Review gke (#115)

* Okta (#108)

* Start doc on okta

* Add web app integration image

* Update README.md

* Add images for the group and claim

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Add images

* Update README.md

* Add template script

* Update README.md

* prepare environment

* ODM configuration

* cosmetic

* update

* update

* rename providers file

* Update README.md

* Update README.md

* Add new images

* Update README.md

* change provider template

* Update README.md

* Update README.md

* Update README.md

* Add interaction diagram

* Add credential flow

* Update README.md

* Update README.md

* Add Toc

* Update README.md

* Update README.md

* Update README.md

* use last chart and remove post install

use last chart 21.3.0 and remove post install not needed anymore

* Add predefined password flow

Add predefined password flow just to show that's a possibility

* some comments on the mapping

* use OPENID_PROVIDER linked to an existing provider

use the predefined client_credentials provider name providerhttps://github.com/ODMDev/odm-docker-kubernetes/blob/Okta/authentication/Okta/templates/OdmOpenidProviders.json#L4

* Accept env vars as input for OKTA_*

* missing OdmOidcProviders.json

* Create OdmOidcProviders.json

* Delete OdmOpenidProviders.json

* Update README.md

* Add new screenshot

* Update README.md

* Removed password auth between services

* Add new sections to create an Okta account

* Fixed Username format

* no message

* no message

* no message

* Added Sign-in redirect URIs

* Link updated for ODM 8.11

* Added explanation about OKTA_SERVER_NAME (instead of _URL) and other needed info

* OKTA_SERVER_URL (as input) has been renamed to OKTA_SERVER_NAME for coherence with README.md

* no message

* no message

* OKTA_API_SCOPE is now a variable

* no message

* Moved images outside

* no message

* no message

* Updated with right scope

* Mention only "Okta server"

* Removed mention of Helm release version

* Remove line about 1000 requests limits and added a link to rate limits

* no message

* New Interaction diagram

* Add blabla a bout claims

* Add license section

* Update README.md

* no message

* Added "job done"

* Add "add person" screenshot

* Added comment about logout issue

* Clarify ID and Access tokens

* Added Mathias suggestion about using a private window

* Update README.md

* Refactor the okta template section

* Update README.md

* Update README.md

* Update README.md

* Add application informations screenshot

* use kubectl instead of oc

* Fix syntaxe for linux for the sed command

* Update README.md

* Change Year + Add link to Okta documentation

* Add rule designer registration URL + Rule designer configuration

* Added endpoints doc URL

* Update README.md

* Doc review (#102)

* Review Okta documentation

* Fix Okta images

* Fix formatting in Okta doc

* Fix typos

* Release name have change. Needs to redo the screenshot

* Remove localhost:8080 url from the screenshot

* Update README.md

* Update README.md (#104)

proofreading

* Update README.md (#106)

proofreading

* Update README.md (#107)

proofreading

Co-authored-by: mathias-mouly <[email protected]>
Co-authored-by: Pierre-Yves Lochou <[email protected]>
Co-authored-by: Pierre-Yves Lochou <[email protected]>
Co-authored-by: Julie Garrone <[email protected]>
Co-authored-by: cmosbach <[email protected]>

* Add Gcloud link

* Update links

* Update links

* Last GKE Review

* Update README.md

* Update README.md

Co-authored-by: mathias-mouly <[email protected]>
Co-authored-by: Pierre-Yves Lochou <[email protected]>
Co-authored-by: Pierre-Yves Lochou <[email protected]>
Co-authored-by: Julie Garrone <[email protected]>
Co-authored-by: cmosbach <[email protected]>

Author: 5 people

platform/azure/README.md

@@ -24,7 +24,7 @@ The commands and tools have been tested on macOS and Linux.
 First, install the following software on your machine:
 
 - [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
-- [Helm v3](https://github.com/helm/helm/releases)
+- [Helm v3](https://helm.sh/docs/intro/install/)
 
 Then [create an Azure account and pay as you go](https://azure.microsoft.com/en-us/pricing/purchase-options/pay-as-you-go/).
 

platform/eks/README.md

@@ -3,26 +3,27 @@
 This project demonstrates how to deploy an IBM® Operational Decision Manager (ODM) clustered topology on the Amazon Elastic Kubernetes Service (EKS) cloud service. This deployment implements Kubernetes and Docker technologies.
 
 <img src="./images/eks-schema.jpg" alt="Flow" width="2050" height="600" />
-The ODM Docker material is available in Passport Advantage. It includes Docker container images and Helm chart descriptors.
+
+The ODM on Kubernetes material is available in [IBM Entitled Registry](https://www.ibm.com/cloud/container-registry) for the Docker images, and the [IBM Helm charts repository](https://github.com/IBM/charts) for the ODM Helm chart.
 
 ## Included components
 The project uses the following components:
-- [IBM Operational Decision Manager](https://www.ibm.com/support/knowledgecenter/en/SSQP76_8.10.x/com.ibm.odm.kube/kc_welcome_odm_kube.html)
+- [IBM Operational Decision Manager](https://www.ibm.com/docs/en/odm/8.11.0)
 - [Amazon Elastic Kubernetes Service (Amazon EKS)](https://aws.amazon.com/eks/)
-- [Amazon Elastic Container Registry (Amazon ECR) ](https://aws.amazon.com/ecr/)
-- [Amazon Relational Database Service (Amazon RDS) ](https://aws.amazon.com/rds/)
-- [Amazon Application Load Balancer(ALB)](https://aws.amazon.com/elasticloadbalancing/?nc=sn&loc=0)
+- [Amazon Elastic Container Registry (Amazon ECR)](https://aws.amazon.com/ecr/)
+- [Amazon Relational Database Service (Amazon RDS)](https://aws.amazon.com/rds/)
+- [AWS Application Load Balancer (ALB)](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html)
 
 ## Tested environment
-The commands and tools have been tested on MacOS and linux.
+The commands and tools have been tested on Linux and macOS.
 
 ## Prerequisites
 First, install the following software on your machine:
 * [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
-* [Helm](https://github.com/helm/helm/releases)
-* [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+* [Helm v3](https://helm.sh/docs/intro/install/)
+* [Kubectl](https://kubernetes.io/docs/tasks/tools/)
 
-Then, create an [AWS Account](https://aws.amazon.com/getting-started/?sc_icontent=awssm-evergreen-getting_started&sc_iplace=2up&trk=ha_awssm-evergreen-getting_started&sc_ichannel=ha&sc_icampaign=evergreen-getting_started)
+Then, create an [AWS Account](https://aws.amazon.com/getting-started/).
 
 ## Steps to deploy ODM on Kubernetes from Amazon EKS
 
@@ -36,8 +37,8 @@ Then, create an [AWS Account](https://aws.amazon.com/getting-started/?sc_iconten
 
 For more information, see [Getting started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html)
 
-
 ### 1. Prepare your environment (40 min)
+
 #### a. Create an EKS cluster (30 min)
 
 Create an EKS cluster following [this documentation](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html)

platform/gcloud/README.md

@@ -46,35 +46,35 @@ Without the relevant billing level, some Google Cloud resources will not be crea
 ## Steps to deploy ODM on Kubernetes from Google GKE
 
 <!-- TOC titleSize:2 tabSpaces:2 depthFrom:1 depthTo:6 withLinks:1 updateOnSave:1 orderedList:0 skip:0 title:0 charForUnorderedList:* -->
-* [Deploying IBM Operational Decision Manager on Google GKE](#deploying-ibm-operational-decision-manager-on-google-gke)
-  * [Included components](#included-components)
-  * [Tested environment](#tested-environment)
-  * [Prerequisites](#prerequisites)
-  * [Steps to deploy ODM on Kubernetes from Google GKE](#steps-to-deploy-odm-on-kubernetes-from-google-gke)
-  * [Prepare your GKE instance (30 min)](#prepare-your-gke-instance-30-min)
-    * [Log into Google Cloud](#log-into-google-cloud)
-    * [Create a GKE cluster](#create-a-gke-cluster)
-    * [Set up your environment to this cluster](#set-up-your-environment-to-this-cluster)
-  * [Create the Google Cloud SQL PostgreSQL instance (10 min)](#create-the-google-cloud-sql-postgresql-instance-10-min)
-  * [Prepare your environment for the ODM installation](#prepare-your-environment-for-the-odm-installation)
-    * [Using the IBM Entitled registry with your IBMid (10 min)](#using-the-ibm-entitled-registry-with-your-ibmid-10-min)
-    * [Create the datasource secrets for Google Cloud SQL PostgreSQL](#create-the-datasource-secrets-for-google-cloud-sql-postgresql)
-    * [Manage a digital certificate (2 min)](#manage-a-digital-certificate-2-min)
-  * [Install an ODM Helm release using the GKE loadbalancer (10 min)](#install-an-odm-helm-release-using-the-gke-loadbalancer-10-min)
-    * [Manage a PV containing the JDBC driver](#manage-a-pv-containing-the-jdbc-driver)
-    * [Install the ODM release](#install-the-odm-release)
-    * [Check the topology](#check-the-topology)
-    * [Check the Ingress and GKE LoadBalancer](#check-the-ingress-and-gke-loadbalancer)
-    * [Create a Backend Configuration for the Decision Center Service](#create-a-backend-configuration-for-the-decision-center-service)
-    * [Access ODM services](#access-odm-services)
-  * [Install the IBM License Service and retrieve license usage](#install-the-ibm-license-service-and-retrieve-license-usage)
-    * [Create a NGINX Ingress controller](#create-a-nginx-ingress-controller)
-    * [Install the IBM License Service](#install-the-ibm-license-service)
-    * [Create the Licensing instance](#create-the-licensing-instance)
-    * [Retrieving license usage](#retrieving-license-usage)
-  * [Optional steps](#optional-steps)
-  * [Troubleshooting](#troubleshooting)
-* [License](#license)
+- [Deploying IBM Operational Decision Manager on Google GKE](#deploying-ibm-operational-decision-manager-on-google-gke)
+  - [Included components](#included-components)
+  - [Tested environment](#tested-environment)
+  - [Prerequisites](#prerequisites)
+  - [Steps to deploy ODM on Kubernetes from Google GKE](#steps-to-deploy-odm-on-kubernetes-from-google-gke)
+  - [Prepare your GKE instance (30 min)](#prepare-your-gke-instance-30-min)
+    - [Log into Google Cloud](#log-into-google-cloud)
+    - [Create a GKE cluster](#create-a-gke-cluster)
+    - [Set up your environment to this cluster](#set-up-your-environment-to-this-cluster)
+  - [Create the Google Cloud SQL PostgreSQL instance (10 min)](#create-the-google-cloud-sql-postgresql-instance-10-min)
+  - [Prepare your environment for the ODM installation](#prepare-your-environment-for-the-odm-installation)
+    - [Using the IBM Entitled registry with your IBMid (10 min)](#using-the-ibm-entitled-registry-with-your-ibmid-10-min)
+    - [Create the datasource secrets for Google Cloud SQL PostgreSQL](#create-the-datasource-secrets-for-google-cloud-sql-postgresql)
+    - [Manage a digital certificate (2 min)](#manage-a-digital-certificate-2-min)
+  - [Install an ODM Helm release using the GKE loadbalancer (10 min)](#install-an-odm-helm-release-using-the-gke-loadbalancer-10-min)
+    - [Manage a PV containing the JDBC driver](#manage-a-pv-containing-the-jdbc-driver)
+    - [Install the ODM release](#install-the-odm-release)
+    - [Check the topology](#check-the-topology)
+    - [Check the Ingress and GKE LoadBalancer](#check-the-ingress-and-gke-loadbalancer)
+    - [Create a Backend Configuration for the Decision Center Service](#create-a-backend-configuration-for-the-decision-center-service)
+    - [Access ODM services](#access-odm-services)
+  - [Install the IBM License Service and retrieve license usage](#install-the-ibm-license-service-and-retrieve-license-usage)
+    - [Create a NGINX Ingress controller](#create-a-nginx-ingress-controller)
+    - [Install the IBM License Service](#install-the-ibm-license-service)
+    - [Create the Licensing instance](#create-the-licensing-instance)
+    - [Retrieving license usage](#retrieving-license-usage)
+  - [Optional steps](#optional-steps)
+  - [Troubleshooting](#troubleshooting)
+- [License](#license)
 <!-- /TOC -->
 
 ## Prepare your GKE instance (30 min)
@@ -98,7 +98,7 @@ In this article we chose to create a [regional cluster](https://cloud.google.com
 Set the project (associated to a billing account):
 
 ```
-gcloud config set project [PROJECT_NAME]
+gcloud config set project [PROJECT_ID]
 ```
 
 Set the zone:
@@ -110,13 +110,13 @@ gcloud config set compute/zone [ZONE (ex: europe-west1-b)]
 Set the region:
 
 ```
-gcloud config set compute/region [REGION (ex: europe-west1-b)]
+gcloud config set compute/region [REGION (ex: europe-west1)]
 ```
 
 Create a cluster and enable autoscaling. Here, we start with 4 nodes (with 16 max):
 
 ```
-gcloud container clusters create [CLUSTER_NAME] --num-nodes 4 --enable-autoscaling --min-nodes 1 --max-nodes 16
+gcloud container clusters create [CLUSTER_NAME] --num-nodes 6 --enable-autoscaling --min-nodes 1 --max-nodes 16
 ```
 
 You can also create your cluster from the Google Cloud Platform using the Kubernetes Engine Clusters panel, by clicking on the Create button
@@ -146,11 +146,13 @@ We will use the Google Cloud Console to create this instance:
 
 - Go on the [SQL context](https://console.cloud.google.com/sql) and click on the "CREATE INSTANCE" button
 - Choose PostgreSQL
+  - Instance ID : Chosse a name for your instance.
+  - Password : <PASSWORD> (Take a note of this password. You need it in the "Create the datasource secrets for Google Cloud SQL PostgreSQL" section)
   - Take "PostgreSQL 13" as database version
   - Choose a region similar to the cluster. So, the communication is optimal between the database and the ODM instance
   - Keep "Multiple zones" for Zonal availability to the highest availability
   - Expand "Customize your instance" and Expand "Connections"
-  - As Public IP is selected by default, click on the "ADD NETWORK" button, put a name and add "0.0.0.0/0" for Network, then click on "DONE"
+  - As Public IP is selected by default, click on the "ADD NETWORK" button, put a name and add "0.0.0.0/0" for Network, then click on "DONE". It's not recommended to use plublic IP. In production environment, you should use private IP.
 
 When created, you can drill on the SQL instance overview to retrieve needed information to connect to this instance like the IP adress and the connection name:
 
@@ -204,17 +206,15 @@ NAME                  	CHART VERSION	APP VERSION	DESCRIPTION
 ibmcharts/ibm-odm-prod	21.3.0       	8.11.0.0   	IBM Operational Decision Manager
 ```
 
-You can now proceed to the [datasource secret's creation](#create-the-datasource-secrets-for-azure-postgresql).
-
 ### Create the datasource secrets for Google Cloud SQL PostgreSQL
 
 The Google Cloud SQL PostgreSQL connection will be done using [Cloud SQL Connector for Java](https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory#cloud-sql-connector-for-java).
 
-If you don't want to build the driver, you can get the last [driver](https://storage.googleapis.com/cloud-sql-java-connector/) named postgres-socket-factory-X.X.X-jar-with-driver-and-dependencies.jar.
+If you don't want to build the driver, you can get the last [driver](https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory/releases) named postgres-socket-factory-X.X.X-jar-with-driver-and-dependencies.jar.
 
 We realised the test with the driver version [postgres-socket-factory-1.4.2-jar-with-driver-and-dependencies.jar](https://storage.googleapis.com/cloud-sql-java-connector/v1.4.2/postgres-socket-factory-1.4.2-jar-with-driver-and-dependencies.jar).
 
-Copy the files [datasource-dc.xml.template](datasource-dc.xml.template) and [datasource-ds.xml.template](datasource-ds.xml.template) to your local machine and rename them `datasource-dc.xml` and `datasource-ds.xml`.
+Copy the files [datasource-dc.xml](datasource-dc.xml) and [datasource-ds.xml](datasource-ds.xml) to your local machine.
 
 Replace the following placeholders:
 
@@ -223,7 +223,7 @@ Replace the following placeholders:
 - CONNECTION_NAME: The database connection name
 - DBNAME: The database name (default is postgres)
 - USERNAME: The database username (default is postgres)
-- PASSWORD: The database password
+- PASSWORD: The database password (PASSWORD enter in the step [Create the Google Cloud SQL PostgreSQL instance](#create-the-datasource-secrets-for-google-cloud-sql-postgresql))
 
 It should be something like in the following extract:
 
@@ -250,6 +250,7 @@ kubectl create secret generic <customdatasourcesecret> \
 
 1. Generate a self-signed certificate
 
+In this step, you will generate a certificate used by the GKE loadbalancer.  
 If you do not have a trusted certificate, you can use OpenSSL and other cryptography and certificate management libraries to generate a certificate file and a private key, to define the domain name, and to set the expiration date. The following command creates a self-signed certificate (.crt file) and a private key (.key file) that accepts the domain name *mycompany.com*. The expiration is set to 1000 days:
 
 ```
@@ -281,6 +282,7 @@ To workaround this issue, we will use a ReadWriteOnce PV used by an NGINX pod th
 Then, we will change the PV permission to ReadOnlyMany before to launch the ODM release in order to be able to install ODM on many nodes.
 
 1. [Enable the SCI FileStore Driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/filestore-csi-driver#console_1).
+The cluster will restart. This take several minutes until the cluster is ready.
 
 2. Create the [filestore-example](filestore-example.yaml) storageClass:
 
@@ -293,18 +295,24 @@ kubectl apply -f filestore-example.yaml
 ```
 kubectl apply -f customdatasource-pvc.yaml
 ```
+This take some time until the PVC is ready. Wait until the PVC is ready before moving to the next step. You can verify the status by using this command line.
+
+```
+kubectl get pvc
+```
 
 4. Create a [nginx](nginx.yaml) pod using this PVC that will be used only to copy the driver because this container is accessible as root:
 
 ```
 kubectl apply -f nginx.yaml
 ```
 
+
 5. Copy the Google Cloud PostgresSQL driver on the nginx pod:
 
 ```
 export NGINX_COPY_POD=$(kubectl get pod | grep nginx-driver-copy)
-kubectl cp postgres-socket-factory-<X.X.X>-jar-with-driver-and-dependencies.jar $(NGINX_COPY_POD):/usr/share/nginx/html
+kubectl cp postgres-socket-factory-<X.X.X>-jar-with-driver-and-dependencies.jar ${NGINX_COPY_POD}:/usr/share/nginx/html
 ```
 
 6. Change the PV accessmode to ReadOnlyMany; this way, all ODM containers will be able to access the PV as readonly and scheduled on several node:
@@ -314,6 +322,13 @@ export PV_NAME=$(kubectl get pvc customdatasource-pvc -o jsonpath={.spec.volumeN
 kubectl patch pv $PV_NAME -p '{"spec":{"accessModes":["ReadOnlyMany"]}}'
 ```
 
+7. Clean up
+  
+You can now delete the nginx pods used to copy the PostgreSQL driver.
+```
+kubectl delete -f nginx.yaml
+```
+
 ### Install the ODM release
 
 You can now install the product.
@@ -397,7 +412,7 @@ We just have to manage a configuration to simulate the mycompany.com access.
 You can get the EXTERNAL-IP using the command line:
 
 ```
-kubectl get ingress <release>-odm-ingress -o json | jq -r '.status.loadBalancer.ingress[].ip'
+kubectl get ingress <release>-odm-ingress -o jsonpath='{.status.loadBalancer.ingress[].ip}'
 ```
 
 So, to access ODM services, you have to edit your /etc/hosts file and add the following entry:
@@ -430,6 +445,7 @@ This section explains how to track ODM usage with the IBM License Service.
 
     ```
     helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+    helm repo update
     ```
 
 2. Use Helm to deploy an NGINX Ingress controller:

platform/gcloud/README_NGINX.md

@@ -5,13 +5,14 @@ For reference, see the Google Cloud documentation https://cloud.google.com/commu
 
 <!-- TOC titleSize:2 tabSpaces:2 depthFrom:1 depthTo:6 withLinks:1 updateOnSave:1 orderedList:0 skip:0 title:1 charForUnorderedList:* -->
 ## Table of Contents
-* [Install an ODM Helm release and expose it with a NGINX Ingress controller (15 min)](#install-an-odm-helm-release-and-expose-it-with-a-nginx-ingress-controller-15-min)
-  * [Create a Kubernetes secret for the TLS certificate](#create-a-kubernetes-secret-for-the-tls-certificate)
-  * [Install the ODM release](#install-the-odm-release)
-  * [Edit your /etc/hosts](#edit-your-etchosts)
-  * [Access the ODM services](#access-the-odm-services)
-  * [Troubleshooting](#troubleshooting)
-* [License](#license)
+- [Install an ODM Helm release and expose it with a NGINX Ingress controller (15 min)](#install-an-odm-helm-release-and-expose-it-with-a-nginx-ingress-controller-15-min)
+  - [Table of Contents](#table-of-contents)
+  - [Create a Kubernetes secret for the TLS certificate](#create-a-kubernetes-secret-for-the-tls-certificate)
+  - [Install the ODM release](#install-the-odm-release)
+  - [Edit your /etc/hosts](#edit-your-etchosts)
+  - [Access the ODM services](#access-the-odm-services)
+  - [Troubleshooting](#troubleshooting)
+- [License](#license)
 <!-- /TOC -->
 
 NGINX has been installed while deploying IBM License Manager, see [README.md](README.md#create-a-nginx-ingress-controller).
@@ -28,7 +29,7 @@ openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout mycompany.key \
         -addext "subjectAltName=DNS:mycompany.com"
 ```
 
->Pay attention to use a real OpenSSL version and not LibreSSL.
+>By default on mac osx, the default Openssl (LibreSSL version) does not have the -addtext option. You need to install the "Official" OpenSSL implementation.  
 
 2. Create the according Kubernetes secret that contains the certificate
 

…atform/gcloud/datasource-dc.xml.template platform/gcloud/datasource-dc.xmlplatform/gcloud/datasource-dc.xml.template renamed to platform/gcloud/datasource-dc.xml platform/gcloud/datasource-dc.xml.template renamed to platform/gcloud/datasource-dc.xml

@@ -18,6 +18,6 @@
 		javax.sql.ConnectionPoolDataSource="org.postgresql.ds.PGConnectionPoolDataSource"/>
 	<properties URL="jdbc:postgresql://<IP>/<DBNAME>?cloudSqlInstance=<CONNECTION_NAME>;socketFactory=com.google.cloud.sql.postgres.SocketFactory"
 		user="postgres"
-		password="postgres"/>
+		password="PASSWORD"/>
   </dataSource>
 </server>