Preparing to install IBM Operational Decision Manager
Before you install Operational Decision Manager, you must prepare your environment.
About this task
The preparation includes configuring a database for persistence, configuring the PodSecurityPolicy or SecurityContextConstraints in your cluster, customizing the installation, and configuring Rule Designer.
Procedure
- Configure the persistence.
Operational Decision Manager must persist data in a database.
- Optional: Create and configure a database.
You have three ways to persist the data: use the PostgreSQL internal database; use a supported external database, which can be Db2®, PostgreSQL, or (new in 8.10.5) Microsoft SQL Server; or use a custom external database, which can be Oracle. For more information, see Configuring the database.
- Create a database credentials secret.
To secure access to the database, you must create a secret that encrypts the database user and password before you install the Helm release.
  - Log in to your Certified Kubernetes cluster with an administrator user.
    For example, on OpenShift, use the oc login command:
    $ oc login https://CLUSTERIP:8443 --token=<hidden>
  - Create the secret by running the following kubectl command.
    $ kubectl create secret generic <odm-db-secret> --from-literal=db-user=<user-name> --from-literal=db-password=<password>
    secret "<odm-db-secret>" created
  - Reference this secret during the installation. For more information, see Installing a Helm release of ODM for production. Depending on the type of database, enter the name of the secret for the internal database (internalDatabase.secretCredentials) or external database (externalDatabase.secretCredentials).
- Optional: Create a Persistent Volume.
If you plan on using the internal database with a predefined PVC, you must have a persistent volume (PV) before you install the Operational Decision Manager containers. A PV represents an underlying storage capacity in the infrastructure. The PV must be created with accessMode ReadWriteOnce and a storage capacity of 5Gi or more. For more information about how to create a PV, see your cluster provider instructions.
- Grant the appropriate PodSecurityPolicy or SecurityContextConstraints to the service account.
Check which PodSecurityPolicy or SecurityContextConstraints is validated for your cluster configuration. See Prerequisites for details.
If the serviceAccount uses a PodSecurityPolicy, the cluster administrator must scope the namespace.
If the serviceAccount uses SecurityContextConstraints:
- For 8.10.4: The predefined SecurityContextConstraints name ibm-restricted-scc is verified for this chart. An OpenShift cluster administrator must bind it either to the target namespace, or to the serviceAccount specifically.
  - To add the SecurityContextConstraints (scc) to the serviceAccount, download the verified ibm scc here.
  - Create the verified scc in your cluster.
    $ oc create -f ibm-restricted-scc.yaml
  - Add the scc to the serviceAccount.
    $ oc adm policy add-scc-to-user ibm-restricted-scc -z serviceAccountName -n namespace
    Where serviceAccountName is your custom service account name or the namespace default serviceAccount.
  - If you decide to bind the scc to the target namespace, run the following command.
    $ oc adm policy add-scc-to-group ibm-restricted-scc system:serviceaccounts:namespace
- For 8.10.5: The predefined SecurityContextConstraints name restricted is verified for this chart. In OpenShift, the restricted scc is used by default for authenticated users.
  To use the restricted scc, you must set the customization.runAsUser parameter to empty so that the containers use an arbitrary UID.
  $ helm install release_name \
      --set customization.runAsUser='' \
      /path/to/ibm-odm-prod-version.tgz
  Note: Similarly, if you use the internal database, the internalDatabase.runAsUser parameter must be set to empty.
- If you want to customize the installation, refer to the tasks under Customizing ODM for production.
- If you want to create your own decision services from scratch, install Rule Designer from the Eclipse Marketplace.
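Added example, not part of the IBM documentation: for the "Create a database credentials secret" step above, this shell function builds the same Secret (keys db-user and db-password) as a manifest and reads the password from a file, so the password does not appear in shell history or the process list. The function names odm_db_secret_manifest and b64 and the password file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM's code): build the database credentials Secret
# as a manifest instead of passing --from-literal on the command line.

# b64: base64-encode stdin as a single line (GNU base64 wraps at 76 columns).
b64() { base64 | tr -d '\n'; }

# odm_db_secret_manifest NAME USER PASSWORD_FILE   (hypothetical helper)
# Prints a Secret manifest with the keys used on this page:
# db-user and db-password. Returns 2 on invalid input.
odm_db_secret_manifest() {
    name=$1; user=$2; pwfile=$3
    # Secret names must be DNS subdomain names: lowercase alphanumerics, '-' or '.'
    case $name in
        ''|*[!a-z0-9.-]*) echo "invalid secret name: $name" >&2; return 2 ;;
    esac
    [ -n "$user" ] || { echo "database user is required" >&2; return 2; }
    [ -r "$pwfile" ] || { echo "cannot read password file: $pwfile" >&2; return 2; }
    # $(...) drops the trailing newline that editors and echo append; encoding
    # that newline into the secret is a common cause of failed database logins.
    password=$(cat "$pwfile")
    [ -n "$password" ] || { echo "password file is empty" >&2; return 2; }
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  db-user: $(printf '%s' "$user" | b64)
  db-password: $(printf '%s' "$password" | b64)
EOF
}

# Usage (names and path are placeholders):
#   odm_db_secret_manifest odm-db-secret odmuser ./db-password.txt | kubectl apply -f -
```

The values under data are base64-encoded, so keep the password file and any saved copy of the manifest readable only by the administrator, and delete them after the secret is created.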
What to do next
After you complete the setup of your environment, go to Installing a Helm release of ODM for production.