Merge pull request #744 from IBM/cp4ba-20240702

CP4BA ODM fix and ADS GenAI
IBM · Jul 3, 2024 · 486b562 · 486b562
2 parents 5be16c3 + 1d33349
commit 486b562
Show file tree

Hide file tree

Showing 9 changed files with 74 additions and 64 deletions.
diff --git a/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/postdeploy/ads.yml b/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/postdeploy/ads.yml
@@ -63,58 +63,6 @@
   ansible.builtin.include_tasks: ads-maven-plugins.yml
   with_dict: "{{ ads_maven_plugins_response.json | json_query('resources') }}"
 
-- name: Get roles
-  ansible.builtin.uri:
-    url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v1/roles"
-    method: GET
-    headers:
-      Authorization: "Bearer {{ zen_token }}"
-    validate_certs: false
-    status_code: 200
-  register: roles_response
-
-- name: Retrieve existing ADS admin role ID
-  ansible.builtin.set_fact:
-    ads_admin_role_id: "{{ roles_response.json | json_query(condition_query) | first | default('', true) }}"
-  vars:
-    condition_query:
-      "rows[?doc.role_name == 'ADS Admin'].id"
-
-- name: Create ADS admin role
-  when: ads_admin_role_id | length == 0
-  block:
-    - name: ADS permissions
-      ansible.builtin.set_fact:
-        ads_perms_list:
-          - "{{ _current_cp4ba_cluster.cp4ba.patterns.decisions_ads.enabled and
-            _current_cp4ba_cluster.cp4ba.patterns.decisions_ads.optional_components.ads_designer | ternary('administer_ads_platform', '') }}"
-          - "{{ _current_cp4ba_cluster.cp4ba.patterns.decisions_ads.enabled and
-            _current_cp4ba_cluster.cp4ba.patterns.decisions_ads.optional_components.ads_runtime | ternary('execute_ads_decision', '') }}"
-          - "{{ _current_cp4ba_cluster.cp4ba.patterns.decisions_ads.enabled and
-            _current_cp4ba_cluster.cp4ba.patterns.decisions_ads.optional_components.ads_runtime | ternary('manage_ads_decision', '') }}"
-          - "{{ _current_cp4ba_cluster.cp4ba.patterns.decisions_ads.enabled and
-            _current_cp4ba_cluster.cp4ba.patterns.decisions_ads.optional_components.ads_runtime | ternary('monitor_ads_runtime', '') }}"
-
-    # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=services-managing-user-permissions
-    - name: Create ADS admin role
-      ansible.builtin.uri:
-        url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v1/role"
-        method: POST
-        headers:
-          Authorization: "Bearer {{ zen_token }}"
-        body_format: json
-        body:
-          role_name: ADS Admin
-          description: ""
-          permissions: "{{ ads_perms_list | select | list }}"
-        validate_certs: false
-        status_code: 201
-      register: admin_role_response
-
-    - name: Set ADS admin role ID
-      ansible.builtin.set_fact:
-        ads_admin_role_id: "{{ admin_role_response.json | json_query('id') }}"
-
 - name: Get groups
   ansible.builtin.uri:
     url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v2/groups"
@@ -125,7 +73,7 @@
     status_code: 200
   register: groups_response
 
-- name: Add ADS Admin role to group {{ item }}
+- name: Add ADS roles to group {{ item }}
   ansible.builtin.uri:
     url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v2/groups/{{ groups_response.json | json_query(condition_query) | first }}"
     method: PATCH
@@ -134,7 +82,11 @@
     body_format: json
     body:
       add_role_identifiers:
-        - "{{ ads_admin_role_id }}"
+        - ads_deployment_spaces_manager
+        - ads_runtime_monitor
+        - ads_decision_manager
+        - ads_decision_user
+        - ads_platform_administrator
     validate_certs: false
     status_code:
       - 200
@@ -146,17 +98,21 @@
   with_items: "{{ lc_admin_groups }}"
 
 # Needed as group related permissions are updated only after first real login via browser
-- name: Add ADS Admin role to default admin user
+- name: Add ADS roles to default admin user and cpadminservice
   ansible.builtin.uri:
-    url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v1/user/{{ lc_principal_admin_user }}?add_roles=true"
+    url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v1/user/{{ item }}?add_roles=true"
     method: PUT
     headers:
       Authorization: "Bearer {{ zen_token }}"
     body_format: json
     body:
       username: "{{ item }}"
       user_roles:
-        - "{{ ads_admin_role_id }}"
+        - ads_deployment_spaces_manager
+        - ads_runtime_monitor
+        - ads_decision_manager
+        - ads_decision_user
+        - ads_platform_administrator
     validate_certs: false
     status_code:
       - 200

diff --git a/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/postdeploy/odm.yml b/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/postdeploy/odm.yml
@@ -59,9 +59,9 @@
   with_items: "{{ lc_admin_groups }}"
 
 # Needed as group related permissions are updated only after first real login via browser
-- name: Add all ODM roles to default admin user
+- name: Add all ODM roles to default admin user and cpadminservice
   ansible.builtin.uri:
-    url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v1/user/{{ lc_principal_admin_user }}?add_roles=true"
+    url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v1/user/{{ item }}?add_roles=true"
     method: PUT
     headers:
       Authorization: "Bearer {{ zen_token }}"
@@ -80,7 +80,6 @@
     - cpadminservice
     - "{{ lc_principal_admin_user }}"
 
-
 - name: Add ODM regular roles to group {{ item }}
   ansible.builtin.uri:
     url: "https://cpd-{{ cp4ba_project_name }}.{{ apps_endpoint_domain }}/usermgmt/v2/groups/{{ groups_response.json | json_query(condition_query) | first }}"
@@ -140,10 +139,10 @@
 
 - name: Find zen api key
   ansible.builtin.set_fact:
-    zen_api_key: "{{ usage.resources[0].data['cpadminservice-zen-api-key'] | regex_search(regexp,'\\1')
+    zen_api_key: "{{ usage.resources[0].data['cpadminservice-zen-api-key'] | regex_search(regexp,'\\1') | list | first
       if usage.resources | length != 0 and usage.resources[0].data['cpadminservice-zen-api-key'] is defined }}"
   vars:
-    regexp: 'key: (.*)'
+    regexp: 'the UI: (.*)'
 
 - name: Update credentials for server
   ansible.builtin.uri:

diff --git a/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/postdeploy/zen.yml b/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/tasks/postdeploy/zen.yml
@@ -326,8 +326,10 @@
 
 - name: Find zen api key
   ansible.builtin.set_fact:
-    zen_api_key: "{{ usage.resources[0].data['cpadminservice-zen-api-key']
+    zen_api_key: "{{ usage.resources[0].data['cpadminservice-zen-api-key'] | regex_search(regexp,'\\1') | list | first
       if usage.resources | length != 0 and usage.resources[0].data['cpadminservice-zen-api-key'] is defined }}"
+  vars:
+    regexp: 'the UI: (.*)'
 
 - name: Generate new Zen Api key
   when: zen_api_key | length == 0

diff --git a/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/templates/ads/ads-secret.yaml.j2 b/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/templates/ads/ads-secret.yaml.j2
@@ -33,3 +33,29 @@ stringData:
   mongoUri: "mongodb://{{ cp4ba_mongodb_admin_user }}:{{ cp4ba_universal_password }}@{{ cp4ba_mongodb_hostname }}:27017/ads?retryWrites=true&w=majority&authSource=admin"
   mongoHistoryUri: "mongodb://{{ cp4ba_mongodb_admin_user }}:{{ cp4ba_universal_password }}@{{ cp4ba_mongodb_hostname }}:27017/ads-history?retryWrites=true&w=majority&authSource=admin"
   runtimeMongoUri: "mongodb://{{ cp4ba_mongodb_admin_user }}:{{ cp4ba_universal_password }}@{{ cp4ba_mongodb_hostname }}:27017/ads-runtime?retryWrites=true&w=majority&authSource=admin"
+---
+# Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=services-configuring-generative-ai-secret
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ads-genai-secret
+  namespace: "{{ cp4ba_project_name }}"
+type: Opaque
+stringData:
+  genAI: |- 
+    { 
+      "name": "GENAI",
+      "type": "WML",
+      "description": null,
+      "updateTime": 0,
+      "authInfo": {
+        "authType": "IAM",
+        "apiKey": "{{ decisions_ads.gen_ai.apiKey | default('<watsonx_ai_api_key>') }}",
+        "authUrl": "{{ decisions_ads.gen_ai.authUrl | default('https://iam.bluemix.net/identity/token') }}"},
+        "providerAdditionalInfo": {
+            "providerType": "WML",
+            "mlUrl": "{{ decisions_ads.gen_ai.mlUrl | default('https://us-south.ml.cloud.ibm.com') }}",
+            "projectId": "{{ decisions_ads.gen_ai.projectId | default('<project_id>') }}"
+          },
+      "version": "V1"
+    }
diff --git a/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/templates/ads/cr-designer.yaml.j2 b/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/templates/ads/cr-designer.yaml.j2
@@ -1,5 +1,7 @@
 spec:
   ads_configuration:
+    # Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=services-configuring-generative-ai-secret
+    genai_secret_name: ads-genai-secret
     decision_designer:
       enabled: true
     credentials_service:

diff --git a/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/templates/postdeploy.md.j2 b/automation-roles/50-install-cloud-pak/cp4ba/cp4ba-core/templates/postdeploy.md.j2
@@ -18,6 +18,7 @@ The following list specifies when you need to perform particular post-deployment
   - [Automation Decision Services (ADS) (decisions_ads pattern)](#automation-decision-services-ads-decisions_ads-pattern)
     - [ADS project git repo & connection](#ads-project-git-repo--connection) - When you want to connect your ADS solution to GIT repository.
     - [Develop custom libraries](#develop-custom-libraries) - When you want to create your custom ADS libraries.
+    - [Configure GenAI secret parameters](#configure-genai-secret-parameters) - When you want to use GenAI rules.
   - [FileNet Content Manager (FNCM) (content pattern)](#filenet-content-manager-fncm-content-pattern)
     - [Update Google OIDC redirect URIs](#update-google-oidc-redirect-uris) - (don't use now) When you configured Google ID for External Share.
     - [External Share](#external-share) - (don't use now) When you want to use External Share.
@@ -184,6 +185,12 @@ Import ca.crt which is available in *{{ cp4ba_project_name }}* Project in extern
 
 Installed VSCode and added Java Extension Pack
 
+### Configure GenAI secret parameters
+
+Based on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=services-configuring-generative-ai-secret
+
+The configuration in CR and Secret creation was already done for you. You now need to provide the connection details in the Secret *ads-genai-secret* in Project {{ cp4ba_project_name }}.
+Then the ADS pods restart automatically and that enables GenAI successful connection from ADS Designer.
 
 ## FileNet Content Manager (FNCM) (content pattern)
 

diff --git a/docs/src/30-reference/configuration/cloud-pak.md b/docs/src/30-reference/configuration/cloud-pak.md
@@ -548,6 +548,11 @@ cp4ba:
         optional_components:
           ads_designer: true # Designer (ADS)
           ads_runtime: true # Runtime (ADS)
+        gen_ai: # https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=services-configuring-generative-ai-secret
+          apiKey: <watsonx_ai_api_key>
+          authUrl: https://iam.bluemix.net/identity/token
+          mlUrl: https://us-south.ml.cloud.ibm.com
+          projectId: <project_id>          
       content: # FileNet Content Manager (FNCM) - https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=deployment-capabilities-production-deployments#concept_c2l_1ks_fnb__ecm
         enabled: true
         optional_components:
@@ -704,6 +709,11 @@ Placed in `cp4ba.patterns.decisions_ads` key.
 | optional_components                         | Sub object for definition of optional components for pattern. | Yes  | Object - specific to each pattern |
 | optional_components.ads_designer          | Set to `true` to enable Designer | Yes | true, false |
 | optional_components.ads_runtime          | Set to `true` to enable Runtime | Yes | true, false |
+| gen_ai          |  Sub object for definition of GenAI connection. More on https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=services-configuring-generative-ai-secret | false  | Object |
+| gen_ai.apiKey          | Set to real value of your Watsonx.AI platform | false | Your real value |
+| gen_ai.authUrl          | Set to real value of your Watsonx.AI platform | false | Your real value |
+| gen_ai.mlUrl          | Set to real value of your Watsonx.AI platform | false | Your real value |
+| gen_ai.projectId          | Set to real value of your Watsonx.AI platform | false | Your real value |
 
 #### Content pattern properties
 

diff --git a/docs/src/30-reference/configuration/cp4ba.md b/docs/src/30-reference/configuration/cp4ba.md
@@ -141,8 +141,11 @@ For your convenience the following post-deployment setup tasks have been automat
 - Workforce Insights - Connection setup. You just need to create WFI dashboard. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/22.0.1?topic=secrets-creating-custom-bpc-workforce-secret
 - ADS - Nexus connection setup and all ADS plugins loaded.
 - ADS - Organization in Git created. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/22.0.1?topic=gst-task-2-connecting-git-repository-sharing-decision-service
-- ADS - Automatic Git project connection https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/22.0.1?topic=services-connecting-remote-repository-automatically
+- ADS - Automatic Git project connection. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/22.0.1?topic=services-connecting-remote-repository-automatically
+- ADS - Roles assigned to users and groups. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=services-managing-user-permissions
+- ADS - Precreation of GenAI Secret. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=services-configuring-generative-ai-secret
 - ODM - Service user credentials automatically assigned to servers.
+- ODM - Roles assigned to users and groups. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/24.0.0?topic=access-managing-user-permissions
 - ADP - Organization in Git created. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/22.0.1?topic=processing-setting-up-remote-git-organization
 - ADP - Default project data loaded. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/22.0.1?topic=processing-loading-default-sample-data
 - ADP - Git connection and CDD repo creation done. https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=processing-setting-up-remote-git-organization

diff --git a/sample-configurations/sample-dynamic/config-samples/cp4ba.yaml b/sample-configurations/sample-dynamic/config-samples/cp4ba.yaml
@@ -38,6 +38,11 @@ cp4ba:
         optional_components:
           ads_designer: true # Designer (ADS)
           ads_runtime: true # Runtime (ADS)
+        gen_ai: # https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=services-configuring-generative-ai-secret
+          apiKey: <watsonx_ai_api_key>
+          authUrl: https://iam.bluemix.net/identity/token
+          mlUrl: https://us-south.ml.cloud.ibm.com
+          projectId: <project_id>
       content: # FileNet Content Manager (FNCM) - https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/latest?topic=deployment-capabilities-production-deployments#concept_c2l_1ks_fnb__ecm
         enabled: true
         optional_components: