: HTTPS
+    protocolVersion: HTTP1
+    healthCheckConfig:
+      healthCheckProtocol: HTTPS
+      healthCheckPath: /res
+      healthCheckInterval: 30
+      healthCheckTimeout: 5
+      healthyThresholdCount: 2
+      unhealthyThresholdCount: 2
+---
+# TargetGroupConfiguration for Decision Center
+apiVersion: gateway.k8s.aws/v1beta1
+kind: TargetGroupConfiguration
+metadata:
+  name: odm-decisioncenter-tgc
+spec:
+  targetReference:
+    kind: Service
+    name: mycompany-odm-decisioncenter
+  defaultConfiguration:
+    protocol: HTTPS
+    protocolVersion: HTTP1
+    healthCheckConfig:
+      healthCheckProtocol: HTTPS
+      healthCheckPath: /decisioncenter
+      healthCheckInterval: 30
+      healthCheckTimeout: 5
+      healthyThresholdCount: 2
+      unhealthyThresholdCount: 2
+    targetGroupAttributes:
+    - key: stickiness.enabled
+      value: "true"
+    - key: stickiness.type
+      value: lb_cookie
+    - key: stickiness.lb_cookie.duration_seconds
+      value: "86400"
+---
+# TargetGroupConfiguration for Decision Server Runtime
+apiVersion: gateway.k8s.aws/v1beta1
+kind: TargetGroupConfiguration
+metadata:
+  name: odm-decisionserverruntime-tgc
+spec:
+  targetReference:
+    kind: Service
+    name: mycompany-odm-decisionserverruntime
+  defaultConfiguration:
+    protocol: HTTPS
+    protocolVersion: HTTP1
+    healthCheckConfig:
+      healthCheckProtocol: HTTPS
+      healthCheckPath: /DecisionService
+      healthCheckInterval: 30
+      healthCheckTimeout: 5
+      healthyThresholdCount: 2
+      unhealthyThresholdCount: 2
+---
+# TargetGroupConfiguration for Decision Runner
+apiVersion: gateway.k8s.aws/v1beta1
+kind: TargetGroupConfiguration
+metadata:
+  name: odm-decisionrunner-tgc
+spec:
+  targetReference:
+    kind: Service
+    name: mycompany-odm-decisionrunner
+  defaultConfiguration:
+    protocol: HTTPS
+    protocolVersion: HTTP1
+    healthCheckConfig:
+      healthCheckProtocol: HTTPS
+      healthCheckPath: /DecisionRunner
+      healthCheckInterval: 30
+      healthCheckTimeout: 5
+      healthyThresholdCount: 2
+      unhealthyThresholdCount: 2
+---
+# Gateway - Creates the AWS Application Load Balancer
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: odm-gateway
+spec:
+  gatewayClassName: odm-alb-gateway-class
+  infrastructure:
+    parametersRef:
+      kind: LoadBalancerConfiguration
+      name: odm-alb-config
+      group: gateway.k8s.aws
+  listeners:
+  - name: https
+    protocol: HTTPS
+    port: 443
+    allowedRoutes:
+      namespaces:
+        from: Same
+---
+# HTTPRoute - Routes traffic to all ODM services
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: odm-services-route
+spec:
+  parentRefs:
+  - name: odm-gateway
+    sectionName: https
+  rules:
+  # Decision Server Console
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /res
+    backendRefs:
+    - name: mycompany-odm-decisionserverconsole
+      port: 443
+  # Decision Center
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /decisioncenter
+    backendRefs:
+    - name: mycompany-odm-decisioncenter
+      port: 443
+  # Decision Center API
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /decisioncenter-api
+    backendRefs:
+    - name: mycompany-odm-decisioncenter
+      port: 443
+  # Decision Server Runtime
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /DecisionService
+    backendRefs:
+    - name: mycompany-odm-decisionserverruntime
+      port: 443
+  # Decision Runner
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /DecisionRunner
+    backendRefs:
+    - name: mycompany-odm-decisionrunner
+      port: 443