Merge branch 'vnext-release' into review-gcp

.secrets.baseline

@@ -100,23 +100,23 @@
         "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 227,
+        "line_number": 234,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 488,
+        "line_number": 495,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "076a042dcb8e3b7be55cbbe95e1f18f577ef1ba5",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 534,
+        "line_number": 541,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -134,15 +134,15 @@
         "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 145,
+        "line_number": 152,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 387,
+        "line_number": 394,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -404,23 +404,23 @@
         "hashed_secret": "5a2ea68e9ea943ea31948fe51388c798e13346a9",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 225,
+        "line_number": 250,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 379,
+        "line_number": 405,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "076a042dcb8e3b7be55cbbe95e1f18f577ef1ba5",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 425,
+        "line_number": 451,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -1111,38 +1111,66 @@
         "verified_result": null
       }
     ],
-    "platform/azure/README-Azure-SQL-MI.md": [
+    "platform/azure/README.md": [
       {
-        "hashed_secret": "547ef58bd39c2e3cc6ff7e61ea31e3d23e6382f1",
+        "hashed_secret": "07596f183f5e91b1778d5e47b2752b8d42aa763d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 62,
+        "line_number": 174,
         "type": "Secret Keyword",
         "verified_result": null
-      }
-    ],
-    "platform/azure/README.md": [
+      },
+      {
+        "hashed_secret": "3ea3f9802accf8817bacd6f3df46a73b93ccddec",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 175,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
       {
         "hashed_secret": "12d57965bd88277e9e9d69dc2b36aae2c0b7e316",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 227,
+        "line_number": 274,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "41b864c967d31ed0bf10562e22faa36324405048",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 245,
+        "line_number": 292,
         "type": "Secret Keyword",
         "verified_result": null
-      },
+      }
+    ],
+    "platform/azure/aks-nginx-values.yaml": [
+      {
+        "hashed_secret": "547ef58bd39c2e3cc6ff7e61ea31e3d23e6382f1",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 21,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "platform/azure/aks-sqlmi-values.yaml": [
+      {
+        "hashed_secret": "547ef58bd39c2e3cc6ff7e61ea31e3d23e6382f1",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 14,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "platform/azure/aks-values.yaml": [
       {
         "hashed_secret": "547ef58bd39c2e3cc6ff7e61ea31e3d23e6382f1",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 406,
+        "line_number": 14,
         "type": "Secret Keyword",
         "verified_result": null
       }

README.md

@@ -17,10 +17,22 @@ The ODM Docker material is used here, which is available in the [odm-ondocker](h
 
 ![Flow](images/ODMinKubernetes-DeploymentOverview.png)
 
+## Supported Versions  
+
+This repository provides materials for the following versions of IBM ODM:  
+
+| ODM Version      |
+|--------------|
+| **[9.0.0.1 (Latest)](README.md)**    |
+| **[8.12.0.1](https://github.com/DecisionsDev/odm-docker-kubernetes/tree/8.12.0.1)**                               |
+| **[8.11.0.1](https://github.com/DecisionsDev/odm-docker-kubernetes/tree/8.11.0.1)**                               |
+
+Each version has dedicated deployment instructions and materials tailored to its release. Select the version that matches your requirements for compatibility and features.  
 
 ### Deploying ODM Rules on a specific platform
 
 - [Amazon EKS](platform/eks/README.md)
+- [Amazon ECS Fargate](platform/ecs/README.md) (BETA)
 - [Azure AKS](platform/azure/README.md)
 - [Google Cloud GKE](platform/gcloud/README.md)
 - [Redhat OpenShift Kubernetes Service on IBM Cloud (ROKS)](platform/roks/README.md)

authentication/AzureAD/README_WITH_CLIENT_SECRET.md

@@ -26,7 +26,7 @@
 
 1. Create the *ODM application*.
 
-    In **Azure Active Directory** / **App registration**, click **New Registration**:
+    In **Microsoft Entra Id** / **Manage** / **App registration**, click **New Registration**:
 
     * Name: **ODM Application**
     * Supported account types / Who can use this application or access this API?: select `Accounts in this organizational directory only (Default Directory only - Single tenant)`
@@ -36,7 +36,7 @@
 
 2. Retrieve Tenant and Client information.
 
-    In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**:
+    In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application** and click **Overview**:
 
     * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps.
     * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps.
@@ -45,7 +45,7 @@
 
 3. Generate an OpenID client secret.
 
-    In **Azure Active Directory** / **App registrations**, select **ODM Application**:
+    In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**:
 
     * From the Overview page, click on the link Client credentials: **Add a certificate or secret** or on the **Manage / Certificates & secrets** tab
     * Click + New Client Secret
@@ -58,24 +58,24 @@
 
 4. Add Claims.
 
-    In **Azure Active Directory** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**:
+    In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**:
 
-  * Add Optional Email ID Claim
+  * Add Optional **email** ID Claim
     * Click +Add optional claim
     * Select ID
-    * Check Email
-    * Click Add
-
-  * Add Optional Email Access Claim
-    * Click +Add optional claim
-    * Select Access
-    * Check Email
+    * Check **email**
     * Click Add
 
     * Turn on Microsoft Graph email permission
       * Check Turn on the Microsoft Graph email permission
       * Click Add
 
+  * Add Optional **email** Access Claim
+    * Click +Add optional claim
+    * Select Access
+    * Check **email**
+    * Click Add
+
   * Add Group Claim
     * Click +Add groups claim
     * Check Security Groups
@@ -85,19 +85,19 @@
 
    To allow ODM rest-api to use the password flow with email as user identifier and the client-credentials flow with client_id as user identifier, we need to create a new claim named "identity" that will take the relevant value according to the flow:
 
-   In **Azure Active Directory** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**:
+   In **Microsoft Entra Id** / **Manage** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**:
 
   * Click Edit in the "Attributes & Claims" section
     * Click + Add new claim
-      * Name: identity
+      * Name: **identity**
       * Fill 2 Claim conditions in the exact following order:
         1. User Type: Any / Scoped Groups: 0 / Source: Attribute / Value: <CLIENT_ID>
         2. User Type: Members / Scoped Groups: 0 / Source: Attribute / Value: user.mail
     * Click Save
 
 6. API Permissions.
 
-    In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **API Permissions**.
+    In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **API Permissions**.
 
     * Click Grant Admin Consent for Default Directory
 
@@ -109,14 +109,21 @@
 
 7. Manifest change.
 
-    In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **Manifest**.
+    In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **Manifest**.
+
+    The Manifest feature (a JSON representation of an app registration) is currently in transition.
+    [**AAD Graph app manifest**](https://learn.microsoft.com/en-us/entra/identity-platform/azure-active-directory-graph-app-manifest-deprecation) will be deprecated soon and not editable anymore starting 12/2/2024. It will be replaced by the **Microsoft Graph App Manifest**
 
     As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2.
 
     ODM OpenID Liberty configuration needs version 2.0 for the issuerIdentifier. See the [openIdWebSecurity.xml](templates/openIdWebSecurity.xml) file.
 
     It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token.
 
+    With **Microsoft Graph App Manifest**:
+    *  **acceptMappedClaims** is relocated as a property of the **api** attribute
+    *  **accessTokenAcceptedVersion** is relocated as a property of the **api** attribute and renamed **requestedAccessTokenVersion**
+
    Then, click Save.
 
 8. Check the configuration.
@@ -318,7 +325,7 @@
 
     ```shell
     kubectl create secret generic users-groups-synchro-secret \
-        --from-file=sidecar-start.sh \
+        --from-file=./output/sidecar-start.sh \
         --from-file=generate-user-group-mgt.sh
     ```
     > **Note**
@@ -340,7 +347,7 @@
   ```shell
   helm search repo ibm-odm-prod
   NAME                  	CHART VERSION	APP VERSION	DESCRIPTION
-  ibm-helm/ibm-odm-prod   24.0.0          9.0.0.0   	IBM Operational Decision Manager
+  ibm-helm/ibm-odm-prod   24.1.0          9.0.0.1   	IBM Operational Decision Manager
   ```
 
 ### Run the `helm install` command
@@ -352,7 +359,7 @@ You can now install the product. We will use the PostgreSQL internal database an
   See the [Preparing to install](https://www.ibm.com/docs/en/odm/9.0.0?topic=production-preparing-install-operational-decision-manager) documentation for additional information.
 
   ```shell
-  helm install my-odm-release ibm-helm/ibm-odm-prod \
+  helm install my-odm-release ibm-helm/ibm-odm-prod --version 24.1.0 \
           --set image.repository=cp.icr.io/cp/cp4a/odm --set image.pullSecrets=icregistry-secret \
           --set oidc.enabled=true \
           --set license=true \
@@ -377,7 +384,7 @@ You can now install the product. We will use the PostgreSQL internal database an
   When the NGINX Ingress Controller is ready, you can install the ODM release with:
 
   ```
-  helm install my-odm-release ibm-helm/ibm-odm-prod \
+  helm install my-odm-release ibm-helm/ibm-odm-prod --version 24.1.0 \
           --set image.repository=cp.icr.io/cp/cp4a/odm --set image.pullSecrets=icregistry-secret \
           --set oidc.enabled=true \
           --set license=true \
@@ -449,7 +456,7 @@ You can now install the product. We will use the PostgreSQL internal database an
       - Decision Server Runtime redirect URI:  `https://<INGRESS_ADDRESS>/DecisionService/openid/redirect/odm`
       - Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback`
 
-   From the Azure console, in **Azure Active Directory** / **App Registrations** / **ODM Application**:
+   From the Microsoft Azure console, in **Microsoft Entra Id** / **Manage** / **App Registrations** / **ODM Application**:
 
     - Click the `Add a Redirect URI` link
     - Click `Add Platform`
@@ -507,11 +514,11 @@ To manage ODM runtime call on the next steps, we used the [Loan Validation Decis
 
 Import the **Loan Validation Service** in Decision Center connected using *myodmuser*@YOURDOMAIN created at step 2
 
-![Import project](../Keycloak/images/import_project.png)
+![Import project](images/import_project.png)
 
 Deploy the **Loan Validation Service** production_deployment ruleapps using the **production deployment** deployment configuration in the Deployments>Configurations tab.
 
-![Deploy project](../Keycloak/images/deploy_project.png)
+![Deploy project](images/deploy_project.png)
 
 You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json).
 
@@ -520,7 +527,7 @@ As explained in the ODM on Certified Kubernetes documentation [Configuring user
 You can realize a basic authentication ODM runtime call the following way:
 
   ```shell
-$ curl -H "Content-Type: application/json" -k --data @payload.json \
+curl -H "Content-Type: application/json" -k --data @payload.json \
         -H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \
       https://<DS_RUNTIME_HOST>/DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0
 ```
@@ -530,15 +537,15 @@ Where b2RtQWRtaW46b2RtQWRtaW4= is the base64 encoding of the current username:pa
 But if you want to execute a bearer authentication ODM runtime call using the Client Credentials flow, you have to get a bearer access token:
 
 ```shell
-$ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \
+curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \
     -d 'client_id=<CLIENT_ID>&scope=<CLIENT_ID>%2F.default&client_secret=<CLIENT_SECRET>&grant_type=client_credentials' \
     'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token'
 ```
 
 And use the retrieved access token in the following way:
 
   ```shell
-$ curl -H "Content-Type: application/json" -k --data @payload.json \
+curl -H "Content-Type: application/json" -k --data @payload.json \
         -H "Authorization: Bearer <ACCESS_TOKEN>" \
         https://<DS_RUNTIME_HOST>/DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0
 ```