Difference between revisions of "GWS/Current/GWSPEGuide/Configure"

Revision as of 20:46, October 29, 2021

This topic is part of the manual Genesys Web Services and Applications Private Edition Guide for version Current of Genesys Web Services and Applications.

Prerequisites

Deploy Genesys Authentication

The common Authentication Service must be deployed first.

Secret Configuration for Pulling Image

If you haven't done so already, create a secret for accessing the JFrog registry:

kubectl create secret docker-registry <credential-name> --docker-server=<docker repo> --docker-username=<username> --docker-password=<password> --docker-email=<emailid>

Now map the secret to the default service account:

kubectl secrets link default <credential-name> --for=pull

Prepare your environment

Check the Cluster

Run the following command to get the version of the cluster:

oc get clusterversion

Create a New Project

Use the following command to create a new project:

oc new -project gws

Enable Security Context

Use the following command to enable the security context to the default service account:

oc adm policy add-scc-to-user genesys-restricted -z default -n gws

Download GWS Helm Charts

Download the GWS helm charts from JFrog using your credentials.

Create Two API Clients

Create two API clients on Genesys Authentication using the following procedure:

curl --location --request POST '<gauth-url>/auth/v3/ops/clients' \
--header 'Content-Type: application/json' \
--user ops:ops \ ---------------------------- Cloud ops credentials (<username:password>) from values_gauth.yaml. The default value is ops:ops
--data-raw '{"data": {
 "name": "external_api_client", ----------------- <Client Name>
 "clientType": "CONFIDENTIAL",
 "refreshTokenExpirationTimeout": 43200,
 "client_id": "external_api_client", ----------------- <Client ID>
 "client_secret": "", --------------------------<Client Password>
 "authorities": ["ROLE_INTERNAL_CLIENT"],
 "scope": ["*"],
 "authorizedGrantTypes": ["client_credentials", "authorization_code", "refresh_token", "password"],
 "redirectURIs": ["https://gauth.<yourcluster.com>","https://wwe.<yourcluster.com>","https://gws.<yourcluster.com>","https://prov.<yourcluster.com>"], -----> should add gws/prov external URLS here
  "accessTokenExpirationTimeout": 43200,
  "contactCenterIds": [
  "*" ------------------ <CCID or *>
 ]     
 }
}' 
Result:
"status": {
  "code": 0
 },
 "data": {
  "clientType": "CONFIDENTIAL",
  "scope": [
   "*"
  ],
 "internalClient": false,
  "authorizedGrantTypes": [
   "refresh_token",
   "client_credentials",
   "password",
   "authorization_code",
   "urn:ietf:params:oauth:grant-type:token-exchange",
   "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "authorities": [
   "ROLE_INTERNAL_CLIENT"
  ], 
  "redirectURIs": [
   "https://gauth.<yourcluster.com>",
   "https://gws.<yourcluster.com>",
   "https://prov.<yourcluster.com>",         
   ],
  "contactCenterIds": [
   "9350e2fc-a1dd-4c65-8d40-1f75a2e080dd"
  ],
  "accessTokenExpirationTimeout": 43200,
  "refreshTokenExpirationTimeout": 43200,
  "createdAt": 1619796576236,
  "name": "external_api_client",
  "client_id": "external_api_client",
  "client_secret": "secret",
  "encrypted_client_secret": "A34BOmXDedZwbTKrwmd4eA=="
 }
}

1. API Client for gws

name: gws-app-workspace (Note: Name should not be changed)
client_Id: gws-app-workspace (Note: Client ID should not be changed)
client_secret: <Your password> - default password is 'secret'

Record the 'encrypted_client_secret' as it is used to create your secret.

2. API Client for provisioning (Agent-setup)

name: gws-app-provisioning (Note: Name should not be changed)
client_Id: gws-app-provisioning (Note: Client ID should not be changed)
client_secret: <secret>

Record the 'encrypted_client_secret' as it is used to create your secret.

Create Secrets

Add the following lines to the value override file to have Helm create secrets during deployment:

secrets:
 gws-consul-token: <token-from consul>
 gws-postgres-username: <gws postgres DB username>
 gws-postgres-password: <gws postgres DB password>
 ops-user: <ops user>
 ops-pass-encr: <ops password>
 agentsetup-postgres-username: <prov postgres username>
 agentsetup-postgres-password: <prov postgres password>
 gws-app-workspace-encrypted: <secret(encrypted) for gws-app-workspace client>
 gws-app-provisioning-encrypted: <secret(encrypted) for gws-app-provisioning client>

Update Parameters in values.yaml

In the values.yaml file provided by Genesys, update following parameters:

Image repo details:
 REGISTRY: <docker-repo>
Postgres:
 POSTGRES_ADDR: Postgres service DB URL
 POSTGRES_DB: Postgres DB name for gws service
 POSTGRES_USER: Postgres user to access gws DB
 POSTGRES_PASS: Postgres Password
Redis:
 REDIS_ADDR: Address of the Redis cluster
 REDIS_PORT: Redis Port
elastic:
 ELASTICSEARCH_ADDR: Elastic search service master address
 ELASTICSEARCH_PORT: Port of ES service
Authentication service configurations:
 Add/update below variables in env section of all services under 'gwsServices'
  GWS_SERVICE_AUTH_URL: http://gauth-auth.gauth.svc.cluster.local.:80 // Genesys Authentication variable - pointes to internal auth service URL from gauth namesapce, Example: http://gauth-auth.gauth.svc.cluster.local.:80
  GWS_SERVICE_ENV_URL: http://gauth-environment.gauth.svc.cluster.local.:80 // Environment variable pointes to internal environment service URL from gauth namesapce, Example: http://gauth-environment.gauth.svc.cluster.local.:80
  GWS_WORKSPACE_SERVICES_ENV: http://gauth-environment.gauth.svc.cluster.local.:80 // Environment variable - pointes to internal environment service URL from gauth namesapce, Example: http://gauth-environment.gauth.svc.cluster.local.:80
  GWS_WORKSPACE_SERVICES_AUTH: http://gauth-auth.gauth.svc.cluster.local.:80 // Genesys Authentication variable - should be pointed to internal auth service URL from gauth namesapce, Example: http://gauth-auth.gauth.svc.cluster.local.:80
  GWS_WORKSPACE_SERVICES_AUTH_FOR_REDIRECT: https://gauth.<yourclusterdomain>.com //Genesys Authentication redirect variable - pointes to external https ingress URL from gauth namesapce, Example: https://gauth.apps.<yourclusterdomain>.com

Update the Value Overrides for Agent Setup

Agent Setup is part of the GWS deployment. It needs to be configured before the GWS deployment.

From the gws-services helm charts, update the following lines in the value overrides under the gwsServices > appProvisioning > context > env section before installing GWS:

GWS_SERVICE_AUTH_URL: Auth internal service URI from gauth namespace (for example, http://gauth-auth.gauth.svc.cluster.local.:80)
GWS_SERVICE_ENV_URL: Environment internal service URI from gauth namespace (for example, http://gauth-environment.gauth.svc.cluster.local.:80)
GWS_SERVICE_CONF_URL: gws internal service URI from gws namespace (for example, http://gws-service-proxy.gws.svc.cluster.local:80)
GWS_PROVISIONING_SERVICES_AUTH_FOR_REDIRECT : External https ingress URLS from gauth service(ex: https://gauth.<yourclusterdomain.com>)
GWS_PROVISIONING_OBJECTCACHE_POSTGRES_USER: <Postgres DB user for provisioning service>
GWS_PROVISIONING_OBJECTCACHE_POSTGRES_PASSWORD: <Postgres DB password for provisioning service>
GWS_PROVISIONING_OBJECTCACHE_POSTGRES_HOST: <Postgres DB host for provisioning>
GWS_PROVISIONING_OBJECTCACHE_POSTGRES_PORT: <Postgres DB Port for provisioning >

Create or Update versions.yaml

Create/update the versions.yaml file with the latest docker versions. See Updated Helm Charts and Containers.

Configure security

To learn more about how security is configured for private edition, be sure to read the Permissions and OpenShift security settings topics in the Setting up Genesys Engage Cloud Private Edition guide.

The security context settings define the privilege and access control settings for pods and containers.

By default, the user and group IDs are set in the values.yaml file as 500:500:500, meaning the genesys user.

deploymentGlobals:
  securityContext:
    runAsUser: 500
    runAsGroup: 500
    fsGroup: 500
    runAsNonRoot: true

Arbitrary UIDs in OpenShift

If you want to use arbitrary UIDs in your OpenShift deployment, you must override the securityContext settings in the values.yaml file, so that you do not define any specific IDs.

deploymentGlobals:
  securityContext:
    runAsUser: null
    runAsGroup: 0
    fsGroup: null
    runAsNonRoot: true

For details about these parameters and possible values, see deploymentGlobals.securityContext.* in the Global parameters table above.

Pod priority

You can configure pod priority by overriding the priorityClassName option for each of the Web Services and Applications components - see Override Helm chart values. For example:

gwsServices:
  gws-platform-configuration:
    priorityClassName: genesysengage-high-priority

Genesys recommends the following priority for GWS pods:

Critical priority pods

gws-app-provisioning
gws-app-workspace
gws-platform-voice

High priority pods

gws-platform-configuration
gws-platform-datacollector
gws-platform-ixn
gws-platform-ocs
gws-platform-setting
gws-platform-statistics
gws-system-nginx
gws-ui-crmworkspace
gws-ui-provisioning
gws-ui-workspace

Next steps

@@ Line 11: / Line 11: @@
 The common Authentication Service must be deployed first.
 ===Secret Configuration for Pulling Image===
-You might already have you secret created.
+If you haven't done so already, create a secret for accessing the JFrog registry:
+ kubectl create secret docker-registry <credential-name> --docker-server=<docker repo> --docker-username=<username> --docker-password=<password> --docker-email=<emailid>
-One of the way to do it is by using the following command:
+Now map the secret to the default service account:
- oc create secret docker-registry <credential-name> --docker-server=<docker repo> --docker-username=<username> --docker-password=<password> --docker-email=<emailid>
+  kubectl secrets link default <credential-name> --for=pull
-You have to execute the following command to map the secret to the default service account:
-  oc secrets link default <credential-name> --for=pull
 |Status=No
 }}{{Section
@@ Line 165: / Line 164: @@
 ===Create or Update versions.yaml===
 Create/update the versions.yaml file with the latest docker versions. See {{Link-AnywhereElse|product=ReleaseNotes|version=Current|manual=GenesysEngage-cloud|topic=GWSHelm|display text=Updated Helm Charts and Containers}}.<span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span>
+|Status=No
+}}
+{{Section
+|sectionHeading=Configure security
+|anchor=security
+|alignment=Vertical
+|structuredtext=To learn more about how security is configured for private edition, be sure to read the {{Link-AnywhereElse|product=PrivateEdition|version=Current|manual=PEGuide|topic=Prerequisites|display text=Permissions}} and {{Link-AnywhereElse|product=PrivateEdition|version=Current|manual=PEGuide|topic=ConfigSecurity}} topics in the ''Setting up Genesys Engage Cloud Private Edition'' guide.
+The security context settings define the privilege and access control settings for pods and containers.
+By default, the user and group IDs are set in the '''values.yaml''' file as <tt>500:500:500</tt>, meaning the '''genesys''' user.
+<syntaxhighlight>
+deploymentGlobals:
+  securityContext:
+    runAsUser: 500
+    runAsGroup: 500
+    fsGroup: 500
+    runAsNonRoot: true
+</syntaxhighlight>
+===Arbitrary UIDs in OpenShift===
+If you want to use arbitrary UIDs in your OpenShift deployment, you must override the '''securityContext''' settings in the '''values.yaml''' file, so that you do not define any specific IDs.
+<syntaxhighlight>
+deploymentGlobals:
+  securityContext:
+    runAsUser: null
+    runAsGroup: 0
+    fsGroup: null
+    runAsNonRoot: true
+</syntaxhighlight>
+For details about these parameters and possible values, see '''deploymentGlobals.securityContext.*''' in the {{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=Configure|anchor=globalP|display text=Global parameters}} table above.
+|Status=No
+}}{{Section
+|sectionHeading=Pod priority
+|anchor=priority
+|alignment=Vertical
+|structuredtext=You can configure pod priority by overriding the '''priorityClassName''' option for each of the Web Services and Applications components - see {{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=Configure|anchor=override|display text=Override Helm chart values}}. For example:<syntaxhighlight>
+gwsServices:
+  gws-platform-configuration:
+    priorityClassName: genesysengage-high-priority
+</syntaxhighlight>
+Genesys recommends the following priority for GWS pods:
+'''Critical priority pods'''
+*gws-app-provisioning
+*gws-app-workspace
+*gws-platform-voice
+'''High priority pods'''
+*gws-platform-configuration
+*gws-platform-datacollector
+*gws-platform-ixn
+*gws-platform-ocs
+*gws-platform-setting
+*gws-platform-statistics
+*gws-system-nginx
+*gws-ui-crmworkspace
+*gws-ui-provisioning
+*gws-ui-workspace
+|Status=No
+}}{{Section
+|sectionHeading=Next steps
+|anchor=next
+|alignment=Vertical
+|structuredtext=*{{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=Deploy}}
+*{{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=ConfigureIngress}}
+*{{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=DeployIngress}}
+*{{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=ProvisionAS}}
 |Status=No
 }}
 |PEPageType=9c3ae89b-4f75-495b-85f8-d8c4afcb3f97
 }}

Genesys Web Services and Applications Private Edition Guide

Overview

Configure and deploy

Upgrade, roll back, or uninstall