DecisionsDev
diff --git a/‎.travis.yml
Lines changed: 0 additions & 16 deletions b/‎.travis.yml
Lines changed: 0 additions & 16 deletions
diff --git a/‎CONTRIBUTING.md
Lines changed: 2 additions & 4 deletions b/‎CONTRIBUTING.md
Lines changed: 2 additions & 4 deletions
diff --git a/‎README.md
Lines changed: 28 additions & 3 deletions b/‎README.md
Lines changed: 28 additions & 3 deletions
diff --git a/‎authentication/AzureAD/README.md
Lines changed: 2 additions & 2 deletions b/‎authentication/AzureAD/README.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎authentication/AzureAD/README_WITH_CLIENT_SECRET.md
Lines changed: 27 additions & 27 deletions b/‎authentication/AzureAD/README_WITH_CLIENT_SECRET.md
Lines changed: 27 additions & 27 deletions
@@ -46,12 +46,10 @@ In order for us to accept pull requests, you must declare that you wrote the cod
 1. Read this (from [developercertificate.org](http://developercertificate.org/)):
 
   ```
-  Developer Certificate of Origin
+Developer Certificate of Origin
 Version 1.1
 
-Copyright (C) 2004, 2023 The Linux Foundation and its contributors.
-660 York Street, Suite 102,
-San Francisco, CA 94110 USA
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
 
@@ -9,7 +9,7 @@ IBM Operational Decision Manager on Certified Kubernetes
 
 ##  Deploying IBM Operational Decision Manager on a Certified Kubernetes Cluster
 
-This repository centralizes materials to deploy [IBM® Operational Decision Manager](https://www.ibm.com/docs/en/odm/8.12.0) ODM on Certified Kubernetes. It is deployed in a clustered topology that uses WebSphere® Application Server Liberty on a Kubernetes cluster.
+This repository centralizes materials to deploy [IBM® Operational Decision Manager](https://www.ibm.com/docs/en/odm/9.0.0) ODM on Certified Kubernetes. It is deployed in a clustered topology that uses WebSphere® Application Server Liberty on a Kubernetes cluster.
 
 ODM is a decisioning platform to automate your business policies. Business rules are used at the heart of the platform to implement decision logic on a business vocabulary and run it as web decision services.
 
@@ -23,20 +23,45 @@ The ODM Docker material is used here, which is available in the [odm-ondocker](h
 - [Amazon EKS](platform/eks/README.md)
 - [Azure AKS](platform/azure/README.md)
 - [Google Cloud GKE](platform/gcloud/README.md)
+- [Redhat OpenShift Kubernetes Service on IBM Cloud (ROKS)](platform/roks/README.md)
 - [Minikube](platform/minikube/README.md) - Minikube can be used to evaluate ODM locally.
 
-### Contributions to customize the deployment
+### Integrating with Third-Party Providers
+
+#### Integration with OpenID Providers
+
+To integrate with OpenID providers for authentication and authorization, follow these steps:
 - [Configure ODM with an OpenID Okta service](authentication/Okta/README.md)
 - [Configure ODM with an Azure Active Directory service](authentication/AzureAD/README.md)
 - [Configure ODM with a Keycloak service](authentication/Keycloak/README.md)
+- [Configure ODM with a Cognito User Pool](authentication/Cognito/README.md)
+
+#### Managing Secrets within a Vault
+
+Ensure secure management of secrets within your deployment using one of the following methods:
+
+
+- [Manage secrets with Secret Store CSI Driver](./contrib/secrets-store/README.md): Use the Secrets Store CSI Driver (e.g., HashiCorp Vault) to securely manage sensitive information such as client secrets and keys. This option is designed to minimize configuration efforts and reduce the workload on your part.
+- [Manage secrets with Vault via InitContainer](./contrib/vault-initcontainer/README.md): Use an InitContainer to securely retrieve secrets from a Vault (e.g., HashiCorp Vault) and inject them into your application containers. This option requires more hands-on work but it offers greater flexibility to tailor the secret management to your specific requirements.
+
+We encourage you to explore both configurations to identify which setup aligns better with your operational needs and simplicity preferences. 
+
+#### Integration with Analytics Tools
+To enable analytics and monitoring capabilities within your deployment, consider integrating with analytics tools using Decisions' monitoring features:
+- [MPMetrics Integration](./contrib/monitor/mpmetrics/README.md) : Use MPMetrics for comprehensive monitoring and performance tracking. 
+- [OpenTelemetry Integration](./contrib/monitor/opentelemetry/README.md) : Leverage OpenTelemetry for observability and tracing functionalities. This article with guide you to configure your deployment to work seamlessly with OpenTelemetry.
+
+
+#### Contribution to customize the deployment
+
 - [Scope the Decision Server Console to a dedicated node with `kustomize`](contrib/kustomize/ds-console-dedicated-node/README.md)
 
 ## Issues and contributions
 
 For issues relating specifically to the Dockerfiles and scripts, please use the [GitHub issue tracker](https://github.com/ODMDev/odm-docker-kubernetes/issues). For more general issue relating to IBM Operational Decision Manager you can [get help](https://community.ibm.com/community/user/automation/communities/community-home?communitykey=c0005a22-520b-4181-bfad-feffd8bdc022) through the ODMDev community or, if you have production licenses for Operational Decision Manager, via the usual support channels. We welcome contributions following [our guidelines](https://github.com/ODMDev/odm-docker-kubernetes/blob/master/CONTRIBUTING.md).
 
 # Notice
-© Copyright IBM Corporation 2023.
+© Copyright IBM Corporation 2024.
 
 ## License
 ```text
 
@@ -125,7 +125,7 @@ After activating your account by email, you should have access to your Microsoft
 
       * Click the **myodmuser** user previously created
         * Edit properties
-        * Fill the email field with *myodmuser*@YOURDOMAIN
+        * Fill the email field with *myodmuser*@YOURDOMAIN (in the 'Contact Information' tab)
 
       * Try to log in to the [Azure portal](https://portal.azure.com/) with the user principal name.
        This may require to enable 2FA and/or change the password for the first time.
@@ -134,7 +134,7 @@ After activating your account by email, you should have access to your Microsoft
 
 ## Choose the way to set up your application
 
-Client credentials are used in the context of authentication in systems that utilize OAuth 2.0, a common protocol for secure authorization. These credentials are typically used by a client application (like a web or mobile app) to prove its identity to an authorization server in order to obtain access tokens for making API requests. There are two ways to use client credentials in Microfoft Entra ID: with a private key (often referred to as client certificates) and with a secret (usually referred to as a client secret).
+Client credentials are used in the context of authentication in systems that utilize OAuth 2.0, a common protocol for secure authorization. These credentials are typically used by a client application (like a web or mobile app) to prove its identity to an authorization server in order to obtain access tokens for making API requests. There are two ways to use client credentials in Microsoft Entra ID: with a private key (often referred to as client certificates) and with a secret (usually referred to as a client secret).
 
 [Client Credentials with a Secret](README_WITH_CLIENT_SECRET.md) (Client Secret):
 
 
@@ -87,12 +87,13 @@
 
    In **Azure Active Directory** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**:
 
-  * Click on Edit of the "Attributes & Claims" section
+  * Click Edit in the "Attributes & Claims" section
     * Click + Add new claim
       * Name: identity
       * Fill 2 Claim conditions in the exact following order:
-        1. User Type: Any / Scope Groups: 0 / Source: Attribute / Value: <CLIENT_ID>
-        2. User Type: Members / Scope Groups: 0 / Source: Attribute / Value: user.mail
+        1. User Type: Any / Scoped Groups: 0 / Source: Attribute / Value: <CLIENT_ID>
+        2. User Type: Members / Scoped Groups: 0 / Source: Attribute / Value: user.mail
+    * Click Save
 
 6. API Permissions.
 
@@ -116,7 +117,7 @@
 
     Download the [azuread-odm-script.zip](azuread-odm-script.zip) file to your machine and unzip it in your working directory. This .zip file contains scripts and templates to verify and set up ODM.
 
-    8.1 Verify the Client Credential Token
+    8.1 Verify the token issued using the 'Client Credentials' flow
 
     You can request an access token using the Client-Credentials flow to verify the token format.
     This token is used for the deployment between Decision Center and the Decision Server console:
@@ -153,13 +154,14 @@
     }
     ```
 
-    - *ver*: should be 2.0. otherwise you should verify the previous step **Manifest change**
     - *aud*: should be your CLIENT_ID
+    - *identity*: should be your CLIENT_ID
     - *iss*: should end with 2.0. otherwise you should verify the previous step **Manifest change**
+    - *ver*: should be 2.0. otherwise you should verify the previous step **Manifest change**
 
-    8.2 Verify the Client Password Token.
+    8.2 Verify the token issued using the 'Password Credentials' flow
 
-   To check that it has been correctly taken into account, you can request an ID token using the Client password flow.
+   To check that it has been correctly taken into account, you can request an ID token using the Password Credentials flow.
 
    This token is used for the invocation of the ODM components like Decision Center, Decision Servcer console, and the invocation of the Decision Server Runtime REST API.
 
@@ -178,25 +180,25 @@
     ```json
     {
       "aud": "<CLIENT_ID>",
-      ...
       "iss": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
       ...
       "email": "<USERNAME>",
-      "identity": "<USERNAME>",
       "groups": [
         "<GROUP>"
       ],
       ...
-      "ver": "2.0"
+      "ver": "2.0",
+      "identity": "<USERNAME>"
     }
     ```
 
     Verify:
     - *aud*: should be your CLIENT_ID
+    - *iss*: should end with 2.0. Otherwise you should verify the previous step **Manifest change**
     - *email*: should be present. Otherwise you should verify the creation of your user and fill the Email field.
     - *groups*: should contain your GROUP_ID
-    - *iss*: should end with 2.0. Otherwise you should verify the previous step **Manifest change**
     - *ver*: should be 2.0. Otherwise you should verify the previous step **Manifest change**
+    - *identity*: should be the user's email/username
 
   > If this command failed, try to log in to the [Azure portal](https://portal.azure.com/). You may have to enable 2FA and/or change the password for the first time.
 
@@ -264,7 +266,7 @@
     Where:
     - *TENANT_ID* and *CLIENT_ID* have been obtained from [previous step](#retrieve-tenant-and-client-information)
     - *CLIENT_SECRET* is listed in your ODM Application, section **General** / **Client Credentials**
-    - *GROUP_ID* is the ODM Admin group created in a [previous step](#manage-group-and-user) (*odm-admin*)
+    - *GROUP_ID* is the identifier of the ODM Admin group created in a [previous step](#manage-group-and-user) (ID of the group named *odm-admin*)
     - *SSO_DOMAIN* is the domain name of your SSO. If your AzureAD is connected to another SSO, you should add the SSO domain name in this parameter. If your user has been declared as explained in step **Create at least one user that belongs to this new group**, you can omit this parameter.
 
     The following four files are generated into the `output` directory:
@@ -273,10 +275,10 @@
       * All ODM roles are given to the GROUP_ID group
       * rtsAdministrators/resAdministrators/resExecutors ODM roles are given to the CLIENT_ID (which is seen as a user) to manage the client-credentials flow
     - openIdWebSecurity.xml contains two openIdConnectClient Liberty configurations:
-      * For web access to the Decision Center an Decision Server consoles using userIdentifier="email" with the Authorization Code flow
-      * For the rest-api call using userIdentifier="aud" with the client-credentials flow
+      * For web access to the Decision Center and Decision Server consoles using userIdentifier="email" with the Authorization Code flow
+      * For the rest-api calls using userIdentifier="aud" with the client-credentials flow
     - openIdParameters.properties configures several features like allowed domains, logout, and some internal ODM OpenId features
-    - OdmOidcProviders.json configures the client-credentials OpenId provider used by the Decision Center server configuration to connect Decision Center to the Decision Server console and Decision Center to the Decision Runner
+    - OdmOidcProviders.json configures the client-credentials OpenId provider used by the Decision Center server configuration to connect Decision Center to the Decision Server console and Decision Center to Decision Runner
 
 3. Create the Microsoft Entra ID authentication secret.
 
@@ -302,7 +304,7 @@
   ```shell
   helm search repo ibm-odm-prod
   NAME                  	CHART VERSION	APP VERSION	DESCRIPTION
-  ibm-helm/ibm-odm-prod	        23.1.0       	8.12.0.0   	IBM Operational Decision Manager
+  ibm-helm/ibm-odm-prod   24.0.0          9.0.0.0   	IBM Operational Decision Manager
   ```
 
 ### Run the `helm install` command
@@ -311,7 +313,7 @@ You can now install the product. We will use the PostgreSQL internal database an
 
 #### a. Installation on OpenShift using Routes
 
-  See the [Preparing to install](https://www.ibm.com/docs/en/odm/8.12.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information.
+  See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.0.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information.
 
   ```shell
   helm install my-odm-release ibm-helm/ibm-odm-prod \
@@ -354,7 +356,7 @@ You can now install the product. We will use the PostgreSQL internal database an
 
 1. Get the ODM endpoints.
 
-    Refer to the [documentation](https://www.ibm.com/docs/en/odm/8.12.0?topic=tasks-configuring-external-access) to retrieve the endpoints.
+    Refer to the [documentation](https://www.ibm.com/docs/en/odm/9.0.0?topic=tasks-configuring-external-access) to retrieve the endpoints.
     For example, on OpenShift you can get the route names and hosts with:
 
     ```shell
@@ -403,14 +405,14 @@ You can now install the product. We will use the PostgreSQL internal database an
 
    From the Azure console, in **Azure Active Directory** / **App Registrations** / **ODM Application**:
 
-    - Click`Add Redirect URIs link`
+    - Click the `Add a Redirect URI` link
     - Click `Add Platform`
     - Select `Web`
     - `Redirect URIs` Add the Decision Center redirect URI that you got earlier (`https://<DC_HOST>/decisioncenter/openid/redirect/odm` -- don't forget to replace <DC_HOST> with your actual host name!)
-    - Check Access Token and ID Token
-    - Click Configure
-    - Click Add URI Link
-      - Repeat the previous steps for all other redirect URIs.
+    - Check the `Access Token` and `ID Token` check boxes
+    - Click `Configure`
+    - Click the `Add URI` Link and enter another redirect URI
+      - Repeat the previous step until all redirect URIs have been entered.
 
     - Click **Save** at the bottom of the page.
     ![Add URI](images/AddURI.png)
@@ -419,8 +421,6 @@ You can now install the product. We will use the PostgreSQL internal database an
 
 Well done!  You can now connect to ODM using the endpoints you got [earlier](#register-the-odm-redirect-url) and log in as an ODM admin with the account you created in [the first step](#manage-group-and-user).
 
->Note:  Logout in ODM components using Microsoft Entra ID authentication raises an error for the time being.  This is a known issue.  We recommend to use a private window in your browser to log in, so that logout is done just by closing this window.
-
 ### Set up Rule Designer
 
 To be able to securely connect your Rule Designer to the Decision Server and Decision Center services that are running in Certified Kubernetes, you need to establish a TLS connection through a security certificate in addition to the OpenID configuration.
@@ -449,7 +449,7 @@ To be able to securely connect your Rule Designer to the Decision Server and Dec
 
 4. Restart Rule Designer.
 
-For more information, refer to the [documentation](https://www.ibm.com/docs/en/odm/8.12.0?topic=designer-importing-security-certificate-in-rule).
+For more information, refer to the [documentation](https://www.ibm.com/docs/en/odm/9.0.0?topic=designer-importing-security-certificate-in-rule).
 
 ### Getting Started with IBM Operational Decision Manager for Containers
 
@@ -469,7 +469,7 @@ Deploy the **Loan Validation Service** production_deployment ruleapps using the
 
 You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json).
 
-As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/8.12.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation.
+As explained in the ODM on Certified Kubernetes documentation [Configuring user access with OpenID](https://www.ibm.com/docs/en/odm/9.0.0?topic=access-configuring-user-openid), we advise to use basic authentication for the ODM runtime call for performance reasons and to avoid the issue of token expiration and revocation.
 
 You can realize a basic authentication ODM runtime call the following way: