Difference between revisions of "GWS/Current/GWSPEGuide/Configure"

From Genesys Documentation
Line 6: Line 6:
 
|ComingSoon=No
 
|ComingSoon=No
 
|Section={{Section
 
|Section={{Section
|sectionHeading=Prerequisites
+
|sectionHeading=Create API clients
 +
|anchor=api
 
|alignment=Vertical
 
|alignment=Vertical
|structuredtext====Deploy Genesys Authentication===
+
|structuredtext=Use the Genesys Authentication operations API to {{Link-AnywhereElse|product=AUTH|version=Current|manual=AuthPEGuide|topic=Provision|anchor=CreateAPI|display text=create API clients}} for the GWS services. Refer to the '''API clients''' table for the '''name''' and '''client_id''' values you must use in the API request. Make note of '''encrypted_client_secret''' in the responses - you need this value to set the related parameter in {{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=Configure|anchor=override|display text=Override Helm chart values}}.
The common Authentication Service must be deployed first.
+
{{{!}} class="wikitable"
===Secret Configuration for Pulling Image===
+
{{!}}+API clients
If you haven't done so already, create a secret for accessing the JFrog registry:
+
!Service
kubectl create secret docker-registry <credential-name> --docker-server=<docker repo> --docker-username=<username> --docker-password=<password> --docker-email=<emailid>
+
!name
 +
!client_id
 +
!Helm chart parameter
 +
{{!}}-
 +
{{!}}Provisioning Service
 +
{{!}}gws-app-provisioning
 +
{{!}}gws-app-provisioning
 +
{{!}}secrets.gws-app-provisioning-client-secret
 +
{{!}}-
 +
{{!}}Workspace Service
 +
{{!}}gws-app-workspace
 +
{{!}}gws-app-workspace
 +
{{!}}secrets.gws-app-workspace-client-secret
 +
{{!}}-
 +
{{!}}Configuration Service
 +
{{!}}gws-platform-configuration
 +
{{!}}gws-platform-configuration
 +
{{!}}secrets.gws-platform-configuration-client-secret
 +
{{!}}-
 +
{{!}}Data Collector Service
 +
{{!}}gws-platform-datacollector
 +
{{!}}gws-platform-datacollector
 +
{{!}}secrets.gws-platform-datacollector-client-secret
 +
{{!}}-
 +
{{!}}Interaction Service
 +
{{!}}gws-platform-ixn
 +
{{!}}gws-platform-ixn
 +
{{!}}secrets.gws-platform-ixn-client-secret
 +
{{!}}-
 +
{{!}}OCS Service
 +
{{!}}gws-platform-ocs
 +
{{!}}gws-platform-ocs
 +
{{!}}secrets.gws-platform-ocs-client-secret
 +
{{!}}-
 +
{{!}}Setting Service
 +
{{!}}gws-platform-setting
 +
{{!}}gws-platform-setting
 +
{{!}}secrets.gws-platform-setting-client-secret
 +
{{!}}-
 +
{{!}}Statistics Service
 +
{{!}}gws-platform-statistics
 +
{{!}}gws-platform-statistics
 +
{{!}}secrets.gws-platform-statistics-client-secret
 +
{{!}}-
 +
{{!}}Voice Service
 +
{{!}}gws-platform-voice
 +
{{!}}gws-platform-voice
 +
{{!}}secrets.gws-platform-voice-client-secret
 +
{{!}}}
 +
|Status=No
 +
}}{{Section
 +
|sectionHeading=Configure a secret to access JFrog
 +
|anchor=Secret
 +
|alignment=Vertical
 +
|structuredtext=If you haven't done so already, create a secret for accessing the JFrog registry:
 +
<source lang="text">kubectl create secret docker-registry <credential-name> --docker-server=<docker repo> --docker-username=<username> --docker-password=<password> --docker-email=<emailid></source>
  
 
Now map the secret to the default service account:
 
Now map the secret to the default service account:
kubectl secrets link default <credential-name> --for=pull
+
<source lang="text">kubectl secrets link default <credential-name> --for=pull</source>
 
|Status=No
 
|Status=No
}}{{Section
+
}}
|sectionHeading=Prepare your environment
+
{{Section
 +
|sectionHeading=Override Helm chart values
 +
|anchor=override
 
|alignment=Vertical
 
|alignment=Vertical
|structuredtext====Check the Cluster===
+
|structuredtext=You can specify parameters for the deployment by overriding Helm chart values in the '''values.yaml''' file. <!--See the tables below for a full list of overridable values available for each container in Web Services and Applications (GWS).-->
Run the following command to get the version of the cluster:
 
oc get clusterversion
 
  
===Create a New Project===
+
For more information about how to override Helm chart values, see {{SuiteLevelLink|helmoverride}} in the ''Setting up Genesys Engage Cloud Private Edition'' guide.
Use the following command to create a new project:
 
oc new -project gws
 
  
===Enable Security Context===
+
If you want to use arbitrary UIDs in your OpenShift deployment, you must override the '''securityContext''' settings in the '''values.yaml''' file, so that no user or group IDs are specified. For details, see {{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=Configure|anchor=security|display text=Configure security}} below.
Use the following command to enable the security context to the default service account:
+
|Status=No
oc adm policy add-scc-to-user genesys-restricted -z default -n gws
+
}}{{Section
 +
|sectionHeading=Create or update the versions file
 +
|anchor=versions
 +
|alignment=Vertical
 +
|structuredtext=Create or update the '''versions.yaml''' file with the latest container versions for your deployment. See {{Link-AnywhereElse|product=ReleaseNotes|version=Current|manual=GenesysEngage-cloud|topic=GWSHelm|display text=Updated Helm Charts and Containers}} for Web Services and Applications for the full list of versions.
  
===Download GWS Helm Charts===
+
For example:<syntaxhighlight>
Download the GWS helm charts from JFrog using your credentials.
+
gws-app-provisioning:9.0.000.93
 
+
gws-app-workspace:9.0.000.90
===Create Two API Clients===
+
gws-platform-configuration:9.0.000.79
+
gws-platform-datacollector:9.0.000.50
Create two API clients on Genesys Authentication using the following procedure:
+
gws-platform-ixn:9.0.000.43
curl --location --request POST '<gauth-url>/auth/v3/ops/clients' \
+
gws-platform-ocs:9.0.000.46
--header 'Content-Type: application/json' \
+
gws-platform-setting:9.0.000.52
--user ops:ops \ ---------------------------- Cloud ops credentials (<username:password>) from values_gauth.yaml. The default value is ops:ops
+
gws-platform-statistics:9.0.000.61
--data-raw '{"data": {
+
gws-platform-voice:9.0.000.66
  "name": "external_api_client", ----------------- <Client Name>
+
gws-system-nginx:9.0.000.16
  "clientType": "CONFIDENTIAL",
+
gws-ui-crmworkspace:9.0.000.62
  "refreshTokenExpirationTimeout": 43200,
+
gws-ui-provisioning:9.0.000.84
  "client_id": "external_api_client", ----------------- <Client ID>
+
gws-ui-workspace:9.0.000.82
  "client_secret": "", --------------------------<Client Password>
+
</syntaxhighlight><br />
  "authorities": ["ROLE_INTERNAL_CLIENT"],
+
|Status=No
  "scope": ["*"],
+
}}{{Section
  "authorizedGrantTypes": ["client_credentials", "authorization_code", "refresh_token", "password"],
+
|sectionHeading=Configure Kubernetes
  "redirectURIs": ["<nowiki>https://gauth</nowiki>.<yourcluster.com>","<nowiki>https://wwe</nowiki>.<yourcluster.com>","<nowiki>https://gws</nowiki>.<yourcluster.com>","<nowiki>https://pro</nowiki>[https://prov v].<yourcluster.com>"], -----> should add gws/prov external URLS here
+
|anchor=kubernetes
  "accessTokenExpirationTimeout": 43200,
+
|alignment=Vertical
  "contactCenterIds": [
+
|structuredtext=GWS stores the following sensitive data as Kubernetes secrets. See the '''secrets.*''' parameters in the {{Link-SomewhereInThisVersion|manual=GWSPEGuide|topic=Configure|anchor=globalP|display text=Global parameters}} table in the "Override Helm chart values" section for details.
  "*" ------------------ <CCID or *>
 
  ]   
 
  }
 
}'
 
Result:
 
"status": {
 
  "code": 0
 
  },
 
  "data": {
 
  "clientType": "CONFIDENTIAL",
 
  "scope": [
 
    "*"
 
  ],
 
  "internalClient": false,
 
  "authorizedGrantTypes": [
 
    "refresh_token",
 
    "client_credentials",
 
    "password",
 
    "authorization_code",
 
    "urn:ietf:params:oauth:grant-type:token-exchange",
 
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
 
  ],
 
  "authorities": [
 
    "ROLE_INTERNAL_CLIENT"
 
  ],
 
  "redirectURIs": [
 
    "<nowiki>https://gauth</nowiki>.<yourcluster.com>",
 
    "<nowiki>https://gws</nowiki>.<yourcluster.com>",
 
    "<nowiki>https://prov</nowiki>.<yourcluster.com>",       
 
    ],
 
  "contactCenterIds": [
 
    "9350e2fc-a1dd-4c65-8d40-1f75a2e080dd"
 
  ],
 
  "accessTokenExpirationTimeout": 43200,
 
  "refreshTokenExpirationTimeout": 43200,
 
  "createdAt": 1619796576236,
 
  "name": "external_api_client",
 
  "client_id": "external_api_client",
 
  "client_secret": "secret",
 
  "encrypted_client_secret": "A34BOmXDedZwbTKrwmd4eA=="
 
  }
 
 
 
 
====1. API Client for gws====
 
 
 
*'''name''': gws-app-workspace (Note: Name should not be changed)
 
*'''client_Id''': gws-app-workspace (Note: Client ID should not be changed)
 
*'''client_secret''': <Your password> - default password is 'secret'
 
 
 
Record the 'encrypted_client_secret' as it is used to create your secret.
 
 
 
====2. API Client for provisioning (Agent-setup)====
 
 
 
*'''name''': gws-app-provisioning (Note: Name should not be changed)
 
*'''client_Id''': gws-app-provisioning (Note: Client ID should not be changed)
 
*'''client_secret''': <secret>
 
 
 
Record the 'encrypted_client_secret' as it is used to create your secret.  
 
 
 
===Create Secrets===
 
Add the following lines to the value override file to have Helm create secrets during deployment:
 
secrets:
 
  gws-consul-token: <token-from consul>
 
  gws-postgres-username: <gws postgres DB username>
 
  gws-postgres-password: <gws postgres DB password>
 
  ops-user: <ops user>
 
  ops-pass-encr: <ops password>
 
  agentsetup-postgres-username: <prov postgres username>
 
  agentsetup-postgres-password: <prov postgres password>
 
  gws-app-workspace-encrypted: <secret(encrypted) for gws-app-workspace client>
 
  gws-app-provisioning-encrypted: <secret(encrypted) for gws-app-provisioning client>
 
 
 
===Update Parameters in values.yaml===
 
In the values.yaml file provided by Genesys, update following parameters:
 
Image repo details:
 
  REGISTRY: <docker-repo>
 
Postgres:
 
  POSTGRES_ADDR: Postgres service DB URL
 
  POSTGRES_DB: Postgres DB name for gws service
 
  POSTGRES_USER: Postgres user to access gws DB
 
  POSTGRES_PASS: Postgres Password
 
Redis:
 
  REDIS_ADDR: Address of the Redis cluster
 
  REDIS_PORT: Redis Port
 
elastic:
 
  ELASTICSEARCH_ADDR: Elastic search service master address
 
  ELASTICSEARCH_PORT: Port of ES service
 
Authentication service configurations:
 
  Add/update below variables in env section of all services under 'gwsServices'
 
  GWS_SERVICE_AUTH_URL: <nowiki>http://gauth-auth.gauth.svc.cluster.local.:80</nowiki> // Genesys Authentication variable - pointes to internal auth service URL from gauth namesapce, Example: <nowiki>http://gauth-auth.gauth.svc.cluster.local.:80</nowiki>
 
  GWS_SERVICE_ENV_URL: <nowiki>http://gauth-environment.gauth.svc.cluster.local.:80</nowiki> // Environment variable pointes to internal environment service URL from gauth namesapce, Example: <nowiki>http://gauth-environment.gauth.svc.cluster.local.:80</nowiki>
 
  GWS_WORKSPACE_SERVICES_ENV: <nowiki>http://gauth-environment.gauth.svc.cluster.local.:80</nowiki> // Environment variable - pointes to internal environment service URL from gauth namesapce, Example: <nowiki>http://gauth-environment.gauth.svc.cluster.local.:80</nowiki>
 
  GWS_WORKSPACE_SERVICES_AUTH: <nowiki>http://gauth-auth.gauth.svc.cluster.local.:80</nowiki> // Genesys Authentication variable - should be pointed to internal auth service URL from gauth namesapce, Example: <nowiki>http://gauth-auth.gauth.svc.cluster.local.:80</nowiki>
 
  GWS_WORKSPACE_SERVICES_AUTH_FOR_REDIRECT: <nowiki>https://gauth</nowiki>.<yourclusterdomain>.com //Genesys Authentication redirect variable - pointes to external https ingress URL from gauth namesapce, Example: <nowiki>https://gauth.apps</nowiki>.<yourclusterdomain>.com
 
 
 
===Update the Value Overrides for Agent Setup===
 
Agent Setup is part of the GWS deployment. It needs to be configured before the GWS deployment.  
 
 
 
From the gws-services helm charts, update the following lines in the value overrides under the <code>gwsServices</code> > <code>appProvisioning</code> > <code>context</code> > <code>env</code> section before installing GWS:
 
 
 
*GWS_SERVICE_AUTH_URL: Auth internal service URI from gauth namespace (for example, <nowiki>http://gauth-auth.gauth.svc.cluster.local.:80</nowiki>)
 
*GWS_SERVICE_ENV_URL: Environment internal service URI from gauth namespace (for example, <nowiki>http://gauth-environment.gauth.svc.cluster.local.:80</nowiki>)
 
*GWS_SERVICE_CONF_URL: gws internal service URI from gws namespace (for example, <nowiki>http://gws-service-proxy.gws.svc.cluster.local:80</nowiki>)
 
*GWS_PROVISIONING_SERVICES_AUTH_FOR_REDIRECT : External https ingress URLS from gauth service(ex: <nowiki>https://gauth</nowiki>.<yourclusterdomain.com>)
 
*GWS_PROVISIONING_OBJECTCACHE_POSTGRES_USER: <Postgres DB user for provisioning service>
 
*GWS_PROVISIONING_OBJECTCACHE_POSTGRES_PASSWORD:  <Postgres DB password for provisioning service>
 
*GWS_PROVISIONING_OBJECTCACHE_POSTGRES_HOST:  <Postgres DB host for provisioning>
 
*GWS_PROVISIONING_OBJECTCACHE_POSTGRES_PORT:  <Postgres DB Port for provisioning >
 
  
===Create or Update versions.yaml===
+
*Redis password (gws-redis-password)
Create/update the versions.yaml file with the latest docker versions. See {{Link-AnywhereElse|product=ReleaseNotes|version=Current|manual=GenesysEngage-cloud|topic=GWSHelm|display text=Updated Helm Charts and Containers}}.<span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span>
+
*Consul API token (gws-consul-token)
 +
*PostgreSQL database credentials for GWS (gws-postgres-username and gws-postgres-password)
 +
*PostgreSQL database credentials for Agent Setup (agentsetup-postgres-username and agentsetup-postgres-password)
 +
*Client secret for the Provisioning Service (gws-app-provisioning-client-secret)
 +
*Client secret for the Workspace Service (gws-app-workspace-client-secret )
 +
*Client secret for the Configuration Service (gws-platform-configuration-client-secret)
 +
*Client secret for the Data Collector Service (gws-platform-datacollector-client-secret)
 +
*Client secret for the Interaction Service (gws-platform-ixn-client-secret)
 +
*Client secret for the OCS Service (gws-platform-ocs-client-secret)
 +
*Client secret for the Setting Service (gws-platform-setting-client-secret)
 +
*Client secret for the Statistics Service (gws-platform-statistics-client-secret)
 +
*Client secret for the Voice Service (gws-platform-voice-client-secret)
 +
*Credentials for the operational user (ops-username and ops-password)
 +
*{{Editgrn open}}JM: Missing description{{Editgrn close}} (gws-screen-recording-public-secret)
 +
*{{Editgrn open}}JM: Missing description{{Editgrn close}} (gws-screen-recording-private-secret)
 
|Status=No
 
|Status=No
 
}}
 
}}
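
Review bot: The new "Configure Kubernetes" list publishes two entries whose description is still the editorial placeholder "{{Editgrn open}}JM: Missing description{{Editgrn close}}", for gws-screen-recording-public-secret and gws-screen-recording-private-secret; say what each secret holds, or hold the two items back until the text exists. The same section links to anchor=globalP (the "Global parameters" table), but the sentence introducing the parameter tables in "Override Helm chart values" is commented out in this revision and the rendered page shows no such table, so the link target needs confirming. The retained line "kubectl secrets link default <credential-name> --for=pull" is worth correcting while this section is reworked, because "secrets link" is an oc subcommand rather than a kubectl one. The bullet "(gws-app-workspace-client-secret )" has a stray space before the closing parenthesis.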

Revision as of 20:52, October 29, 2021

Learn how to configure Genesys Web Services and Applications.

Create API clients

Use the Genesys Authentication operations API to create API clients for the GWS services. Refer to the API clients table for the name and client_id values you must use in the API request. Make note of encrypted_client_secret in the responses - you need this value to set the related parameter in Override Helm chart values.

API clients

| Service | name | client_id | Helm chart parameter |
|---|---|---|---|
| Provisioning Service | gws-app-provisioning | gws-app-provisioning | secrets.gws-app-provisioning-client-secret |
| Workspace Service | gws-app-workspace | gws-app-workspace | secrets.gws-app-workspace-client-secret |
| Configuration Service | gws-platform-configuration | gws-platform-configuration | secrets.gws-platform-configuration-client-secret |
| Data Collector Service | gws-platform-datacollector | gws-platform-datacollector | secrets.gws-platform-datacollector-client-secret |
| Interaction Service | gws-platform-ixn | gws-platform-ixn | secrets.gws-platform-ixn-client-secret |
| OCS Service | gws-platform-ocs | gws-platform-ocs | secrets.gws-platform-ocs-client-secret |
| Setting Service | gws-platform-setting | gws-platform-setting | secrets.gws-platform-setting-client-secret |
| Statistics Service | gws-platform-statistics | gws-platform-statistics | secrets.gws-platform-statistics-client-secret |
| Voice Service | gws-platform-voice | gws-platform-voice | secrets.gws-platform-voice-client-secret |

Configure a secret to access JFrog

If you haven't done so already, create a secret for accessing the JFrog registry:

kubectl create secret docker-registry <credential-name> --docker-server=<docker repo> --docker-username=<username> --docker-password=<password> --docker-email=<emailid>

Now map the secret to the default service account:

oc secrets link default <credential-name> --for=pull

Override Helm chart values

You can specify parameters for the deployment by overriding Helm chart values in the values.yaml file.

For more information about how to override Helm chart values, see Overriding Helm chart values in the Setting up Genesys Engage Cloud Private Edition guide.

If you want to use arbitrary UIDs in your OpenShift deployment, you must override the securityContext settings in the values.yaml file, so that no user or group IDs are specified. For details, see Configure security below.

Create or update the versions file

Create or update the versions.yaml file with the latest container versions for your deployment. See Updated Helm Charts and Containers for Web Services and Applications for the full list of versions.

For example:
gws-app-provisioning:9.0.000.93
gws-app-workspace:9.0.000.90
gws-platform-configuration:9.0.000.79
gws-platform-datacollector:9.0.000.50
gws-platform-ixn:9.0.000.43
gws-platform-ocs:9.0.000.46
gws-platform-setting:9.0.000.52
gws-platform-statistics:9.0.000.61
gws-platform-voice:9.0.000.66
gws-system-nginx:9.0.000.16
gws-ui-crmworkspace:9.0.000.62
gws-ui-provisioning:9.0.000.84
gws-ui-workspace:9.0.000.82

Configure Kubernetes

GWS stores the following sensitive data as Kubernetes secrets. See the secrets.* parameters in the Global parameters table in the "Override Helm chart values" section for details.

  • Redis password (gws-redis-password)
  • Consul API token (gws-consul-token)
  • PostgreSQL database credentials for GWS (gws-postgres-username and gws-postgres-password)
  • PostgreSQL database credentials for Agent Setup (agentsetup-postgres-username and agentsetup-postgres-password)
  • Client secret for the Provisioning Service (gws-app-provisioning-client-secret)
  • Client secret for the Workspace Service (gws-app-workspace-client-secret)
  • Client secret for the Configuration Service (gws-platform-configuration-client-secret)
  • Client secret for the Data Collector Service (gws-platform-datacollector-client-secret)
  • Client secret for the Interaction Service (gws-platform-ixn-client-secret)
  • Client secret for the OCS Service (gws-platform-ocs-client-secret)
  • Client secret for the Setting Service (gws-platform-setting-client-secret)
  • Client secret for the Statistics Service (gws-platform-statistics-client-secret)
  • Client secret for the Voice Service (gws-platform-voice-client-secret)
  • Credentials for the operational user (ops-username and ops-password)
  • JM: Missing description (gws-screen-recording-public-secret)
  • JM: Missing description (gws-screen-recording-private-secret)
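
The following is an added example, not part of the Genesys documentation or Helm charts: a pre-install lint that checks the nine client-secret parameters from the API clients table in a parsed values override. The function name, the sample values and the duplicate-value heuristic are assumptions made for this illustration; the input is the dict a YAML parser returns for the override file.

```python
"""Added example: lint the secrets block of a GWS values override before install."""

# Client-secret parameters, taken from the API clients table on this page.
CLIENT_SECRET_KEYS = [
    "gws-app-provisioning-client-secret",
    "gws-app-workspace-client-secret",
    "gws-platform-configuration-client-secret",
    "gws-platform-datacollector-client-secret",
    "gws-platform-ixn-client-secret",
    "gws-platform-ocs-client-secret",
    "gws-platform-setting-client-secret",
    "gws-platform-statistics-client-secret",
    "gws-platform-voice-client-secret",
]


def lint_client_secrets(values):
    """Return (key, problem) pairs for the 'secrets' map of parsed values."""
    secrets = values.get("secrets") or {}
    problems, seen = [], {}
    for key in CLIENT_SECRET_KEYS:
        value = secrets.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append((key, "missing or empty"))
        elif value.strip().startswith("<") and value.strip().endswith(">"):
            # Template text such as <encrypted_client_secret> was never filled in.
            problems.append((key, "placeholder left in place"))
        elif value.strip() in seen:
            # Heuristic added here: identical values usually mean a copy/paste slip.
            problems.append((key, "same value as " + seen[value.strip()]))
        else:
            seen[value.strip()] = key
    return problems


# Constructed sample override: one placeholder, one missing key, one reused value.
SAMPLE_VALUES = {
    "secrets": {key: f"constructed-{i}" for i, key in enumerate(CLIENT_SECRET_KEYS)}
}
SAMPLE_VALUES["secrets"]["gws-app-workspace-client-secret"] = "<encrypted_client_secret>"
del SAMPLE_VALUES["secrets"]["gws-platform-configuration-client-secret"]
SAMPLE_VALUES["secrets"]["gws-platform-datacollector-client-secret"] = "constructed-0"

if __name__ == "__main__":
    for key, problem in lint_client_secrets(SAMPLE_VALUES):
        print(f"secrets.{key}: {problem}")
```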

Configure security

To learn more about how security is configured for private edition, be sure to read the Permissions and OpenShift security settings topics in the Setting up Genesys Engage Cloud Private Edition guide.

The security context settings define the privilege and access control settings for pods and containers.

By default, the user and group IDs are set in the values.yaml file as 500:500:500, meaning the genesys user.

deploymentGlobals:
  securityContext:
    runAsUser: 500
    runAsGroup: 500
    fsGroup: 500
    runAsNonRoot: true

Arbitrary UIDs in OpenShift

If you want to use arbitrary UIDs in your OpenShift deployment, you must override the securityContext settings in the values.yaml file, so that you do not define any specific IDs.

deploymentGlobals:
  securityContext:
    runAsUser: null
    runAsGroup: 0
    fsGroup: null
    runAsNonRoot: true
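
The following is an added example, not code from Genesys or from Helm: it models how Helm merges an override onto chart defaults, where a value of null deletes the default key and an omitted key leaves the default in place, and then reports which IDs remain pinned. The function names and the two sample overrides are assumptions for illustration; the defaults are the 500:500:500 values shown above.

```python
"""Added example: why the arbitrary-UID override must set null explicitly."""
import copy

# Chart defaults as shown on this page (deploymentGlobals.securityContext).
CHART_DEFAULTS = {
    "deploymentGlobals": {
        "securityContext": {
            "runAsUser": 500,
            "runAsGroup": 500,
            "fsGroup": 500,
            "runAsNonRoot": True,
        }
    }
}


def merge_values(defaults, overrides):
    """Model of Helm's values merge: nested maps merge key by key, an
    override of null (None) deletes the key, anything else replaces it."""
    merged = copy.deepcopy(defaults)
    for key, value in overrides.items():
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_values(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def arbitrary_uid_findings(overrides, defaults=CHART_DEFAULTS):
    """List the reasons the effective securityContext still pins IDs that
    stop OpenShift from assigning an arbitrary UID."""
    merged = merge_values(defaults, overrides)
    ctx = (merged.get("deploymentGlobals") or {}).get("securityContext") or {}
    findings = []
    # runAsUser and fsGroup are the two fields the page's override nulls out.
    for field in ("runAsUser", "fsGroup"):
        if ctx.get(field) is not None:
            findings.append(f"{field} is still {ctx[field]}; override it with null")
    if ctx.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot must stay true")
    return findings


# Constructed overrides, written as the dicts a YAML parser would produce.
PAGE_OVERRIDE = {"deploymentGlobals": {"securityContext": {
    "runAsUser": None, "runAsGroup": 0, "fsGroup": None, "runAsNonRoot": True}}}
# Leaving the keys out does not clear them: the chart defaults survive the merge.
OMITTED_KEYS = {"deploymentGlobals": {"securityContext": {"runAsGroup": 0}}}

if __name__ == "__main__":
    print(arbitrary_uid_findings(PAGE_OVERRIDE))
    print(arbitrary_uid_findings(OMITTED_KEYS))
```
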
Retrieved from "https://all.docs.genesys.com/GWS/Current/GWSPEGuide/Configure (2025-07-14 22:21:12)"