Merge pull request #76 from ibm-client-engineering/ross-cherry-picks

Merging in of latest changes
ibm-client-engineering · Nov 28, 2023 · 0b6f212 · 0b6f212
2 parents 9cdc065 + 03cd4df
commit 0b6f212
Show file tree

Hide file tree

Showing 9 changed files with 187 additions and 41 deletions.
diff --git a/docs/3-Create/Deploy/ier.mdx b/docs/3-Create/Deploy/ier.mdx
@@ -18,6 +18,64 @@ kubectl create secret generic ibm-ier-secret \
 --from-literal=keystorePassword="p@ssw0rd" \
 --from-literal=ltpaPassword="p@ssw0rd"
 ```
+
+### Create the config map `fncmdeploy-tm-custom-env`
+
+This step is required when deploying IER to the cluster. Task Manager pods require the `TM_JOB_URL` env variable to point to the location of the IER plugin.
+
+`fncmdeploy-tm-custom-env.yaml`
+```tsx
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: fncmdeploy-tm-custom-env
+  labels:
+    app: fncmdeploy-tm-custom-env
+data:
+  TM_JOB_URL: "https://fncmdeploy-ier-svc:9443/EnterpriseRecordsPlugin/IERApplicationPlugin.jar"
+```
+In our case, the TM_JOB_URL referenced [here](https://www.ibm.com/docs/en/enterprise-records/5.2.1?topic=in-configuring-content-navigator-task-manager-enterprise-records#frmco011__1)
+needs to point to the internal service URL, not the external URL as it does not exist.
+
+This is also a custom env variable for Task Manager that we will enable in the CR below.
+
+Apply it to the cluster
+```bash
+kubectl apply -f fncmdeploy-tm-custom-env.yaml
+```
+
+### Update the CR for Task Manager
+
+In the filenet CR you used to deploy the cluster, make the following changes and additions:
+
+Under the Task Manager application block in the CR add the `custom_configmap` to point to the config map we just created. Also make sure the `security_roles_to_group_mapping` are set to `cpadmins` and `cpusers` as these are the groups that exist in LDAP.
+
+```tsx
+        // highlight-start
+        custom_configmap:
+         - name: fncmdeploy-tm-custom-env
+           is_env: true
+        // highlight-end
+        # - name: <name of configmap>
+        #   volume_path:  # optional
+
+        ## All users/groups belong to one of three roles (Admin, User, or Auditor) that are specific to Task Manager.
+        ## Each role takes a list of users/groups (e.g., groups: [taskAdmins, taskAdmins2]).  Refer to Knowledge Center documentation for details.
+        security_roles_to_group_mapping:
+          task_admins:
+        // highlight-next-line
+            groups: [cpadmins]
+            users: []
+          task_users:
+        // highlight-next-line
+            groups: [cpusers]
+            users: []
+          task_auditors:
+        // highlight-next-line
+            groups: [cpadmins]
+            users: []
+```
+
 ### Updating CR for IER deployment
 
 In the filenet CR you used to deploy the cluster, make the following changes and additions:
@@ -28,7 +86,7 @@ In the filenet CR you used to deploy the cluster, make the following changes and
     cmis: false
     css: false
     es: false
-    tm: false
+    tm: true
     ban: true
     // highlight-start
     ier: true
@@ -87,6 +145,41 @@ After the `navigator_configuration` entry in the CR, add the following section
         failure_threshold: 6
 ```
 
+### Uploading config jars to the Task Manager pod
+
+Before we apply the modified CR, let's prepare the Task Manager pod.
+
+The following files are required for the Task Manager pod:
+- [`Jace.jar`](/deployment_files/IER_config/Jace.jar)
+- [`pe.jar`](/deployment_files/IER_config/pe.jar)
+- [`peResources.jar`](/deployment_files/IER_config/peResources.jar)
+- [`TM-Liberty.xml`](/deployment_files/IER_config/TM-Liberty.xml)
+
+The above files and how to get them are referenced [here](https://www.ibm.com/docs/en/enterprise-records/5.2.1?topic=in-configuring-content-navigator-task-manager-enterprise-records#frmco011__1), but we've included them in our repo.
+
+Retrieve the name of your existing Task Manager pod
+
+```tsx
+kubectl get pods | grep tm-deploy
+//highlight-next-line
+fncmdeploy-tm-deploy-9db6b7f7f-6zzjb          1/1     Running   0          5d20h
+```
+
+Push the jars downloaded above to the `configDropins/overrides` directory on the Task Manager pod.
+
+```tsx
+kubectl cp Jace.jar fncmdeploy-tm-deploy-9db6b7f7f-6zzjb:configDropins/overrides
+kubectl cp pe.jar fncmdeploy-tm-deploy-9db6b7f7f-6zzjb:configDropins/overrides
+kubectl cp peResources.jar fncmdeploy-tm-deploy-9db6b7f7f-6zzjb:configDropins/overrides
+```
+
+Push up the `TM-Liberty.xml` file to `configDropins/overrides`
+```tsx
+kubectl cp TM-Liberty.xml fncmdeploy-tm-deploy-9db6b7f7f-6zzjb:configDropins/overrides
+```
+
+
+
 ### Apply the CR
 
 ```bash
@@ -110,8 +203,8 @@ fncmdeploy-navigator-deploy-58b9c95c4-k9gx7   1/1     Running   0          157m
 fncmdeploy-tm-deploy-7d4fd64759-x28qw         1/1     Running   0          6d6h
 ibm-fncm-operator-748884b478-qkd4f            1/1     Running   0          4d2h
 postgres-759fd876ff-d5fxd                     1/1     Running   0          6d9h
-
 ```
+
 ## IER Configuration 
 Please make sure below object stores are created and required configurations are in place 
 
@@ -367,4 +460,4 @@ Scale the navigator deployment down and up. If your replicas are more that 1, sc
 ```tsx
 kubectl scale deploy fncmdeploy-navigator-deploy --replicas=0
 kubectl scale deploy fncmdeploy-navigator-deploy --replicas=1
-```
+```
diff --git a/docs/3-Create/Deploy/operator.mdx b/docs/3-Create/Deploy/operator.mdx
@@ -135,6 +135,7 @@ kubectl create secret generic ibm-ban-secret \
   --from-literal=jMailPassword="{xor}GDoxNiosbg=="
 ```
 
+### Create the `ldap-bind-secret`
 Create a secret in the filenet namespace for the ldap-bind secret
 
 `ldap_secrets.yaml`
@@ -708,13 +709,13 @@ spec:
         license: accept
         security_roles_to_group_mapping:
            task_admins:
-             groups: [taskAdmins]
+             groups: [cpadmin]
              users: []
            task_users:
-             groups: [taskUsers]
+             groups: [cpusers]
              users: []
            task_auditors:
-             groups: [taskAuditors]
+             groups: [cpadmin]
              users: []
       monitor_enabled: false
       logging_enabled: false

diff --git a/docs/3-Create/Deploy/postgres.mdx b/docs/3-Create/Deploy/postgres.mdx
@@ -208,7 +208,7 @@ For this deployment, we will be creating the following databases:
 - `gcddb`
 - `icndb`
 
-And one single object store for now
+Initial Object Store database
 
 - `osdb`
 
@@ -252,9 +252,75 @@ CREATE TABLESPACE osdb_tbs OWNER ceuser LOCATION '/pgsqldata/osdb';
 GRANT CREATE ON TABLESPACE osdb_tbs TO ceuser;
 ```
 
+## IER Databases and Object Stores
+
+For IER support, we will be creating the following databases:
+- `fposdb` - File Plan Object Store
+- `rosdb` - Record Object Store
+
+In this instance we will also be creating two extra table spaces for `rosdb` for the indexarea and workflows.
+
+### Create the tablespace directories
+
+Retrieve the postgres pod id with this command:
+```tsx
+kubectl get pods | grep postgres
+
+// highlight-next-line
+postgres-759fd876ff-d5fxd                     1/1     Running   0          6d10h
+```
+Connect to the postgres pod and create the tablespace directories for `fposdb` and `rosdb`. This will also include the paths for the indexarea and workflows for `rosdb`. 
+
+```tsx
+kubectl exec -it postgres-759fd876ff-d5fxd -- mkdir /pgsqldata/fposdb /pgsqldata/rosdb /pgsqldata/rosdbwf /pgsqldata/rosdbidx 
+kubectl exec -it postgres-759fd876ff-d5fxd -- chmod 700 /pgsqldata/fposdb /pgsqldata/rosdb /pgsqldata/rosdbwf /pgsqldata/rosdbidx 
+```
+
+### Create the IER object store databases
+
+Connect to `defaultdb`. Our password will be `p@ssw0rd`.
+
+```tsx
+kubectl exec -it postgres-759fd876ff-d5fxd -- psql -h localhost -U admin --password -p 5432 defaultdb
+```
+
+Create the databases. Each `\connect` statement will require the `p@ssw0rd` password.
+
+```tsx
+CREATE DATABASE fposdb OWNER ceuser TEMPLATE template0 ENCODING UTF8;
+GRANT ALL ON DATABASE fposdb TO ceuser;
+REVOKE CONNECT ON DATABASE fposdb FROM public;
+
+// highlight-next-line
+\connect fposdb
+CREATE TABLESPACE fposdb_tbs OWNER ceuser LOCATION '/pgsqldata/fposdb';
+GRANT CREATE ON TABLESPACE fposdb_tbs TO ceuser;
+
+CREATE DATABASE rosdb OWNER ceuser TEMPLATE template0 ENCODING UTF8;
+GRANT ALL ON DATABASE rosdb TO ceuser;
+REVOKE CONNECT ON DATABASE rosdb FROM public;
+
+// highlight-next-line
+\connect rosdb
+CREATE TABLESPACE rosdb_tbs OWNER ceuser LOCATION '/pgsqldata/rosdb';
+GRANT CREATE ON TABLESPACE rosdb_tbs TO ceuser;
+```
+
+We will also now create the tablespaces in `rosdb` for the index area and workflows 
+
+```tsx
+// highlight-start
+CREATE TABLESPACE rosdbwf_tbs OWNER ceuser LOCATION '/pgsqldata/rosdbwf';
+CREATE TABLESPACE rosdbidx_tbs OWNER ceuser LOCATION '/pgsqldata/rosdbidx';
+GRANT CREATE ON TABLESPACE rosdbwf_tbs TO ceuser;
+GRANT CREATE ON TABLESPACE rosdbidx_tbs TO ceuser;
+// highlight-end
+
+```
+
 ## Appendix
 
-### Adding Object Store Databases
+### Adding Other Object Store Databases
 
 :::note
 This presumes you already have completed the above steps 
@@ -266,10 +332,6 @@ Extra object stores
 - `os2db`
 - `os3db`
 
-FilePlan Object Store and Record Object Store for IER
-- `fposdb`
-- `rosb`
-
 #### Creating the tablespace directories in postgres pod
 
 Determine the name of your postgres pod by first making sure we're in the right namespace:
@@ -285,8 +347,8 @@ postgres-759fd876ff-d5fxd                     1/1     Running   0          7d22h
 
 Now create the tablespace folders on the pod. These will be living in the PVC storage:
 ```tsx
-kubectl exec -it postgres-759fd876ff-d5fxd -- mkdir /pgsqldata/fposdb /pgsqldata/rosdb /pgsqldata/os2db /pgsqldata/os3db
-kubectl exec -it postgres-759fd876ff-d5fxd -- chmod 700 /pgsqldata/fposdb /pgsqldata/rosdb /pgsqldata/os2db /pgsqldata/os3db
+kubectl exec -it postgres-759fd876ff-d5fxd -- mkdir /pgsqldata/os2db /pgsqldata/os3db
+kubectl exec -it postgres-759fd876ff-d5fxd -- chmod 700 /pgsqldata/os2db /pgsqldata/os3db
 ```
 
 #### Create the databases
@@ -296,6 +358,7 @@ Connect to `defaultdb`. Our password will be `p@ssw0rd`.
 ```tsx
 kubectl exec -it postgres-759fd876ff-d5fxd -- psql -h localhost -U admin --password -p 5432 defaultdb
 ```
+Now create the databases
 
 Create each database listed above. When you run the `\connect` command, it will query you for the password. It will still be `p@ssw0rd`.
 
@@ -319,23 +382,4 @@ REVOKE CONNECT ON DATABASE os3db FROM public;
 \connect os3db
 CREATE TABLESPACE os3db_tbs OWNER ceuser LOCATION '/pgsqldata/os3db';
 GRANT CREATE ON TABLESPACE os3db_tbs TO ceuser;
-
-CREATE DATABASE fposdb OWNER ceuser TEMPLATE template0 ENCODING UTF8;
-GRANT ALL ON DATABASE fposdb TO ceuser;
-REVOKE CONNECT ON DATABASE fposdb FROM public;
-
-// highlight-next-line
-\connect fposdb
-CREATE TABLESPACE fposdb_tbs OWNER ceuser LOCATION '/pgsqldata/fposdb';
-GRANT CREATE ON TABLESPACE fposdb_tbs TO ceuser;
-
-CREATE DATABASE rosdb OWNER ceuser TEMPLATE template0 ENCODING UTF8;
-GRANT ALL ON DATABASE rosdb TO ceuser;
-REVOKE CONNECT ON DATABASE rosdb FROM public;
-
-// highlight-next-line
-\connect rosdb
-CREATE TABLESPACE rosdb_tbs OWNER ceuser LOCATION '/pgsqldata/rosdb';
-GRANT CREATE ON TABLESPACE rosdb_tbs TO ceuser;
-
-```
+```
diff --git a/static/deployment_files/IER_config/Common.zip b/static/deployment_files/IER_config/Common.zip
diff --git a/static/deployment_files/IER_config/Jace.jar b/static/deployment_files/IER_config/Jace.jar
diff --git a/static/deployment_files/IER_config/TM-Liberty.xml b/static/deployment_files/IER_config/TM-Liberty.xml
@@ -0,0 +1,8 @@
+<server>
+        <library id="ecmTaskManagerLib">
+                <fileset dir="${server.config.dir}/lib" includes="*.jar" scanInterval="5s" />
+                <folder dir="/opt/ibm/orm" />
+		<folder dir="/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides" />
+        </library>
+
+</server>
diff --git a/static/deployment_files/IER_config/pe.jar b/static/deployment_files/IER_config/pe.jar
diff --git a/static/deployment_files/IER_config/peResources.jar b/static/deployment_files/IER_config/peResources.jar
diff --git a/static/deployment_files/ibm_fncm_cr_production-5.5.11.yaml b/static/deployment_files/ibm_fncm_cr_production-5.5.11.yaml
@@ -42,7 +42,7 @@ spec:
     cmis: false
     css: false
     es: false
-    tm: false
+    tm: true
     ban: true
     ier: true
 
@@ -1334,23 +1334,23 @@ spec:
         ## The volume_path is optional for a configmap that holds files as its data and if it's not specified,
         ## then the files will be mounted to the overrides directory.  If the configmap data holds environment variables
         ## then is_env is required and set it to true.
-        #custom_configmap:
+        custom_configmap:
+         - name: fncmdeploy-tm-custom-env
+           is_env: true
         # - name: <name of configmap>
         #   volume_path:  # optional
-        # - name: <name of configmap>
-        #   is_env: # required if the configmap holds environment variables.
 
         ## All users/groups belong to one of three roles (Admin, User, or Auditor) that are specific to Task Manager.
         ## Each role takes a list of users/groups (e.g., groups: [taskAdmins, taskAdmins2]).  Refer to Knowledge Center documentation for details.
         security_roles_to_group_mapping:
           task_admins:
-            groups: [taskAdmins]
+            groups: [cpadmins]
             users: []
           task_users:
-            groups: [taskUsers]
+            groups: [cpusers]
             users: []
           task_auditors:
-            groups: [taskAuditors]
+            groups: [cpadmins]
             users: []
 
       ## Enable/disable monitoring where metrics can be sent to Graphite or scraped by Prometheus