diff --git a/.secrets.baseline b/.secrets.baseline index bed6b5ba..8f57e335 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2026-05-04T13:40:10Z", + "generated_at": "2026-05-13T10:04:02Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -1410,7 +1410,7 @@ "hashed_secret": "dc081999b19ee322ee45e3d4451246b7c449db0a", "is_secret": false, "is_verified": false, - "line_number": 142, + "line_number": 150, "type": "Secret Keyword", "verified_result": null }, @@ -1418,7 +1418,43 @@ "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", "is_secret": false, "is_verified": false, - "line_number": 184, + "line_number": 192, + "type": "Secret Keyword", + "verified_result": null + } + ], + "platform/gcloud/README_GATEWAY.md": [ + { + "hashed_secret": "dc081999b19ee322ee45e3d4451246b7c449db0a", + "is_secret": false, + "is_verified": false, + "line_number": 141, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9", + "is_secret": false, + "is_verified": false, + "line_number": 183, + "type": "Secret Keyword", + "verified_result": null + } + ], + "platform/gcloud/gcp-values-gateway.yaml": [ + { + "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9", + "is_secret": false, + "is_verified": false, + "line_number": 2, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "e6a8430b6dc3747f44d258a127b11f4705d9ee01", + "is_secret": false, + "is_verified": false, + "line_number": 15, "type": "Secret Keyword", "verified_result": null } @@ -1436,7 +1472,7 @@ "hashed_secret": "e6a8430b6dc3747f44d258a127b11f4705d9ee01", "is_secret": false, "is_verified": false, - "line_number": 20, + "line_number": 24, "type": "Secret Keyword", "verified_result": null } diff --git a/platform/gcloud/README.md b/platform/gcloud/README.md index 129b4b0b..8e94c8d0 100644 --- a/platform/gcloud/README.md 
+++ b/platform/gcloud/README.md @@ -9,12 +9,23 @@ Here is the Google Cloud home page: ![Architecture](images/architecture.png) The ODM on Kubernetes Docker images are available in the [IBM Entitled Registry](https://www.ibm.com/cloud/container-registry). The ODM Helm chart is available in the [IBM Helm charts repository](https://github.com/IBM/charts). +> [!IMPORTANT] +> **Deployment Options:** +> +> There are three ways to expose ODM services on GKE: +> +> 1. **GKE Ingress (Default - Documented in this README):** Uses the [GKE Ingress controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) with container-native load balancing. This is the standard approach documented in the steps below. +> +> 2. **GKE Gateway API (Recommended for Advanced Features):** Uses the [GKE Gateway API](https://cloud.google.com/kubernetes-engine/docs/concepts/gateway-api) which provides more advanced routing capabilities, better session affinity management, and is the future direction for Kubernetes networking. See the [GKE Gateway API deployment guide](README_GATEWAY.md). +> +> 3. **NGINX Ingress Controller (Deprecated):** The [NGINX Ingress Controller deployment guide](README_NGINX.md) is deprecated and will be removed in the coming months. Please use GKE Ingress or GKE Gateway API instead. + ## Included components The project comes with the following components: -- [IBM Operational Decision Manager](https://www.ibm.com/docs/en/odm/9.5.0?topic=operational-decision-manager-certified-kubernetes-950) +- [IBM Operational Decision Manager](https://www.ibm.com/docs/en/odm/9.6.0?topic=operational-decision-manager-certified-kubernetes-960) - [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine) - [Google Cloud SQL for PostgreSQL](https://cloud.google.com/sql) - [IBM License Service](https://github.com/IBM/ibm-licensing-operator) 
@@ -42,7 +53,7 @@ Then, perform the following tasks: Without the relevant billing level, some Google Cloud resources will not be created. > [!NOTE] -> Prerequisites and software supported by ODM 9.5.0 are listed on [the Detailed System Requirements page](https://www.ibm.com/support/pages/ibm-operational-decision-manager-detailed-system-requirements). +> Prerequisites and software supported by ODM 9.6.0 are listed on [the Detailed System Requirements page](https://www.ibm.com/support/pages/ibm-operational-decision-manager-detailed-system-requirements). ## Steps to deploy ODM on Kubernetes from Google GKE @@ -98,13 +109,10 @@ Regions and zones (used below) can be listed respectively with `gcloud compute r ```shell gcloud container clusters create \ - --release-channel=regular --cluster-version=1.33 \ + --release-channel=regular --cluster-version=1.34 \ --enable-autoscaling --num-nodes=6 --total-min-nodes=1 --total-max-nodes=16 ``` -> [!NOTE] -> If you get a red warning about a missing gke-gcloud-auth-plugin, install it with `gcloud components install gke-gcloud-auth-plugin`. -> For Kubernetes versions lower than 1.26 you have to enable it for each kubectl command with `export USE_GKE_GCLOUD_AUTH_PLUGIN=True` ([more information](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke)). > [!NOTE] > You can also create your cluster from the Google Cloud Platform using the **Kubernetes Engine** > **Clusters** panel and clicking the **Create** button > ![Create cluster](images/create_cluster.png) 
@@ -137,7 +145,7 @@ We will use the Google Cloud Platform console to create the database instance. - Go to the [SQL context](https://console.cloud.google.com/sql), and then click the **CREATE INSTANCE** button - Click **Choose PostgreSQL** - - Database version: `PostgreSQL 16` + - Database version: `PostgreSQL 18` - Instance ID: ```` - Password: ```` - Take note of this password. - Region: ```` (must be the same as the cluster for the communication to be optimal between the database and the ODM instance) @@ -203,7 +211,7 @@ helm repo update ```shell helm search repo ibm-odm-prod NAME CHART VERSION APP VERSION DESCRIPTION -ibm-helm/ibm-odm-prod 25.1.0 9.5.0.1 IBM Operational Decision Manager +ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager ``` ### 4. Manage a digital certificate (2 min) @@ -225,7 +233,7 @@ openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout mynicecompany.key \ kubectl create secret tls mynicecompany-tls-secret --key mynicecompany.key --cert mynicecompany.crt ``` -The certificate must be the same as the one you used to enable TLS connections in your ODM release. For more information, see [Server certificates](https://www.ibm.com/docs/en/odm/9.5.0?topic=production-defining-security-certificate) and [Working with certificates and SSL](https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html). +The certificate must be the same as the one you used to enable TLS connections in your ODM release. For more information, see [Server certificates](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-defining-security-certificate) and [Working with certificates and SSL](https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html). ### 5. Install the ODM release (10 min) 
@@ -247,22 +255,6 @@ It automatically creates an HTTPS GKE load balancer. We will disable the ODM int helm install ibm-helm/ibm-odm-prod -f gcp-values.yaml ``` -> [!NOTE] -> -> - You might prefer to access ODM components through the NGINX Ingress controller instead of using the IP addresses. If so, please follow [these instructions](README_NGINX.md). -> -> - This command installs the **latest available version** of the chart. -> If you want to install a **specific version**, add the `--version` option: -> -> ```bash -> helm install ibm-helm/ibm-odm-prod --version -f gcp-values.yaml -> ``` -> -> You can list all available versions using: -> -> ```bash -> helm search repo ibm-helm/ibm-odm-prod -l -> ``` #### Check the topology @@ -313,7 +305,7 @@ A configuration that uses [BackendConfig](https://cloud.google.com/kubernetes-en ```shell kubectl annotate service -odm-decisioncenter \ - cloud.google.com/backend-config='{"ports": {"9453":"dc-backendconfig"}}' + cloud.google.com/backend-config='{"ports": {"80":"dc-backendconfig"}}' ``` As soon as GKE manages Decision Center session affinity at the load balancer level, you can check the ClientIP availability below the Decision Center Network Endpoint Group configuration from the Google Cloud Console in the Load Balancer details. 
@@ -358,64 +350,192 @@ We only have to manage a configuration to simulate the mynicecompany.com access. ### 7. Track ODM usage -#### 7.1. Install the IBM Usage Metering service +#### 7.1 Install the IBM Usage Metering Service -IBM Usage Metering Service gathers metrics to monitor compliance and create reports. It captures business value metrics for auditing purposes and to visualize metric usage in reporting tools, and sends the information to IBM Software Central. +The IBM Usage Metering Service (UMS) is a critical component that gathers metrics to monitor compliance and create reports. It captures business value metrics for auditing purposes, visualizes metric usage in reporting tools, and sends the information to IBM Software Central. -From ODM 9.6.0 onwards, it is required to install this metering service in the same namespace as ODM. ODM will systematically reports usage metrics to the metering service through a CronJob. If the service is not installed, the job fails when it runs. For more information about the installation and configuration of UMS, see [Installing the usage metering service](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-installing-metering). +**Prerequisites:** +- Cluster-admin permissions or appropriate RBAC roles +- Target namespace must exist before installation +- ODM 9.6.0 or later installed +**Important Requirements:** +- From ODM 9.6.0 onwards, UMS **must** be installed in the same namespace as ODM +- ODM reports usage metrics to UMS through a scheduled CronJob +- If UMS is not installed, the CronJob will fail when it runs -#### 7.2 Install the IBM License Service +**Installation:** -Follow the **Installation** section of the [Manual installation without the Operator Lifecycle Manager (OLM)](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=ilsfpcr-installing-license-service-without-operator-lifecycle-manager-olm) and stop before it asks you to update the License Service instance. 
It will be done in the next paragraph. +For detailed installation and configuration instructions, see [Installing the usage metering service](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-installing-metering). -##### 7.2.1 Create the IBM Licensing instance +**Troubleshooting:** -Get the [licensing-instance.yaml](./licensing-instance.yaml) file and run the following command: +If the CronJob fails, check the pod logs: +```bash +kubectl logs -n -l job-name= +``` -```shell -kubectl apply -f licensing-instance.yaml -n ibm-licensing +**Configuration Options:** + +After installing UMS, choose one of the following configuration modes based on your environment: + +1. **Online Mode** (Recommended): Automatic data transmission to IBM Software Central +2. **Offline Mode** (Air-gapped): Manual data download and upload process + +##### 7.1.1 Online Mode (Recommended) + +In online mode, the Usage Metering Service automatically sends usage data to IBM Software Central on a scheduled basis. This is the recommended configuration for environments with internet connectivity. 
+ +**Key Features:** +- Automatic data transmission every 24 hours +- No manual intervention required after initial setup +- Automatic retry on transmission failures + +**Configuration Requirements:** +- IBM Entitlement Key (required for authentication) +- Network connectivity to IBM Software Central (`swc.saas.ibm.com`) + +For complete step-by-step instructions on configuring online mode, refer to: + +📖 **[Automatic data transmission to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-automatic-data-transmission)** + +This documentation covers: +- Creating the IBM Entitlement Key secret +- Configuring the IBMUsageMetering instance +- Verifying the configuration +- Monitoring data transmission +- Troubleshooting common issues + +##### 7.1.2 Offline Mode (Air-gapped Environments) + +For offline/air-gapped environments where the Usage Metering Service cannot connect directly to IBM Software Central, you need to manually download and upload usage data. + +**Step 1: Expose the Usage Metering Service** + +Create a LoadBalancer service to expose UMS: + +```bash +kubectl apply -f usage-metering-service-loadbalancer.yaml ``` -> [!NOTE] -> You can find more information and use cases on [this page](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.12.0?topic=service-configuring). +**Step 2: Download Usage Data** + +Retrieve the metering service data from the LoadBalancer: -##### 7.2.2 Modify GKE Load Balancer settings +```bash +export NAMESPACE= +EXTERNAL_IP=$(kubectl get service ibm-usage-metering-instance-loadbalancer -n "${NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].ip}') -As Google native Load Balancer does not support the same URL rewriting rules as other ones (such as NGINX), [some settings have to be modified](https://cloud.google.com/load-balancing/docs/https/setting-up-url-rewrite) directly on GCP Web UI. 
+UMS_TOKEN=$(kubectl get secret ibm-usage-metering-upload-token -n "${NAMESPACE}" -o jsonpath='{.data.token}' 2>/dev/null | base64 -d || echo "") +curl -k --output "swc_payload.tar.gz" \ + --header "Authorization: Bearer ${UMS_TOKEN}" \ + --url "https://${EXTERNAL_IP}:8080/api/v1/swc" +``` -You have to look for the ibm-licensing-service-instance in the list of Ingresses, then select its Load Balancer in the list of resources at the bottom: +**Step 3: Upload to IBM Software Central** -![Load balancing resources](images/lb_resources.png) +After downloading the `swc_payload.tar.gz` file, you need to upload it to IBM Software Central to report your usage metrics. The upload process requires authentication with your IBM ID and must be performed from a machine with internet access. -Edit the rule about /ibm-licensing-service-instance/* and add `/` as path prefix rewrite: +For detailed instructions on how to upload the usage data file to IBM Software Central, including authentication steps and troubleshooting, refer to: -![Load balancing Host and Path rules](images/lb_host_and_path_rules.png) -![Load balancing Rewrite](images/lb_rewrite.png) +📖 **[Uploading usage metrics to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-uploading-usage-software-central)** -> [!NOTE] -> GKE Load Balancer may take a few minutes after its new configuration to actually apply it. +**Additional Resources:** -##### 7.2.3 Retrieving license usage +For general information about collecting and sending usage metrics, see: +📖 **[Collecting and sending usage metrics](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-collecting-sending-usage-metrics)** + +#### 7.2 Install the IBM License Service -After a couple of minutes, the Ingress configuration is created and you will be able to access the IBM License Service by retrieving the URL with the following command: +This section explains how to track ODM usage with the IBM License Service. 
+ +Follow the instructions in the **Installation** section of the [Manual installation without the Operator Lifecycle Manager (OLM)](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=ilsfpcr-installing-license-service-without-operator-lifecycle-manager-olm) + + +#### 7.2.1 Expose the licensing service using the GKE LoadBalancer + +Wait a couple of minutes for the installation to be done. + +You should see two pods running: + ```bash +NAME READY STATUS RESTARTS AGE +ibm-licensing-operator-b8564f765-jsb95 1/1 Running 0 4m26s +ibm-licensing-service-instance-787996886d-pzmlg 1/1 Running 0 88s +``` + +To expose the licensing service using the GKE LoadBalancer, run the command: + +```bash +kubectl patch svc ibm-licensing-service-instance -p '{"spec": { "type": "LoadBalancer"}}' -n ibm-licensing +``` + +Wait a couple of minutes for the changes to be applied. +Then, you should see an EXTERNAL-IP available for the exposed licensing service. ```shell -export LICENSING_URL=$(kubectl get ingress ibm-licensing-service-instance -n ibm-licensing -o jsonpath='{.status.loadBalancer.ingress[0].ip}')/ibm-licensing-service-instance -export TOKEN=$(kubectl get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-licensing | base64 -d) +kubectl get service -n ibm-licensing +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +ibm-licensing-service-instance LoadBalancer 10.0.58.142 xxx.xxx.xxx.xxx 8080:32301/TCP 10m +``` + +#### 7.2.2 Patch the IBM Licensing instance + +Get the [licensing-instance.yaml](./licensing-instance.yaml) file and run the command: + +```bash +kubectl patch IBMLicensing instance --type merge --patch-file licensing-instance.yaml -n ibm-licensing +``` + +Wait a couple of minutes for the changes to be applied. 
+ +### 7.3.3 Retrieve license usage + +You will be able to access the IBM License Service by retrieving the URL and the required token with this command: + +```bash +export LICENSING_URL=$(kubectl get service ibm-licensing-service-instance -n ibm-licensing -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +export TOKEN=$(kubectl get secret ibm-licensing-token -n ibm-licensing -o jsonpath='{.data.token}' |base64 -d) ``` -You can access the `http://${LICENSING_URL}/status?token=${TOKEN}` URL to view the licensing usage or retrieve the licensing report .zip file by running the following command: +> **Note** +> If `LICENSING_URL` is empty, take a look at the [troubleshooting](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=service-troubleshooting-license) page. + +You can access the `}`http://${LICENSING_URL}:8080/status?token=${TOKEN URL to view the licensing usage or retrieve the licensing report .zip file by running: ```shell -curl -v "http://${LICENSING_URL}/snapshot?token=${TOKEN}" --output report.zip +curl -k "http://${LICENSING_URL}:8080/snapshot?token=${TOKEN}" --output report.zip ``` If your IBM License Service instance is not running properly, refer to this [troubleshooting page](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=service-troubleshooting-license). 
+#### 7.2.4 Reporting License Usage to IBM Software Central + +For complete information about reporting license usage to IBM Software Central, refer to the official documentation: + +📖 **[Reporting License Usage to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metering-reporting-license-usage-software-central)** + +##### Online Mode Configuration + +For detailed steps on configuring online mode (automatic data transmission), including creating the IBM Entitlement Key secret, configuring the IBMLicensing Custom Resource, and verifying the setup, refer to the [online mode documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=central-online-mode-configuration). + +##### Offline Mode (Air-gapped Environments) + +For air-gapped environments where ILS cannot directly connect to Software Central, download the usage data using the LoadBalancer-specific commands below: + +```bash +export LICENSING_URL=$(kubectl get service ibm-licensing-service-instance -n ibm-licensing -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +export TOKEN=$(kubectl get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-licensing | base64 -d) + +curl --insecure --output "swc_payload.tar.gz" \ + "http://${LICENSING_URL}:8080/swc_aggregations?token=${TOKEN}" +``` + +For complete instructions on transferring and uploading the downloaded file to Software Central, refer to the [offline mode documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=central-offline-mode-air-gapped-environments). + + ## Troubleshooting -If your ODM instances are not running properly, refer to [our dedicated troubleshooting page](https://www.ibm.com/docs/en/odm/9.5.0?topic=950-troubleshooting). +If your ODM instances are not running properly, refer to [our dedicated troubleshooting page](https://www.ibm.com/docs/en/odm/9.6.0?topic=960-troubleshooting). ## Getting Started with IBM Operational Decision Manager for Containers 
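Review bot: The offline-mode download added in 7.1.2 sends `Authorization: Bearer ${UMS_TOKEN}` with `curl -k`, so the token is sent without certificate verification to whatever answers on the LoadBalancer IP. The `2>/dev/null ... || echo ""` on the secret lookup also hides a failed lookup and lets the request run with an empty token. In 7.2.1 through 7.2.4 the license service is patched to `type: LoadBalancer` and queried as `http://${LICENSING_URL}:8080/...?token=${TOKEN}`, which puts the token in a plain-HTTP URL on an address that is presumably internet-facing unless the Service is restricted; `-k`/`--insecure` have no effect on an `http://` URL. I would drop the `|| echo ""` and add a note after each expose step, such as `> [!NOTE] Restrict this Service with spec.loadBalancerSourceRanges (or use kubectl port-forward instead) and remove the LoadBalancer once the report is downloaded.` Separately, as shown here the status-URL sentence in the license-usage step has misplaced backticks (`}` precedes `http://` and `${TOKEN` is unclosed), and its heading is numbered 7.3.3 under section 7.2.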
diff --git a/platform/gcloud/README_GATEWAY.md b/platform/gcloud/README_GATEWAY.md new file mode 100644 index 00000000..6556d589 --- /dev/null +++ b/platform/gcloud/README_GATEWAY.md 
@@ -0,0 +1,560 @@ +# Deploying IBM Operational Decision Manager on Google GKE + +This project demonstrates how to deploy an IBM® Operational Decision Manager (ODM) clustered topology using the [Gateway API with GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/gateway-api). + +The ODM services will be exposed using the Gateway API provided by GKE's native Gateway Controller. +This deployment implements Kubernetes and Docker technologies. +Here is the Google Cloud home page: + +![Architecture](images/architecture-gateway.png) + +The ODM on Kubernetes Docker images are available in the [IBM Entitled Registry](https://www.ibm.com/cloud/container-registry). The ODM Helm chart is available in the [IBM Helm charts repository](https://github.com/IBM/charts). + +## Included components + +The project comes with the following components: + +- [IBM Operational Decision Manager](https://www.ibm.com/docs/en/odm/9.6.0?topic=operational-decision-manager-certified-kubernetes-960) +- [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine) +- [Google Cloud SQL for PostgreSQL](https://cloud.google.com/sql) +- [IBM License Service](https://github.com/IBM/ibm-licensing-operator) + +## Tested environment + +The commands and tools have been tested on macOS and Linux. + +## Prerequisites + +First, install the following software on your machine: + +- [gcloud CLI](https://cloud.google.com/sdk/gcloud) +- [kubectl](https://kubernetes.io/docs/tasks/tools/) +- [Helm v3](https://helm.sh/docs/intro/install/) + +Then, perform the following tasks: + +1. Create a Google Cloud account by connecting to the Google Cloud Platform [console](https://console.cloud.google.com/). When prompted to sign in, create a new account by clicking **Create account**. + +2. [Create a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects) + +3. 
[Manage the associated billing](https://cloud.google.com/billing/docs/how-to/modify-project#confirm_billing_is_enabled_on_a_project). + +Without the relevant billing level, some Google Cloud resources will not be created. + +> [!NOTE] +> Prerequisites and software supported by ODM 9.5.0 are listed on [the Detailed System Requirements page](https://www.ibm.com/support/pages/ibm-operational-decision-manager-detailed-system-requirements). + +## Steps to deploy ODM on Kubernetes from Google GKE + + + +- [1. Prepare your GKE instance 30 min](#1-prepare-your-gke-instance-30-min) +- [2. Create the Google Cloud SQL PostgreSQL instance 10 min](#2-create-the-google-cloud-sql-postgresql-instance-10-min) +- [3. Prepare your environment for the ODM installation 10 min](#3-prepare-your-environment-for-the-odm-installation-10-min) +- [4. Manage a digital certificate 2 min](#4-manage-a-digital-certificate-2-min) +- [5. Install the ODM release 10 min](#5-install-the-odm-release-10-min) +- [6. Access ODM services](#6-access-odm-services) +- [7. Track ODM usage](#7-track-odm-usage) +- [Troubleshooting](#troubleshooting) +- [Getting Started with IBM Operational Decision Manager for Containers](#getting-started-with-ibm-operational-decision-manager-for-containers) + + + +### 1. Prepare your GKE instance (30 min) + +Refer to the [GKE quickstart](https://cloud.google.com/kubernetes-engine/docs/quickstart) for more information. + +#### Log into Google Cloud + +After installing the `gcloud` tool, use the following command line: + +```shell +gcloud auth login +``` + +#### Create a GKE cluster + +There are several [types of clusters](https://docs.cloud.google.com/kubernetes-engine/docs/concepts/configuration-overview#availability). +In this article, we chose to create a [regional cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-regional-cluster). 
+Regions and zones (used below) can be listed respectively with `gcloud compute regions list` and `gcloud compute zones list`. + +- Set the project (associated to a billing account): + + ```shell + gcloud config set project + ``` + +- Set the region: + + ```shell + gcloud config set compute/region + ``` + +- Set the zone: + + ```shell + gcloud config set compute/zone + ``` + +- Create a cluster and [enable autoscaling](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-autoscaler). Here, we start with 6 nodes (16 max): + + ```shell + gcloud container clusters create \ + --release-channel=regular --cluster-version=1.34 \ + --enable-autoscaling --num-nodes=6 --total-min-nodes=1 --total-max-nodes=16 --gateway-api=standard + ``` + +> [!NOTE] +> You can also create your cluster from the Google Cloud Platform using the **Kubernetes Engine** > **Clusters** panel and clicking the **Create** button +> ![Create cluster](images/create_cluster.png) + +#### Set up your environment + +- Create a kubeconfig to connect to your cluster: + + ```shell + gcloud container clusters get-credentials + ``` + +> [!NOTE] +> You can also retrieve the command line to configure `kubectl` from the Google Cloud Console using the **Kubernetes Engine** > **Clusters** panel and clicking **Connect** on the dedicated cluster. +> ![Connection](images/connection.png) + +- Check your environment + + If your environment is set up correctly, you should be able to get the cluster information by running the following command: + + ```shell + kubectl cluster-info + ``` + +### 2. Create the Google Cloud SQL PostgreSQL instance (10 min) + +#### Create the database instance + +We will use the Google Cloud Platform console to create the database instance. 
+ +- Go to the [SQL context](https://console.cloud.google.com/sql), and then click the **CREATE INSTANCE** button +- Click **Choose PostgreSQL** + - Database version: `PostgreSQL 18` + - Instance ID: ```` + - Password: ```` - Take note of this password. + - Region: ```` (must be the same as the cluster for the communication to be optimal between the database and the ODM instance) + - Eventually select **Multiple zones** for Zonal availability for redundancy + - Expand **Show customization option** and expand **Connections** + - As *Public IP* is selected by default, in Authorized networks, click the **ADD NETWORK** button, put a name and add *0.0.0.0/0* for Network, then click **DONE**. + > NOTE: It is not recommended to use a public IP. In a production environment, you should use a private IP. +- Click **CREATE INSTANCE** + +After the database instance is created, you can drill on the SQL instance overview to retrieve needed information to connect to this instance, like the IP address and the connection name. Take note of the **Public IP address**. + +![Database overview](images/database_overview.png) + +#### Create the database secret for Google Cloud SQL PostgreSQL + +To secure access to the database, you must create a secret that encrypts the database user and password before you install the Helm release. + +```shell +kubectl create secret generic odmdbsecret \ + --from-literal=db-user=postgres \ + --from-literal=db-password= +``` + +Where: + +- `` is the database password (PASSWORD set during the PostgreSQL instance creation above) + +### 3. Prepare your environment for the ODM installation (10 min) + +To get access to the ODM material, you need an IBM entitlement key to pull the images from the IBM Entitled Registry. + +#### Retrieve your entitled registry key + +- Log in to [MyIBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary) with the IBMid and password that are associated with the entitled software. 
+ +- In the Container software library tile, verify your entitlement on the **View library** page, and then go to **Get entitlement key** to retrieve the key. + +#### Create a pull secret by running a kubectl create secret command + +```shell +kubectl create secret docker-registry ibm-entitlement-key \ + --docker-server=cp.icr.io \ + --docker-username=cp \ + --docker-password='' +``` + +Where `` is the entitlement key from the previous step. Make sure you enclose the key in quotes. + +> Note: +> +> 1. The **cp.icr.io** value for the docker-server parameter is the only registry domain name that contains the images. You must set the *docker-username* to **cp** to use an entitlement key as *docker-password*. +> 2. The `ibm-entitlement-key` secret name will be used for the `image.pullSecrets` parameter when you run a Helm install of your containers. The `image.repository` parameter is also set by default to `cp.icr.io/cp/cp4a/odm`. + +#### Add the public IBM Helm charts repository + +```shell +helm repo add ibm-helm https://raw.githubusercontent.com/IBM/charts/master/repo/ibm-helm +helm repo update +``` + +#### Check you can access ODM charts + +```shell +helm search repo ibm-odm-prod +NAME CHART VERSION APP VERSION DESCRIPTION +ibm-helm/ibm-odm-prod 26.0.0 9.6.0.0 IBM Operational Decision Manager +``` + +### 4. Manage a digital certificate (2 min) + +#### (Optional) Generate a self-signed certificate + +In this step, you will generate a certificate to be used by the GKE load balancer. + +If you do not have a trusted certificate, you can use OpenSSL and other cryptography and certificate management libraries to generate a certificate file and a private key to define the domain name and to set the expiration date. The following command creates a self-signed certificate (`.crt` file) and a private key (`.key` file) that accept the domain name *mynicecompany.com*. 
The expiration is set to 1000 days: + +```shell +openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout mynicecompany.key \ + -out mynicecompany.crt -subj "/CN=mynicecompany.com/OU=it/O=mynicecompany/L=Paris/C=FR" +``` + +#### Create a TLS secret with these keys + +```shell +kubectl create secret tls mynicecompany-tls-secret --key mynicecompany.key --cert mynicecompany.crt +``` + +The certificate must be the same as the one you used to enable TLS connections in your ODM release. For more information, see [Server certificates](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-defining-security-certificate) and [Working with certificates and SSL](https://docs.oracle.com/cd/E19830-01/819-4712/ablqw/index.html). + +### 5. Install the ODM release (10 min) + +#### Install an ODM Helm release + +The ODM services will be exposed with an Ingress that uses the previously created `mynicecompany` certificate. +It automatically creates an HTTPS GKE load balancer. We will disable the ODM internal TLS as it is not needed. + +- Get the [gcp-values-gateway.yaml](./gcp-values-gateway.yaml) file and replace the following key: + + - ``: the database IP + +> [!NOTE] +> You can configure the driversUrl parameter to point to the appropriate version of the Google Cloud SQL PostgreSQL driver. For more information, refer to the [Cloud SQL Connector for Java](https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory#cloud-sql-connector-for-java) documentation. + +- Install the chart from IBM's public Helm charts repository: + + ```shell + helm install ibm-helm/ibm-odm-prod -f gcp-values-gateway.yaml + ``` + +Example: + + ```shell + helm install myodmsample ibm-helm/ibm-odm-prod -f gcp-values-gateway.yaml + ``` + + +> [!NOTE] +> +> - This command installs the **latest available version** of the chart. 
+> If you want to install a **specific version**, add the `--version` option: +> +> ```bash +> helm install ibm-helm/ibm-odm-prod --version -f gcp-values.yaml +> ``` +> +> You can list all available versions using: +> +> ```bash +> helm search repo ibm-helm/ibm-odm-prod -l +> ``` + +#### Check the topology + +Run the following command to check the status of the pods that have been created: + +```shell +kubectl get pods +NAME READY STATUS RESTARTS AGE +-odm-decisioncenter-*** 1/1 Running 0 20m +-odm-decisionrunner-*** 1/1 Running 0 20m +-odm-decisionserverconsole-*** 1/1 Running 0 20m +-odm-decisionserverruntime-*** 1/1 Running 0 20m +``` + +#### Deploy the Gateway API Configuration + +Now that the ODM services are running, you need to deploy the Gateway API resources to expose them externally. + +The [odm-gateway.yaml](./odm-gateway.yaml) file contains three types of resources: +- **Gateway**: Configures the GKE load balancer with HTTPS termination using the `mynicecompany-tls-secret` certificate +- **HTTPRoute**: Defines routing rules for all ODM services based on URL paths +- **HealthCheckPolicy**: Configures custom health checks for each ODM component to ensure proper monitoring + +Before applying the configuration, update the file to match your release name by replacing `myodmsample` with your actual Helm release name in: +- Gateway metadata name +- HTTPRoute backend service names +- HealthCheckPolicy service names + +Apply the Gateway configuration: + +```shell +kubectl apply -f odm-gateway.yaml +``` + +The Gateway will create a new GKE load balancer with the following characteristics: +- Uses the `gke-l7-global-external-managed` Gateway class for global external load balancing +- Terminates HTTPS using the `mynicecompany-tls-secret` certificate +- Routes traffic to ODM services based on URL paths +- Implements custom health checks for each ODM component + +You can check the Gateway status with: + +```shell +kubectl get gateway -odm-gateway +kubectl get 
httproute -odm-httproute +``` + +The Gateway will remain in *Provisioning* state for several minutes until all backends are healthy. You can monitor the status in the [Kubernetes Engine / Gateways Panel](https://console.cloud.google.com/kubernetes/gateways) or check the [load balancer status](https://console.cloud.google.com/net-services/loadbalancing/list/loadBalancers). + +When the Gateway shows a *Programmed* status, all ODM services are accessible. + +> [!NOTE] +> The Gateway API automatically handles session affinity for Decision Center through the HealthCheckPolicy configuration, eliminating the need for manual BackendConfig annotations. + +> [!NOTE] +> The Gateway API configuration is the recommended approach for this deployment. If you prefer to use the traditional Ingress approach instead, please refer to the main [README.md](README.md). + + + +### 6. Access ODM services + +In a real enterprise use case, to access the mynicecompany.com domain name, you have to deal with [Google Managed Certificate](https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs) and [Google Cloud DNS](https://cloud.google.com/dns). + +In this trial, we use a self-signed certificate. So, there is no extra charge like certificate and domain purchase. +We only have to manage a configuration to simulate the mynicecompany.com access. 
+ +- Get the EXTERNAL-IP with the command line: + + ```shell + kubectl get gateway -odm-gateway -o jsonpath='{.status.addresses[0].value}' + ``` + +- Edit your /etc/hosts file and add the following entry: + + ```shell + mynicecompany.com + ``` + +- You can now access all ODM services with the following URLs: + + + | SERVICE NAME | URL | USERNAME/PASSWORD + | --- | --- | --- + | Decision Server Console | | odmAdmin/odmAdmin + | Decision Center | | odmAdmin/odmAdmin + | Decision Center REST-API | | odmAdmin/odmAdmin + | Decision Server Runtime | | odmAdmin/odmAdmin + | Decision Runner | | odmAdmin/odmAdmin + + +> [!NOTE] +> You can also access the Gateway frontends from the Google Cloud console under the [Kubernetes Engine/Gateways Panel](https://console.cloud.google.com/kubernetes/gateways). + + +### 7. Track ODM usage + +#### 7.1 Install the IBM Usage Metering Service + +The IBM Usage Metering Service (UMS) is a critical component that gathers metrics to monitor compliance and create reports. It captures business value metrics for auditing purposes, visualizes metric usage in reporting tools, and sends the information to IBM Software Central. + +**Prerequisites:** +- Cluster-admin permissions or appropriate RBAC roles +- Target namespace must exist before installation +- ODM 9.6.0 or later installed + +**Important Requirements:** +- From ODM 9.6.0 onwards, UMS **must** be installed in the same namespace as ODM +- ODM reports usage metrics to UMS through a scheduled CronJob +- If UMS is not installed, the CronJob will fail when it runs + +**Installation:** + +For detailed installation and configuration instructions, see [Installing the usage metering service](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-installing-metering). 
+ +**Troubleshooting:** + +If the CronJob fails, check the pod logs: +```bash +kubectl logs -n -l job-name= +``` + +**Configuration Options:** + +After installing UMS, choose one of the following configuration modes based on your environment: + +1. **Online Mode** (Recommended): Automatic data transmission to IBM Software Central +2. **Offline Mode** (Air-gapped): Manual data download and upload process + +##### 7.1.1 Online Mode (Recommended) + +In online mode, the Usage Metering Service automatically sends usage data to IBM Software Central on a scheduled basis. This is the recommended configuration for environments with internet connectivity. + +**Key Features:** +- Automatic data transmission every 24 hours +- No manual intervention required after initial setup +- Automatic retry on transmission failures + +**Configuration Requirements:** +- IBM Entitlement Key (required for authentication) +- Network connectivity to IBM Software Central (`swc.saas.ibm.com`) + +For complete step-by-step instructions on configuring online mode, refer to: + +📖 **[Automatic data transmission to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-automatic-data-transmission)** + +This documentation covers: +- Creating the IBM Entitlement Key secret +- Configuring the IBMUsageMetering instance +- Verifying the configuration +- Monitoring data transmission +- Troubleshooting common issues + +##### 7.1.2 Offline Mode (Air-gapped Environments) + +For offline/air-gapped environments where the Usage Metering Service cannot connect directly to IBM Software Central, you need to manually download and upload usage data. 
+ +**Step 1: Expose the Usage Metering Service** + +Create a LoadBalancer service to expose UMS: + +```bash +kubectl apply -f usage-metering-service-loadbalancer.yaml +``` + +**Step 2: Download Usage Data** + +Retrieve the metering service data from the LoadBalancer: + +```bash +export NAMESPACE= +UMS_URL=$(kubectl get service ibm-usage-metering-instance-loadbalancer -n "${NAMESPACE}" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || echo "") + +UMS_TOKEN=$(kubectl get secret ibm-usage-metering-upload-token -n "${NAMESPACE}" -o jsonpath='{.data.token}' 2>/dev/null | base64 -d || echo "") +curl -k --output "swc_payload.tar.gz" \ + --header "Authorization: Bearer ${UMS_TOKEN}" \ + --url "https://${UMS_URL}:8080/api/v1/swc" +``` + +**Step 3: Upload to IBM Software Central** + +After downloading the `swc_payload.tar.gz` file, you need to upload it to IBM Software Central to report your usage metrics. The upload process requires authentication with your IBM ID and must be performed from a machine with internet access. + +For detailed instructions on how to upload the usage data file to IBM Software Central, including authentication steps and troubleshooting, refer to: + +📖 **[Uploading usage metrics to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metrics-uploading-usage-software-central)** + +**Additional Resources:** + +For general information about collecting and sending usage metrics, see: +📖 **[Collecting and sending usage metrics](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-collecting-sending-usage-metrics)** + +#### 7.2 Install the IBM License Service + +This section explains how to track ODM usage with the IBM License Service. 
+ +Follow the instructions in the **Installation** section of the [Manual installation without the Operator Lifecycle Manager (OLM)](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=ilsfpcr-installing-license-service-without-operator-lifecycle-manager-olm) documentation, **except for the step 3** which should be replaced by: + + +##### 7.2.1 Create the IBM Licensing instance + +Get the [licensing-instance-gateway.yaml](./licensing-instance-gateway.yaml) file and run the following command: + +```shell +kubectl apply -f licensing-instance-gateway.yaml -n ibm-licensing +``` + + + +##### 7.2.2 Expose the IBM License Service + +You need to create a Gateway to expose the IBM License Service using GKE's native Gateway API. + +Get the [`ils-gateway.yaml`](./ils-gateway.yaml) file and apply the gateway configuration with the following command: + +```bash +kubectl apply -f ils-gateway.yaml -n ibm-licensing +``` + +**Verification:** + +Wait for the Gateway to be ready (this may take a few minutes): + +```bash +kubectl wait --for=condition=Programmed gateway/ils-gateway -n ibm-licensing --timeout=5m +``` + +Check the Gateway status: + +```bash +kubectl get gateway ils-gateway -n ibm-licensing +kubectl describe gateway ils-gateway -n ibm-licensing +``` + +> [!NOTE] +> The Gateway uses the `gke-l7-global-external-managed` Gateway class and requires HTTPS with a valid certificate. Ensure the `ibm-license-service-cert-internal` secret exists in the `ibm-licensing` namespace before applying this configuration. 
+ +##### 7.2.3 Retrieving license usage + +After a couple of minutes, the Ingress configuration is created and you will be able to access the IBM License Service by retrieving the URL with the following command: + +```shell +export LICENSING_URL=$(kubectl get gateway ils-gateway -n ibm-licensing -o jsonpath='{.status.addresses[0].value}')/ibm-licensing-service-instance +export TOKEN=$(kubectl get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-licensing | base64 -d) +``` + +You can access the `https://${LICENSING_URL}/status?token=${TOKEN}` URL to view the licensing usage or retrieve the licensing report .zip file by running the following command: + +```shell +curl "https://${LICENSING_URL}/snapshot?token=${TOKEN}" -k --output ils-report.zip +``` + +If your IBM License Service instance is not running properly, refer to this [troubleshooting page](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.x_cd?topic=service-troubleshooting-license). + +##### 7.2.4 Reporting License Usage to IBM Software Central + +For complete information about reporting license usage to IBM Software Central, refer to the official documentation: + +📖 **[Reporting License Usage to IBM Software Central](https://www.ibm.com/docs/en/odm/9.6.0?topic=metering-reporting-license-usage-software-central)** + +###### Online Mode Configuration + +For detailed steps on configuring online mode (automatic data transmission), including creating the IBM Entitlement Key secret, configuring the IBMLicensing Custom Resource, and verifying the setup, refer to the [online mode documentation](https://www.ibm.com/docs/en/odm/9.6.0?topic=metering-reporting-license-usage-software-central). 
+ +###### Offline Mode (Air-gapped Environments) + +For air-gapped environments where ILS cannot directly connect to Software Central, download the usage data using the Gateway-specific commands below: + +```bash +export LICENSING_URL=$(kubectl get gateway ils-gateway -n ibm-licensing -o jsonpath='{.status.addresses[0].value}')/ibm-licensing-service-instance +export TOKEN=$(kubectl get secret ibm-licensing-token -o jsonpath={.data.token} -n ibm-licensing | base64 -d) + +curl --insecure --output "swc_payload.tar.gz" \ + "https://${LICENSING_URL}/swc_aggregations?token=${TOKEN}" +``` + +For complete instructions on transferring and uploading the downloaded file to Software Central, refer to the [offline mode documentation]( https://www.ibm.com/docs/en/odm/9.6.0?topic=central-online-mode-configuration). + + + +## Troubleshooting + +If your ODM instances are not running properly, refer to [our dedicated troubleshooting page](https://www.ibm.com/docs/en/odm/9.6.0?topic=960-troubleshooting). + +## Getting Started with IBM Operational Decision Manager for Containers + +Get hands-on experience with IBM Operational Decision Manager in a container environment by following this [Getting started tutorial](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/README.md). + +## License + +[Apache 2.0](/LICENSE) + diff --git a/platform/gcloud/README_NGINX.md b/platform/gcloud/README_NGINX.md index 2b525246..179f02d4 100644 --- a/platform/gcloud/README_NGINX.md +++ b/platform/gcloud/README_NGINX.md 
@@ -1,18 +1,30 @@ +> [!WARNING] +> **NGINX Ingress Controller is DEPRECATED for GKE deployments.** +> +> Google Cloud now recommends using the **GKE Gateway API** (container-native load balancer) instead of NGINX Ingress Controller. The Gateway API provides better integration with Google Cloud services, improved performance, and native support for features like session affinity. +> +> **Please use the [GKE Gateway deployment guide](README_GATEWAY.md) instead of this NGINX-based approach.** +> +> This documentation is kept for reference purposes only for existing deployments and **will be removed in the coming months**. + +--- + # Install an ODM Helm release and expose it with a NGINX Ingress controller (15 min) This section explains how to expose the ODM services to Internet connectivity with a NGINX Ingress controller instead of the standard Google Cloud load balancer. -For reference, see the [Google Cloud documentation](https://cloud.google.com/community/tutorials/nginx-ingress-gke). - ## Table of Contents - - [Create a NGINX Ingress controller](#create-a-nginx-ingress-controller) - [Install the ODM release](#install-the-odm-release) -- [Check the deployment and access ODM services](#check-the-deployment-and-access-odm-services) -- [Deploy and check IBM Licensing Service](#deploy-and-check-ibm-licensing-service) - +- [Access the ODM services](#access-the-odm-services) +- [Track ODM usage](#track-odm-usage) + - [Install the IBM Usage Metering service](#install-the-ibm-usage-metering-service) + - [Retrieve metering usage](#retrieve-metering-usage) + - [Install the IBM License Service and retrieve license usage](#install-the-ibm-license-service-and-retrieve-license-usage) + - [Patch the IBM Licensing instance with Nginx configuration](#patch-the-ibm-licensing-instance-with-nginx-configuration) +- [Troubleshooting](#troubleshooting) ### Create a NGINX Ingress controller 
@@ -38,23 +50,131 @@ helm install mycompany ibm-helm/ibm-odm-prod -f gcp-values.yaml \ ``` > **Note** -> By default, NGINX does not enable sticky session. If you want to use sticky session to connect to DC, refer to [Using sticky session for Decision Center connection](../../contrib/sticky-session/README.md) +> By default,NGINX does not enable stick y session. If you want to use sticky session to connect to DC, refer to [Using sticky session for Decision Center connection](../../contrib/sticky-session/README.md) + +### Edit the file /etc/hosts on your host + +```shell +# vi /etc/hosts + mynicecompany.com +``` + +### Access the ODM services + +Check that ODM services are in NodePort type: + +```shell +kubectl get services --selector release= +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +release-odm-decisioncenter NodePort 10.0.178.43 443:32720/TCP 16m +release-odm-decisionrunner NodePort 10.0.171.46 443:30223/TCP 16m +release-odm-decisionserverconsole NodePort 10.0.106.222 443:30280/TCP 16m +release-odm-decisionserverconsole-notif ClusterIP 10.0.115.118 1883/TCP 16m +release-odm-decisionserverruntime NodePort 10.0.232.212 443:30082/TCP 16m +``` + +The ODM services are available at the following URLs: + + +| SERVICE NAME | URL | USERNAME/PASSWORD +| --- | --- | --- +| Decision Server Console | https://mynicecompany.com/res | odmAdmin/\ +| Decision Center | https://mynicecompany.com/decisioncenter | odmAdmin/\ +| Decision Server Runtime | https://mynicecompany.com/DecisionService | odmAdmin/\ +| Decision Runner | https://mynicecompany.com/DecisionRunner | odmAdmin/\ + + +Where: + +* \ is the password set using the **usersPassword** helm chart parameter + + -### Check the deployment and access ODM services -Refer to the [the main README](README.md#check-the-topology) to check the deployment and access the ODM services. 
+## Track ODM usage -### Deploy and check IBM Licensing Service +### Install the IBM Usage Metering service -Refer to [the main README](README.md#check-the-topology) to install IBM Licensing Service, except that you have to apply this updated IBMLicensing instance instead: +IBM Usage Metering Service gathers metrics to monitor compliance and create reports. It captures business value metrics for auditing purposes and to visualize metric usage in reporting tools, and sends the information to IBM Software Central. +From ODM 9.6.0 onwards, it is required to install this metering service in the same namespace as ODM. ODM will systematically reports usage metrics to the metering service through a CronJob. If the service is not installed, the job fails when it runs. For more information about the installation and configuration of UMS, see [Installing the usage metering service](https://www.ibm.com/docs/en/odm/9.6.0?topic=production-installing-metering). + + +### Retrieve metering usage + +expose the metering service: ```shell -kubectl apply -f licensing-instance-NGINX.yaml -n ibm-licensing +kubectl apply -f usage-metering-service-NGINX.yaml ``` + +To get the Usage Metering report, run the command below: + +```bash +UMS_TOKEN=$(kubectl get secret ibm-usage-metering-upload-token -n "${NAMESPACE}" -o jsonpath='{.data.token}' 2>/dev/null | base64 -d || echo "") + +curl -k --output report.zip \ + --header "Authorization: Bearer ${UMS_TOKEN}" \ + --url "https://mynicecompany.com/ibm-usage-metering-instance/api/v1/snapshot" +``` + +### Install the IBM License Service and retrieve license usage + +This section explains how to track ODM usage with the IBM License Service. 
+ +Follow the instructions in the **Installation** section of the [Manual installation without the Operator Lifecycle Manager (OLM)](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.14.0?topic=ilsfpcr-installing-license-service-without-operator-lifecycle-manager-olm#installation) documentation, **except for the step 3** which should be replaced by: + +> 3. Use `git clone`. +> +>```bash +>export operator_release_version=4.2.20 +>git clone -b ${operator_release_version} https://github.com/IBM/ibm-licensing-operator.git +>cd ibm-licensing-operator/ +>``` + +### Patch the IBM Licensing instance with Nginx configuration + +Get the [licensing-instance-nginx.yaml](./licensing-instance-nginx.yaml) file and run the command: + +```bash +kubectl patch IBMLicensing instance --type merge --patch-file licensing-instance-nginx.yaml -n ibm-licensing +``` + +Wait a couple of minutes for the changes to be applied. + +Run the following command to see the status of Ingress instance: + +```bash +kubectl get ingress -n ibm-licensing +``` + +You should be able to see the address and other details about `ibm-licensing-service-instance`. +``` +NAME CLASS HOSTS ADDRESS PORTS AGE +ibm-licensing-service-instance nginx * xxx.xxx.xxx.xxx 80 11m +``` + +You will be able to access the IBM License Service by retrieving the URL with this command: + +```bash +export LICENSING_URL=$(kubectl get ingress ibm-licensing-service-instance -n ibm-licensing -o jsonpath='{.status.loadBalancer.ingress[0].ip}')/ibm-licensing-service-instance +export TOKEN=$(kubectl get secret ibm-licensing-token -n ibm-licensing -o jsonpath='{.data.token}' |base64 -d) +echo "http://${LICENSING_URL}/status?token=${TOKEN}" +``` + +You can access the `http://${LICENSING_URL}/status?token=${TOKEN}` URL to view the licensing usage. 
+ +Alternatively you can retrieve the licensing `report.zip` file by running: + +```bash +curl "http://${LICENSING_URL}/snapshot?token=${TOKEN}" --output report.zip +``` + +If your IBM License Service instance is not running properly, refer to this [troubleshooting page](https://www.ibm.com/docs/en/cloud-paks/foundational-services/4.14.0?topic=service-troubleshooting-license). + ## Troubleshooting -If your ODM instances are not running properly, please refer to [our dedicated troubleshooting page](https://www.ibm.com/docs/en/odm/9.5.0?topic=950-troubleshooting-support). +If your ODM instances are not running properly, please refer to [our dedicated troubleshooting page](https://www.ibm.com/docs/en/odm/9.6.0?topic=950-troubleshooting-support). ## License diff --git a/platform/gcloud/gcp-values-gateway.yaml b/platform/gcloud/gcp-values-gateway.yaml new file mode 100644 index 00000000..8d7584b4 --- /dev/null +++ b/platform/gcloud/gcp-values-gateway.yaml @@ -0,0 +1,18 @@ +license: true +usersPassword: "odmAdmin" + +image: + repository: cp.icr.io/cp/cp4a/odm + pullSecrets: + - ibm-entitlement-key + +service: + enableTLS: false + + +externalDatabase: + type: postgres + secretCredentials: odmdbsecret + port: 5432 + serverName: + databaseName: postgres diff --git a/platform/gcloud/ils-gateway.yaml b/platform/gcloud/ils-gateway.yaml new file mode 100644 index 00000000..a80c4e87 --- /dev/null +++ b/platform/gcloud/ils-gateway.yaml 
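Review bot: `usersPassword: "odmAdmin"` in the new `gcp-values-gateway.yaml` commits a fixed password that equals the user name, for a release that this change set publishes through an external HTTPS load balancer. I would ship a placeholder instead, `usersPassword: "<choose-a-password>"`, and have the reader supply the real value at install time (for example `--set usersPassword=...`) rather than from a file in the repository. `service.enableTLS: false` also means the hop from the load balancer to the pods carries those credentials over plain HTTP. If that is intended, a comment next to the key such as `# TLS ends at the Gateway; LB-to-pod traffic is HTTP` would make the trade-off visible.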
@@ -0,0 +1,50 @@
+# Gateway API descriptor for GKE native Gateway Controller
+# This uses GKE's built-in Gateway API support (no additional CRDs needed)
+# Requires: gcloud container clusters update CLUSTER_NAME --gateway-api=standard
+
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: ils-gateway
+ namespace: ibm-licensing
+spec:
+ # Use GKE's native Gateway Controller
+ # Options: gke-l7-global-external-managed, gke-l7-regional-external-managed, gke-l7-rilb
+ gatewayClassName: gke-l7-global-external-managed
+ listeners:
+ - name: https
+ protocol: HTTPS
+ port: 443
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ name: ibm-license-service-cert-internal
+ namespace: ibm-licensing
+ allowedRoutes:
+ namespaces:
+ from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: ils-httproute
+spec:
+ parentRefs:
+ - name: ils-gateway
+ namespace: ibm-licensing
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /ibm-licensing-service-instance
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplacePrefixMatch
+ replacePrefixMatch: /
+ backendRefs:
+ - name: ibm-licensing-service-instance
+ port: 8080
+ weight: 1
diff --git a/platform/gcloud/images/architecture-gateway.png b/platform/gcloud/images/architecture-gateway.png
new file mode 100644
index 00000000..82d3984c
Binary files /dev/null and b/platform/gcloud/images/architecture-gateway.png differ
diff --git a/platform/gcloud/images/lb.png b/platform/gcloud/images/lb.png
index 92dcb0c7..85d59311 100644
Binary files a/platform/gcloud/images/lb.png and b/platform/gcloud/images/lb.png differ
diff --git a/platform/gcloud/images/odm-gateway.drawio b/platform/gcloud/images/odm-gateway.drawio
new file mode 100644
index 00000000..20d42bad
--- /dev/null
+++ b/platform/gcloud/images/odm-gateway.drawio
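Review bot: The `Gateway` in `ils-gateway.yaml` uses `gatewayClassName: gke-l7-global-external-managed`, which puts the License Service on an internet-facing address while the accompanying guide authorises its API only with a token passed in the query string. If the reports are only pulled from inside the VPC, the `gke-l7-rilb` class already listed in the comment above that key would keep the endpoint off the internet: `gatewayClassName: gke-l7-rilb`. The `HTTPRoute` also has no `metadata.namespace`, although the Gateway pins `namespace: ibm-licensing` and only allows routes `from: Same`. I would add `namespace: ibm-licensing` under `name: ils-httproute` so the manifest stays correct when it is applied without `-n`.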
@@ -0,0 +1,221 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/platform/gcloud/licensing-instance-gateway.yaml b/platform/gcloud/licensing-instance-gateway.yaml new file mode 100644 index 00000000..affca5ea --- /dev/null +++ b/platform/gcloud/licensing-instance-gateway.yaml @@ -0,0 +1,13 @@ +apiVersion: operator.ibm.com/v1alpha1 +kind: IBMLicensing +metadata: + name: instance +spec: + apiSecretToken: ibm-licensing-token + datasource: datacollector + httpsEnable: false + routeEnabled: false + gatewayEnabled: false + instanceNamespace: ibm-licensing + license: + accept: true diff --git a/platform/gcloud/licensing-instance-NGINX.yaml b/platform/gcloud/licensing-instance-nginx.yaml similarity index 100% rename from platform/gcloud/licensing-instance-NGINX.yaml rename to platform/gcloud/licensing-instance-nginx.yaml diff --git a/platform/gcloud/licensing-instance.yaml b/platform/gcloud/licensing-instance.yaml index e87bd849..07a2bdda 100644 --- a/platform/gcloud/licensing-instance.yaml +++ b/platform/gcloud/licensing-instance.yaml @@ -6,7 +6,7 @@ spec: apiSecretToken: ibm-licensing-token datasource: datacollector httpsEnable: false - ingressEnabled: true + ingressEnabled: false ingressOptions: annotations: ingress.kubernetes.io/rewrite-target: / diff --git a/platform/gcloud/odm-gateway.yaml b/platform/gcloud/odm-gateway.yaml new file mode 100644 index 00000000..be947293 --- /dev/null +++ b/platform/gcloud/odm-gateway.yaml 
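Review bot: In `licensing-instance.yaml`, switching to `ingressEnabled: false` leaves the `ingressOptions` block directly below it in place, and with the Ingress disabled those annotations presumably no longer apply to anything. If the Ingress-based guide still applies this file and expects the operator to create the Ingress, that path stops working; if it does not, the leftover block is misleading. Either remove `ingressOptions` or add a comment such as `# Ingress is created separately; ingressOptions kept for reference only`. The `spec` continues beyond this hunk, so this is based on the visible lines only.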
@@ -0,0 +1,182 @@
+# Gateway API descriptor for GKE native Gateway Controller
+# This uses GKE's built-in Gateway API support (no additional CRDs needed)
+# Requires: gcloud container clusters update CLUSTER_NAME --gateway-api=standard
+
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: myodmsample-odm-gateway
+spec:
+ # Use GKE's native Gateway Controller
+ # Options: gke-l7-global-external-managed, gke-l7-regional-external-managed, gke-l7-rilb
+ gatewayClassName: gke-l7-global-external-managed
+ listeners:
+ - name: https
+ protocol: HTTPS
+ port: 443
+ hostname: "mynicecompany.com"
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ name: mynicecompany-tls-secret
+ allowedRoutes:
+ namespaces:
+ from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: myodmsample-odm-httproute
+spec:
+ parentRefs:
+ - name: myodmsample-odm-gateway
+ rules:
+ # Decision Server Console - /res
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /res
+ backendRefs:
+ - name: myodmsample-odm-decisionserverconsole
+ port: 80
+ weight: 1
+
+ # Decision Center - /decisioncenter
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /decisioncenter
+ backendRefs:
+ - name: myodmsample-odm-decisioncenter
+ port: 80
+ weight: 1
+
+ # Decision Center API - /decisioncenter-api
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /decisioncenter-api
+ backendRefs:
+ - name: myodmsample-odm-decisioncenter
+ port: 80
+ weight: 1
+
+ # Decision Server Runtime - /DecisionService
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /DecisionService
+ backendRefs:
+ - name: myodmsample-odm-decisionserverruntime
+ port: 80
+ weight: 1
+
+ # Decision Runner - /DecisionRunner
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /DecisionRunner
+ backendRefs:
+ - name: myodmsample-odm-decisionrunner
+ port: 80
+ weight: 1
+
+---
+# Health checks — required because GKE defaults to GET / which returns 302 on Liberty
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+ name: odm-decisioncenter-healthcheck
+spec:
+ default:
+ checkIntervalSec: 15
+ timeoutSec: 10
+ healthyThreshold: 1
+ unhealthyThreshold: 2
+ config:
+ type: HTTP
+ httpHealthCheck:
+ port: 9060
+ requestPath: /decisioncenter/healthCheck
+ targetRef:
+ group: ""
+ kind: Service
+ name: myodmsample-odm-decisioncenter
+
+---
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+ name: odm-decisionserverconsole-healthcheck
+spec:
+ default:
+ checkIntervalSec: 15
+ timeoutSec: 10
+ healthyThreshold: 1
+ unhealthyThreshold: 2
+ config:
+ type: HTTP
+ httpHealthCheck:
+ port: 9080
+ requestPath: /res/login.jsp
+ targetRef:
+ group: ""
+ kind: Service
+ name: myodmsample-odm-decisionserverconsole
+
+---
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+ name: odm-decisionserverruntime-healthcheck
+spec:
+ default:
+ checkIntervalSec: 15
+ timeoutSec: 10
+ healthyThreshold: 1
+ unhealthyThreshold: 2
+ config:
+ type: HTTP
+ httpHealthCheck:
+ port: 9080
+ requestPath: /DecisionService/
+ targetRef:
+ group: ""
+ kind: Service
+ name: myodmsample-odm-decisionserverruntime
+
+---
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+ name: odm-decisionrunner-healthcheck
+spec:
+ default:
+ checkIntervalSec: 15
+ timeoutSec: 10
+ healthyThreshold: 1
+ unhealthyThreshold: 2
+ config:
+ type: HTTP
+ httpHealthCheck:
+ port: 9080
+ requestPath: /DecisionRunner/
+ targetRef:
+ group: ""
+ kind: Service
+ name: myodmsample-odm-decisionrunner
+
+---
+apiVersion: networking.gke.io/v1
+kind: GCPBackendPolicy
+metadata:
+ name: dc-backend-service-policy
+spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: myodmsample-odm-decisioncenter
+ default:
+ sessionAffinity:
+ type: GENERATED_COOKIE # ← matches your pod's C
\ No newline at end of file
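Review bot: The `https` listener in `odm-gateway.yaml` publishes the administrative paths (`/res`, `/decisioncenter`, `/decisioncenter-api`, `/DecisionRunner`) together with the runtime on `gke-l7-global-external-managed`, and nothing in the manifest restricts who can reach them. Since the file already defines a `GCPBackendPolicy`, I would attach a Cloud Armor policy there, `securityPolicy: <cloud-armor-policy-name>` under `default:`, and add an equivalent policy for the other backend Services. Alternatively, use the `gke-l7-rilb` class named in the file's own comment when the consoles are only needed from inside the VPC. Separately, the trailing comment on the last line, `# ← matches your pod's C`, is cut off mid-sentence and the file has no final newline. Complete the comment or drop it, and end the file with a newline.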
diff --git a/platform/gcloud/usage-metering-service-NGINX.yaml b/platform/gcloud/usage-metering-service-NGINX.yaml
new file mode 100644
index 00000000..66bad146
--- /dev/null
+++ b/platform/gcloud/usage-metering-service-NGINX.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: usage-metering-svc-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: mynicecompany.com
+ http:
+ paths:
+ - path: /ibm-usage-metering-instance(/|$)(.*)
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: ibm-usage-metering-instance
+ port:
+ number: 8080
\ No newline at end of file
diff --git a/platform/gcloud/usage-metering-service-loadbalancer.yaml b/platform/gcloud/usage-metering-service-loadbalancer.yaml
new file mode 100644
index 00000000..ad3caf7c
--- /dev/null
+++ b/platform/gcloud/usage-metering-service-loadbalancer.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ibm-usage-metering-instance-loadbalancer
+spec:
+ type: LoadBalancer
+ ports:
+ - name: ibm-usage-metering-fetch
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ - name: ibm-usage-metering-upload
+ port: 8081
+ protocol: TCP
+ targetPort: 8081
+ selector:
+ app.kubernetes.io/component: ibm-usage-metering-instance
+ app.kubernetes.io/name: ibm-usage-metering
\ No newline at end of file
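Review bot: The `Ingress` in `usage-metering-service-NGINX.yaml` has a rule for `host: mynicecompany.com` but no `spec.tls` entry for that host. As far as this manifest shows, the controller will therefore answer HTTPS with its default certificate and will also serve the path on plain HTTP, while the endpoint is called with an `Authorization: Bearer` token. I would add a TLS block under `spec`, `tls: [{hosts: [mynicecompany.com], secretName: <tls-secret-name>}]`, so the token is only sent to a listener that presents the site certificate. The file name keeps the upper-case `NGINX` suffix, although this commit renames `licensing-instance-NGINX.yaml` to lower case; using one spelling for both would avoid broken links on case-sensitive file systems.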
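Review bot: `type: LoadBalancer` in `usage-metering-service-loadbalancer.yaml` has no annotation and no source restriction, so on GKE it normally provisions an external address and exposes both `ibm-usage-metering-fetch` (8080) and `ibm-usage-metering-upload` (8081). This is the manifest the guide proposes for the offline, air-gapped mode. I would keep it on the VPC with `networking.gke.io/load-balancer-type: "Internal"` under `metadata.annotations`, or at least add `loadBalancerSourceRanges: ["<admin-cidr>"]` under `spec`. If only the download on 8080 is needed from outside the cluster, which is all the guide's command uses, the 8081 port entry can be dropped. The Service also has no `metadata.namespace`, so the selector only finds the metering pods when the file is applied in their namespace; a comment saying so, or an explicit `-n` in the apply command, would avoid a load balancer with no endpoints.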