Preparing to install IBM Operational Decision Manager

Before you install Operational Decision Manager, you must prepare your environment.

About this task

The preparation includes configuring a database for persistence, configuring the PodSecurityPolicy or SecurityContextConstraints in your cluster, customizing the installation, and configuring Rule Designer.

Procedure

  1. Configure the persistence.

    Operational Decision Manager must persist data in a database.

    1. Optional: Create and configure a database.

      You have three ways to persist the data: use the PostgreSQL internal database; use a supported external database, which can be Db2®, PostgreSQL, or (new in 8.10.5) Microsoft SQL Server; or use a custom external database, which can be Oracle. For more information, see Configuring the database.

    2. Create a database credentials secret.

      To secure access to the database, you must create a secret that encrypts the database user and password before you install the Helm release.

      1. Log in to your Certified Kubernetes cluster with an administrator user.

        For example, on OpenShift, use the oc login command:

        $ oc login https://CLUSTERIP:8443 --token=<hidden>

      2. Create the secret by running the following kubectl command.

        $ kubectl create secret generic <odm-db-secret> --from-literal=db-user=<user-name> --from-literal=db-password=<password>
        secret "<odm-db-secret>" created

      3. Reference this secret during the installation. For more information, see Installing a Helm release of ODM for production. Depending on the type of database, enter the name of the secret for the internal database (internalDatabase.secretCredentials) or external database (externalDatabase.secretCredentials).
    3. Optional: Create a Persistent Volume.

      If you plan to use the internal database with a predefined PVC, you must have a persistent volume (PV) before you install the Operational Decision Manager containers. A PV represents an underlying storage capacity in the infrastructure. The PV must be created with the accessMode ReadWriteOnce and a storage capacity of 5Gi or more. For more information about how to create a PV, see your cluster provider instructions.

  2. Grant the appropriate PodSecurityPolicy or SecurityContextConstraints to the service account.

    Check which PodSecurityPolicy or SecurityContextConstraints is validated for your cluster configuration. See Prerequisites for details.

    If the serviceAccount uses a PodSecurityPolicy, the cluster administrator must scope the namespace.

    If the serviceAccount uses SecurityContextConstraints:
    • For 8.10.4: The predefined SecurityContextConstraints name ibm-restricted-scc is verified for this chart. An OpenShift cluster administrator must bind them either to the target namespace or to the serviceAccount specifically.
      1. To add the SecurityContextConstraints (scc) to the serviceAccount, download the verified ibm scc here.
      2. Create the verified scc in your cluster.
        $ oc create -f ibm-restricted-scc.yaml
      3. Add the scc to the serviceAccount.
        $ oc adm policy add-scc-to-user ibm-restricted-scc \
         -z serviceAccountName \
         -n namespace

        Where serviceAccountName is your custom service account name or the namespace default serviceAccount.

      4. If you decide to bind the scc to the target namespace, run the following command.
        $ oc adm policy add-scc-to-group ibm-restricted-scc \
          system:serviceaccounts:namespace
    • For 8.10.5: The predefined SecurityContextConstraints name restricted is verified for this chart. In OpenShift, restricted scc is used by default for authenticated users.

      To use the restricted scc, you must set the customization.runAsUser parameter to empty so that the containers use an arbitrary UID.

      $ helm install release_name \
          --set customization.runAsUser='' \
          /path/to/ibm-odm-prod-version.tgz
      Note: Similarly, if you use the internal database, the internalDatabase.runAsUser parameter must be set to empty.
  3. If you want to customize the installation, refer to the tasks under Customizing ODM for production.
  4. If you want to create your own decision services from scratch, install Rule Designer from the Eclipse Marketplace.
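
An added example for the database credentials secret in step 1 (not IBM's code): the --from-literal form places the password on the command line, where it lands in shell history and process listings. This sketch renders the same secret, with the db-user and db-password keys, from files instead; the helper name render_db_secret, the file names and the demo values are assumptions.

```sh
#!/bin/sh
# Added example, not IBM's code. Builds the database credentials Secret from
# files so the password never appears in shell history or in `ps` output.

# render_db_secret NAME USER_FILE PASS_FILE  (hypothetical helper name)
# Prints a Secret manifest with the db-user and db-password keys used above.
render_db_secret() {
  name=$1; user_file=$2; pass_file=$3
  # Secret names are DNS subdomain names (lowercase letters, digits, '-', '.');
  # rejecting anything else also keeps the generated YAML well-formed.
  case $name in
    ''|*[!a-z0-9.-]*) echo "invalid secret name: $name" >&2; return 1 ;;
  esac
  for f in "$user_file" "$pass_file"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    # $(...) strips a final newline, so an empty result means the file ends
    # in one; that newline would become part of the stored credential.
    [ -n "$(tail -c 1 "$f")" ] || { echo "trailing newline in $f" >&2; return 1; }
  done
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  db-user: $(base64 < "$user_file" | tr -d '\n')
  db-password: $(base64 < "$pass_file" | tr -d '\n')
EOF
}

# Constructed demo values; real credentials would come from your secret store.
umask 077
demo_dir=$(mktemp -d)
printf '%s' 'odmuser' > "$demo_dir/db-user"
printf '%s' 'Constructed-Passw0rd' > "$demo_dir/db-password"
# On a cluster, pipe the manifest to: kubectl apply -f -
render_db_secret odm-db-secret "$demo_dir/db-user" "$demo_dir/db-password"
rm -rf "$demo_dir"
```

The manifest holds the credentials base64-encoded, so pipe it straight to kubectl apply -f - rather than saving it to disk or version control.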

What to do next

After you complete the setup of your environment, go to Installing a Helm release of ODM for production.